MDM, EAS Profile and ActiveSync Policies

Historically, ActiveSync (EAS) was the way to secure mobile devices: the mail server could apply policies around the device passcode and other security settings.

While an EAS profile can be deployed to the Windows Mail client through MDM, the client still behaves exactly like a regular EAS client, even though the profile was installed by the MDM server.

[Screenshot: doesnt-meet-security-requirement]

The component responsible for this behavior is the Exchange ActiveSync Policy Manager Broker, which is in charge of applying ActiveSync policies on the device.

[Screenshot: UAC-Exchange-Active-Sync-Policy-Manager-Broker]

When the MDM profile is removed, Windows Mail asks the user for consent; if the user clicks No, the account stays in the application. The MDM server has no say in this and cannot remove the account.

[Screenshot: consent]

To summarize the workflow:

  1. MDM enrollment
  2. EAS email profile applied
  3. User connects to the Exchange account
  4. Exchange ActiveSync policies are applied
  5. Upon removal, user consent is required, because EAS manages part of the application

The workaround is to secure ActiveSync with a Secure Email Gateway (proxy or PowerShell based) and then remove any ActiveSync policy, since those policies are the root of the issue.
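As an added example (not part of the original post), the following Exchange PowerShell session audits which mobile device mailbox policies still push device-side settings that the Policy Manager Broker enforces, then creates a permissive policy and assigns it to mailboxes. The policy name "MDM-Managed-NoEAS" is an assumption; an Exchange Online or on-premises session with the recipient cmdlets is assumed to be already open.

```powershell
# Settings that the ActiveSync Policy Manager Broker enforces on the device.
# Any policy with one of these turned on will trigger the consent prompt described above.
$deviceSideSettings = @(
    'PasswordEnabled',
    'AlphanumericPasswordRequired',
    'DeviceEncryptionEnabled',
    'RequireDeviceEncryption'
)

# 1. Audit: list policies that still enforce passcode/encryption on the device.
$enforcing = Get-MobileDeviceMailboxPolicy | Where-Object {
    $p = $_
    ($deviceSideSettings | Where-Object { $p.$_ -eq $true }).Count -gt 0
}

foreach ($policy in $enforcing) {
    $on = $deviceSideSettings | Where-Object { $policy.$_ -eq $true }
    Write-Output ("{0} (default: {1}) enforces: {2}" -f $policy.Name, $policy.IsDefault, ($on -join ', '))
}

# 2. Create a policy with no device-side requirements. Assumed name: MDM-Managed-NoEAS.
#    Only do this once the MDM profile and the Secure Email Gateway cover the same controls.
$permissiveName = 'MDM-Managed-NoEAS'
if (-not (Get-MobileDeviceMailboxPolicy -Identity $permissiveName -ErrorAction SilentlyContinue)) {
    New-MobileDeviceMailboxPolicy -Name $permissiveName `
        -PasswordEnabled $false `
        -AlphanumericPasswordRequired $false `
        -DeviceEncryptionEnabled $false `
        -AllowNonProvisionableDevices $true | Out-Null
}

# 3. Move mailboxes off the enforcing policies onto the permissive one.
foreach ($policy in $enforcing) {
    Get-CASMailbox -ResultSize Unlimited -Filter "ActiveSyncMailboxPolicy -eq '$($policy.Identity)'" |
        ForEach-Object {
            Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy $permissiveName
            Write-Output ("Reassigned {0} from {1} to {2}" -f $_.Identity, $policy.Name, $permissiveName)
        }
}
```

Run step 1 alone first; reassigning mailboxes (step 3) only makes sense after the MDM side enforces the passcode and encryption requirements that the EAS policy used to carry.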