A list of puns related to "ActiveSync"
Can anyone recommend an MDM/VPN/Gateway product that can sit in front of an on-premise exchange server (in a DMZ)? Essentially taking IIS off the internet.
We use Fortigate Firewalls, and our ideal scenario would be a VSphere appliance in a DMZ, and apps for IOS/Android.
SSL-VPN is an option, but ideally a seamless solution that doesn't involve the user doing anything different (apart from maybe enrolment). So they power on their iPhone, and Outlook mobile just works.
Even better, as we're an MSP, something subscription based or suitable for SMB (sub-50 user) customers.
Options I think include MobileIron, Citrix, Deepnet (looks dated), etc.
Looking for recommendations, thanks!
(Edit :- I'd encourage all our clients to use O365 but we have some clients who "fear the cloud" and prefer Exchange on-premise. Maniacs)
I have set up an ActiveSync email configuration profile in Intune that uses cert auth with Azure and seems to be authenticating successfully, but in the logs for the device it shows that it is being quarantined. We do not have any conditional access policies and it does not appear that EXO is quarantining the device either. The strange thing is that everything works fine if we change cert auth in the profile to use username/password. Has anyone run into this issue?
DeviceAccessState: Quarantined
DeviceAccessStateReason: AadBlockDueToAccessPolicy
Introduced PKI smartcards in the enterprise. Works great for all desktops and notebook based applications and Windows O/S.
Actually close to going "passwordless". The only thing holding me back is the Android and iPhones using ActiveSync on my company Exchange server. How have other people managed this challenge? Issuing certificates to Samsung, Huawei, iPhone etc. phones is something I really do not have a good feeling about.
set-CASmailbox -identity "joe.bloggs@company.com" -activesyncallowedDeviceIDs@{B4685F67411B3EC992B3752A438342BD}
Can anyone tell me why this cmdlet isn't working? I'm trying to unblock a device to be able to access a mailbox via activesync. Error below:
A parameter cannot be found that matches parameter name 'activesyncallowedDeviceIDs@'.
+ CategoryInfo : InvalidArgument: (:) [Set-CASMailbox], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-CASMailbox
+ PSComputerName : outlook.office365.com
Thanks!
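The corrected form of the command above, as an added example (not the poster's code). It assumes an Exchange Online PowerShell session is already connected; the mailbox and device ID are the ones from the post.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has already been run.
$Mailbox  = "joe.bloggs@company.com"
$DeviceId = "B4685F67411B3EC992B3752A438342BD"   # device ID quoted in the post

# Two fixes compared with the posted command:
#   1. a space between the parameter name and its value (PowerShell was reading "@" as part of
#      the parameter name, hence "parameter name 'activesyncallowedDeviceIDs@'" in the error);
#   2. a hashtable with an Add key, because ActiveSyncAllowedDeviceIDs is multi-valued and
#      passing a bare value would replace any IDs already on the allow list.
Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}

# Confirm the allow list, and that the same ID is not still sitting on the block list
Get-CASMailbox -Identity $Mailbox |
    Select-Object ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# If the device ID is not known, read it from the partnerships on the mailbox together with
# the access state Exchange currently assigns to each device
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceID, DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason, LastSuccessSync
```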
Hello, I need to create a permission for our DS team only to enable ActiveSync and modify mailboxes in EAC, nothing else. How can I achieve that?
Deprecated tweak that does what I need: https://github.com/derv82/Exchangent
Basically, my workplace email can only be added to my iOS device via exchange server in mail app settings. They force you to be on iOS 14.5.1 (or latest) in order for the authentication to work. I would like a system wide tweak that spoofs my user agent to say I'm on iOS 14.5.1 (or whatever I specify), this way I can log in and stay authenticated. I would like my exchange emails + calendars to sync properly.
The linked tweak was able to accomplish this on older versions of iOS, maybe you can go through the source code for ideas on how to get this working. I would like this tweak to target iOS 14.3.
Hello everyone. I replaced a wildcard cert a month ago, but today our old one expired. Now everything is working (OWA, mail) except for mail to phone (ActiveSync). I have gone round and round and I am just not coming up with anything. I replaced the cert a month ago on Exchange, ADFS and ADFS WAP. Can anyone give me any ideas on where I should check? Everything is saying that my certs are current except users' phones (ActiveSync). Please help, I am drowning, thanks!!!!
Hello,
I recently bought an Axim X30 and would like to put some software on it. What's the best/easiest way to get ActiveSync working with Windows 10?
Thanks for your help.
Hey guys,
I know this isn't strictly an Intune question, but the primary reason for wanting to do this is so you can migrate devices to Intune and do Conditional Access. And I'm guessing if you're working on Intune you've worked on a setup like this :).
So question is has anybody given access to on-premise Exchange ActiveSync via Azure App Proxy from the likes of the native iOS Mail client?
I imagine it's possible if you use pass-through authentication in the App Proxy config, but we really do not want to do that as you've mostly exposed your Exchange to the Internet at that point and cannot enforce Conditional Access. Ideally we would like to use AzureAD pre-authentication and then I'd guess Kerberos Constrained Delegation (KCD) from the AAP Connector to Exchange. The native iOS Mail client supports modern auth these days, Exchange and AAP support KCD, so it sounds like it should all work but has anybody tried it or found Microsoft documentation that confirms/denies it should work?
I'm aware that Hybrid Modern Auth (HMA) would be a better way to go here, but it is too complex to implement at this time unfortunately.
Thanks!
Hey all
We are new to hybrid and o365 and have a curious question
Background. We have had external OWA access turned off to our Exchange servers since the Exchange breach. Smart or not, we were moving forward with the plan that any users who needed external mail would be moved to O365. Our MX record still points to our on-prem 3rd party spam/encryption provider we host. Mail still flows directly in to our on-prem servers.
Thus far we
All of a sudden, active sync started working on all of our configured employees phones as soon as we opened up the ports to microsoft. Their mailboxes are still on-prem. When you configure activesync, you point it to our public ip owa.xxxx.com (nat'd to our on-prem exchange servers). Why would activesync suddenly start working? Our firewalls see no traffic from the employee's public ip listed on the phones when using activesync
Why does activesync suddenly work? And is it somehow going through microsoft's public IPs to our exchange environment?
Sorry this sounds confusing but help is appreciated.
Hello,
I have been trying to decrypt active sync traffic via wireshark using the private key for the server cert but it seems to not want to. I have tried with IMAP and POP3 and it worked fine. All of them use a non (EC)DHE ciphersuite. Any ideas on how to accomplish that?
In light of the China OWA hack, admin is looking to turn off OWA access from the internet.
I easily did this in knee jerk fashion by just turning off the 443 port forward in my firewall, which also took out mobile phones.
We have users who access OWA internally and want to keep that. Is there a way to accomplish this? I was thinking there was an IIS entry to deny IP traffic from any public IP to OWA page but I'm not seeing it.
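One way to do what this post asks, as an added example (not from the post): IIS IP and Domain Restrictions on the OWA and ECP virtual directories of the Exchange front-end site, so only internal address ranges can reach them while Microsoft-Server-ActiveSync stays reachable for phones. It assumes Exchange 2013 or later with the client-facing site named "Default Web Site", and uses 10.0.0.0/8 as a placeholder for the internal range.

```powershell
# Added example, not from the original post. Assumes the client-facing IIS site is "Default Web Site"
# and that 10.0.0.0/8 is the internal range (placeholder; adjust to your network). Run elevated on
# each server that fronts OWA.

# The rule set the poster could not find is the "IP and Domain Restrictions" role service;
# it is not installed by default, which is why the option is missing from IIS Manager.
Install-WindowsFeature Web-IP-Security
Import-Module WebAdministration

$Site     = 'Default Web Site'
$Filter   = 'system.webServer/security/ipSecurity'
$Internal = @(
    @{ ipAddress = '10.0.0.0'; subnetMask = '255.0.0.0' }
)

# Restrict OWA and ECP (the admin portal shares the OWA login form and should not be public either);
# Microsoft-Server-ActiveSync is deliberately left alone so phones keep working.
foreach ($vdir in 'owa', 'ecp') {
    $loc = "$Site/$vdir"
    # Deny every address that is not explicitly listed (i.e. the public Internet) with a 403
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
        -Filter $Filter -Name allowUnlisted -Value $false
    foreach ($range in $Internal) {
        Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
            -Filter $Filter -Name '.' -Value @{
                ipAddress  = $range.ipAddress
                subnetMask = $range.subnetMask
                allowed    = $true
            }
    }
}

# Verify: allowUnlisted should be False and the internal range listed for each vdir
foreach ($vdir in 'owa', 'ecp') {
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$vdir" -Filter $Filter |
        Select-Object @{ n = 'VDir'; e = { $vdir } }, allowUnlisted
    Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$Site/$vdir" -Filter "$Filter/add" |
        Select-Object ipAddress, subnetMask, allowed
}
```

If a reverse proxy or load balancer sits between the firewall and Exchange, IIS sees its address rather than the client's, so the restriction has to be enforced on that device instead. Exchange cumulative updates recreate the virtual directories, so re-check these settings after each CU.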
Hi,
is anybody using SOGo with ActiveSync? What's your experience? Is it reliable/stable for you? Especially with Outlook 2016 as client.
Thanks!
Confused by the documentation that says to no longer use ActiveSync, since the commands we use to set up mobile policies have the word "ActiveSync" in their name. The EAC site also uses "ActiveSync" on one of the pages under the Mobile page, and Microsoft documentation on the other page still shows the word ActiveSync.
What technology is used by the Outlook mobile apps to implement the controls on the device like requiring a password, password length, etc.? Or did ActiveSync never implement the controls and just asked the phone to do so and I just equated the two?
Wrote a quick blog post on using more than just the SEG service to protect Exchange. If you want the tldr... Use UAG to protect Exchange. SEG and Tunnel for managed devices. Authenticated Reverse Proxy for unmanaged device access.
https://www.virtualjpr.com/2021/03/using-workspace-ones-secure-email.html
Over the course of the last hour a ton of our users that use the Outlook app (both iOS and Android) are getting quarantined in Exchange. These devices were already approved and were receiving email up until they popped the quarantine again.. We're not seeing any updates happening to the app itself (as that does often re-trigger a quarantine). Not seeing anything posted up in the 365 admin center or the MS365 Twitter, but that's always a day late and a dollar short anyways.
Because the native Outlook Calendar is rubbish, I use aCalendar+ for calendar management on my Android OS 10 phone. However, recently, the syncing of my work MS 365 calendar (enrolled in Endpoint) stopped working, whilst calendars from another non-Endpoint MS 365 account continued to sync.
The change seems to have coincided with this notice from my IT Department (the one hosting the MS 365 Endpoint account):
>In alignment with the direction of global leadership, Tech (IT) has been retiring legacy apps and services in favor of more standard, secure, and up-to-date solutions as part of our global strategy to enable us to strengthen our security posture to keep our data, and our clients' data protected.
>
>ActiveSync is an application developed by Microsoft in the late 90s. Its intended use was to synchronize your email & calendaring functions. You may not be aware that the ActiveSync service is synchronizing your email and calendaring functions, because it works in the background. Microsoft will soon be discontinuing support of ActiveSync and recommends the use of their Outlook app which uses a modern authentication method.
>
>You have received the e-mail message as system logging indicates you are still making use of the ActiveSync service. Per February 1, 2021, ActiveSync will be disabled at our company. The Microsoft Outlook app can be used to continue to access your email and calendar information from your device.
>
>Outlook will help you to work efficiently with email, calendars, contacts, tasks, and more - together in one place. The Outlook app is our recommended app and available for all main platforms, installed by default on all our PCs, and can be installed from the provided links below.
>
>If for some reason you need an alternative email client, please update to a version that supports a modern way of authentication.
The date my MS 365 Endpoint calendar stopped syncing is roughly in line with this notice above.
I seem to recall that in the past I had used a dedicated "Exchange Sync" or "Active Sync" app from the play store to enable aCalendar+ to sync my Exchange calendars with it, however that app seems to have disappeared from the Google Play Store.
Do you have any thoughts on restoring sync functionality of Endpoint-enrolled MS 365 accounts to non-Outlook calendars on Android phones?
We recently moved from Airwatch to Intune. During this, some folks had been allowed ActiveSync through manual unquarantine methods.
We've now created a system that allows for a much more hands off approach for iOS and Android, but we need people to enroll properly. Is there an easy way to go prune devices that aren't Intune enrolled completely?
So I have semi-default Office 365 Exchange Online install (no local Exchange Servers, but local AD syncing to Azure AD) and full access to my web host.
I am seeing multiple requests for domain.com/autodiscover/autodiscover.xml in my website logs. With Office 365 Exchange Online, obviously this file doesn't need to (and shouldn't) exist.
Coming from Outlook clients, this is the last step before requesting autodiscover.domain.com which accesses a Cname for autodiscover.outlook.com. The cname is functional, and the outlook clients are happy. Based on http://www.mistercloudtech.com/2015/12/08/how-to-resolve-slow-office-2016-autodiscover-with-office-365/ I have added the ADMX files and setup a GPO to change Outlook's default behavior to "Exclude the root domain query based on your primary SMTP address" which gives the client an extra speed boost to access the data from O365 that they need.
Reviewing the logs further, I am seeing additional requests from mobile clients, many of them Android. I have employees with droids so this is expected. Digging into this, it appears that various Active Sync clients routinely request domain.com/autodiscover/autodiscover.xml and at least on initial setup fail to autoconfigure if they don't find the file they are looking for.
Question Time:
- With the understanding that I have full control of my webserver how can I make the initial setup phase for droid email clients more automagical?
- For the ongoing requests would a 301 redirect of /autodiscover/autodiscover.xml to somewhere in Office 365 land be helpful? If so where?
- If not, is there a specially crafted autodiscover.xml that I could create to basically tell the ActiveSync clients to look at Office 365? If so how do I create this file?
I have an issue with encrypting messages on mobile devices via ActiveSync due to the recipient's public key being issued with a different domain. We are using MobileIron and Email+ and their engineers are stumped as to what could resolve this for us.
Example of the error: I am not an MS Exchange admin so have explained this as I see it; the flow of the requests may actually be slightly different.
Email drafted to Joe@lab.dev & Email+ attempts to encrypt
An ActiveSync ResolveRecipients request with a CertificateRetrieval option is sent from the mobile device to the ActiveSync Sentry
ActiveSync Sentry passes ResolveRecipients request to Exchange
Exchange finds Joe's mailbox and makes a request to Active Directory for a public key to encrypt the message with, using the email address(es) associated with the account
Active Directory looks up the published cert on the account for Joe
Domain account for Joe has a published public key certificate as Joe@Prod.com
Active Directory responds that the only published cert on the account does not match any of the email address(es) provided
Exchange responds no valid certificate found
ActiveSync Sentry responds no valid certificate cannot encrypt
Email + displays an open lock and will not encrypt the message
Below is an excerpt of the error in the logs captured via OWA
As I understand, it is the status "7" near the end that equals no valid certificate found
RequestBody :
<?xml version="1.0" encoding="utf-8" ?>
<ResolveRecipients xmlns="ResolveRecipients:">
<To bytes="24"/>
<Options>
<CertificateRetrieval>2</CertificateRetrieval>
<MaxCertificates>99</MaxCertificates>
<MaxAmbiguousRecipients>0</MaxAmbiguousRecipients>
</Options>
</ResolveRecipients>
AccessState :
Allowed
AccessStateReason :
Global
ResponseHeader :
HTTP/1.1 200 OK
MS-Server-ActiveSync: 15.1
ResponseBody :
<?xml version="1.0" encoding="utf-8" ?>
<ResolveRecipients xmlns="ResolveRecipients:">
<Status>1</Status>
<Response>
<To bytes="24"/>
<Status>1</Status>
<RecipientCount>1</RecipientCount>
<Recipient>
Any ideas or resources on how to diagnose and resolve these issues would be helpful!
Thank you in advance.
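A way to check the mismatch this post describes, as an added example (not the post's or MobileIron's code): it pulls the certificate published on Joe's AD account, reads the e-mail addresses the certificate carries, and compares them with the SMTP addresses on the mailbox, which is the comparison that ends in the "no valid certificate" result quoted above. It assumes the ActiveDirectory module and an Exchange management session on the same host; "Joe" stands in for the real account name.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and an Exchange
# management session; 'Joe' is a placeholder for the account in the post.
$Account = 'Joe'
$user = Get-ADUser -Identity $Account -Properties userCertificate

# Every SMTP address Exchange treats as belonging to this recipient (primary and secondary)
$mailboxAddresses = (Get-Mailbox -Identity $Account).EmailAddresses |
    Where-Object { $_ -like 'smtp:*' } |
    ForEach-Object { ([string]$_ -replace '^smtp:', '').ToLowerInvariant() }

foreach ($raw in $user.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    $certAddresses = @()

    # RFC822 names are carried in the Subject Alternative Name extension (OID 2.5.29.17)
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'RFC822 Name=(.+)$') { $certAddresses += $Matches[1].Trim().ToLowerInvariant() }
        }
    }
    # Older CAs put the address in the subject as E=...
    if ($cert.Subject -match 'E=([^,]+)') { $certAddresses += $Matches[1].Trim().ToLowerInvariant() }

    # Exchange only hands back a certificate whose address matches one of the recipient's addresses
    $usable = @($certAddresses | Where-Object { $mailboxAddresses -contains $_ }).Count -gt 0
    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        CertAddresses    = $certAddresses -join ';'
        MailboxAddresses = $mailboxAddresses -join ';'
        Usable           = $usable   # False is the post's situation: Joe@Prod.com vs Joe@lab.dev
    }
}
```

A Usable value of False means Exchange will not return the certificate to the ResolveRecipients request; the fix is either to add the certificate's address (Joe@Prod.com in the post) as a secondary SMTP proxy address on the mailbox, or to reissue the certificate with the mailbox's address in its SAN.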
I have ONE mailbox on an on-prem Exchange 2016 server (CU19) that won't show most images or attachments since roughly the start of this week. This happens in Outlook 365 on multiple machines, as well as OWA on multiple machines, as well as iOS mail app. On the iOS mail app, some work, some don't, some stop working after initially looking fine (Cached?)
This appears to be happening on old and new emails, and images in question are generally in-line. Source shows CID on these broken images. Generally just getting the red X. Seems NO attachments are working, but can usually see them in iOS.
Ran a repair of the mailbox, no change. Rebooted the server, no change. Moved the mailbox to a different database, no change.
Anyone ever seen anything like this?
I understand that I can disable ActiveSync for existing users by running these commands:
Get-Mailbox | Set-CasMailbox -ActiveSyncEnabled $False
But is there a way to disable at organisation level so new accounts are also ActiveSync disabled?
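One answer to the question above, as an added example (not the poster's commands): in Exchange Online the CAS mailbox plan is the template new mailboxes are created from, so switching ActiveSync off there covers new accounts, and the organisation-wide device default covers anything that slips through. It assumes a connected Exchange Online PowerShell session; the CAS mailbox plan cmdlets do not exist on-premises, where only the last two settings apply.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has already been run.

# Per-mailbox, which is what the post already does (existing mailboxes only)
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncEnabled $false

# Tenant default: the CAS mailbox plan is applied to every mailbox at creation time, so with
# ActiveSync off here new accounts start out disabled as well (Exchange Online only)
Get-CASMailboxPlan | Set-CASMailboxPlan -ActiveSyncEnabled $false

# Organisation-wide device default: any device not explicitly allowed is blocked, so an account
# that somehow ends up enabled still cannot pair a new device (works on-prem too)
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# Verify: mailboxes where ActiveSync is still enabled, plus the plan and organisation settings
Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true } |
    Select-Object DisplayName, PrimarySmtpAddress, ActiveSyncEnabled
Get-CASMailboxPlan | Select-Object Name, ActiveSyncEnabled
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel
```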
I have been searching and searching and can't seem to find anyone else talking about it. On the most recent update to Pogo, Android 11 (I have a Pixel 4XL), ActiveSync now requires Location permission "Allowed All The Time" where before the update ActiveSync worked just peachy with "Allowed Only While In Use".
Has anyone else noticed this? Why the change?