Skip to content

Sophos Mobile EAS proxy

You can set up an EAS proxy to control the access of your managed devices to an email server. Email traffic of your managed devices is routed through that proxy. You can block email access for devices, for example a device that violates a compliance rule.


Because macOS doesn’t support the ActiveSync protocol, you can’t use the EAS proxy to filter email traffic coming from Macs.

The devices must be configured to use the EAS proxy as email server for incoming and outgoing emails. The EAS proxy will only forward traffic to the actual email server if the device is known in Sophos Mobile and matches the required policies. This guarantees higher security as the email server does not need to be accessible from the Internet and only devices that are authorized (correctly configured, for example with passcode guidelines) can access it. Also, you can configure the EAS proxy to block access from specific devices.


The EAS proxy is downloaded and installed separately from Sophos Mobile. It communicates with Sophos Mobile through an HTTPS web interface.

For information on how to integrate the EAS proxy into your network architecture, see the Technical guide. We recommend that you read the information before you set up the EAS proxy.


  • Support for multiple Microsoft Exchange or IBM Traveler mail servers.

    You can set up one EAS proxy instance per mail server.

    For a list of mail servers that the EAS proxy supports, see the Requirements section in the Release notes.

  • Load balancer support.

    You can set up EAS proxy instances on several computers and then use a load balancer to distribute the client requests among them.

  • Support for certificate-based client authentication.

    You can select a certificate from a certification authority (CA), from which the client certificates must be derived.

  • Support for email access control through PowerShell.

    In this scenario, the EAS proxy service communicates with the email server through PowerShell to control the email access of your managed devices. Email traffic happens directly from the devices to the email server and is not routed through a proxy. See Set up email access control through PowerShell.

For non-iOS devices, filtering abilities of the EAS proxy are limited due to the specifics of the Traveler protocol. Traveler clients on non-iOS devices do not send the device ID with every request. Requests without a device ID are still forwarded to the Traveler server, even though the EAS proxy is not able to verify that the device is authorized.