Blocking Apple's Mail.app and EWS without breaking AutoDiscover

I need to block Apple's Mail.app email client from connecting to our Exchange 2010 and 2013 servers. Mail.app uses EWS to connect to Exchange servers, so I blocked EWS with an IP filter. This stopped Mail.app from working, but it also stopped AutoDiscover.

Is there a better way to block Mail.app? Or can I enable AutoDiscover while blocking the rest of EWS functionality?


Solution 1:

The problem with blacklisting or whitelisting on User Agent is that the User Agent string is trivially spoofable.

I've done this in my own environment to confirm that a whitelist wasn't good enough for us, using the ExQuilla extension for Thunderbird. Instructions are at https://exquilla.zendesk.com/entries/41164327-Custom-User-Agent-string

Unfortunately I don't have a better answer to this question. We've had to block EWS at the reverse proxy to prevent external clients from being able to download email without 2FA. OWA is easy to 2FA and EAS supports Conditional Access or device quarantining, but EWS is just wide open with only username and password. It's a huge pain for us.
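As an added example (not code from the answer above, and not Exchange's own filtering), here is the path-matching logic a reverse-proxy rule of that kind needs: deny the EWS virtual directory while allowing Autodiscover, OWA and ActiveSync, with the request path canonicalised first so that case, percent-encoding, duplicate slashes or dot segments do not let a request slip past a naive `/EWS/` string match. The virtual-directory paths are the Exchange 2010/2013 defaults; the request lines are constructed, not captured traffic.

```python
"""Path policy for a reverse proxy in front of Exchange: deny EWS, keep
Autodiscover, OWA and EAS. Paths are Exchange 2010/2013 defaults."""
import posixpath
from urllib.parse import unquote

ALLOW_PREFIXES = ("/autodiscover/", "/owa/", "/microsoft-server-activesync/")
DENY_PREFIXES = ("/ews/",)


def normalize_path(raw_target: str) -> str:
    """Canonicalise a request target before prefix matching. IIS paths are
    case-insensitive, so matching must be too; decoding twice collapses
    double-encoding; normpath collapses '//' and '/../' segments."""
    path = raw_target.split("?", 1)[0]              # drop the query string
    path = unquote(unquote(path))                    # percent-decode (twice)
    path = "/" + path.replace("\\", "/").lstrip("/")  # single leading slash
    path = posixpath.normpath(path)                  # '/a/../b' -> '/b'
    path = path.lower()
    return path if path.endswith("/") else path + "/"


def decide(raw_target: str) -> str:
    """Return 'deny' or 'allow'. Deny rules win, and anything not on the
    allow list is denied, so unknown virtual directories never reach
    Exchange (default-deny)."""
    path = normalize_path(raw_target)
    if path.startswith(DENY_PREFIXES):
        return "deny"
    if path.startswith(ALLOW_PREFIXES):
        return "allow"
    return "deny"


# Constructed sample request lines ("METHOD target"), not captured traffic.
SAMPLE_REQUESTS = [
    "POST /EWS/Exchange.asmx",
    "POST /Autodiscover/Autodiscover.xml",
    "GET /owa/",
    "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=x",
    "POST /Autodiscover/../EWS/Exchange.asmx",
    "POST /%45WS/Exchange.asmx",
    "POST //ews/exchange.asmx",
    "GET /PowerShell/",
]


def apply_policy(lines):
    """Map each 'METHOD target' line to (line, decision)."""
    return [(line, decide(line.split(" ", 1)[1])) for line in lines]


if __name__ == "__main__":
    for line, verdict in apply_policy(SAMPLE_REQUESTS):
        print(f"{verdict:5} {line}")
```

Note that this only stops Mail.app because it cannot reach EWS at all; it does not try to identify the client, which is the point the answer makes about User-Agent filtering.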