Sysadmin Lab

My lab environment and my findings

bookmark bookmark
Admin On June - 30 - 2010

Updated 2nd July 2010: Clarified the alphanumeric password description.
Updated 1th July 2010: Added that iPhone supports password expiration.
Updated 27th August 2010: Changed "Enforce password history" since it works (Thanks Hans and Doctor Osos).

There has been a lot of discussion regarding the iPhone and the support for the EAS (Exchange ActiveSync Policies). With the new iPhone OS 4.0 out, I decided to test the policies out in my lab. Please feel free to comment if I got something wrong or if your tests have turned out differently.

In my previous tests, I have noticed that EAP is very picky about versions so please keep in mind that I tested this on Exchange 2007 (SP1), running through a TMG 2010, behind a Cisco ASA and iPhone OS 4.0 (running on an iPhone 3GS).

General tab


  • Allow non-provisionable devices - Easily put, if you select this, you don't care about checking the policies on the phone at all. In short, Exchange will ask the phone if it supports the policies. If the phone is old or doesn't support EAS at all, Exchange will let is sync anyway.
  • Refresh interval (hours) - How often the mobile phone checks for updates of the policy. Default seems to be "Unlimited" and the Experts Exchange discussion also creates some confusion. My experience says that whenever you sync it will check if the policy has been updated.

Password tab


  • Require alphanumeric password & Minimum number of complex characters - Works! A complex character is any character that is not a letter. If you put the minimum to 1 you need to have at least 1. Otherwise you'll get an errormessage: "Enter a strong passcode with 5 or more letters/numbers and one special character (#&!)". And yes, if you set the policy to 9 charactes and 2 complex characters, the iPhone will tell you that!
  • Enabled password recovery -  Doesn't work. In case the user forgets their passcode, this article explains how password recovery works. However, when I click Display Recovery Password in OWA, I get "No password is available".
  • Require encryption on the device - Works!
  • Require encryption on the storage card - Works!
  • Allow simple password - Works! This setting enables or disables the ability to use a simple password such as 12345. If a user tries to put "12345" you will get the errormessage "The passcode must not have ascending or descending characters". If they try "11111" you get "The passcode must not have repeating characters".
  • Number of failed attempts allowed - Works! However, I haven't been able to test it live yet but I can see in the iPhone that it has auto-erase switched on after the amount of retries I specified in the policy.
  • Minimum password length - Works! If they enter a too short password, you get "The passcode must be longer". Note that if you select just numbers as a passcode the pad that the iPhone displays gets much bigger and easier to unlock the device after autolock.
  • Time without user input before password must be re-entered (in minutes) - Works! But since the iPhone in general doesn't support more than 5 mins before autolock, it doesn't matter if you put it to 10 mins, it will then be set to 5 mins.
  • Password expiration (days) - Works! It asks you to renew your password after the number of days you have entered here.
  • Enforce password history - Works! If I put it to remember 5 passwords, I can't re-use any of the last 5 passwords.

Sync Settings tab


  • Include past calendar items - Doesn't work. Even if you set the policy to only allow past two weeks items the iPhone will let the user configure and sync older items, like past 3 months.
  • Include past e-mail items - Works! When you set the policy to only allow for example the past 3 days, the iPhone GUI doesn't allow you to select to sync and older e-mails than what the policy says. If you change this in the future, the iPhone will force the user to what you set in the policy if you increase or decrease it. But if the user, after this, decide to lower the number of days - it will work and the policy will not force the iPhone back to the policy.
  • Limit message size to (KB) - Doesn't work. Even though i limit it to 5 kB, it will download and read e-mails that are huge (just text, not including attachments).
  • Allow synchronization when roaming - Sorry, haven't been able to test this yet.
  • Allow HTML formatted e-mail - Doesn't work. It allows HTML mails to be read (with images downloaded if they're external) without any problem.
  • Allow attachments to be downloaded to the device - Doesn't work. It will let you download attachments no matter what. Also, see below.
  • Maximum attachment size (KB) - Partly works (?). If you receive an e-mail with a attachment with a larger size (in my example I allowed max 250 kB and sent a 1,6 MB PDF file) than allowed you will see the attachment but if you click it, nothing will be downloaded. It will simply show download in progress. But at the bottom the e-mail see a button "Download complete message" and this works. If this is an iPhone bug or just my lab environment, I don't know. If someone can confirm this behavior, please comment!

Device tab


  • Allow removable storage - N/A. I would say there is no removable storage on iPhone.
  • Allow camera - Works! It simply removes the Camera icon from the iPhone.
  • Allow Wi-Fi - Doesn't work. Still possible to connect to Wi-Fi networks even though we disable it in the policy.
  • Allow infrared - N/A since no infrared device on iPhone.
  • Allow Internet sharig from the device - Sorry, haven't been able to test this yet.
  • Allow remote desktop from the device - Since a RDP client is not included in iPhone OS, I hardly think this policy will make any difference.
  • Allow synchronization from a desktop - I would guess that this is aimed at Microsoft ActiveSync or the Windows Mobile Device Center. Since iPhone only uses iTunes I don't think this policy will have any affect. Any tried it?
  • Allow Bluetooth - Doesn't work. Even though I completely try to disable Bluetooth, it's still possible to enable it.

