We kept it simple because it's really just Outlook-type traffic for us. We used the Apple iPhone Configuration Utiity to set some minor restrictions like no iCloud, require a passcode and encrypted backups. We then set up a virtual port on the SA and require a client certificate to connect to the SA. The client certificate is distributed with the Apple .mobileconfig file. We then direct all ActiveSynctraffic through the virtual port to a Websense "Mobile Agent". It's not really an agent because it's a virtual server in our data center and it runs as an ActiveSync proxy. We apply our normal DLP policies to the ActiveSync traffic via the Websense Mobile Agent. If something gets blocked by DLP, the iPad user gets an email telling them to use their laptop or desktop to read the email.
... View more