iOS 9.3 fixes Multiple Response issue

iPhone 6 iOSUpdate 5/31/16: The glitch has been addressed in iOS 9.3.1.

Note: Be advised that iOS 9.3 contains a glitch which might prevent users from opening links from applications like Safari or other browsers, Mail or Outlook. The glitch causes the link not to work or the app to hang. Apple is aware of the issue and a fix is in the works. It is reported that, as a temporary workaround, disabling Javascript support in Settings > Safari > Advanced makes links work again in Safari.

Apple released iOS 9.3 today, which contains lots of enhancements and fixes. One of these fixes solves an issue with the Calendar app (for those still not using the Outlook app), where it would send multiple responses for an invite.

The release notes of iOS 9.3 mention:

Resolves an issue for some Exchange users that caused Calendar to send multiple responses to the same invitation

The fix supposedly solves issue 1.15 from the “Current issues with Exchange ActiveSync and 3rd-party device” overview (KB2563324), “Meeting organizer receives multiple responses from attendee. The related KB article, KB3108212, also contains instructions on how to identify users experiencing this problem. Note that the problem has also been addressed server-side in Cumulative Update 1 for Exchange 2016.

It’s almost a law that, for every bug that is fixed, new ones are introduced. So, some organizations may therefor want to test and accept this iOS update before giving it the green light for their Exchange environment. To block a specific version of iOS from Exchange, consult the instructions here.

Outlook for iOS adds Contacts support

imageA short notice on an update received today for Outlook for iOS 2.09. This update adds the much requested feature of integrating Outlook for iOS with the (native) Contacts in iOS:

“Your Office 365 and Exchange Contacts can now be saved to the iOS Contacts app. This will allow you to easily see the name of a contact when you receive a call or text message from them. Head to your Advanced Settings to turn on this feature.”

This does away with the requirement of resorting to setups like having the iOS Mail app sync with your Office 365 or Exchange On-Premises account, just to sync those contacts with your device. To disable syncing contacts through the Mail app, go to Settings > Mail, Contacts, Calendars and click the account you wish to disable syncing contacts for. Then, disable syncing its Contacts by toggling its switch:


You will get a warning contacts synced through this contact will be removed from Contacts, but since we are going to use Outlook for this, you can proceed.

Next, open up the updated new Outlook app, and go to Settings. Click the account from which you want to sync contacts to your device, and select Advanced Settings. In there, you will find a new switch, Save Contacts to Device. Behind it is the number of contacts available on this account:


Toggle the switch to start syncing contacts directly from your Office 365 or Exchange On-Premises account to Contacts, giving the Outlook app permissions to access your Contacts when requested. After this, you’re ready to go.

Note that all synced contacts will contain a line in the Notes field, stating:

Exported from Microsoft Outlook (Do not delete) [outlook:..:..]

This is to indicate this is a synced contact, and you must not edit or remove it using the device, rather remove it from the originating source as it might get recreated or overwritten during synchronization.

Finally, the sync is one-way, so although you can edit properties on your phone through the Contacts app, they won’t be synced back to the originating source. Also, when editing properties through Contacts, those edits are not propagated to the People view in the Outlook app, as those are the contacts from your Office 365 / Exchange On-Premises accounts. This can be confusing, but having to set up an e-mail account just once with a one-way sync seems more efficient and less confusing to me than having to configure the Mail app only to get your contacts on your phone.

Blocking Outlook App for iOS & Android

imageYesterday, Microsoft announced the immediate availability the Outlook for iOS and Outlook for Android preview. These apps are the former app named Acompli, which was acquired by Microsoft in December, last year. It is unlikely that Microsoft will develop and support two similar apps, so one can assume the new Outlook app will replace the current OWA for iOS and OWA for Android (or just OWA for Devices) apps.

The app isn’t without a little controversy:

  • The app stores credentials in a cloud environment from Amazon Web Services for e-mail accounts that don’t support OAuth authorization.
  • The app makes use of a service sitting between the app and your mailbox. This service acts as a sort of proxy (hence it requires those credentials), fetching, (pre)processing and sending e-mail. In some way this is smart, as it makes the app less dependent on back-end peculiarities, using a uniform protocol to communicate with the proxy service.
  • The app does not distinguish between devices (device identities are assigned to your account, which makes sense since the app uses a service to retrieve and process your e-mail).
  • The app does not honor ActiveSync policies, like PIN requirements. While true, this app is not an ordinary Exchange ActiveSync client.

You can read more about this here and here.

In all fairness, when the app was still named Accompli, nobody cried foul. But the app is now rebranded Outlook and property of Microsoft, so it seems this made the app fair game. I hope Microsoft is working behind the scenes to make the new Outlook app enterprise-ready, and I’m sure it won’t be long before we see the app’s services move from AWS to Azure. The whole outrage in the media also seems a bit misplaced, as Connected Accounts in Exchange Online, which will retrieve e-mail from a POP or IMAP mailbox, will also store credentials ‘in the cloud’.

