IBM Security MaaS360

  • 1.  Cloud Extender and Office 365 online email integration

    Posted Tue November 09, 2021 07:10 AM
    Hi,
    is it still possible to set up an email integration towards Office 365 (with modern authentication) using the Cloud Extender?

    From the release notes it looks like it should be possible (Exchange ActiveSync module support for Modern Authentication for Office 365 integration - https://www.securitylearningacademy.com/mod/book/view.php?id=23773&chapterid=1870), but I haven't found any updated information on how to set it up or how it works.

    Would this be a good alternative to Microsoft Conditional Access?

    Best Regards,

    Kjetil Holm

    ------------------------------
    Best Regards,

    Kjetil Holm
    ------------------------------


  • 2.  RE: Cloud Extender and Office 365 online email integration

    Posted Wed November 10, 2021 04:54 AM
    Hi Kjetil
    IBM MaaS360 Cloud Extender already supports integration with Office365.
    See documentation: https://www.ibm.com/docs/en/maas360?topic=modules-exchange-module
    Please note that Cloud Extender integration with a mail platform is usually done so that you can get visibility on devices connected to their mail account, and identify those which haven't yet enrolled. 
    The support for Modern Auth - which we do in the Secure Mobile Mail client - is already there - but separately to Cloud Extender integration. 
    This means that the Workplace policy can be configured to use Modern Auth for Secure Mail without needing Cloud Extender set up for it to work. 
    See policy settings here: https://www.ibm.com/docs/en/maas360?topic=mail-secure-settings-workplace-persona-policy
    Please let me know if this is clear and whether you need anything else. 
    Best

    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------



  • 3.  RE: Cloud Extender and Office 365 online email integration

    Posted Wed November 10, 2021 05:33 AM
    Hi Eamonn,
    thanks!
    I'm aware that Cloud Extender is not needed to configure the Secure Mail client.

    My question was for the Enterprise Email integration towards Office 365.

    If I understand correctly, you can confirm that by integrating Cloud Extender towards Office 365, I can automatically block all devices not being enrolled in MaaS360 from syncing email (etc.) from Office 365/Exchange Online? And the fact that Exchange Online now only supports modern authentication does not limit this capability (i.e. to block unenrolled devices).

    Do you recommend this approach as an alternative to using e.g. (Microsoft) Conditional Access?

    BR,
    Kjetil

    ------------------------------
    Best Regards,

    Kjetil Holm
    ------------------------------



  • 4.  RE: Cloud Extender and Office 365 online email integration

    Posted Wed November 10, 2021 06:19 AM
    Edited by Eamonn O'Mahony Wed November 10, 2021 06:28 AM
    Hi Kjetil
    Good question!
    The Cloud Extender integration with Exchange used PowerShell scripts to run against the Exchange environment. 
    The Office365 integration runs in a similar way, can't remember if using PS script but in any case it is not an authentication protocol like Modern Auth (allowing users to authenticate), but rather a way to send commands to a platform to perform an action. Ideally they are separate concepts. 
    So there are potentially several scenarios in relation to your scenario: 
    1. You switch on Modern Auth, only users with mail clients configured for this can authenticate to the mail platform. Users who can't synch are restricted to those whose mail clients can't support Modern Auth. This is probably more of a configuration type restriction where by supporting Modern Auth only, users whose mail clients don't support it can't connect, so theoretically by installing the mail client which does, they can fix the issue. 
    2. You switch on AutoQuarantine, only approved mailboxes or mail 'partnerships' are allowed. We use the term 'partnership' to refer to connections between a mailbox and a device, established when a user sets a mail client up on a specific device. In this case, the Cloud Extender Configuration Settings either respect the existing Exchange configuration and allow the Exchange side to perform AQ, or Cloud Extender 'takes over' and performs the AQ-equivalent function. In either case, specific device partnerships are allowed or blocked, based on specific criteria or manual action. In the case of Cloud Extender it can work by a) Only enabling devices using Secure Mail, b) Blocking users who haven't enrolled, using a Block action in a Compliance rule, and/or c) Blocking or Approving a device manually on the device record. The impact of this is that the admins get to decide who connects or not, independently of the authentication type. 
    In addition to this you have asked whether these are appropriate instead of setting up Conditional Access. 
    In relation to Conditional Access, please see my colleague Clint Adams' blog: 
    https://community.ibm.com/community/user/security/blogs/clinton-adams1/2021/08/09/maas360-now-integrates-with-azure-ad-conditional-a
    If you want to compare them, I think we're not comparing like with like; realistically speaking, Conditional Access is a zero-trust type of approach, whereas AutoQuarantine and the use of Modern Authentication are both specific solutions to specific pieces of the puzzle. 
    Are we thinking along the same lines? 
    Best

    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------



  • 5.  RE: Cloud Extender and Office 365 online email integration

    Posted Wed November 10, 2021 09:33 AM
    Hi Eamonn,
    thanks!

    Primarily, I'm trying to figure out whether keeping (or setting up) Cloud Extender could be a good alternative to upgrading the MS licenses to include Intune and/or AAD Premium (which is required for Azure AD conditional access).

    Best Regards,

    Kjetil

    ------------------------------
    Best Regards,

    Kjetil Holm
    ------------------------------