Blackberry 10 and Windows Phone 8 Password Prompts

by Ed Sparks

Now that more BB10 and WP8 devices are out in the wild, a few issues are coming to light with regard to the connection to Exchange ActiveSync.

The most common is that users are periodically prompted for their password after having successfully synced with the server for some time.  In many cases (particularly BB 10) this results in an account lockout if the user simply cancels the prompt, or doesn't enter the password successfully.

The same issues do not seem to appear when using any iOS, Android or Windows Phone 7.x device against the same servers.  It's not yet clear why the implementation is different on these other platforms.

The solution - adjust the timeout settings on your Exchange server, or ISA/TMG or ASA gateways, so that the connections are held open for longer than the heartbeat interval of the ActiveSync device.

Follow the steps in this article to ensure the correct configuration is in place for both Exchange (2003/2007/2010) and your ISA/TMG.

Under the Web Listener for the EAS/OWA Rule - uncheck the "Apply session timeout to non-browser clients" setting as per this article.

Cisco ASA
Ensure any NAT rules that pass traffic to Exchange on HTTP/HTTPS have no timeouts, or very long timeout values.

Curious how all this fits together? Here's a great backgrounder on how EAS Direct Push works, heartbeat intervals, firewalls and more.

Apple - Please figure out Calendaring. Everyone else, update to 6.1.2

by Ed Sparks

It's becoming almost a ridiculous sad joke.  Each new iOS release seems to bring a new round of calendaring bugs that cause havoc with Exchange and Activesync, and create no end of headaches for users and admins.

The latest example - the iOS 6.1, 6.1.1 fiasco - has taken it to a new extreme.

Apple needs to stop dripping with hubris about this stuff, and actually test their products consistently and properly.  The post-Steve Jobs downward trend is sad, and concerning.  One product after another is increasingly flawed.

Anyway </rant mode>

In the meantime - read about the iOS 6.1 mess here, then immediately go and update all your i-Devices to 6.1.2.  Then wait for 6.1.3 or 6.2 or whatever is going to fix the lock screen bug.

Rapid growth in transaction logs, CPU use, and memory consumption in Exchange Server 2010 when a user syncs a mailbox by using an iOS 6.1 or 6.1.1-based device

iOS 6.1: Excess Exchange activity after accepting an exception to recurring calendar event

An Open Letter to Tim Cook

iPhone lockscreen can be bypassed with new iOS 6.1 trick

The new face of BES - Connecting Blackberry 10 devices to Exchange

by Ed Sparks

With Blackberry 10 just days away from launch, we're seeing an increasing amount of interest and confusion about how these new devices will connect with mail environments, and how it compares to previous versions of the devices and servers.

Part of this confusion is due to RIM somewhat changing the plan along the (very long) way to BB 10. Thankfully the initial impressions of the devices look solid, so we expect there to be an uptick in usage again.

So what's changed? In a word, everything.

BB 10 (and Playbook 2.x) devices all use Exchange Activesync (EAS) as their only supported method of syncing with email servers.  This is great news for Exchange, and reduces much of the complexity of the past.  The biggest win is that the devices now natively support email without a BES or BIS connection - just like iOS, Windows Phone and Android.  MUCH better user experience.

In the Enterprise, a BES is no longer required at all, if you simply want to connect and manage your BB 10 handhelds in a mostly unmanaged way - simply by continuing to publish your EAS servers to the public internet.  Autodiscovery and all of those niceties are supported by BB10.  As are EAS policies for passwords, remote wiping and the like.

So what does RIM bring to the table beyond that as part of their 'legendary security'?

It turns out quite a nice set of functionality - albeit at a pretty high price point.

Blackberry Enterprise Service (not Server) is the new BES 10, but this has no relation to the old BES.  It is simply a management tool, and is an updating and re-branding of their previous Mobile Fusion, and Universal/Blackberry device services products.  The new BES will NOT talk to older Blackberry devices.  Period.  You will always need to keep a BES 5 server around while still using legacy devices.

Nicely, however, the BES 10 management product will manage your old devices, by pushing down policy to BES 5 and onto the devices.  Likewise, it will manage Android and iOS devices with certificate management, and installable clients if desired.  You can keep consistent policy across all of these, and report on them etc.  Sounds quite promising.

As for syncing, where most of the confusion occurs due to the native EAS support, the question is what BES 10 adds to that part of the puzzle.

RIM will offer three levels of EAS/security:

1. Native EAS - no BES involved
2. Native EAS with BES Management - pushes the email settings and policy to the devices (so users don't have to enter anything, and BES policy trumps EAS policy)
3. Full BES (our name) - device connections will be routed over an encrypted tunnel through the RIM network, back into your BES and then proxied on behalf of the user into the internal EAS server.  External publishing of EAS is not required.  This will only function on the "Work" side of the Blackberry 10 or Playbook 2's "Balance" profiles.  Casual users cannot natively get this functionality.

Overall we think the approach they are taking makes a lot of sense, and is a huge improvement over the former days of the steaming pile of Java crud that was the old BES.
It remains to be seen how well all this comes together, but if RIM pulls this off correctly, they've got a fighting chance at not only a good device, but a great MDM product as well.

BES 10 is now available for download.

Need help with updating your environment? Questions?  Contact us today for Blackberry therapy.

iPhone, Android, Windows Phone high data usage due to "Exception message: Maximum request length exceeded"

by Ed Sparks

A significant flaw exists in the design of Exchange ActiveSync, in our opinion, in that most mobile devices - particularly the iPhone - will leave a large message stuck in the outbox and continuously try to resend the message over and over without limit until the user deletes the message.

This issue is most commonly caused by the default IIS configuration on Exchange CAS servers that limits incoming messages to about 4-10MB in size (depending on version) - regardless of the limits set elsewhere in the Exchange organizational or user configurations.  You will know this is the problem if you see the following event frequently in your Exchange CAS Application event logs:

EVENT LOG Application
SOURCE    MSExchange ActiveSync
EVENT ID  1008
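
One way to check for this on a CAS server, as an added example that is not part of the original post: it pulls the event quoted above from the Application log, keeps the entries carrying the "Maximum request length exceeded" text, and counts them per user and device so the handsets stuck in a resend loop stand out. The 7-day window and the assumption that the event text contains the request URL with `User=` and `DeviceId=` parameters are ours.

```powershell
# Added example: find devices repeatedly hitting the IIS request-size limit.
# Log name, source and event ID are the ones quoted in the post.
$since = (Get-Date).AddDays(-7)   # look-back window (assumption)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'MSExchange ActiveSync'
    Id           = 1008
    StartTime    = $since
}

# SilentlyContinue: Get-WinEvent raises an error when nothing matches
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Maximum request length exceeded*' }

$rows = $events | ForEach-Object {
    # Assumption: the message includes the request URL (User=...&DeviceId=...)
    $user   = if ($_.Message -match 'User=([^&\s]+)')     { $Matches[1] } else { '(unknown)' }
    $device = if ($_.Message -match 'DeviceId=([^&\s]+)') { $Matches[1] } else { '(unknown)' }
    New-Object PSObject -Property @{
        User     = $user
        DeviceId = $device
        Time     = $_.TimeCreated
    }
}

# One line per user/device pair, busiest first, with first and last occurrence
$rows |
    Group-Object User, DeviceId |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object -Property Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object -Property Time -Maximum).Maximum } } |
    Format-Table -AutoSize
```

A device with a high count spread over hours or days is the one with a large message stuck in its outbox.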


Exchange 2010 ActiveSync Device Access Policies, Quarantine and more!

by Ed Sparks

Exchange ActiveSync (EAS) is Microsoft's excellent protocol that most vendors have adopted as the standard for direct-push email to mobile devices.  Thankfully, Microsoft has dramatically improved the ability to manage devices and restrict access to the Exchange or Office 365 environment in the latest versions.

The following are the various options and settings available, and some implementation details we've put together for clients.
