Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, November 13, 2019 7:29 AM
Hello!
We have on-premises Exchange 2016. Since my users started using Outlook for IOS and Android instead of native mobile mail clients I observe strange things.
- Mobile users connect to Exchange from Microsoft IPs. Does that mean that Microsoft proxies all ActiveSync connections from Outlook for IOS and Android to our on-premises Exchange? (We don’t use Office365!).
- From time to time Mobile Clients change their IDs. This behavior is very annoying because our mobile device policy puts every new device to quarantine for administrator approval.
There are logs. Mobile device connects to Exchange from IP-address 52.125.138.60, that belongs to Microsoft with DeviceID 8715CA5A50BF0D57. Then its IP and DeviceID changes and Device goes to quarantine. New IP belongs to Microsoft too.
Can I change this behavior of Outlook for IOS and Android?
Nov 12 20:45:57 vm-ha71 haproxy[1190]: 52.125.138.60:44108 [12/Nov/2019:20:45:57.645] mail.maildomain.su~ exchange/vm-exchange 0/0/1/24/25 200 825 - - 6/6/4/5/0 0/0 "POST /Microsoft-Server-ActiveSync?User=mydomain%5Csmith&DeviceId=8715CA5A50BF0D57&DeviceType=Outlook&Cmd=Settings HTTP/1.1"
Nov 12 20:45:57 vm-ha71 haproxy[1190]: 52.125.138.60:44106 [12/Nov/2019:20:45:57.656] mail.maildomain.su~ exchange/vm-exchange 0/0/1/32/33 200 591 - - 6/6/3/4/0 0/0 "POST /Microsoft-Server-ActiveSync?User=mydomain%5Csmith&DeviceId=8715CA5A50BF0D57&DeviceType=Outlook&Cmd=Sync HTTP/1.1"
Nov 12 20:45:57 vm-ha71 haproxy[1190]: 40.101.31.101:39102 [12/Nov/2019:20:45:57.901] mail.maildomain.su~ exchange/vm-exchange 0/0/1/2/3 401 262 - - 7/7/3/4/0 0/0 "OPTIONS /Microsoft-Server-ActiveSync?Cmd=Options&User=smith&DeviceId=OPCC2ED957E50835CA47A5F45AFD77DF&DeviceType=Outlook HTTP/1.1"
Nov 12 20:45:57 vm-ha71 haproxy[1190]: 40.101.31.101:39102 [12/Nov/2019:20:45:57.930] mail.maildomain.su~ exchange/vm-exchange 0/0/0/7/7 200 1144 - - 7/7/3/4/0 0/0 "OPTIONS /Microsoft-Server-ActiveSync?Cmd=Options&User=smith&DeviceId=OPCC2ED957E50835CA47A5F45AFD77DF&DeviceType=Outlook HTTP/1.1"
Nov 12 20:46:00 vm-ha71 haproxy[1190]: 40.101.31.101:39102 [12/Nov/2019:20:46:00.017] mail.maildomain.su~ exchange/vm-exchange 0/0/0/6/6 200 1144 - - 8/8/4/5/0 0/0 "OPTIONS /Microsoft-Server-ActiveSync?Cmd=Options&User=smith&DeviceId=562ef08332654fae9dfc021dc039cd3b&DeviceType=Outlook HTTP/1.1"
Nov 12 20:46:02 vm-ha71 haproxy[1190]: 40.101.31.101:39102 [12/Nov/2019:20:46:02.383] mail.maildomain.su~ exchange/vm-exchange 0/0/0/7/7 200 1144 - - 7/7/3/4/0 0/0 "OPTIONS /Microsoft-Server-ActiveSync?Cmd=Options&User=smith&DeviceId=562ef08332654fae9dfc021dc039cd3b&DeviceType=Outlook HTTP/1.1"
All replies (9)
Wednesday, November 13, 2019 9:03 AM ✅Answered
Read here: /en-us/exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth?view=exchserver-2019
Or here if you don't have HMA configured: /en-us/exchange/clients/outlook-for-ios-and-android/use-basic-auth?view=exchserver-2019
Monday, November 18, 2019 2:39 AM ✅Answered
That's OK. Because device IDs are not governed by any physical device ID, they can change without notice. If you want to use Outlook for iOS and Android, you are recommended to manage these devices based on device type or device model. For reference: Device access policy
Regards,
Lydia Zhou
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, November 13, 2019 11:26 AM
Hi Vasil. Thank You for links. I didnt find why Outlook suddenly changes its DeviceID? Can I prevent this?
Wednesday, November 13, 2019 7:36 PM
It can be the switch to the new architecture for example, or something else on the backend. You don't have much control over it.
Thursday, November 14, 2019 10:40 AM
Hi GennadyB,
It's great that you get useful information in our forum. It's recommended that administrators only set mobile device access policies that allow/block devices based on device type or device model.
Regards,
Lydia Zhou
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, November 15, 2019 10:54 AM
Hi Lydia.
We dont need to control device type and model. Our policies require manual approval of every ActiveSync-enabled device which wants to connect to our Exchange server. And changing of DeviceID makes it difficult. I think we will migrate back to native e-mail clients because they never change DeviceID.
Monday, November 18, 2019 3:00 PM
Hi Lydia, yesterday my "Outlook for iOS and Android" suddenly changed not only Device ID, but also Device Type, and then returned both the original state))
Sent at 15.11.2019 19:20:06
The Exchange ActiveSync service has quarantined the mobile device listed below. It won't be able to synchronize Exchange content until you take action.
Information about the device that triggered this notice:
User: [email protected]
Device model: Redmi 4
Device type: Android
Device ID: androidc2009092539
Device OS: Android 7.1.2
Device user agent: Android-Mail/2019.08.18.267044774.release
Sent at 15.11.2019 23:46:06
The Exchange ActiveSync service has quarantined the mobile device listed below. It won't be able to synchronize Exchange content until you take action.
Information about the device that triggered this notice:
User: [email protected]
Device model: Outlook for iOS and Android
Device type: Outlook
Device ID: 562ef08332654fae9dfc021dc039cd3b
Device OS: OutlookBasicAuth
Device user agent: Outlook-iOS-Android/1.0
Wednesday, November 20, 2019 9:46 AM
It seems that the user [email protected] used the Mail app on his android previously. Then he changed to use Outlook for mobile.
Regards,
Lydia Zhou
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, November 22, 2019 10:26 AM
It's great that you get useful information from our forum. Here is a brief summary about this thread for quick reference.
Issue Symptom
=================================================
We have on-premises Exchange 2016. Since my users started using Outlook for IOS and Android instead of native mobile mail clients I observe strange things.
- Mobile users connect to Exchange from Microsoft IPs. Does that mean that Microsoft proxies all ActiveSync connections from Outlook for IOS and Android to our on-premises Exchange? (We don’t use Office365!).
- From time to time Mobile Clients change their IDs. This behavior is very annoying because our mobile device policy puts every new device to quarantine for administrator approval.
Can I change this behavior of Outlook for IOS and Android?
Cause
=================================================
Outlook for iOS and Android is a cloud-backed application. The Exchange ActiveSync (EAS) connection between Exchange Online and the on-premises environment enables synchronization of the users' on-premises data.
Solution
=================================================
Because device IDs are not governed by any physical device ID, they can change without notice. If you want to use Outlook for iOS and Android, you are recommended to manage these devices based on device type or device model.
Reference Links
=================================================
Regards,
Lydia Zhou
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].