Set up email access control through PowerShell
When you set up the standalone EAS proxy in PowerShell mode, it connects to your Exchange mail server through PowerShell and sets email access based on the device’s compliance status.
In PowerShell mode, mail traffic goes directly from the Exchange mail server to your devices without a proxy. For a schematic of the communication flow, see “EAS proxy architecture examples” in the Sophos Mobile server deployment guide.
Advantages of the PowerShell mode:
- You do not need to open a port on your Sophos Mobile server for incoming email traffic from your devices.
- You can prevent devices that are not enrolled with Sophos Mobile from accessing email.
The Exchange mail server can be either Exchange Server or Exchange Online, which is part of Microsoft 365. Supported versions are:
- Exchange Server 2013
- Exchange Server 2016
- Microsoft 365 with an Exchange Online plan
Because macOS doesn’t support the ActiveSync protocol, you can’t use PowerShell to control email access by Macs.
To set up email access control through PowerShell, do as follows.
Optional: If required, install Windows PowerShell on the computer on which you are going to install the EAS proxy.
See the Microsoft document Installing Windows PowerShell.
Open PowerShell as an administrator and run the following command:
Exchange Server requires additional configuration:
Open the Exchange Management Shell.
See the Microsoft document Open the Exchange Management Shell.
Set the PowerShell execution policy:
Get the name of the PowerShell virtual directory:
Get-PowerShellVirtualDirectory -Server <server name>
<server name> is the name of the computer on which Exchange Server is installed.
In a standard installation, the PowerShell virtual directory is PowerShell (Default Web Site).
Set basic authentication for the PowerShell virtual directory:
Set-PowerShellVirtualDirectory -Identity "PowerShell (Default Web Site)" -BasicAuthentication $true
Create a service account
A service account is a special user account on the Exchange mail server that Sophos Mobile uses to run PowerShell commands.
Open the Exchange admin center in a web browser:
For Exchange Server:
<ServerFQDN> is your Exchange server’s fully-qualified domain name.
For Exchange Online:
Create a user account.
- Use a username like smc_powershell that identifies the account purpose.
- Turn off the setting to make the user change their password the next time they log in.
- Remove any Microsoft 365 license that was automatically assigned to the new account. Service accounts don’t require a license.
Create a new role group and assign it the required permissions.
- Use a role group name like
- Add the Mail Recipients and Organization Client Access roles.
- Add the user account as a member.
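The Exchange Server side of this procedure (execution policy, Basic authentication on the PowerShell virtual directory, the role group with its two roles and the service account as member, plus a check of what the account ends up with) as one script for the Exchange Management Shell. This is an added example, not Sophos or Microsoft code: the server name EX01, the account name smc_powershell, the role group name "Sophos Mobile EAS Proxy" and the RemoteSigned execution policy are assumptions, and the service account is assumed to exist already, created as described above.

```powershell
# Added example (not Sophos documentation). Run in the Exchange Management Shell
# on the Exchange Server. Placeholders below are assumptions for this example.
$server    = 'EX01'                      # computer on which Exchange Server is installed
$account   = 'smc_powershell'            # service account created in the Exchange admin center
$roleGroup = 'Sophos Mobile EAS Proxy'   # name that identifies the group purpose

# Execution policy: RemoteSigned runs local scripts and requires a signature on downloaded ones.
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# Find the PowerShell virtual directory on this server and enable Basic authentication,
# which is the authentication method the EAS proxy uses for its remote session.
Get-PowerShellVirtualDirectory -Server $server |
    Set-PowerShellVirtualDirectory -BasicAuthentication $true

# Check the result: BasicAuthentication should now be True.
Get-PowerShellVirtualDirectory -Server $server |
    Format-List Identity, BasicAuthentication, WindowsAuthentication

# Role group with only the two roles the proxy needs, and the service account as its sole member.
if (-not (Get-RoleGroup -Identity $roleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $roleGroup `
                  -Roles 'Mail Recipients', 'Organization Client Access' `
                  -Members $account | Out-Null
}

# Least-privilege check: list every role the account holds, directly or through a role group.
# Anything beyond Mail Recipients and Organization Client Access is more than the proxy needs.
Get-ManagementRoleAssignment -RoleAssignee $account |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType
```

If the last command lists roles from other groups (for example because the account was created as a domain admin), remove those memberships; the proxy only needs the two roles above.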
Configure the PowerShell connection
Use the setup assistant as if you’re installing a standalone EAS proxy. On the EAS Proxy instance setup page, configure the following settings:
- Instance type: Select PowerShell Exchange/Office 365.
- Instance name: A name to identify the instance.
- Exchange server: For Exchange Server, enter the name or IP address of your server.
For Exchange Online, enter outlook.office365.com if you’re using the global Microsoft 365 service. For other services, for example Office 365 Germany, you can find the address in the Microsoft document Basic auth - Connect to Exchange Online PowerShell.
Don’t add the protocol https:// or the suffix /powershell-liveid to the name. The setup wizard adds these automatically.
- Allow all certificates: The EAS proxy doesn’t verify the server certificate. Select this for example if you’re using Exchange Server with a self-signed certificate.
This setting reduces the security of mail server connections, because the proxy will send the service account credentials to any server that answers on that name. Only select it if required by your network environment; installing a certificate that the EAS proxy computer trusts is the safer option.
- Service account: The name of the user account you created in the Exchange Server or Exchange Online admin console.
- Password: The password of the user account.
Click Add to add the instance to the Instances list.
- Repeat the previous steps to set up PowerShell connections to other Exchange Server instances.
- Complete the setup.
Optional: If required, configure a proxy server that the EAS proxy uses to connect to Exchange Server or Exchange Online. On the computer on which you’ve installed the EAS proxy, open a command prompt using the Run as administrator option and type the following command:
netsh winhttp set proxy <server name or IP>:<port>
This command configures a system-wide WinHTTP proxy. Other programs running on the computer might be affected by this. Use netsh winhttp show proxy to check the current setting and netsh winhttp reset proxy to remove it again.
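A pre-flight check for the instance settings above: from the computer on which the EAS proxy is installed, open the same kind of Basic-authentication remote PowerShell session that the EAS proxy instance will open, with the service account, and read a few mailboxes' ActiveSync settings. This is an added example, not Sophos code; the server name mail.example.com and the account name smc_powershell are placeholders, and the script assumes the PowerShell virtual directory and role group from the previous sections are in place. The AllowAllCertificates switch reproduces the trade-off of the wizard's Allow all certificates setting.

```powershell
# Added example (not Sophos code): test the service account and PowerShell
# virtual directory before running the setup assistant. Placeholders are assumptions.
param(
    [string]$ExchangeServer = 'mail.example.com',  # the value for "Exchange server" (name or IP)
    [string]$ServiceAccount = 'smc_powershell',    # the account from "Create a service account"
    [switch]$ExchangeOnline,                       # connect to outlook.office365.com instead
    [switch]$AllowAllCertificates                  # same trade-off as the wizard's checkbox
)

$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'

# The wizard adds https:// and the suffix itself; for a manual session build the full URI.
$uri = if ($ExchangeOnline) { 'https://outlook.office365.com/powershell-liveid/' }
       else                 { "https://$ExchangeServer/PowerShell/" }

$sessionParams = @{
    ConfigurationName = 'Microsoft.Exchange'
    ConnectionUri     = $uri
    Authentication    = 'Basic'      # requires BasicAuthentication $true on the virtual directory
    Credential        = $cred
    AllowRedirection  = $ExchangeOnline.IsPresent
    ErrorAction       = 'Stop'
}
if ($AllowAllCertificates) {
    # Skips CA and hostname checks: credentials go to whatever answers on that name.
    $sessionParams.SessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
}

$session = New-PSSession @sessionParams
try {
    # Import only the cmdlets needed to read and change per-mailbox ActiveSync access.
    Import-PSSession -Session $session -CommandName Get-CASMailbox, Set-CASMailbox -AllowClobber | Out-Null

    # Read test: with the Mail Recipients role the account can see mailbox CAS settings.
    # A 401, "access denied" or certificate error here means the wizard will fail the same way.
    Get-CASMailbox -ResultSize 5 | Select-Object Name, ActiveSyncEnabled
}
finally {
    Remove-PSSession -Session $session
}
```

Run it without -AllowAllCertificates first; if that fails only on certificate validation, fix the trust relationship on the EAS proxy computer rather than turning validation off. Note that Microsoft has since retired Basic authentication for Exchange Online remote PowerShell, so against Exchange Online this test, like the proxy connection it imitates, may be refused; in that case check the current Sophos and Microsoft documentation for the supported connection method.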
Upload the PowerShell certificate
Upload the certificate of the PowerShell connection to Sophos Mobile.
- Sign in to Sophos Mobile Admin as a super administrator.
- On the menu sidebar, under SETTINGS, click Setup > Sophos setup, and then click the EAS proxy tab.
- Under General, select Restrict to Sophos Secure Email to restrict email access to the Sophos Secure Email app, available for Android and iOS.
- Under External, click Upload a file. Upload the certificate created during configuration. If you have set up more than one instance, repeat this for all instance certificates.
- In Windows, open the Services dialog and restart the EASProxy service.