It is recommended to treat the app as a consumer app for now, and you may want to block the app in your organization. I have written on how to accomplish blocking or quarantining faulty iOS updates before. However, in those articles I used the reported OS version to block or quarantine devices. The Outlook app proxy service reports itself as “Outlook for iOS and Android” as device model when querying your mailbox, allowing us to use the DeviceModel parameter for matching.

The cmdlet to block or quarantine the new Outlook app in Exchange 2010, Exchange 2013 or Office 365,  is:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Block

or, to quarantine:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Quarantine

For examples of alternative blocking methods using TMG or F5, check this article. If you need to specify the user agent string, use “Outlook-iOS-Android/1.0” (or partial matching on “Outlook-iOS-Android” to block future updates of the app as well).

As goes for all mobile devices in enterprise environments, as an organization it may be better to test and aprove devices and OS versions rather than to be confronted with mobile apps with possible faulty behavior after an update or which may violate corporate security policies.

OWA for iPhone and OWA for iPad are here!

imageToday, the Exchange team announced the immediate availability of the (free) OWA for iPhone and OWA for iPad apps. Exchange fellows Tony Redmond and Dave Stork already hinted earlier this month that something was about to happen in this area.

Users of the Windows 8 Mail app may find the look of the OWA apps to be very familiar:

A quick summary on the app features:

  • Stored credentials for automatic logins;
  • Push notifications;
  • Meeting reminders (even with app closed);
  • Voice activated actions (English only);
  • Contact sync for caller ID function;
  • Remote wipe capability (user data, when the app runs).

That last one is a great, much requested feature when Bring Your Own Device is practiced (apart from that it makes sense due to the sandboxing principle). When required the business can selectively wipe business data without touching your personal information, similar to a feature to be introduced with Windows 8.1 called Remote Business Data Removal.

Besides that you need an iPhone 4S or iPad 2 or higher running iOS 6 or later, the apps are currently only supported for Office 365 subscribers running the tenant on Wave15 (or later). There are reports of the apps working with on-premises Exchange 2013 but that’s unofficial. To find out which version your tenant is running, use Get-OrganizationConfig in a remote PowerShell session, e.g.

$session = New-PSSession –ConnectionUri –AllowRedirection –Authentication Basic –Credential (Get-Credential) –ConfigurationName Microsoft.Exchange
Import-PSSession $session
Get-OrganizationConfig | ft AdminDisplayVersion


My tenant is running on 15.0.698.10 (15 = Wave 15), so theoretically I’m good to be running OWA for iPhone or OWA for iPad. I say theoretically, as I don’t have any iPhone or iPad available for testing.

An app version for on-premises Exchange 2013 is expected to be released at a later date. More information on configuration and usage of the OWA apps on the Office 365 blog here.

The UC Architects Windows Phone App

Most of you listen to or at least are aware of our The UC Architects podcast. If not, The UC Architects is the world’s most popular community podcast on Exchange and Lync made by people with a passion for Microsoft Unified Communications.

CaptureNow, as of today and thanks to fellow Johan Veldhuis, you can keep track of new podcasts when travelling, check our Tweets or even download and listen to podcasts using the UC Architects Windows Phone App. The app is available for Windows Phone 7 and 8. More information on the app itself can be found on our The UC Architects website.

You can download the app here.

Loadbalancing, ActiveSync and Affinity

Recently, a client was experiencing load issues on the Exchange 2010 Client Access Servers. The client also had installed a hardware load balancer to balance client traffic.

While investigating the PAL results, the ActiveSync connections chart showed a significantly unbalanced number of ActiveSync connections between the CAS servers.

It turned out the client had load balanced all client traffic using Source IP affinity for all protocols. This means each client gets assigned the same CAS server, based on the client’s IP address. While this may sound reasonable, for ActiveSync this may not be optimal. Reason is that most mobile telephony providers use some form of NAT translation for their clients, resulting in these devices to appear having the same IP address.

When organizations standardize on a NAT utilizing mobile telephony provider, the problem might emerge sooner as all of their mobile clients will be assigned to the same Client Access Server.

In the picture above you’ll see the top two mobile devices are being NAT’ed. When the top device connects to the Exchange environment, it gets assigned the 1st CAS server based on its IP address. When the 2nd mobile device connects, the load balancer sees the same IP address after which it will direct that traffic to 1st CAS server as well.

While affinity is not required for ActiveSync, it is recommended since for each newly appointed CAS server, the notification subscription to the mailbox to be informed of updates would have to be recreated. Of course, this would result in a performance penalty and increased latency. Another option would be Session ID, but some EAS clients unnecessarily create a new SSL session ID.

After switching affinity from Client IP to Authorization HTTP Header the ActiveSync clients spread out more evenly. When using Authorization HTTP Header affinity, the load balancer uses the base64 encoded credentials as part of the http client request, e.g.

Authorization: Basic YW55IGNhcm5hbCBwbGVhc3VyZS4=

After switching affinity for ECP as well (should be Cookie or Session ID), the load issues were gone.

