Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync

When an Exchange Online mailbox has the ActiveSync protocol disabled, you may find that the Outlook app for iOS and Android mobile devices is still able to connect to the mailbox to send and receive emails.

PS C:\> Set-CasMailbox dave.bedrat -ActiveSyncEnabled $false

The reason for this is the architecture of the Outlook app and the infrastructure it connects to. From TechNet:

Outlook for iOS and Android uses a stateless protocol translator component that is built and run in Azure. This component routes data and translates commands, but it doesn’t cache user data. The app is coded with the Outlook device API, a proprietary API that syncs commands and data to and from the app. Exchange Online data is accessed via the publicly available REST APIs. The protocol translator enables communication between Outlook and Exchange Online.

Even when ActiveSync is disabled the REST API is still accessible by Outlook. To block access to the REST API we need to use a different method. There are a few approaches that we can use:

• A device access rule to block Outlook for iOS and Android. This is an organization-wide block and requires you to manually approve Outlook app usage on a per-user basis for anyone who still needs to use it, so it may not be a practical approach if you’re just trying to block one user from having any mobile email access.
• A client access rule to block REST API access. Client access rules can be targeted at specific users but managing the target list over time could be cumbersome. This approach also blocks all REST API access for the targeted users, not just the Outlook app.
• Block the Outlook app using an EWS block list. This is the approach I’ll demonstrate here.

As I’ve previously written here, EWS policies can be used to block or allow specific applications on a per-user or per-organization basis. If you want to block Outlook app usage for the entire organization then you would use an organization-level EWS block list. Since this example scenario is for a user who has had the ActiveSync protocol disabled I will stick to the per-user option. As a side note, if your Office 365 tenant has any “K” (kiosk) licenses then the organization-level EWS controls will not work, and you’ll need to use per-user EWS controls.

First, let’s take a look at the mobile device association that shows Outlook connecting to the REST API.

PS C:\> Get-MobileDevice -Mailbox "Dave Bedrat" | Where {$_.FriendlyName -like "Outlook*"} | Select DeviceModel,DeviceUserAgent,DeviceAccessState,ClientType
DeviceModel        : Outlook for iOS and Android
DeviceUserAgent    : Outlook-iOS/2.0
DeviceAccessState  : Allowed
ClientType         : REST

Next, let’s look at the EWS configuration for the mailbox.

PS C:\> Get-CASMailbox "Dave Bedrat" | Select *EWS*
EwsEnabled                 : True
EwsAllowOutlook            :
EwsAllowMacOutlook         :
EwsAllowEntourage          :
EwsApplicationAccessPolicy :
EwsAllowList               :
EwsBlockList               :

To block EWS access for the Outlook app we need to block the user agent. The iOS version of Outlook currently has a user agent of “Outlook-iOS/2.0” (shown above), and the Android version uses “Outlook-Android/2.0”. Earlier versions had a user agent of “Outlook-iOS-Android/1.0” for both platforms, so we can expect the user agent to change in future as the version number increments. As such, it’s best to use a wildcard in the EWS block list. The example below will block the original user agent, the current user agents for both platforms, and any future user agent strings that follow the same pattern.

PS C:\> Set-CASMailbox "Dave Bedrat" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}

Another look at the EWS configuration for the mailbox shows the two user agents have been added to the block list, and the EwsApplicationAccessPolicy option is now set to EnforceBlockList.

PS C:\> Get-CASMailbox "Dave Bedrat" | Select *EWS*
EwsEnabled                 : True
EwsAllowOutlook            :
EwsAllowMacOutlook         :
EwsAllowEntourage          :
EwsApplicationAccessPolicy : EnforceBlockList
EwsAllowList               :
EwsBlockList               : {Outlook-Android/*, Outlook-iOS/*}

This change doesn’t take effect immediately. In my demo environment it took about 30 minutes before the Outlook app on my iPad stopped retrieving new emails. The access token life is 1 hour by default though, so you should expect it to take at least that long.

To reverse the block, remove the two user agents from the block list, and if there’s no more block list entries you can also null the EwsApplicationAccessPolicy.

PS C:\> Set-CASMailbox "Dave Bedrat" -EwsBlockList @{Remove="Outlook-iOS/*","Outlook-Android/*"}
PS C:\> Set-CASMailbox "Dave Bedrat" -EwsApplicationAccessPolicy $null

As one last point to keep in mind, the DeviceAccessState for the mobile device association won’t change from Allowed to Blocked when you use an EWS block list.

The post Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync appeared first on Practical 365.

        

Comments

• Hi Paul, Will this outlook for Android app issue is included ... by Aravind

Related Stories

• Comparing Solutions for Mobile Device and Application Management in Office 365