I need to block Apple's Mail.app email client from connecting to our Exchange 2010 and 2013 servers. Mail.app uses EWS to connect to Exchange servers, so I blocked EWS with an IP filter. This stopped Mail.app from working, but it also stopped AutoDiscover.
Is there a better way to block Mail.app? Or can I enable AutoDiscover while blocking the rest of EWS functionality?
The problem with blacklisting or whitelisting on User Agent is that the User Agent string is trivially spoofable.
I've done this in my own environment to confirm that a whitelist wasn't good enough for us, using the ExQuilla extension for Thunderbird. Instructions are at https://exquilla.zendesk.com/entries/41164327-Custom-User-Agent-string
Unfortunately I don't have a better answer to this question. We've had to block EWS at the reverse proxy to prevent external clients from being able to download email without 2FA. OWA is easy to 2FA and EAS supports Conditional Access or device quarantining, but EWS is just wide open with only username and password. It's a huge pain for us.
Ryan Trainor
If the client is indeed connecting to Exchange via EWS, there is a way to discover the UserAgent being used for this client. As long as it is identifiable (not a thing in a hosted service, btw.) you can block it via Set-OrganizationConfig.
Block App From Internet
Use a log parser to look at IIS logs on exchange server to discover an app's User Agent string. Armed with this info, you may use the following on Exchange 2010 and above:
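The two steps this answer describes, worked through as an added example (this is not the answer's own command and not a Microsoft-supplied script). It assumes the IIS log is in the default W3C format with a `#Fields:` header line, that EWS is served under the `/ews/` virtual directory, and that the log path and the `<USER-AGENT-FROM-IIS-LOG>` pattern are placeholders you replace with what step 1 actually shows. `Set-OrganizationConfig -EwsApplicationAccessPolicy` and `-EwsBlockList` are real Exchange Management Shell parameters; the same pair exists on `Set-CASMailbox` if you want to scope the block to individual mailboxes instead of the whole organization.

```powershell
# Added example: find the User-Agent strings hitting EWS, then block one org-wide.
# Assumes the default IIS W3C log layout ("#Fields:" header, space-separated columns,
# spaces inside the User-Agent written as '+').

function Get-EwsUserAgents {
    param([Parameter(Mandatory)][string]$LogPath)

    $fields = $null
    $counts = @{}
    foreach ($line in Get-Content -Path $LogPath) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns for every data line that follows it
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        # Skip other directives (#Software, #Version, #Date) and data before any header
        if ($line.StartsWith('#') -or -not $fields) { continue }

        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        # Keep only requests to the EWS virtual directory (Autodiscover lives elsewhere)
        if ($row['cs-uri-stem'] -notmatch '^/ews/') { continue }

        # Undo IIS's '+' encoding so the string matches what the client really sent
        $ua = $row['cs(User-Agent)'] -replace '\+', ' '
        $counts[$ua] = 1 + [int]$counts[$ua]
    }

    $counts.GetEnumerator() |
        Sort-Object Value -Descending |
        Select-Object @{n = 'UserAgent'; e = { $_.Key } }, @{n = 'Requests'; e = { $_.Value } }
}

# Step 1: list which user agents are talking to EWS (placeholder log path)
Get-EwsUserAgents -LogPath 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex140101.log' | Format-Table -AutoSize

# Step 2: block the identified agent(s) for the whole organization (Exchange 2010+).
# EnforceBlockList allows every EWS client except those matching the list; wildcards are allowed.
# Replace the placeholder with the exact string from step 1.
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList `
    -EwsBlockList @('<USER-AGENT-FROM-IIS-LOG>*')

# Confirm what is now in effect
Get-OrganizationConfig | Select-Object EwsApplicationAccessPolicy, EwsBlockList, EwsEnabled
```

Because the block is evaluated only for EWS requests, Autodiscover (a separate virtual directory) keeps working, which is what the IP filter in the question broke. The caveat from the other answer still applies: the User-Agent header is supplied by the client, so this controls well-behaved clients rather than a determined one; rerun step 1 periodically to see whether new agent strings appear against EWS.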