Prevent manually adding Office 365 mail unless via Casper MDM

danseals
New Contributor II

I am just starting out with using Casper and I did some searches and wasn't able to find an answer, please let me know if I missed something.

Currently, when an iOS device is enrolled via Casper, it automatically pushes a Exchange profile to the user, and adds mail to their device. If they delete MDM, mail goes with it. That seems standard.

Now, is there a way to somehow prevent a user from adding their Office 365 account to a device that is not managed by Casper MDM? In my mind I'm thinking either a certificate, or admin credentials that get passed with the Exchange profile on Casper, so that without those, a user attempting to manually add the Office 365 account to their device would be stopped.

Thanks for your help!


bpavlov
Honored Contributor

Someone asked a similar question recently on Slack. They wanted to prevent users using Mail instead of Outlook. Someone mentioned you can block mail clients via user agents, which is pretty neat. I don't know more than what I read, but perhaps that might give you ideas on how to tackle it. Perhaps if you had a way to take a list of users who are enrolled in the JSS and then somehow export via the API into an AD group and then make exceptions so that only those specific users can connect to Mail on iOS. This would all run on a server somewhere at whatever interval you determine is appropriate. I'm probably thinking of this the wrong way though. A certificate might work too, like you mentioned. Curious to know what you learn.

Edit: I'm on mobile, otherwise I'd link you to the conversation on Slack, but it was asked today if you are inclined to search the Microsoft Office channel on there.

danseals
New Contributor II

Yeah, our mail Configuration Profile actually pushes to the iPhone / iPad Mail app; I don't mind that. I just can't figure out a way to prevent someone from just manually adding their phone, and bypassing MDM entirely.

It appears that Office 365 MDM can prevent it, but then I'm stuck not using Casper...

bpavlov
Honored Contributor

Well if you are able to maneuver a solution like I described (which I don't know if it's possible, it's all just conceptual) then you are definitely relying on Casper (it's just indirect). I assume the goal is to accomplish the objective, not so much how you go about getting there? Sometimes you do have to get a little creative....

milesleacy
Valued Contributor

This is more requirement design than implementation, but... Why does the user need to be prevented from accessing other email on the device?

danseals
New Contributor II

No sorry, I don't mind if they have other mail. I want to allow Casper to install corporate mail on their device. But I don't want them to, say, just use their Office 365 login / password to install mail on a different device. I am trying to figure out a way to make sure that every device in the "wild" that a user adds our mail to is managed by MDM.

On any phone currently, if you go to Mail, Contacts, & Calendars, select Exchange and put in your Office 365 credentials, you're getting your mail on the device, and it isn't in Casper. I can turn off ActiveSync, but that prevents Casper from installing too.

TreviñoL
Contributor

Set up a new ActiveSync that only allows connection to Exchange with certificates. Users will only be allowed to make a connection to Exchange from managed devices, which get deployed an individual certificate from an internal MS CA using SCEP and JAMF MDM (SCEP Configuration Profile). Hope that helps. We are in the process of testing it in our environment once we have a MS CA running on version 2012 instead of 2008 R2. It works just like the feature that MobileIron and AirWatch offer when setting up an Exchange Proxy.

Here is a good article on how to set it up.

The Benefits of Kerberos SSO: By Steve Goodman

Certificate-based Authentication is ideal for ActiveSync devices because, if like most organizations, your users have to change passwords regularly, this can cause confusion and even account lockouts each time users change their password. If you provision devices centrally, using certificates rather than password can allow administrators to make sure ActiveSync devices will work without user intervention once they are out in the field. Finally, using certificate-based authentication helps ensure that end-users don’t connect personal devices to your organization – although features like ActiveSync device policies and quarantine features can help with this too.

Of course it’s not all simplicity when it comes to certificate-based authentication – the provisioning process is more complicated as the certificate needs to be on the device and configured correctly; a well-setup Exchange organization using password-based authentication benefits from AutoDiscover to allow end-users to easily setup their own devices by just using their email address and account username and password.

In part one of this article we’ll look at what’s involved in configuring Exchange to allow certificate-based authentication for ActiveSync devices including:

· A quick overview of the certificate authority we’ll be using for this multi-part article.

· How to allow administrators to request certificates on behalf of end-users to simplify provisioning.

· Configuring the underlying IIS features on each Exchange Client Access Server.

· Creating a second IIS site to optionally allow certificate-based authentication to be in use within your Exchange organization at the same time as password-based authentication.

· And, finally - enabling certificate-based authentication for ActiveSync.

In the second part of this series, we’ll then look at how to deploy certificate-based authentication for two different mobile device types; iOS devices like the iPhone, iPad and iPod touch and Android devices using Nitrodesk’s TouchDown ActiveSync client.

Part 1: http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/configuring-certificate-based-authentication-exchange-2010-activesync-part1.html

Part 2: http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/configuring-certificate-based-authentication-exchange-2010-activesync-part1.html

TreviñoL
Contributor

http://mobilitydojo.net/2010/05/19/securing-exchange-activesync-with-client-certificates-lan-access/

danseals
New Contributor II

RS4, I like where your head is at, that is perfect.

BUT...

I don't think I can do that using Office 365, that's only on prem Exchange as far as I can tell.

bentoms
Release Candidate Programs Tester

@danseals Yep, O365 can't do cert-based auth for Exchange.

You might want to look at Exchange's Allow/Block/Quarantine list.

I've some details about it here.

But it would have to be manually managed as the JSS does not currently have any automated tie in.
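One way to operate the Allow/Block/Quarantine list described above against the JSS inventory, as an added PowerShell example that is not code from the thread, Jamf or Microsoft. It assumes an existing Exchange Online PowerShell session with Organization Management rights, a read-only JSS API account, placeholder JSS URL and recipient address, assumed Classic API field names, and that an iOS ActiveSync DeviceId equals "Appl" followed by the device serial number (verify this against Get-MobileDevice output in your own tenant).

```powershell
# Added example (not from the thread). Assumptions: Connect-ExchangeOnline already
# done, $JssUrl/$AdminRcp are placeholders, JSS Classic API XML field names
# (mobile_devices/mobile_device/serial_number/managed) and the "Appl<serial>"
# DeviceId convention are assumptions to verify in your environment.
$JssUrl   = "https://jss.example.com"        # placeholder
$AdminRcp = "eas-quarantine@example.com"     # placeholder
$JssCred  = Get-Credential -Message "JSS read-only API account"

# 1. Unknown devices land in quarantine instead of being allowed by default;
#    the admin recipient gets a notification each time a device is quarantined.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $AdminRcp

# 2. Read the managed mobile device inventory from the JSS Classic API
#    (HTTP basic auth over HTTPS) and derive the expected EAS DeviceIds.
$pair    = "$($JssCred.UserName):$($JssCred.GetNetworkCredential().Password)"
$basic   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$headers = @{ Authorization = "Basic $basic"; Accept = "application/xml" }
[xml]$inv = (Invoke-WebRequest -Uri "$JssUrl/JSSResource/mobiledevices" `
    -Headers $headers -UseBasicParsing).Content
$managedIds = @($inv.mobile_devices.mobile_device |
    Where-Object { $_.managed -eq 'true' -and $_.serial_number } |
    ForEach-Object { "Appl$($_.serial_number)" })

# 3. Walk every mailbox with an ActiveSync partnership: release quarantined
#    devices that exist in the JSS inventory, leave everything else quarantined.
$casMailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }
foreach ($mbx in $casMailboxes) {
    $devices = Get-MobileDevice -Mailbox $mbx.Identity |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' }
    foreach ($dev in $devices) {
        if ($managedIds -contains $dev.DeviceId) {
            # A per-mailbox allow entry overrides the organization default.
            Set-CASMailbox -Identity $mbx.Identity `
                -ActiveSyncAllowedDeviceIDs @{ Add = $dev.DeviceId }
            Write-Output "Allowed $($dev.DeviceId) ($($dev.DeviceType)) for $($mbx.Identity)"
        }
        else {
            Write-Output "Still quarantined (not in JSS): $($dev.DeviceId) for $($mbx.Identity)"
        }
    }
}
```

Run on a schedule, this is the "quarantine everything, then approve what the JSS knows about" approach rather than a true tie-in; a device enrolled after its quarantine mail went out is released on the next run.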

danseals
New Contributor II

Yeah, that's what I'm afraid of; essentially I would have to block all installs, then manually approve those coming in through the JSS as they happen.

Oh Microsoft... It annoys me that they have this functionality built into Office 365 MDM (and even more if you use MS Intune) but they don't allow any other MDM to replicate it.