Set up email access control through PowerShell
When you set up the Sophos Mobile EAS proxy in PowerShell mode, it connects to your Exchange mail server through PowerShell and sets email access based on the device’s compliance status.
Because macOS doesn’t support the ActiveSync protocol, you can’t use PowerShell to control email access by Macs.
PowerShell mode has the following advantages over proxy mode:
- Devices communicate directly with the Exchange mail server.
- Because no mail traffic needs to go through the Sophos Mobile EAS proxy, you don’t need to open a port for inbound mail in your firewall.
- You can block mail access for unmanaged devices.
- PowerShell mode supports Exchange Online and Exchange Server, whereas proxy mode only supports Exchange Server.
For a schematic of the communication flow, see EAS proxy architecture examples.
The Exchange mail server can be either Exchange Server or Exchange Online, which is part of Microsoft 365. Supported versions are:
- Exchange Server 2016
- Exchange Server 2019
- Microsoft 365 with an Exchange Online plan
To set up email access control through PowerShell, do as follows.
Optional: If required, install Windows PowerShell on the computer on which you are going to install the EAS proxy.
Open PowerShell as an administrator and run the following command:
Exchange Server requires additional configuration:
Open the Exchange Management Shell.
Set the PowerShell execution policy:
Get the name of the PowerShell virtual directory:
Get-PowerShellVirtualDirectory -Server <server name>
<server name> is the name of the computer on which Exchange Server is installed.
In a standard installation, the PowerShell virtual directory is PowerShell (Default Web Site).
Set basic authentication for the PowerShell virtual directory:
Set-PowerShellVirtualDirectory -Identity "PowerShell (Default Web Site)" -BasicAuthentication $true
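The two Exchange Management Shell steps above, combined into one script that records the settings before the change and confirms the result afterwards. This is an added example, not part of the Sophos page; the server name in $ServerName is an assumed placeholder, and the script assumes a single PowerShell virtual directory on that server.

```powershell
# Added example (not from the Sophos page). Run in the Exchange Management Shell
# on the Exchange Server host. $ServerName is an assumed placeholder.
$ServerName = "EXCH01"   # replace with the computer name of your Exchange Server

# Locate the PowerShell virtual directory. In a standard installation this is
# "PowerShell (Default Web Site)"; if your server has several, pick the right one.
$vdir = Get-PowerShellVirtualDirectory -Server $ServerName | Select-Object -First 1

# Record the authentication settings before changing anything, so the change
# can be reverted or audited later.
"Before:"
$vdir | Format-List Identity, BasicAuthentication, WindowsAuthentication, InternalUrl, ExternalUrl

# Enable Basic authentication, which the EAS proxy's PowerShell connection requires.
Set-PowerShellVirtualDirectory -Identity $vdir.Identity -BasicAuthentication $true

# Re-read the directory and confirm the change took effect.
$check = Get-PowerShellVirtualDirectory -Identity $vdir.Identity
if (-not $check.BasicAuthentication) {
    throw "Basic authentication is still disabled on $($vdir.Identity)"
}

# Basic authentication sends the service account credentials with every request,
# so the endpoint must only be reachable over HTTPS. Warn if the URLs say otherwise.
foreach ($url in @($check.InternalUrl, $check.ExternalUrl)) {
    if ($url -and $url.Scheme -ne "https") {
        Write-Warning "PowerShell virtual directory URL is not HTTPS: $url"
    }
}

"After:"
$check | Format-List Identity, BasicAuthentication, WindowsAuthentication, InternalUrl, ExternalUrl
```

Keep the "Before" output with your change record: if the EAS proxy is later decommissioned, it tells you whether Basic authentication was enabled only for this purpose and can be turned off again.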
Create a service account
A service account is a special user account on the Exchange mail server that Sophos Mobile uses to run PowerShell commands.
Open the Exchange admin center in a web browser:
For Exchange Server:
<ServerFQDN> is your Exchange server’s fully-qualified domain name.
For Exchange Online:
Create a user account.
- Use a username like smc_powershell that identifies the account purpose.
- Turn off the setting to make the user change their password the next time they log in.
- Remove any Microsoft 365 license that was automatically assigned to the new account. Service accounts don’t require a license.
Create a new role group and assign it the required permissions.
- Use a role group name like
- Add the Mail Recipients and Organization Client Access roles.
- Add the user account as a member.
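The role group step above, scripted so that the group is created with exactly the two roles the page lists and then checked against that expected set. This is an added example, not Sophos code; the role group name and the account name are assumed placeholders. It runs in the Exchange Management Shell on Exchange Server or in an Exchange Online PowerShell session opened with Connect-ExchangeOnline.

```powershell
# Added example (not from the Sophos page). Run in the Exchange Management Shell
# or in an Exchange Online PowerShell session. Names below are assumed placeholders.
$ServiceAccount = "smc_powershell"          # the user account created in the admin center
$RoleGroupName  = "Sophos Mobile EAS Proxy" # assumed name; choose one that identifies the purpose

# The only roles the EAS proxy needs, as listed on the page.
$ExpectedRoles = @("Mail Recipients", "Organization Client Access")

# Create the role group with those roles and the service account as its only member.
New-RoleGroup -Name $RoleGroupName -Roles $ExpectedRoles -Members $ServiceAccount

# Verify the role set: the group should hold these two roles and nothing more.
$assignedRoles = Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique

$diff = Compare-Object -ReferenceObject $ExpectedRoles -DifferenceObject @($assignedRoles)
if ($diff) {
    Write-Warning "Role set of '$RoleGroupName' differs from the expected least-privilege set:"
    $diff | Format-Table InputObject, SideIndicator -AutoSize
} else {
    "Role group '$RoleGroupName' holds exactly: $($ExpectedRoles -join ', ')"
}

# Verify membership: only the service account should be listed.
$members = Get-RoleGroupMember -Identity $RoleGroupName
$members | Select-Object Name, RecipientType
if (@($members).Count -ne 1) {
    Write-Warning "Expected one member in '$RoleGroupName', found $(@($members).Count)"
}
```

Re-running only the verification part periodically is a cheap way to notice if someone later adds roles or members to the service account's group.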
Configure the PowerShell connection
Use the setup assistant as if you’re installing the Sophos Mobile EAS proxy. On the EAS Proxy instance setup page, configure the following settings:
- Instance type: Select PowerShell Exchange/Office 365.
- Instance name: A name to identify the instance.
- Exchange server: For Exchange Server, enter the name or IP address of your server.
For Exchange Online, enter outlook.office365.com if you’re using the global Microsoft 365 service. For other services, for example Office 365 Germany, see the values of the -ConnectionUri parameter in Connect-ExchangeOnline.
Don’t add the protocol https:// or the suffix /powershell-liveid to the name. The setup assistant adds these automatically.
- Allow all certificates: The EAS proxy doesn’t verify the server certificate. Select this for example if you’re using Exchange Server with a self-signed certificate.
This setting reduces the security of mail server connections. Only select it if required by your network environment.
- Service account: The name of the user account you created in the Exchange Server or Exchange Online admin console.
- Password: The password of the user account.
- Click Add to add the instance to the Instances list.
- Repeat the previous steps to set up PowerShell connections to other Exchange Server instances.
- Complete the setup.
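Before adding an Exchange Server instance in the setup assistant, it helps to confirm from the EAS proxy computer that the service account can actually open a remote Exchange PowerShell session with the values you are about to enter. The script below is an added example, not part of the Sophos page or product; the server name and account name are assumed placeholders, and it covers Exchange Server only (the assistant builds the Exchange Online URI differently, as the page notes).

```powershell
# Added example (not from the Sophos page). Run on the computer where the EAS proxy
# is installed. Server and account names are assumed placeholders.
$ExchangeHost   = "exch01.example.com"   # same value you enter under "Exchange server"
$ServiceAccount = "smc_powershell"       # same value you enter under "Service account"

# The assistant adds the protocol and path for you; here the full endpoint is built
# explicitly so the test matches what the proxy will connect to.
$uri = "https://$ExchangeHost/PowerShell/"

# Prompt for the service account password rather than embedding it in the script.
$cred = Get-Credential -UserName $ServiceAccount -Message "Password for $ServiceAccount"

$session = $null
try {
    # Basic authentication over HTTPS against the Exchange PowerShell endpoint,
    # which is what the virtual directory change on the Exchange side enables.
    # Certificate errors surface here; fix the certificate where you can instead
    # of relying on "Allow all certificates" in the assistant.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri $uri -Credential $cred -Authentication Basic -AllowRedirection

    # A read-only command on the objects the proxy will manage (ActiveSync state
    # per mailbox). If the role group is set up correctly, this succeeds.
    Invoke-Command -Session $session -ScriptBlock {
        Get-CASMailbox -ResultSize 5 | Select-Object Name, ActiveSyncEnabled
    }
    "Connection to $uri as $ServiceAccount succeeded."
}
catch {
    Write-Warning "Connection to $uri failed: $($_.Exception.Message)"
}
finally {
    if ($session) { Remove-PSSession $session }
}
```

A failure at New-PSSession usually points at the virtual directory authentication setting or the certificate; a failure inside Invoke-Command usually points at the role group.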
Optional: If required, configure a proxy server that the EAS proxy uses to connect to Exchange Server or Exchange Online. On the computer on which you’ve installed the EAS proxy, open a command prompt using the Run as administrator option and type the following command:
netsh winhttp set proxy <server name or IP>:<port>
This command configures a system-wide proxy. Other programs running on the computer might be affected by this.
For details on the setup assistant, see Install the Sophos Mobile EAS proxy.
Upload the PowerShell certificate
Upload the certificate of the PowerShell connection to Sophos Mobile.
- In Sophos Central Admin, go to My Products > Mobile.
- On the menu sidebar, click Setup > Sophos setup, and then click the EAS proxy tab.
- Under General, select Restrict to Sophos Secure Email to restrict email access to the Sophos Secure Email app, available for Android and iOS.
- Under External, click Upload a file. Upload the certificate created during configuration.
If you have set up more than one instance, repeat this for all instance certificates.
- In Windows, open the Services dialog and restart the EASProxy service.