Advanced tab


  • Allow browser - Works. It simply removes the browser icon from the iPhone.
  • Allow consumer mail - Even though I disabled this, the Gmail account configured continued to work and if you wanted to add a new e-mail account, you could still add mobileMe, Gmail, Yahoo, AOL and Other accounts.
  • Allow unsigned applications - Doesn't work. I suspect this only works on Windows Mobile since there's no such thing as signed apps on iPhone. Maybe if Apple signs them when they add them to AppStore, but on the other hand you can't install apps on a default iPhone that are not on AppStore.
  • Allow unsigned installation packages - See above.
  • Allowed Applications - See below.
  • Blocked Applications - Doesn't work. I tried adding the names of some apps on the iPhone, but they can still be started.
Categories: ActiveSync, Mobile

40 Responses

  1. Great job! This is some really useful information.

  2. John says:

    I am running the exact same setup minus the Cisco and all works fine, haven’t had any problems with OS4,

    But the real question here is, will it work (send mail) on exchange 2010?

    Planning on migrating from 2007 to 2010 tonight and need to know if there is a problem with the iPhone sending mail on Exchange 2010 or not.

  3. Dim says:

    Do you know how to fix the following?

    1. Appending "carets" >>> in Outlook, when replying to a plain text e-mail from iPhone

    2. Appending indented lines, when replying to HTML e-mail from iPhone. This causes previous e-mail thread to shift to right in Outlook.

    To reproduce this please do these steps:

    1. Send a test e-mail to yourself from Outlook (HTML format)
    2. Reply to this e-mail from iPhone.
    3. Continue replying to this e-mail from iPhone

    In Outlook you will see previous e-mail threads shifting to right after each subsequent reply.

    Please help me to resolve this issue.

    Thank You

  4. Admin says:

    Haven't tested ALL policies but I know Exchange 2010 is working with iPhone 3.x anyway. I will go ahead and test everything below on Exchange 2010.

  5. Admin says:

    I just tried what you suggested and yes - I get the same problem? Sorry, I have no fix for this but I get any, I'll make sure to post it.

  6. Russ says:

    Hi, my experiences with the iPhone4, like many IT admins, I get 200+ emails a day. First thing in the morning I check the emails when I get up to make sure there is no critical emails that need my attention. I travel by train for some thirty minutes, and in that time we pass through tunnels and out of network coverage. This is when the iPhone4 (and the others) gets annoying, as I when I try to delete emails, I get a message telling me that "The Server can't be contacted" but the message seems to disappears, only to reappear again when the folder is refreshed. Now tell me, if other activesync mobile providers can get this to work, why can't Apple.

  7. I do a lot of computer repair, and most of it is done remotely. I have tried stuff like remote desktop connection or VNC but teamviewer comes out on top all the time. My client can just run the portable version and we are away.

  8. Tom Basham says:

    Hi,
    Thanks for your comment on my blog post. In case you're interested I have posted some updated information about ActiveSync policy compatibility with various devices including the new iPhone and Android OS's. The info is from Apple and Google directly so should be pretty accurate.

    http://refraction.co.uk/blog/2010/07/19/android-and-iphone-exchange-activesync-policies/

    Tom

  9. John says:

    Hi,
    Do you know if it's possible to access a shared mailbox (with disabled AD account) using the native exchange mailbox on iPhone4? OWA works through Safari for the shared mailbox, but using activesync seems to be a whole other beast.

    Thanks,
    John

  10. Admin says:

    That's an excellent overview. Thanks!!

  11. Admin says:

    Yeah, have the same problem. Or when you travel on an airplane and want to spend some time clearing out your mailbox but you can't do it since iPhone don't allow offline access to your mailbox. Don't know why, but I guess they simply haven't built the functionality to store your mailbox offiline.

  12. PJ says:

    How can you tell if the iPhone is encrypted?

  13. Admin says:

    The 3GS is encrypted by default. At least according to http://db.tidbits.com/article/10416

  14. Hans says:

    Actually enforcing password history seems to work as well.

    The value here is not binary (0=off and 1=on) but actually means the number of passwords that may not be repeated.

    E.g. putting "5" means it recalls your five previous passwords and won't allow going back to one of those. (Error message "This passcode has been used too recently." on the device).

    iOS 4.0.2 on iPhone 3G

    HCD

  15. Doctor Osos says:

    Enforce password history does work, just not the way you think.
    If you set it to "1", it will remember your current password.
    If you set it to "2", it will remember your current password and the previous one you are attempting to reuse.

    Password Recovery is available via 3rd party solutions like Mobile Iron, Trust Digital, AirWatch, Sybase Afaria. They allow you blank the password and the user will need to enter new password.

  16. Admin says:

    Thanks Doctor Osos and Hans for clearing the "Enforce password history" out for me. After some testing I realized that I probably did something wrong when I tested.

