In the anywhere-workspace era, one of the challenges is how to build a Zero Trust secure environment. One of the areas we need to secure is SaaS resources.
Many enterprises do so by standardizing corporate tools, including collaboration apps such as mobile email. As a matter of fact, mobile email is the most commonly used app in the enterprise.
Boxer is often the best choice because of its DLP capabilities, such as watermarking, and its other enterprise-grade features.
Once an enterprise has chosen a standard email client, all other shadow, non-approved clients should be prohibited by policy. However, blocking is not as straightforward as it looks.
For instance, enterprises that have adopted Office 365 all use the same service URL. Any user can easily get mobile email from the Office 365 URL with his email address and credentials, using any random mobile email app.
For tighter control, an administrator can use PowerShell to implement a whitelist of mobile email clients.
In a PowerShell console, connect to Exchange Online with Connect-ExchangeOnline using your administrator account.
Use Get-MobileDevice | select Name, Identity, DeviceModel, DeviceType to retrieve information about the connected mobile devices. Pay attention to the last two columns (DeviceModel and DeviceType); they hold the values we need when composing the whitelist.
To allow only Boxer to connect, we first block everything by default with the command:
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
Now use the values from the DeviceType column to whitelist Boxer. We have to do it twice: once for iOS Boxer and once for Android Boxer.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "BoxerManagediPhone" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "BoxerManagedAndroid" -AccessLevel Allow
A user on a blocked email app will see a warning message inside the blocked app. A notification email is also sent to blocked users; of course, they will only see that email in a whitelisted email client or in desktop Outlook after the policy is in place.
You can use Remove-ActiveSyncDeviceAccessRule to remove a device access rule.
A blocking rule takes effect almost immediately, but it takes around 20 to 30 minutes for a released app to receive email again after the rule is removed.
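The whole procedure above, collected into one script as an added example (this is not code from the original post or from the Boxer product). It assumes the ExchangeOnlineManagement module is installed, that the admin UPN is a placeholder you replace, and that the DeviceType values reported by Get-MobileDevice in your tenant are the two the post shows ("BoxerManagediPhone" and "BoxerManagedAndroid"); the inventory step exists so you can confirm them before creating rules. It also differs from the post in one deliberate way: the Allow rules are created before the organisation default is switched to Block, so that approved clients are never caught by the default in between.

```powershell
# Added example, not part of the original post.
# Assumes: ExchangeOnlineManagement module installed; admin UPN below is a placeholder.

# 1. Connect to Exchange Online with an administrator account (interactive sign-in).
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# 2. Inventory the DeviceType values that are actually connecting, so the
#    allow-list is built from observed values rather than guesses.
Get-MobileDevice |
    Select-Object Name, Identity, DeviceModel, DeviceType |
    Group-Object DeviceType |
    Sort-Object Count -Descending |
    Format-Table Name, Count

# 3. The allow-list: the two Boxer DeviceType values named in the post.
#    Adjust if step 2 shows different values in your tenant.
$allowedDeviceTypes = @('BoxerManagediPhone', 'BoxerManagedAndroid')

# 4. Create one Allow rule per device type, skipping any that already exist
#    so the script can be re-run safely.
$existingRules = Get-ActiveSyncDeviceAccessRule
foreach ($type in $allowedDeviceTypes) {
    $match = $existingRules | Where-Object {
        $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq $type
    }
    if ($match) {
        Write-Host "Allow rule for DeviceType '$type' already exists: $($match.Identity)"
    } else {
        New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString $type -AccessLevel Allow
    }
}

# 5. Only now switch the organisation default to Block. Everything that does not
#    match an Allow rule (any other mobile email app) is blocked from here on.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# 6. Verify the resulting policy: default level plus the explicit rules.
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel
Get-ActiveSyncDeviceAccessRule |
    Format-Table Identity, Characteristic, QueryString, AccessLevel

# Rollback of a single rule (for example, a mistyped DeviceType value). The rule
# is looked up by its QueryString rather than by a hard-coded Identity.
# Get-ActiveSyncDeviceAccessRule |
#     Where-Object { $_.QueryString -eq 'BoxerManagediPhone' } |
#     Remove-ActiveSyncDeviceAccessRule -Confirm:$false
```

Run it once with step 5 commented out to review the inventory from step 2 and the rules it would create; then run it in full. Because a Block default applies to every user in the tenant, the verification in step 6 is worth checking before users start reporting the in-app warning described above.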