Block email access for unmanaged devices

You can prevent devices that are not enrolled with Sophos Mobile from accessing email.

Prerequisite: You’ve set up the standalone EAS proxy in PowerShell mode.

In these instructions, Exchange refers to either your on-premises Exchange server or to your Exchange Online plan included in Office 365.

You can configure Exchange to quarantine unmanaged devices. Users will receive an email telling them to enroll the device with Sophos Mobile. After the device is enrolled, it’s automatically removed from quarantine.

Warning: Before you apply these settings in a production environment, ensure that your devices are enrolled and can synchronize with Sophos Mobile. All devices will be quarantined by default and will only have email access if the Sophos Mobile server sets them as compliant.

Also, enrolled devices are quarantined if the EAS proxy doesn’t know their compliance status. This might happen when a device hasn’t synchronized with Sophos Mobile for too long or when the EAS proxy can’t communicate with the Sophos Mobile server.

To block email access for unmanaged devices:

  1. Open the Exchange Management Shell (if you have an Exchange server) or connect to Exchange Online PowerShell.

    For details, see the links in related information.

  2. Run the following command (in one line):

    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel quarantine -UserMailInsert "Please enroll your device with Sophos Mobile."

    The text you specify with -UserMailInsert is added to the notification email that Exchange sends to users when their device is quarantined.
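
A pre-change audit and post-change check around the command in step 2, given here as an added example that is not part of the Sophos documentation. It uses the standard Exchange cmdlets `Get-ActiveSyncOrganizationSettings` and `Get-MobileDevice`; the backup path and variable names are assumptions.

```powershell
# Added example: audit before and after changing the ActiveSync default access level.
# Run in the Exchange Management Shell or an Exchange Online PowerShell session.
# $backupPath is an assumed location; change it to suit your environment.
$backupPath = Join-Path $env:TEMP 'eas-org-settings-before.xml'

# 1. Record the current organization settings so the change can be reverted.
$before = Get-ActiveSyncOrganizationSettings
$before | Export-Clixml -Path $backupPath
$previousLevel = [string]$before.DefaultAccessLevel
Write-Host "Current default access level: $previousLevel (saved to $backupPath)"

# 2. Summarize known devices by access state and the reason for that state.
$devices = Get-MobileDevice -ResultSize Unlimited
$devices | Group-Object DeviceAccessState, DeviceAccessStateReason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. List devices whose "Allowed" state comes from the organization default
#    (reason "Global"). Confirm these are enrolled and synchronizing with
#    Sophos Mobile before changing the default, as the warning above requires.
$devices |
    Where-Object { $_.DeviceAccessState -eq 'Allowed' -and
                   $_.DeviceAccessStateReason -eq 'Global' } |
    Sort-Object UserDisplayName |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceId -AutoSize

# 4. Apply the change from step 2 of the procedure, with a confirmation prompt.
$params = @{
    DefaultAccessLevel = 'Quarantine'
    UserMailInsert     = 'Please enroll your device with Sophos Mobile.'
}
Set-ActiveSyncOrganizationSettings @params -Confirm

# 5. Verify the new default and list the devices that are now quarantined.
Get-ActiveSyncOrganizationSettings |
    Format-List DefaultAccessLevel, UserMailInsert
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceType, DeviceId, DeviceAccessStateReason -AutoSize

# Rollback, if devices are quarantined unexpectedly:
# Set-ActiveSyncOrganizationSettings -DefaultAccessLevel $previousLevel
```
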

For more information on controlling email access in general, see the Microsoft document Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list.