Configuring Microsoft 365 cutoff

Microsoft 365 offers two forms of cutoff for ActiveSync. Similar to Exchange, the Device Family cutoff prohibits users from connecting directly to Microsoft 365 via ActiveSync, ensuring that all mobile devices connect through Forcepoint ONE SSE. The other method is through password encryption.

Device Family Cutoff

The Device Family cutoff works through the use of a pre-shared identifier to prevent ActiveSync device connections that do not pass through the Forcepoint ONE SSE proxy. The cutoff works in stages:

  • In the first stage, upon adding the account, the Forcepoint ONE SSE Autodiscover service ensures that the device's ActiveSync server is Forcepoint ONE SSE.
  • This is accomplished by sending a unique pre-shared identifier to Microsoft 365. This identifier is used to create a Device Access Rule on the Microsoft 365 server that prohibits ActiveSync connections from any device that is not passing through Forcepoint ONE SSE.

  • When an ActiveSync request is sent to Microsoft 365, it authenticates with the configured IdP before caching the password. Microsoft 365 caches the password so that an IdP check is not required on every request.
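As an added illustration, not taken from the Forcepoint ONE SSE or Microsoft documentation, the Exchange Online PowerShell steps that would create a Device Access Rule of the kind described above, preview which existing devices it would cut off, and verify the result afterwards. The identifier value, the admin account and mailbox are placeholders, and matching the identifier on the DeviceType characteristic is an assumption (the page does not say which ActiveSync characteristic carries it).

```powershell
# Added example (not Forcepoint's or Microsoft's documented procedure).
# Assumptions: the ExchangeOnlineManagement module is installed, and the
# pre-shared identifier is presented as the ActiveSync DeviceType characteristic.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder account

$PreSharedId = 'PRESHARED-IDENTIFIER-PLACEHOLDER'  # take the real value from the Forcepoint ONE SSE console

# 1. Preview impact: devices that do not present the identifier will be blocked
#    once the organization default becomes Block. Review this list first.
$direct = @(Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -ne $PreSharedId })
"{0} device(s) currently connect without the identifier" -f $direct.Count
$direct | Select-Object UserDisplayName, DeviceType, DeviceAccessState | Format-Table

# 2. Allow only devices that present the pre-shared identifier (idempotent)
$existing = Get-ActiveSyncDeviceAccessRule | Where-Object { $_.QueryString -eq $PreSharedId }
if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -QueryString $PreSharedId `
        -Characteristic DeviceType -AccessLevel Allow
}

# 3. Block every other device by default and notify admins when a device is blocked
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block `
    -AdminMailRecipients 'secops@example.com'   # placeholder mailbox

# 4. Verify: anything still reaching Microsoft 365 directly now shows as Blocked
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Blocked' } |
    Select-Object UserDisplayName, DeviceType, DeviceAccessStateReason
```

Run step 1 on its own first; a non-empty list means users still connecting directly will lose mail sync the moment step 3 is applied.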