blocking Apple's Mail.app and EWS without breaking AutoDiscover
I need to block Apple's Mail.app email client from connecting to our Exchange 2010 and 2013 servers. Mail.appu ses EWS to connect to Exchange servers, so I blocked EWS with an IP filter. This stopped Mail.app from working, but it also stopped AutoDiscover.
Is there a better way to block Mail.app? Or can I enable AutoDiscover while blocking the rest of EWS functionality?
Solution 1:
The problem with blacklisting or whitelisting on User Agent is that the User Agent string is trivially spoofable.
I've done this in my own environment to confirm that a whitelist wasn't good enough for us, using the ExQuilla extension for Thunderbird. Instructions are at https://exquilla.zendesk.com/entries/41164327-Custom-User-Agent-string
Unfortunately I don't have a better answer to this question. We've had to block EWS at the reverse proxy to prevent external clients from being able to download email without 2FA. OWA is easy to 2FA and EAS supports Conditional Access or device quarantining, but EWS is just wide open with only username and password. It's a huge pain for us.