Where in the past mobile clients were insignificant to Outlook clients when compared in numbers, the ongoing consumerization of IT movement results in an increasing mobile client population. The number of ActiveSync users may easily outweigh the number of Outlook clients, as many users use a phone or tablet (or both) in addition to Outlook, if they use Outlook at all.

Exchange ActiveSync and Inheritable Permissions issue

The issue and solution described here is by design, but not known by every customer so here’s my short write-up on this subject.

Recently, I was at a customer reporting issues with several users not being able to synchronize their mobile devices using ActiveSync. The customer was running Exchange 2010 SP1 and used various mobile devices, e.g. iPhones as well as Android phones and tablets. A quick look in the IIS logs revealed that devices were connecting properly, but they received HTTP return code 403 (forbidden):

2011-08-30 10:09:31 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=XXXXX&DeviceId=d849cec9be024c828b9af73da93bb59b&DeviceType=htcbravo&Log=LdapC2_Error:UserPrincipalCouldNotBeFound_Dc:dc.domain.com_Budget:(D)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f0%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5Fe205201e-d418-409a-a15b-4b51baef9bf4%2cNorm%5bResources%3a(DC) 443 domain\XXXXX Android-EAS/0.1 403 0 0 124

Another clue was provided by the eventlog, which revealed MSExchange ActiveSync was reporting error 1053:


The remainder of the message reads: “Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type “msExchangeActiveSyncDevices” and doesn’t have any deny permissions blocking such operations”. What happens when setting up ActiveSync is that Exchange tries to create a container named ExchangeActiveSyncDevices below the user object in Active Directory and will store in that container an MsExchActiveSync object for each ActiveSync device. Apparently Exchange doesn’t have sufficient permissions to create these objects.

To fix this, open up Active Directory Users and Computers. Now, to be able to inspect the security settings, we first need to activate Advanced Features if not already set. To do this, from the View menu option, select Advanced Features.

Next, navigate to the user object experiencing the issue. Open up Properties, select the Security tab and click Advanced.


Notice the Include inheritable permissions from this object’s parent is not set, the reason for Exchange not having any permissions on the object.

To fix the issue, simply check Include inheritable permissions from this object’s parent and click OK. You’ll return to the previous window where you’ll notice the Exchange Server account is now granted permissions on the object:


At this point, ActiveSync will work and Exchange will be able to create MsExchActiveSync objects in the ExchangeActiveSyncDevices container:


Note that Include inheritable permissions from this object’s parent by default is not enabled for members of the protected groups, e.g. Domain Admins. In fact, every hour the DACL on members of protected groups will be reset and inheritable permissions will be removed. This process is called AdminSDHolder which is to prevent inappropriate changes from being made to protected groups, accidently or otherwise.  Michael B. Smith did a nice write-up on this subject here. This is also the reason why bypassing the AdminSDHolder limitation by manually granting Exchange permissions would be inappropriate.

To prevent this issue, it is recommend to follow an old, yet far from rusty administrator best practice, which is to use one account for day-to-day operations, e.g. work and e-mail, and another account for administrative purposes.

Exchange & Windows Phone 7

This TechNet article on Windows Phone 7 got my attention. It appears you cannot fully utilize Exchange ActiveSync mailbox policies, unless you set AllowNonProvisionableDevices to True. If you don’t do that, you can only use the following properties, otherwise synchronization issues might be experienced:

  • PasswordRequired
  • MinPasswordLength
  • IdleTimeoutFrequencyValue
  • DeviceWipeThreshold
  • AllowSimplePassword
  • PasswordExpiration
  • PasswordHistory
  • DisableRemovableStorage
  • DisableIrDA
  • DisableDesktopSync
  • BlockRemoteDesktop
  • BlockInternetSharing

Another option is to create a seperate policy for Windows Phone 7 users.

Another thing worth mentioning is that when using multiple Exchange accounts on your Windows Phone 7, policies will be merged into a most restrictive set (credit to Dave Stork who got the information at TEE10).

Exchange ActiveSync and Hotmail

As of Monday, it is possible to synchronise your Hotmail account, i.e. e-mail, calendar and contacts, with your mobile using Exchange ActiveSync (EAS).

To synchronise your mobile with Hotmail, use the following settings:

Username E-mail address, e.g.
Password *****
Domain Leave blank
SSL Enabled

When asked, choose to accept the SSL certificate.

Synchronisation currently works for Windows Mobile 6.x, Windows Phone 7, iPhone, iPod Touch, iPad and Nokia E/S/N-Series with Mail for Exchange.

Windows Phone 7 to support multiple Exchange accounts

I seem to have missed the news from a few days back that during a broadcast on the @ch9live development network , Joe Belfiore, Microsoft Corporate Vice President for Windows Mobile, confirmed multiple Exchange account support in Windows Phone 7 Series. Goodbye to unsupported hacks or POP/IMAP’ing those additional Exchange boxes. I assume includes all the additional benefits like Direct Push (hello battery life!).

In addition, Belfiore stated that on Windows Phone 7 various calendars will be displayed in a single view using coler coding to differentiate between the calendars (i.e. accounts).

Thanks to fellow Exchange guy Magnus Björk for spotting this one.