APM Domain Membership Restriction?

I think that the requirement here was to allow only DOMAIN-joined machines to access OutlookAnywhere. Josh's second post is right on the money - the only way to do it is to have a client to connect to a web-based VIP first that will perform the inspection of the end-point and authenticate the user and confirm he's coming from domain-joined machines. THen it will create a "holding" session for that username for a short period of time, so that when the user launches Outlook client and OA connection is established, APM will authenticate those credentials and make sure that that username has been verified as coming from domain-joined machine within last x seconds or minutes - and let the connection through.

 

 

THe same logic can be applied to use client certs to authenticate OutlookAnywhere clients - use browser to connect to APM and perform 2-factor auth - then have APM automatically launch Outlook and authorize based upon the logic described above