SphereShield enables organizations to limit access to their Skype for Business (Lync) server to approved devices only. Device Access Control restriction can be implemented to meet the following requirements and deployments:

• Limit access to corporate device only
• Restrict access to managed devices (with MDM) only
• Maintain control over the devices connecting when deploying a BYOD (Bring You Own Device) approach
• Create user device affinity

The SphereShield access control engine verifies that only devices that are registered on SphereShield can connect to and use Skype for Business and Exchange Web Services (EWS). SphereShield offers several approaches on how to limit the Device Access Control based on one or more of the following features:

• Certificate enrollment – requiring a certificate to be enrolled to the device. The device certificate is required for joining the Wi-Fi network
• Limiting the registration to be within the corporate Wi-Fi network based on IP filtering. This blocks any attempt to register a device unless it is done while joining the corporate LAN Wi-Fi
• Manual approval of each device connecting by application admin. Implementing this approach requires the admin to approve each device after verifying the request manually
• Demanding VPN (Virtual Private Networks) access for the registration stage
• Requiring SphereShield app on the device. This app communicates with the SphereShield server to perform a back-end handshake during the activation of Skype for Business

In addition, SphereShield offers control based on device vendor and Operation System (OS) type and version, for example, by limiting access only to iPhone 5 and above with iOS8. SphereShield can also control the number of devices allowed per user.