Exchange Online Conditional Access not applied after a device reset

  • Question

  • I have conditional access for Exchange Online deployed using Intune. If I connect a device, workplace join it, make it compliant and sync, all works as expected.

    If I then do a remote wipe of a device (tested using Windows Phone and Android), and it no longer meets the compliance requirements after the reset, I can sync email immediately without needing to do a workplace join.

    This is an issue, as the device has no password etc. but can sync email.

    Please advise,

    Marcus

    Wednesday, June 17, 2015 2:00 PM

Answers

  • Hi Marcus,

    This is expected behavior; it depends on the connector sync schedule. AFAIK it could take *up* to 6 hours.

    So if you manually unenroll/retire/remote wipe and reconfigure e-mail on your device, you'll need to wait for this time frame.

    After that your device stops receiving mail and users will see only the "Enrollment mail".


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied


    Wednesday, June 17, 2015 6:20 PM

All replies

  • Thanks. It did take about 5 hours or so.

    I know it is unlikely that a "wiped" device would be brought back into service so quickly, but is this not potentially a security issue? It is possible to have email data on a non-compliant device...

    Thursday, June 18, 2015 12:16 AM
  • OK, further to this. I removed the email account and un-workplace-joined the device, removed the passwords etc., so the device is in a non-compliant state. I have left the device for over 12 hours. I re-added the account and it still sends and receives emails fine...

    The only difference from the earlier "test" was I didn't wipe the device. Surely staff can easily get around the compliance policies this way and operate without any screen lock etc.

    Thanks,

    Marcus

    Thursday, June 18, 2015 2:09 PM
  • Ultimately, this doesn't have anything to do with Intune though. It's the way the ActiveSync specification is written and implemented by Exchange and on the device. An access token is cached on the device out of reach of any selective wipe. This happens when a user resets their password also -- they can still get e-mail for up to 24 hours without having to set the new password on the device.

    The updated Outlook client for iOS and Android (update today in fact to be fully manageable) may address this, not sure though.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, June 19, 2015 12:22 AM
  • Yep, Jason, you're absolutely right. Exchange maintains a 24-hour cache, so if you retire a device, Intune will remove the device record but Exchange will take up to 24 hours to recheck the device. But as I've heard from the PG, this interval was decreased to 6 hours; not sure. So maybe someone from the PG who reads this forum could comment on this statement about the time frame.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied


    Friday, June 19, 2015 7:34 PM
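The two replies above describe a window in which Exchange still honours a cached access decision for a device that Intune no longer considers compliant. As an added example (not code from the thread or from Microsoft), the PowerShell below lets an Exchange Online admin check a mailbox for exactly that condition (a device whose access state is no longer Allowed but which has still synced successfully within the window) and, where needed, put a device ID on the mailbox's explicit ActiveSync block list rather than waiting for the cache to expire. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and an account with Exchange admin rights; the user principal name, device ID and window length are placeholders supplied by the caller. Get-MobileDevice, Get-MobileDeviceStatistics and Set-CASMailbox are real Exchange cmdlets; the report layout and the SyncedWhileNotAllowed flag are this example's own.

```powershell
# Added example, not from the thread: audit ActiveSync device access state
# against actual sync activity for one mailbox, and optionally block a device
# ID explicitly. Assumes the ExchangeOnlineManagement module and an admin
# session; all identifiers below are caller-supplied placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $DeviceId,          # optional: device ID to block immediately
    [int]    $WindowHours = 24   # cache window discussed in the thread
)

Connect-ExchangeOnline -ShowBanner:$false

function Get-EasDeviceReport {
    param([string] $Mailbox, [int] $Hours)
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$Hours)

    # Get-MobileDevice carries the access decision (Allowed / Blocked /
    # Quarantined and the reason); Get-MobileDeviceStatistics carries the
    # sync timestamps. Join them on DeviceId.
    $stats = Get-MobileDeviceStatistics -Mailbox $Mailbox
    foreach ($dev in (Get-MobileDevice -Mailbox $Mailbox)) {
        $st = $stats | Where-Object { $_.DeviceID -eq $dev.DeviceId } | Select-Object -First 1
        $lastOk = $null
        if ($st -and $st.LastSuccessSync) { $lastOk = $st.LastSuccessSync.ToUniversalTime() }

        [pscustomobject]@{
            DeviceId        = $dev.DeviceId
            DeviceType      = $dev.DeviceType
            AccessState     = $dev.DeviceAccessState
            Reason          = $dev.DeviceAccessStateReason
            LastSuccessSync = $lastOk
            # A device that is not Allowed yet synced inside the window is the
            # situation Marcus reports: mail flowing to a non-compliant device.
            SyncedWhileNotAllowed = ($dev.DeviceAccessState -ne 'Allowed' -and
                                     $lastOk -and $lastOk -gt $cutoff)
        }
    }
}

function Block-EasDevice {
    param([string] $Mailbox, [string] $Id)
    # Per-mailbox block list. This is an explicit block on the device ID,
    # independent of the Intune compliance evaluation.
    Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{Add = $Id}

    # Re-read the access state so the caller can see what Exchange now reports.
    Get-MobileDevice -Mailbox $Mailbox |
        Where-Object { $_.DeviceId -eq $Id } |
        Select-Object DeviceId, DeviceAccessState, DeviceAccessStateReason
}

Get-EasDeviceReport -Mailbox $UserPrincipalName -Hours $WindowHours | Format-Table -AutoSize

if ($DeviceId) {
    Block-EasDevice -Mailbox $UserPrincipalName -Id $DeviceId
}
```

Run the report after retiring or wiping a device and again a few hours later: a row with SyncedWhileNotAllowed set to True is the gap the thread is about. Whether the explicit block list is enforced on the device's next sync attempt, or also waits out the cached decision, is something to confirm in your own tenant by triggering a sync and re-running the report; the script gives you that check but does not assume the answer.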