Sophos Mobile EAS proxy

You can set up the Sophos Mobile EAS proxy to control the access of your managed devices to an email server. Email traffic of your managed devices is routed through that proxy. You can block email access for devices, for example a device that violates a compliance rule.

The devices must be configured to use the EAS proxy as email server for incoming and outgoing emails. The EAS proxy will only forward traffic to the actual email server if the device is known in Sophos Mobile and matches the required policies. This guarantees higher security as the email server does not need to be accessible from the Internet and only devices that are authorized (correctly configured, for example with passcode guidelines) can access it. Also, you can configure the EAS proxy to block access from specific devices.

Installation

The EAS proxy is downloaded and installed separately from Sophos Mobile. It communicates with Sophos Mobile through an HTTPS web interface.

For information on how to integrate the EAS proxy into your network architecture, see the Technical guide. We recommend that you read the information before you set up the EAS proxy.

Features

• Support for multiple Microsoft Exchange or IBM Traveler mail servers.

  You can set up one EAS proxy instance per mail server.

  For a list of mail servers that the EAS proxy supports, see the Requirements section in the Release notes.

• Load balancer support.

  You can set up EAS proxy instances on several computers and then use a load balancer to distribute the client requests among them.

• Support for certificate-based client authentication.

  You can select a certificate from a certification authority (CA), from which the client certificates must be derived.

• Support for email access control through PowerShell.

  In this scenario, the EAS proxy service communicates with the email server through PowerShell to control the email access of your managed devices. Email traffic happens directly from the devices to the email server and is not routed through a proxy. See Set up email access control through PowerShell.

For non-iOS devices, filtering abilities of the EAS proxy are limited due to the specifics of the Traveler protocol. Traveler clients on non-iOS devices do not send the device ID with every request. Requests without a device ID are still forwarded to the Traveler server, even though the EAS proxy is not able to verify that the device is authorized.

Known issue with Outlook on Android and iOS

The EAS proxy sometimes blocks the Outlook app’s mail traffic on Android and iOS because it can’t find the associated device in Sophos Mobile.

The cause of this issue is as follows:

When Outlook contacts the EAS proxy, Sophos Mobile finds the associated device by searching for the username and ActiveSync ID that Outlook provides. If there’s no such device, for example, because Outlook contacts the EAS proxy for the first time, Sophos Mobile adjusts the search criteria. It now searches for a device with the username but without an ActiveSync ID. If the device exists, Sophos Mobile sets its ActiveSync ID Outlook device property.

In some situations, this process fails because there’s no, or more than one, such device. This may be for the following reasons:

• If the user is assigned to several devices that all haven’t contacted the EAS proxy yet.
• If the user has re-installed Outlook on the device and Outlook has created a new ActiveSync ID.

The issue doesn’t exist for the native mail apps, Gmail on Android and Mail on iOS, because Sophos Mobile gets their ActiveSync ID during device enrollment.

For information on how to fix the issue, see Authentication of email client error "Failed to resolve active sync id".

For details on how Sophos Mobile associates a mail app with a device, see How does Sophos Mobile assign an ActiveSync ID to Android devices?