Block email access for unmanaged devices

You can prevent devices that are not enrolled with Sophos Mobile from accessing email.

These instructions apply to on-premise Exchange Server installations and Exchange Online.

Requirement

You’ve set up the standalone EAS proxy in PowerShell mode. See Set up email access control through PowerShell.

You can configure Exchange to quarantine unmanaged devices. Users will receive an email telling them to enroll the device with Sophos Mobile. After the device is enrolled, it’s automatically removed from quarantine.

Warning

Before you apply these settings in a production environment, ensure that your devices are enrolled and can synchronize with Sophos Mobile. All devices will be quarantined by default and will only have email access if the Sophos Mobile server sets them as compliant.

Also, enrolled devices are quarantined if the EAS proxy doesn’t know their compliance status. This might happen when a device hasn’t synchronized with Sophos Mobile for too long or when the EAS proxy can’t communicate with the Sophos Mobile server.

To block email access for unmanaged devices:

  1. Open the Exchange Management Shell (if you have an Exchange server) or connect to Exchange Online PowerShell.

    For details, see the Microsoft documents Open the Exchange Management Shell and Connect to Exchange Online PowerShell.

  2. Run the following command (in one line):

    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel quarantine -UserMailInsert "Please enroll your device with Sophos Mobile."
    

    The text you specify with -UserMailInsert is added to the notification email that Exchange sends to users when their device is quarantined.
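
The warning above is easier to act on with a before-and-after check around the command in step 2. The following is an added example, not part of the Sophos documentation: it records the current ActiveSync organization settings and device access states, applies the quarantine default, then lists the devices that ended up quarantined. The snapshot file path is an assumption; run it in the same Exchange Management Shell or Exchange Online PowerShell session.

```powershell
# Added example: pre-flight and verification around the quarantine change.

# 1. Record the current organization-wide settings so they can be restored.
$before = Get-ActiveSyncOrganizationSettings
$before | Format-List DefaultAccessLevel, UserMailInsert, AdminMailRecipients

# 2. Snapshot every device partnership and its access state before the change.
$devices = Get-MobileDevice -ResultSize Unlimited
$devices | Group-Object DeviceAccessState |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Assumed output location for the snapshot; adjust to your environment.
$snapshot = Join-Path $env:TEMP 'eas-devices-before.csv'
$devices |
    Select-Object UserDisplayName, FriendlyName, DeviceType, DeviceId,
                  DeviceAccessState, DeviceAccessStateReason |
    Export-Csv -Path $snapshot -NoTypeInformation

# 3. Apply the setting from step 2 of this page.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -UserMailInsert "Please enroll your device with Sophos Mobile."

# 4. Confirm the new default took effect.
(Get-ActiveSyncOrganizationSettings).DefaultAccessLevel

# 5. List devices that are now quarantined, with the reason Exchange recorded.
#    Compare against the snapshot to spot enrolled devices that lost access.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Sort-Object UserDisplayName |
    Format-Table UserDisplayName, FriendlyName, DeviceType,
                 DeviceAccessStateReason -AutoSize

# Rollback, if enrolled devices are unexpectedly quarantined:
# Set-ActiveSyncOrganizationSettings -DefaultAccessLevel $before.DefaultAccessLevel `
#     -UserMailInsert $before.UserMailInsert
```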

For details on controlling email access in general, see the Microsoft document Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list.