Exchange profile password expiry

wchestnutt

Joined: Jul 1, 2016

Hello,

So in our environment we have an MDM platform which delivers an Exchange payload. All the information is completed apart from the password field, as this expires every 90 days as per our corporate policy.

We also have account changes locked down as we don't allow personal email or Apple IDs.

What I am experiencing so far is that when an Exchange password expires, the user never gets prompted to input the password again, and doesn't have access to the account (due to the lock down) so they can't update the password!

Does anyone have a clever way of managing this other than moving users into a permissive policy group periodically?!

Thanks!

wchestnutt

Joined: Mar 27, 2014

So it turns out that it does prompt eventually, probably after the token expires. If you click cancel to the prompt it then doesn't reappear; I haven't tested when this reappears yet.

Mitchtei

Joined: Apr 25, 2016

It does not reappear. What I have the Helpdesk do is re-push the email profile from MDM; this will force the password prompt to pop up.

jpref

Joined: Apr 18, 2012

During Enrollment, don't prompt for the password

With the current MDM, we had the same issue when users enter the password into the field during enrollment. When we took it out, this made the prompt on iOS only appear when the actual cred request was called during the profile push, or after expiry. If however the user enters it wrong the amount of times in the lockout policy, it will still act and lock, or if they cancel x times and launch Mail.

wchestnutt

Joined: Mar 27, 2014

Hello,

So I have tested a user's password expiring and being reset again, and after the token expires on the iPad the password prompt reappears. This is with the latest iOS.

The annoying thing is that the iPad seemed to force a download of a full email set from day zero. I believe this is requested by the iPad via the push/ActiveSync when it receives a number of 500 error messages from the server, possibly related to error messages. The iPad believes there is an inconsistency with the local copy of the synced data and requests a full sync rather than incremental. Very annoying!!!!

Has anyone else experienced this? I am repeating my test tonight to see if it happens again.

wchestnutt

Joined: Mar 27, 2014

Hello. I have now found some very strange behaviors...

If I go into Photos and open in Mail (to attach to an email) it doesn't choose my email account, and instead takes me to the add email account page!!

On other devices I am able to open in the Mail app, but it doesn't attach the image to the email; instead it sends a blank email. The only way to get a photo attached to an email is to copy and paste it individually. Not ideal!!

What is going on, Apple!!

jpref

Joined: Apr 18, 2012

MDM Policy

Check you don't have 'use only in mail' turned on; this prevents "send to" from happening in other apps if your security allows.

wchestnutt

Joined: Mar 27, 2014

Finally a password suppression solution!

Hello, thanks for the reply. Yes, it was blasted in mail setting!! Pretty annoyed that I missed that. It threw me because with the account restrictions enabled it allows you to open in Mail, but it just strips the image.

But here is a really helpful tip for anyone out there with these passwords not reprompting after the user has cancelled the popup! To get the password to reappear you have to refresh your Phonebook contacts list. This then asks for your Exchange password!!!!! Can't believe it.

In order for this to work you must have at least one contact (local or otherwise) in your address book. Then just swipe down to initiate the update... and voila.

jpref

Joined: Apr 18, 2012

mdm policies

In the Exchange EAS policy, you should never have it locked down for password; this is an issue. The user should always be able to edit the password in Settings --> Mail, Contacts, Calendar --> "Exchange Account" --> Account --> Password.
Password and description are the only editable fields on our policy settings.

wchestnutt

Joined: Mar 27, 2014

iOS does not allow granular control of this lock down. It is part of locking down account changes, which also prevents users from setting up Apple IDs, iCloud, and personal email accounts! Unlocking this is not an option.