  17. Tom says:

    Hi
    Great blog. A table would make this blog a lot easier to digest, or a table comparing iOS4 & Android 2.2.
    Thanks
    Tom

  18. While going through Apple's Dev documentation I found the official list from the guys in Cupertino (current as of iOS 4.1)
    - Enforce password
    - Minimum password length
    - Maximum failed attempts
    - Require alphanumeric passwords
    - Inactivity period
    - Prohibit/allow simple password
    - Password age
    - Password history
    - Minimum complexity
    - Manual syncing while roaming
    - Allow/block camera
    - Allow/block web browser
    - Max age of emails synced
    - Require device encryption (only on iPhone 3GS and 4)

  19. bselasor says:

    Hi,

    I'm wondering if anyone had encountered issues when sending email with attachment over 100kb? For some reason I can’t send attachments Word doc, Excel, and pdf from my iPhone 4 iOS 4.x or iPhone 3GS iOS 4.1. I get the message “Cannot Send Mail – An error occurred while delivering this message.”, and the mail get stuck in the Outbox. I can receive attachment alright, but can’t send or forward them. Have you encountered this issue in your environment?

    I'm using the default EAS Policy.

    To make it worse, sending attachments from iPad works fine.

    I appreciate any help. Thanks.

  20. Admin says:

    Sorry, I can't say that I have noticed this problem. Maybe the latest update have solved this in case it's not specified as a maximum in the EAS Policy.

  21. Alex says:

    Just curious, has anyone tested multiple exchange accounts? Which policy wins?

  22. Andre says:

    Hi All,

    I was reading through everyones comments and I was just curious what Exchange server services pack allows you to push EAS policies to Iphones??? Because I have service pack 2 and password requirement policies don't get pushed to iPhone. Thanks

  23. Admin says:

    Make sure you have the latest iPhone update. Which Iphone OS are you running?

  24. Haruhiko Nishi says:

    Here I wrote an article about my own ActiveSync implementation works with iOS4.x

    http://www.enterpriseios.com/forum/topic/iOS_Device_Management_Open_Source_Way

  25. John M says:

    I'm running exchange 2010 sp1 rollup 3. Under Organization Configureation - Client Access and the Excahnge ActiveSync Mailbox Policy I have two filters setup. Default and test. I have made no changes to deault, and in the test filter I've set several options (require password, min password length, unchecked Aloow consumer mail. However, none of these are being pushed to my iPhone4 running 4.2.8. Am I missing somthing or is the defalt policy overrideing the test one I created?

  26. Admin says:

    The default policy should be picked up by mailboxes "by default". If you create addidional policies, you have to specify (per mailbox) that it should use this policy instead.

  27. edmcc says:

    I just moved my mailbox onto our new Exchange 2010 server. i set up Exchange email on my droid, my iPad and my iPod. When I refreshed my email on the droid, I got 3 days worth of email, all my contacts and calender events. When I refreshed my iPad and iPod, I would lose Safari. Enabling the Broser access through this policy resolved the problem. I spent about 3 days on this, even stumping one of the Apple Genuis'. Thanks for the assist.

  28. Peter says:

    Andreas is right that's the list but I found a few more that worked even though it is not documented. Our company uses Microsoft Exchange Server 2010 from CloudWire and the policies allowed through their control panel really worked on the iPhone. I was kind of surprised because you know, that't the hosted version of exchange but it turns out that because they offer enterprise exchange server it may offer more ActiveSync goodies than I first thought. I will look into the difference between the Standard Exchange Server, the Enterprise and the Hosted and let you know what I found.

    Peter

  29. Yvonne says:

    When using mobile iron and profiles have been downloaded correctly the AD account is not locked but it doesn't recognise the user name and password. what is causing the issue?

  30. Richard Anderson says:

    I'm going through an Exchange 2007 deployment with over 30 iOS devices and this guide was invaluable.

    Thanks much for putting this together!

  1. [...] iPhone OS 4 and Exchange ActiveSync Policies (EAS) – what really works? | Sysadmin Lab Posted on June 30, 2010 by johnacook http://www.sysadminlab.net/activesync/iphone-os-4-and-exchange-activesync-pol… [...]

  2. [...] more: iPhone OS 4 and Exchange ActiveSync Policies (EAS) – what really … Filed Under Uncategorized Tagged With force-the-user, future, increase-or-decrease, iphone, [...]

  3. [...] My experience says that whenever you sync it will check if the policy has been updated…[read more] Number of View: [...]

  4. [...] Did you install/configure support for outlook/microsoft exchange? It is possible that this can disable the camera - see iPhone OS 4 and Exchange ActiveSync Policies (EAS) – what really works? | Sysadmin Lab [...]

  5. [...] my previous post, I tested all the ActiveSync policies on iPhone 4.0 and figured out what worked and what [...]

  6. [...] attachments" policy setting. (For a comprehensive overview of iOS and EAS polices check out some tests the guys at Sysadmin Lab did: don’t assume it all [...]

  7. [...] sauvegarder les pièces jointes ». (Pour tout savoir sur iOS et les politiques EAS, consultez les tests réalisés par le gens de Sysadmin Lab. Ne partez pas du principe que tout fonctionne correctement [...]

Leave a Reply