VMware Workspace ONE Community
HERNDONBRENT
Contributor

Exchange ActiveSync service has quarantined mobile phone

Folks,
We recently upgraded to version 9.6.0.8. And it seems since then when an iPhone is enrolled in AirWatch we are now having the phone show in a quarantined/block state in Exchange ActiveSync. We are NOT having any problems with Androids. The workaround at the moment is to go into Exchange and ALLOW the device. I am starting to research the issue and figured before I spent a bunch of hours on the web I would inquire to see if anyone in the community has come across this issue. This is just isolated to the iPhones.
0 Kudos
14 Replies
cpatterson84
Enthusiast

Have you always had quarantine enabled in ECP? That's an Exchange feature. Navigate to ECP -> Mobile -> Click Edit on the right -> Your options are located here to enable/disable quarantine when a mobile device hits active-sync. We have it enabled in our organization so people can't enroll any device. Check with your Exchange Admin. Hope this answers your question.
0 Kudos
BethC
Hot Shot

It's isolated to iOS devices. Happens to me too. Depending upon how you have Exchange set up for blocking devices that ping the server too many times (thinks it's someone trying to brute force their way in), it can happen often.
0 Kudos
HERNDONBRENT
Contributor

We do use quarantine to help prevent folks from trying to enroll personal phones, but it has been running smoothly until we updated to the newer version. Now just any iPhone is coming up blocked/quarantined. I will do some more checking.
0 Kudos
HERNDONBRENT
Contributor

Elizabeth... did you do some change or fix on your end?
0 Kudos
BethC
Hot Shot

I usually delete the device from the Exchange side and let it reestablish the connection. But we use cert-based authentication so not sure what your setup is. It's not the console version either because it's been going on since 2014 back on version 7.2. It's definitely the Exchange trying to defend itself. You can also remove the email profile from the device and push it back out after deleting the association on the Exchange side. Usually doesn't come back afterwards. Seems to happen more with AT&T and Sprint devices than any other carrier. Sorry!
0 Kudos
HERNDONBRENT
Contributor

New update... seems our Androids are affected too. Just found out that when our Android phones are being enrolled and they go to authenticate to AirWatch Inbox it is saying authentication failed. Seems that the ActiveSync is not switching to enabled in the enrollment process. Anyone seen that as well?
0 Kudos
LukeDC
Expert

Have you checked your PowerShell MEM config? Maybe the service ID being used expired or the password is not working?
0 Kudos
HERNDONBRENT
Contributor

The workaround at the moment is to go into Exchange Management Console and go into the Properties of the person's mailbox, go to Mailbox Features and manually enable it.
0 Kudos
HERNDONBRENT
Contributor

NEW UPDATE! It appears BOTH Android and iPhone are having problems when they go to enroll into AirWatch and they do NOT already have ActiveSync enabled. If we have a current iPhone or Android user that is upgrading to a new phone and they already have ActiveSync enabled from their prior phone they do not have a problem with ActiveSync. But if they are a NEW AirWatch user and they go to enroll, ActiveSync is supposed to enable itself, but it does NOT. We actually have to go into Exchange and under Mailbox Features we have to enable ActiveSync. Seems this started AFTER we upgraded to 9.6.0.8. Any new thoughts?
0 Kudos
ThomasCheng
Enthusiast

I never heard of not enabling ActiveSync on user's mailbox before he/she can set up ActiveSync with or without AirWatch or any sort of MEM solution. Did you have maybe some sort of device rule to allow bypass? Or is your Exchange configured to accept ActiveSync only from your AirWatch server(s)?
0 Kudos
HERNDONBRENT
Contributor

Elizabeth C. --- We checked our Exchange server and were not seeing any bad password attempts from any of the recent users. The thing about all this was we were not getting these issues until after the upgrade to 9.6.0.8. Seems now every iPhone that is enrolled we get a blocked device. May have to open a ticket with AirWatch.
0 Kudos
BethC
Hot Shot

Herndon, I agree. It has reached that level that you will definitely need some help with it. I haven't experienced the issue that broadly before. I wish you luck and a speedy resolution.

Beth
0 Kudos
HERNDONBRENT
Contributor

I am working with an AirWatch Tech (have not been very impressed at the moment) and I sent the below info about the situation as of today. Figured I would post this again to see if anyone has come across this lately after an upgrade:

In doing some more testing I determined the following:
I enrolled a Samsung Galaxy S7 into AirWatch and it enrolled with no issues! This was with ActiveSyncBlockedDeviceId and ActiveSyncAllowedDeviceId being empty/clear.
I did NOT receive any quarantined message about this device and received emails with NO ISSUE on the phone.

I enrolled an iPhone 7 into AirWatch and I get the email that it enrolled into AirWatch. However, since the ActiveSyncAllowedDeviceID was empty prior to enrolling this device I ended up getting an email saying the device was quarantined. I had to go into Exchange and ALLOW the device. Once I did that I was able to get email delivered to the iPhone.

So the issue appears to be ONLY with iPhone devices. This ONLY started happening after we upgraded AirWatch.
0 Kudos
HERNDONBRENT
Contributor

How are you guys handling rules/PowerShell configs for iOS devices in respect to allowing/blocking iOS devices based on if they are coming through AirWatch or 'trying' to come through ActiveSync (which like most places are probably blocking so they do not try to configure personal phones for company email)? We seem to have only an issue on our iOS devices but not our Android devices. As stated this all occurred after our upgrade to 9.6.0.8. Waiting to hear more info from AirWatch Tech but it has been slow and painful.
0 Kudos
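
The checks discussed in this thread (organization quarantine default, per-mailbox ActiveSync switch, allowed/blocked device IDs) can be read in one pass from the Exchange Management Shell. The following is an added example, not part of any post above and not AirWatch or VMware code; the function name `Get-EasEnrollmentReport` and the sample mailbox are hypothetical, and it assumes Exchange 2013 or later (on Exchange 2010 `Get-ActiveSyncDevice` takes the place of `Get-MobileDevice`).

```powershell
# Added example: read-only checks for the Exchange Management Shell.
# Get-EasEnrollmentReport and the mailbox name in the last line are hypothetical.
function Get-EasEnrollmentReport {
    param([Parameter(Mandatory)][string]$Mailbox)

    # Organization-wide default (Allow, Block or Quarantine) applied to a
    # device when no access rule and no per-mailbox entry matches it.
    $org = Get-ActiveSyncOrganizationSettings

    # Per-mailbox switch plus the personal allow/block device ID lists.
    $cas = Get-CASMailbox -Identity $Mailbox
    if (-not $cas.ActiveSyncEnabled) {
        Write-Warning "ActiveSync is disabled on $Mailbox; no device can sync until it is enabled."
    }

    # Device access rules, which match on characteristics such as DeviceType
    # or DeviceModel and take precedence over the organization default.
    Get-ActiveSyncDeviceAccessRule |
        Select-Object Name, Characteristic, QueryString, AccessLevel |
        Format-Table -AutoSize | Out-Host

    # One row per device partnership with the reason Exchange recorded.
    # DeviceAccessStateReason: Global = organization default,
    # DeviceRule = a device access rule, Individual = per-mailbox list.
    foreach ($d in @(Get-MobileDevice -Mailbox $Mailbox)) {
        [pscustomobject]@{
            Mailbox           = $Mailbox
            ActiveSyncEnabled = $cas.ActiveSyncEnabled
            OrgDefaultAccess  = $org.DefaultAccessLevel
            DeviceType        = $d.DeviceType
            DeviceModel       = $d.DeviceModel
            DeviceId          = $d.DeviceId
            AccessState       = $d.DeviceAccessState
            AccessStateReason = $d.DeviceAccessStateReason
            MatchedRule       = $d.DeviceAccessControlRule
            InAllowList       = $cas.ActiveSyncAllowedDeviceIDs -contains $d.DeviceId
            InBlockList       = $cas.ActiveSyncBlockedDeviceIDs -contains $d.DeviceId
            FirstSync         = $d.FirstSyncTime
        }
    }
}

# Hypothetical mailbox; compare a quarantined iPhone with a working Android.
Get-EasEnrollmentReport -Mailbox 'jdoe@example.com' | Format-List
```

Running it for one affected iPhone user and one unaffected Android user shows whether the quarantine comes from the organization default, a device rule, or a missing allow-list entry.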