VMware Workspace ONE Community
Bobby2234
Enthusiast

Apple ID restrictions and Exchange ActiveSync

Morning - 

We are switching all of our devices over to DEP, and within the new profiles I have the restriction 'Allow Account Modification' disabled. This disables the user from logging into Apple with an ID. The problem here is that it also disables the user from updating their password within their email account in Exchange ActiveSync. This is a deal breaker due to the users' password expiring every 90 days, so we now have this enabled and users can log in to Apple. We don't want users to log in because it causes confusion and opens us up to company data getting off our network. Has anyone had this issue and figured out a workaround? I reported it to AirWatch but they had no suitable option and opened up a feature request. Speaking of, how do I check the status on those?

Thanks for any help

Accepted Solutions
chengtmskcc
Expert

Bobby, I understand your frustration as I went through the same ordeal even with professional services.

In any case, check out my blog post on this set up here and let us know what issue you are facing.

https://goo.gl/r66ZGR

21 Replies
Stansfield
Enthusiast

The only solution I know of is to use Kerberos for your email.


Bobby2234
Enthusiast

Stephen - Thanks for the reply. I just saw this solution in a YouTube video. Is there a guide for this setup?

Thanks
Bobby2234
Enthusiast

After searching a bit, this doesn't appear seamless. Staff will still be able to get their email off the domain, correct? I saw this post:

https://support.air-watch.com/posts/115000517488

Opening up more failure points makes me a bit nervous, but users not having to enter the password would be a great feature. I just would like to know that it would work as easily as it does now with ActiveSync, and as reliably.
CharlieVoissem
Contributor

Can you enable OWA / 'Outlook on the Web' for these users? They could change passwords through that, leaving the phone interaction alone.
Bobby2234
Enthusiast

Thanks for the response, Charlie, but we have that enabled and it will not help the situation. The password on the phone remains constant until the user updates it. So the problem is not resetting the password, it's updating it on the phone. Adding the restriction to disable Apple ID logins disables the ability to update the password on the phone. It semi-blows my mind that there is no fix for this but... that's AirWatch for ya.

Bobby
LukeDC
Expert

It's really not Airwatch limiting you, it's Apple 😉 AW only does what Apple lets them do.
Bobby2234
Enthusiast

Understood... But the huge potential for a DLP breach here would make you think this would have been addressed a long time ago. Some kind of workaround should be easily implemented until Apple fixes their side.

If anyone could link me to the proper setup of certificates for email, that would be great. Support is clueless when I call. Curious about the advantages and disadvantages of setting this up?
LukeDC
Expert

Certs would allow you to provision and get mail running without any interaction from the user; you push the profile down and mail starts flowing.

https://docs.vmware.com/en/VMware-AirWatch/9.2/vmware-airwatch-guides-92/GUID-AW92-CertificateManage...
Bobby2234
Enthusiast

Luke - Thank you!
mikemeiter
Contributor

I have been running DEP for over a year with solid success with ActiveSync, the iPhone native email app and lockdown of the account.
Exchange ActiveSync sessions do not expire immediately when passwords in AD expire. The session token can live up to 24 hrs.

https://blogs.technet.microsoft.com/messaging_with_communications/2012/06/26/part-i-disabled-account...

When the session does expire, the email client will prompt for new password.

I also created a device tag / assignment group pairing specifically to remove some restrictions. Our 24-hour service desk will assign the tag, then walk the user through resetting the password, or whatever else you may need to expose. Once work is completed, remove the tag.
chengtmskcc
Expert

Luke, how's your suggestion different from certificate-based authentication with SEG (Kerberos Constrained Delegation)? Or does your suggestion work if SEG is not used?
Bobby, KCD with SEG will keep your users very happy as they would no longer be required to change their AD passwords on their devices whenever the same passwords are changed on their computers. I wrote a blog about the setup to be published soon.
AmitLele
Contributor

A content filter iOS profile should be able to block the Apple account URL. That way the users will not be able to log in.
chengtmskcc
Expert

Amit, I believe your suggestion only works for Safari.
AmitLele
Contributor

Potentially, I haven't tested it. But if it is only limited to Safari then the content filter profile is not the solution/workaround. Thanks for pointing it out, Thomas.
Bobby2234
Enthusiast

Thomas, thanks for your follow-up. One thing I wasn't quite sure on is whether SEG was required. I pretty much try to make any changes in the system that do not require work or approval from other departments. If I have to set up SEG, it looks like I will have to get other departments involved with several network changes. I try to avoid this so I can get a quick solution. I set up the certificate two weeks ago on a test device and got it to install. Problem is, mail is not flowing. When I contacted support, the response was:

1. As you're not using a SEG server and the certificate is installed from AirWatch, there is nothing to check from our end because your device is presenting the certificate to the Exchange server; please check with the Exchange team whether the necessary settings are enabled on the Exchange CAS server for ActiveSync connections.
2. Follow the KB article from Microsoft for certificate-based authentication: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-certific...

That said, it doesn't sound like SEG is required? If installing SEG is the correct and best-practices way to go, I am all for it. I'd much rather it be secure if that is the best way. I look forward to your response and blog.

Bobby2234
Enthusiast

Another note... From the link support provided: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-certific...

Does a SEG do all this for you?  I'd much rather install the SEG, if that's the case.

Thanks
chengtmskcc
Expert

The primary function of a SEG is to protect your Exchange infrastructure. Instead of allowing your devices to connect to your Exchange directly for EAS connectivity, they will instead connect through the SEG in front of your Exchange. Within the SEG, you can set policies to ensure only enrolled and compliant devices can access the mailbox. You can also set additional policies to restrict attachment types as well as the mail clients that can access the mailbox. Without the SEG, and based on your Microsoft KB, you can also set up certificate-based authentication, except the legwork is within Exchange. Like Luke mentioned previously, you will only configure and deploy the cert to your devices with AirWatch, and yes, you can proceed without the SEG.
I am in the same boat now where introducing new technology involves multiple teams. I can imagine the challenge but I think in the end it's all worth the extra mile for the end users.
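The thread's core problem is a profile-level interaction: the restrictions payload turns off account modification, while the Exchange ActiveSync payload still relies on a stored password that the user can no longer update. The script below is an added example (not code from the thread, AirWatch or Apple) that parses an iOS .mobileconfig with Python's standard plistlib and flags that combination before the profile is pushed. The payload types and keys used (com.apple.applicationaccess with allowAccountModification, com.apple.eas.account with PayloadCertificateUUID, Host and UserName) are Apple's documented configuration-profile keys; the sample profile, hostnames, user names and UUIDs are constructed placeholders.

```python
"""Added example: check an iOS configuration profile for the restriction/EAS
interaction described in the thread.

Two questions a practitioner would want answered before pushing a DEP profile
with 'Allow Account Modification' disabled:
  1. Is allowAccountModification turned off in the restrictions payload?
  2. Does the Exchange ActiveSync payload authenticate with a client
     certificate (PayloadCertificateUUID) or with a stored password?
If 1 is true and 2 is password-based, users cannot update the mailbox
password on the device once it expires.
"""
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Apple restrictions payload type
EAS = "com.apple.eas.account"                 # Apple Exchange ActiveSync payload type


def build_sample_profile(cert_auth: bool, allow_account_modification: bool) -> bytes:
    """Construct a minimal profile (constructed sample; identifiers are placeholders)."""
    eas_payload = {
        "PayloadType": EAS,
        "PayloadIdentifier": "example.eas",                   # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "PayloadVersion": 1,
        "Host": "mail.example.test",                          # placeholder host
        "UserName": "jdoe",                                   # placeholder user
        "EmailAddress": "jdoe@example.test",                  # placeholder address
    }
    if cert_auth:
        # Certificate-backed EAS: the device presents a client cert, no password stored.
        eas_payload["PayloadCertificateUUID"] = "00000000-0000-0000-0000-0000000000aa"
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.profile",               # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
        "PayloadVersion": 1,
        "PayloadContent": [
            {
                "PayloadType": RESTRICTIONS,
                "PayloadIdentifier": "example.restrictions",  # placeholder
                "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
                "PayloadVersion": 1,
                "allowAccountModification": allow_account_modification,
            },
            eas_payload,
        ],
    }
    return plistlib.dumps(profile)


def assess_profile(plist_bytes: bytes) -> dict:
    """Parse a .mobileconfig and report whether the password-update dead end exists."""
    profile = plistlib.loads(plist_bytes)
    by_type: dict = {}
    for payload in profile.get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), []).append(payload)

    # Apple's default for allowAccountModification is true when the key is absent,
    # so only an explicit false counts as a lockdown.
    account_mod_allowed = all(
        p.get("allowAccountModification", True) for p in by_type.get(RESTRICTIONS, [])
    )
    eas_payloads = by_type.get(EAS, [])
    cert_backed = [bool(p.get("PayloadCertificateUUID")) for p in eas_payloads]
    password_based_eas = any(not c for c in cert_backed)

    return {
        "account_modification_allowed": account_mod_allowed,
        "eas_payloads": len(eas_payloads),
        "eas_all_cert_backed": bool(eas_payloads) and all(cert_backed),
        # The conflict from the thread: locked accounts plus password-based EAS.
        "password_update_blocked": (not account_mod_allowed) and password_based_eas,
    }


if __name__ == "__main__":
    for cert, allow in ((False, False), (True, False), (False, True)):
        report = assess_profile(build_sample_profile(cert, allow))
        print(f"cert_auth={cert} allow_account_modification={allow} -> {report}")
```

Run it against an exported profile by replacing the constructed sample with `assess_profile(open("profile.mobileconfig", "rb").read())`; a signed profile must be unwrapped from its CMS envelope first, which this example does not do.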
Bobby2234
Enthusiast

Set up the SEG and it's not testing correctly. I contacted them for support and they say I need to pay to get it fixed.

I have submitted three tickets over the last two months that are not fully resolved. I’ve easily spent 30+ hours on the phone. So frustrated with support.