
I need to block Apple's Mail.app email client from connecting to our Exchange 2010 and 2013 servers. Mail.app uses EWS to connect to Exchange servers, so I blocked EWS with an IP filter. This stopped Mail.app from working, but it also stopped AutoDiscover.

Is there a better way to block Mail.app? Or can I enable AutoDiscover while blocking the rest of EWS functionality?

longneck

2 Answers

1

The problem with blacklisting or whitelisting on User Agent is that the User Agent string is trivially spoofable.

I've done this in my own environment to confirm that a whitelist wasn't good enough for us, using the ExQuilla extension for Thunderbird. Instructions are at https://exquilla.zendesk.com/entries/41164327-Custom-User-Agent-string

Unfortunately I don't have a better answer to this question. We've had to block EWS at the reverse proxy to prevent external clients from being able to download email without 2FA. OWA is easy to 2FA and EAS supports Conditional Access or device quarantining, but EWS is just wide open with only username and password. It's a huge pain for us.

0

If the client is indeed connecting to Exchange via EWS, there is a way to discover the UserAgent being used for this client. As long as it is identifiable (not a thing in a hosted service, btw.) you can block it via Set-OrganizationConfig.

Use a log parser to look at IIS logs on exchange server to discover an app's User Agent string. Armed with this info, you may use the following on Exchange 2010 and above:

Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList @{Add="UserAgent/*"}

Wildcards can be your friend in the User Agent block list, this really depends on what you find in your IIS logs.

You could also block this per-user by using Set-CasMailbox instead of the org-wide Set-OrganizationConfig.

Reference: https://blogs.technet.microsoft.com/matabra/2012/08/23/block-mobile-apps-that-use-exchange-web-services/

I also wrote about blocking a specific app here: http://blaughwtech.blogspot.com/2015/07/block-microsoft-send-app-in-ews-policy.html

blaughw
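A worked version of the procedure in this answer, added here as an example and not part of the original post: read an IIS W3C log, keep only requests to the EWS virtual directory, summarize which User-Agent strings each account uses, and then put the offending pattern in the EWS block list. The log lines, the "MailApp/2098" user agent, the CONTOSO accounts and the mailbox address are constructed placeholders; the real pattern has to come from your own logs.

```powershell
# Added example, not code from the original answers. All sample data below is constructed.
# Run the Set-*/Get-* cmdlets at the end in the Exchange Management Shell.

# Constructed IIS W3C log excerpt. IIS writes the User-Agent with spaces encoded as '+',
# which is what makes the whitespace split below safe.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-07-01 12:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\alice 192.0.2.10 MacOutlook/14.5.1+(Intel+Mac+OS+X+10.10) 200
2015-07-01 12:00:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\bob 192.0.2.11 Mac+OS+X/10.10.3+(14D136);+MailApp/2098 200
2015-07-01 12:00:03 10.0.0.5 POST /Autodiscover/Autodiscover.xml - 443 CONTOSO\bob 192.0.2.11 Mac+OS+X/10.10.3+(14D136);+MailApp/2098 200
2015-07-01 12:00:04 10.0.0.5 POST /EWS/Exchange.asmx - 443 CONTOSO\carol 192.0.2.12 Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4711) 200
2015-07-01 12:00:05 10.0.0.5 GET /owa/ - 443 CONTOSO\dave 192.0.2.13 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko 200
'@

function Get-EwsUserAgent {
    # Returns one object per EWS request: User, ClientIP, UserAgent (with '+' decoded back to spaces).
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The column layout is per log file, so take it from the header rather than hard-coding it.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }

        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }

        # Only the EWS virtual directory matters here; Autodiscover and OWA hits are ignored.
        if ($row['cs-uri-stem'] -notlike '/EWS/*') { continue }

        [pscustomobject]@{
            User      = $row['cs-username']
            ClientIP  = $row['c-ip']
            UserAgent = $row['cs(User-Agent)'] -replace '\+', ' '
        }
    }
}

# Step 1: which clients actually talk to EWS, and on whose behalf?
$ewsHits = Get-EwsUserAgent -LogLines ($sampleLog -split '\r?\n')
$ewsHits | Group-Object UserAgent | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# For a real server, replace the constructed here-string with the live logs, e.g.:
#   $ewsHits = Get-EwsUserAgent -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log')

# Step 2: block the pattern you found. Entries are matched against the whole User-Agent
# string, so wrap the distinctive token in wildcards unless it sits at the start.
$pattern = '*MailApp/*'   # placeholder; use the token from your own logs

# Organization-wide (Exchange 2010 and later)
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList @{ Add = $pattern }

# Or only for a single mailbox (placeholder address)
Set-CASMailbox -Identity 'bob@contoso.com' -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList @{ Add = $pattern }

# Step 3: confirm what is now in force
Get-OrganizationConfig | Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsBlockList, EwsAllowList
Get-CASMailbox -Identity 'bob@contoso.com' | Select-Object EwsEnabled, EwsApplicationAccessPolicy, EwsBlockList
```

Two points worth checking after you apply this. First, the block list is enforced inside EWS itself, so unlike the IP filter in the question it leaves /Autodiscover and OWA alone; re-run the log parser afterwards and you should see the blocked agent's EWS requests failing while its Autodiscover requests still succeed. Second, it does nothing about the spoofing problem raised in the first answer: a client that changes its User-Agent string walks straight past the block list, so treat this as a nuisance filter for a known client, not as an access control.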