Office 365 and Exchange ActiveSync payloads

ConnorL
Meraki Employee

Hey Community folks! 👋🏻 

 

With Microsoft recently deprecating Basic Auth for Office 365, those who are using Exchange ActiveSync payloads will likely experience authentication errors if they're not already using modern authentication.

 

A simple fix for this is to enable "Use OAuth for Authentication"; this will prompt the user to authenticate using the modern method and allow the user to continue to use the native Mail, Calendar, Contacts, and Notes applications on iOS.

 


You shouldn't need to fill in the Signin URL or Token Request URL fields, as it'll prompt the device to auto-discover; however, if you do need these, they can be found on your Office 365 admin console.

 

A small downside of this compared to basic auth is that the end user must know the username & password of the O365 account they're authenticating. This is a limitation of using modern auth and is not something we can control on the Meraki end.

 

Meraki Support can assist if you have issues installing the payload, but once the payload is installed this is outside the remit of Meraki's control and you should direct authentication questions to Microsoft. 

13 Replies
Josh3
Here to help

We set up OAuth last week for mobile users, but many of them keep getting prompted every day to re-enter their password.  Is there a timeout setting somewhere that I need to look for that will extend this login period?  

ConnorL
Meraki Employee

Hey @Josh3,

 

This will be configured most likely on the Office 365 end; the Exchange Payload has no capacity to define when a user must authenticate.

 

Do note however, that any time you make a change to a profile that contains an ActiveSync payload (even if the change isn't regarding ActiveSync) the profile is re-installed and the user will be prompted to reauthenticate. Therefore it's best to have the ActiveSync payload in its own profile, so that any other changes (such as WiFi, restrictions etc) don't require the user to authenticate.
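Added example, not part of the thread and not Meraki tooling: a small audit of an exported, unsigned `.mobileconfig` that flags Exchange ActiveSync payloads still on basic auth, payloads carrying an embedded password, and ActiveSync payloads sharing a profile with other payloads. The key names (`com.apple.eas.account`, `OAuth`, `Password`) are Apple's configuration profile keys; the sample profiles and finding labels are constructed for illustration.

```python
import plistlib

EAS_TYPE = "com.apple.eas.account"  # Apple's Exchange ActiveSync payload type


def audit_profile(profile_bytes):
    """Return (payload name, finding) tuples for each EAS payload in a profile."""
    profile = plistlib.loads(profile_bytes)  # assumes an unsigned plist profile
    payloads = profile.get("PayloadContent", [])
    findings = []
    for payload in payloads:
        if payload.get("PayloadType") != EAS_TYPE:
            continue
        name = payload.get("PayloadDisplayName", payload.get("Host", "unnamed"))
        if not payload.get("OAuth", False):
            findings.append((name, "basic-auth"))         # will fail against O365
        if "Password" in payload:
            findings.append((name, "embedded-password"))  # secret stored in profile
        if len(payloads) > 1:
            findings.append((name, "shared-profile"))     # any edit re-prompts user
    return findings


def make_profile(payloads):
    """Build a constructed sample profile (not a real export)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "invalid.example.sample",
        "PayloadContent": payloads,
    })


# Constructed sample: basic-auth EAS payload bundled with a Wi-Fi payload.
LEGACY = make_profile([
    {"PayloadType": EAS_TYPE, "PayloadDisplayName": "Legacy mail",
     "Host": "outlook.office365.com", "EmailAddress": "tech@example.invalid",
     "Password": "constructed-placeholder"},
    {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example-ssid"},
])

# Constructed sample: OAuth EAS payload alone in its own profile.
MODERN = make_profile([
    {"PayloadType": EAS_TYPE, "PayloadDisplayName": "Modern mail",
     "Host": "outlook.office365.com", "EmailAddress": "tech@example.invalid",
     "OAuth": True},
])

if __name__ == "__main__":
    for label, blob in (("legacy", LEGACY), ("modern", MODERN)):
        print(label, audit_profile(blob))
```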

PG01
New here

Did you guys get around this? Looking to implement soon. Our issue is, folks don't know their passwords, as they are field techs. 

Josh3
Here to help

That's kind of my issue as well as the linemen don't keep up with their password.  It is strange.  Some folks it asks for password re-entry every day, others it's longer.  Some people never have an issue.  Newer devices seem to act better.  

TreyGill
Conversationalist

Hi thanks,

 

I am unable to get it set up. It will ask for admin approval. I am unsure how to set it up. I have now spent over a week on this. It keeps asking for consent admin permission and I do not want to give each user admin consent. 

 

Is there documentation on how to set it up from beginning to end?

 

Regards,

Trey

praker
Here to help

You should only have to provide admin approval once.  I recommend setting up the device for an admin first and when prompted provide the approval.  After that is complete, users should not receive the prompt.

Derf1
New here

Thanks ConnorL for this helpful post.

 

So just to confirm, with OAuth enabled, the password push is basically meaningless right? (eg: users must interactively enter their password?)

 

We're in a similar situation as PG01, where our field users don't know the password to their mailbox, and everything is just pushed to their (shared) device.

 

Hoping there's a workaround where passwords can continue to be pushed even with OAuth enabled.

PaulF
Meraki Employee

Sadly, the authentication process is completely different for OAuth and requires user input... This can't be avoided.

pstokes
Here to help

So the issue I'm having with this is it seems like anytime the device checks in with Meraki it breaks the auth. If I go into settings and accounts it shows the account isn't authenticated. When you click re-enter password you don't have to actually enter the password, it just does its thing and closes.

 

To me this would feel like an issue on the Meraki end? Nothing is changed in the settings/profile so it's not re-installing that profile when it does a check in.

PaulF
Meraki Employee

Is your Exchange policy combined with other policies in the same payload? If so, every time you make a change to any of the policies in a payload, iOS will automatically re-apply the policy to devices, resulting in the Exchange policy being re-applied, and the resulting password prompt.

 

If not, raise a case, and ping directly either myself or @ConnorL and we'll take a look.

pstokes
Here to help

No change in payloads, just seems to be as I stated whenever the device checks in it causes it to break. 

pstokes
Here to help

@PaulF @ConnorL just opened a case on it. Case # 09568723
