I have a customer with an unusual request - they have a user that they'd like to prevent from logging in to any domain PCs, but allow to access their mailbox, calendar, and so on through their mobile phone.
The domain in question is SBS 2008 (so essentially Server 2008 and Exchange 2007). The phone is an iPhone.
From some brief testing, it seems that I can go into the account properties, and check the "Require smart card for interactive login" for the user, but I'm not sure if this is going to stop working on the phone in a day or two - in my experience changes to the account take some time to propagate to the user's phone, particularly authentication things like password and permissions changes.