Skip to content

Set up email access control through PowerShell

When you set up the Sophos Mobile EAS proxy in PowerShell mode, it connects to your Exchange mail server through PowerShell and sets email access based on the device’s compliance status.

Restriction

Because macOS doesn’t support the ActiveSync protocol, you can’t use PowerShell to control email access by Macs.

PowerShell mode has the following advantages over proxy mode:

  • Devices communicate directly with the Exchange mail server.
  • Because no mail traffic needs to go through the Sophos Mobile EAS proxy, you don’t need to open a port for inbound mail in your firewall.
  • You can block mail access for unmanaged devices.
  • PowerShell mode supports Exchange Online and Exchange Server, whereas proxy mode only supports Exchange Server.

For a schematic of the communication flow, see EAS proxy architecture examples.

The Exchange mail server can be either Exchange Server or Exchange Online, which is part of Microsoft 365. Supported versions are:

  • Exchange Server 2016
  • Exchange Server 2019
  • Microsoft 365 with an Exchange Online plan

To set up email access control through PowerShell, do as follows.

Configure PowerShell

  1. Optional: If required, install Windows PowerShell on the computer on which you are going to install the EAS proxy.

    See Installing PowerShell on Windows.

  2. Open PowerShell as an administrator and run the following command:

    Set-ExecutionPolicy RemoteSigned
    

Exchange Server requires additional configuration:

  1. Open the Exchange Management Shell.

    See Open the Exchange Management Shell.

  2. Set the PowerShell execution policy:

    Set-ExecutionPolicy RemoteSigned
    
  3. Get the name of the PowerShell virtual directory:

    Get-PowerShellVirtualDirectory -Server <server name>
    

    <server name> is the name of the computer on which Exchange Server is installed.

    In a standard installation, the PowerShell virtual directory is PowerShell (Default Web Site).

  4. Set basic authentication for the PowerShell virtual directory:

    Set-PowerShellVirtualDirectory -Identity "PowerShell (Default Web Site)" -BasicAuthentication $true
    

Create a service account

A service account is a special user account on the Exchange mail server that Sophos Mobile uses to run PowerShell commands.

  1. Open the Exchange admin center in a web browser:

    • For Exchange Server: https://<ServerFQDN>/ecp

      <ServerFQDN> is your Exchange server’s fully-qualified domain name.

    • For Exchange Online: https://admin.exchange.microsoft.com

  2. Create a user account.

    • Use a username like smc_powershell that identifies the account purpose.
    • Turn off the setting to make the user change their password the next time they log in.
    • Remove any Microsoft 365 license that was automatically assigned to the new account. Service accounts don’t require a license.
  3. Create a new role group and assign it the required permissions.

    • Use a role group name like smc_powershell.
    • Add the Mail Recipients and Organization Client Access roles.
    • Add the user account as a member.

Configure the PowerShell connection

  1. Use the setup assistant as if you’re installing the Sophos Mobile EAS proxy. On the EAS Proxy instance setup page, configure the following settings:

    • Instance type: Select PowerShell Exchange/Office 365.
    • Instance name: A name to identify the instance.
    • Exchange server: For Exchange Server, enter the name or IP address of your server.

      For Exchange Online, enter outlook.office365.com if you’re using the global Microsoft 365 service. For other services, for example Office 365 Germany, see the values of the -ConnectionUri parameter in Connect-ExchangeOnline.

      Don’t enter the protocol https:// or the suffix /powershell-liveid to the name. The setup assistant adds these automatically.

    • Allow all certificates: The EAS proxy doesn’t verify the server certificate. Select this for example if you’re using Exchange Server with a self-signed certificate.

      Warning

      This setting reduces the security of mail server connections. Only select it if required by your network environment.

    • Service account: The name of the user account you created in the Exchange Server or Exchange Online admin console.

    • Password: The password of the user account.
  2. Click Add to add the instance to the Instances list.

  3. Repeat the previous steps to set up PowerShell connections to other Exchange Server instances.
  4. Complete the setup.
  5. Optional: If required, configure a proxy server that the EAS proxy uses to connect to Exchange Server or Exchange Online. On the computer on which you’ve installed the EAS proxy, open a command prompt using the Run as administrator option and type the following command:

    netsh winhttp set proxy <server name or IP>:<port>
    

    Warning

    This command configures a system-wide proxy. Other programs running on the computer might be affected by this.

For details on the setup assistant, see Install the Sophos Mobile EAS proxy.

Upload the PowerShell certificate

Upload the certificate of the PowerShell connection to Sophos Mobile.

  1. In Sophos Central Admin, go to My Products > Mobile.
  2. On the menu sidebar, click Setup > Sophos setup, and then click the EAS proxy tab.
  3. Under External, click Upload a file. Upload the certificate created during configuration.

    If you have set up more than one instance, repeat this for all instance certificates.

  4. Click Save.

  5. In Windows, open the Services dialog and restart the EASProxy service.