Managed Exchange ActiveSync Profile improvements in iOS 13/iPadOS

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Exchange ActiveSync (EAS) synchronizes email, calendars, and contacts to mobile devices. Which data is synchronized depends entirely on what the ActiveSync client supports; the ActiveSync protocol gives an Exchange administrator no way to define which data types are allowed or not allowed. With most (if not all) Exchange ActiveSync clients, all supported data types are synchronized when the user sets up an ActiveSync profile. For example, by default, in iOS/iPadOS, the following data types are synchronized:

[Image: IMG_E1711.JPG]

With device enrollment, administrators can push an Exchange ActiveSync profile to devices (often referred to as a managed EAS profile). This approach simplifies deployment, ensures consistent configuration (e.g., OAuth instead of basic authentication), and ensures data removal during wipe/retirement actions. Managed EAS profiles also support and integrate with other MDM device restrictions, such as “Viewing corporate documents in unmanaged apps” (allowOpenFromManagedToUnmanaged).

Unfortunately, prior to iOS 13, administrators had no control over what data is synchronized with a managed profile – only the user could enable or disable a data type. But with the release of iOS 13 and iPadOS, this has changed. Apple has introduced the ability for administrators to control what data types are synchronized to the device. In addition, administrators can define whether the user can override what data types are synchronized. For more information, see Apple’s documentation on Device Management Profile ExchangeActiveSync.

 

With the November service release, Intune supports this functionality natively.

 

[Image: EAS profile v2 complete.png]

When configuring a new (or existing) managed EAS profile, you’ll see that we have redesigned the email profile into three distinct sections:

  1. Exchange ActiveSync account settings includes the server endpoint, account information, and authentication methods.
  2. Exchange ActiveSync profile configuration controls which data types are synchronized (only applies to iOS 13/iPadOS or later).
  3. Exchange ActiveSync email settings allows for control over specific mail settings. These settings are only available when the email data type is configured for synchronization.

While Apple’s implementation enables granularity in which data types are synchronized, Intune took a more scenario-focused approach. Within the Exchange ActiveSync profile configuration section, administrators have two options. First, they can decide whether users can override which data types are synchronized (by default, users have this capability). Second, they can choose one of the following scenarios:

[Image: EAS profile v2 data types.PNG]

  1. All data – this is the default option when creating a profile (or accessing an existing profile). This scenario ensures all data types are synchronized by default.
  2. Email only – this scenario disables calendar and contacts synchronization, allowing only email synchronization.
  3. Calendar only – this scenario disables contacts and email synchronization, allowing only calendar synchronization.
  4. Calendar and Contacts only – this scenario disables email synchronization, allowing only calendar and contacts data.
  5. Contacts only – this scenario disables calendar and email synchronization, allowing only contacts.

Note: If the above data type synchronization scenarios are not applicable to your organization, you can leverage the Intune Graph API to specify the easServices values you require. For more information, see iOS EAS email profile configuration.

 

If you want to change an existing profile to take advantage of these new settings, keep in mind that adjusting which data types are synchronized will result in a new profile being pushed to the device. Users will be forced to enter their credentials, and the profile changes won’t take effect until authentication is complete.

Why would you want to use this functionality? There are several possible scenarios:

  • Your organization has a security policy that prohibits certain information from being available on mobile devices.
  • Your organization has a policy to minimize the amount of data synchronized, so by default admins disable some of the data types synchronized but allow the user to override that decision.
  • Your organization has standardized using a third-party (from Apple’s perspective) mail app, but your users want to use the native iOS calendaring or contacts app.
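For the first scenario, an added example (not from the original post or from Microsoft’s tooling): a Python check that reads a configuration profile and reports every EAS data type that is synchronized, or that the user can switch back on, outside an allowed set. The Enable*/Enable*UserOverridable keys are from Apple’s ExchangeActiveSync payload; the allowed set, the sample profile and the treatment of absent keys are assumptions.

```python
import plistlib

# Apple ExchangeActiveSync payload keys (iOS 13 / iPadOS and later).
SERVICES = ("Mail", "Contacts", "Calendars", "Reminders", "Notes")
EAS_PAYLOAD_TYPE = "com.apple.eas.account"


def audit_eas_profile(profile_bytes, allowed):
    """Return findings for every EAS payload that syncs, or lets the user
    turn on, a data type outside the `allowed` set (hypothetical policy)."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != EAS_PAYLOAD_TYPE:
            continue
        name = payload.get("PayloadDisplayName", "<unnamed>")
        for svc in SERVICES:
            if svc in allowed:
                continue
            # Assumption: an absent key means "enabled" / "user may override",
            # matching the defaults the post describes.
            enabled = payload.get(f"Enable{svc}", True)
            overridable = payload.get(f"Enable{svc}UserOverridable", True)
            if enabled:
                findings.append((name, svc, "synchronized"))
            elif overridable:
                findings.append((name, svc, "user can re-enable"))
    return findings


def make_sample(eas_settings):
    """Build a constructed .mobileconfig for the demo (not a real export)."""
    payload = {"PayloadType": EAS_PAYLOAD_TYPE,
               "PayloadDisplayName": "Contoso mail (constructed)",
               "Host": "mail.example.com"}
    payload.update(eas_settings)
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})


# Constructed sample: contacts switched off but left user-overridable,
# calendars locked off, reminders and notes not mentioned at all.
SAMPLE = make_sample({"EnableMail": True,
                      "EnableContacts": False,
                      "EnableCalendars": False,
                      "EnableCalendarsUserOverridable": False})

if __name__ == "__main__":
    for finding in audit_eas_profile(SAMPLE, allowed={"Mail"}):
        print(*finding, sep=": ")
```

A data type that is switched off but still user-overridable is reported separately, because the device can end up holding that data even though the profile disables it.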

We hope you find support for Apple’s new functionality useful. As always, if you have any questions, please let us know.

 

Ross Smith IV
Principal Program Manager
Customer Experience Engineering
