This is fairly normal behavior. The workaround we've put in place is to allow the Boxer client IDs at the Exchange level. Since we know Boxer will be coming in as managed (both in MDM and standalone scenarios), this is approved from our security team.