iOS 4 and Exchange ActiveSync
Published Jul 01 2010 12:48 PM 24.9K Views

Recently Apple released iOS 4 (the new name for the operating system that runs on iPhones, iPod touches, and iPads). Since its release there have been numerous reports (link, link, link) of a number of issues with new iPhone 4s (and older iPhone models running the updated software version) when using Exchange ActiveSync (EAS) for mobile email. I wanted to put up a quick posting about what issues users may be seeing and what we’re doing about it.

Issues:

  1. Exchange administrators are seeing heavier than normal loads on their servers from users with iOS devices: We are in contact with Apple’s engineering team and are trying to help them fix this issue. In the meantime Apple has released a support article (link) which directs administrators who are experiencing this issue to push an iOS profile (link) that changes the timeout their Exchange ActiveSync connection uses to their users to four minutes which should be long enough for the vast majority of users. Those that need longer can edit the XML file in any text editor by searching for ‘240.0’ (no quotes) and changing it to the desired number of seconds, or you can use Apple’s configuration utility editor (link) to make this change.
    Update 7/15: Apple has released iOS 4.0.1, which includes the iOS profile change discussed earlier in this post.

    Update 7/1 1:10 PM: We had suggested using Apple's configuration utility to make this change. Apple has informed us that you should not use the configuration utility to edit or install the update. Use a text editor such as Notepad to change the timeout value in the update, if required. The configuration utility doesn't know about the timeout key used in the update.

  2. Email, calendar, or contacts are not syncing: We believe this is the same issue as #1. The support article and solution listed above are the current recommendation from Apple while a fix is being worked on.
  3. iPhone is not working with Google Apps over Exchange ActiveSync: Google licenses the server portion of Exchange ActiveSync from Microsoft (link) but Google wrote their own software to implement the protocol. Google is responsible for making sure their implementation of Exchange ActiveSync runs correctly and in this case Google claims that they had a server issue (link).

We have been in contact with Apple about each of these issues (as well as some others that seem to not be directly related to EAS but are more email related in general). Apple has assured us that a fix is being worked on though they have not commented on a release timeline for the fix. We will be continuing to work with Apple to help resolve the current issues relating to iOS 4 using Exchange ActiveSync.

Adam Glick
Sr. Technical Product Manager

80 Comments
Not applicable
Aweome that you guys are working with Apple on this.  Microsoft is head and shoulders above Apple "support" and demonstrates how customers should be treated.
Not applicable
Thanks for the communication Adam. It's extremely valuable for customers to just know the status of the problems – keep the communication channels open and the customers informed (a hint to Apple)....
Not applicable
Adam, thanks for the timely update, will you be updating this blog post as new information is publicly available?  And thanks for posting an informative status update before the issue is resolved, this provides an authoritative source of information (better than newsgroups and non-authoritative blogs).
Not applicable
Agreed. We alsways know we can count on Microsoft for timely, useful, and authoritative information.  Thanks, Adam!
Not applicable
From what I can determine there is a separate issue that is similar, but not identical to issue 2 described here. We see with some of our customers who are running Exchange 2010 that they can connect, receive mail and sync calendars, but are unable to send mail after upgrading to IOS4. The profile fix posted by apple does not appear to fix this issue. The users get "Cannot Send Mail
An error occurred while delivering this message."
Everything else works.

From what I see on various online forums this particular issue seems unique to environments running E2010
Not applicable
Can MS or Apple elaborate on : "In addition, some Exchange Server administrators may notice their servers running slowly." . Are all versions of Exchange 2007/2010 affected? Is it specific to any server roles (CAS, Mailbox)? What kind of performance hits should we be looking at (Disk IO, CPU, etc)? Thanks.
Not applicable
Can you comment about which Exchange Servers have been affected?  The one article indicates 2007 and 2010 CAS servers.  Have you heard of admins of Exchange 2003 also complain of issues as well?  Thanks for the updates on this issue.  Agree with others that this info is really helpful to read and be aware of.
Not applicable
Question, If we have x no of users using iOS 4 devices then we might notice this specific issue or is it also with only few devices?. Do you have any answer on what could be the value x?. Just to see if anyone is noticing the same issue if they would have fewer users connecting through iOS 4 devices.
Thank you.
Not applicable
Any "fix" that does not update the user agent of the device is useless as its is impossible to tell who applied an update otherwise. If Apple does this as an updated firmware fix, the user agent will be updated and you can give users a week to fix or block the old user agent from connecting...
Not applicable
I did some testing which ActiveSync Policies (EAS) that works on iPhone OS 4.0. The result: http://www.sysadminlab.net/activesync/iphone-os-4-and-exchange-activesync-policies-what-really-works

Let me know if you have tested and experienced something else.
Not applicable
Is there a way to tell which devices (i.e. iPhone OS 3.1 vs iPhone 4.0) are connecting the CAS?
Not applicable
I have been tracking this issue since it was announced a few days ago. We have an Exchange 2007 server with ISA 2006 handling OWA FBA, Autodiscover rules and now activesync.

We have a 3GS and updated it to 4.0. I cannot replicate the issue, i'm not sure if ISA is throttling the requests from the device.
Not applicable
We have 2000 users with iphone in our company. 100 users have updates their 3GS iphones to IOS 4. Only 1 user so far with the IOS4 has brought one of our exchange 2007 SCC clusters to a state slower that driving miss daisy. The issue is that the iphone does not wait for a timeout and therefore keeps making read requests to the CAS server (2007) which keeps openning multiple sessions to the mailbox server (2007 SCC cluster) increasing the average latency to an extermly high level. The profile fix has worked for us so far. The bottom line is that not all updated iphones show this bahavior which is odd.
Not applicable
the problem we ran into was that the cpu usage on the mailbox server was very high, in the 70% range, that slowed down everything else to a crawl. used perfmon, look at rpc average latency under msexchangeis client, the activesync counter was over 100. Also, used exmon to find out who is using all that cpu. turn off activesync for the guy and then restart corresponding active sync app pool in iis of the cas server.

ios4 has the useragent string 801.293, use ps to get a list.
Not applicable
I'm having some massive issues getting exchange 2003 SP2 to play nice with the new iOS.
Not applicable
Are you also aware that Exchange/2010/2007 NOTES also do not sync? I am told this is some kind of authentication issue. Any word on this??
Not applicable
ALL HAIL NOTEPAD!!!
Not applicable
Our organization has had an issue where any iPhone user that has upgraded to iOS4 only gets "Immediately, After 1 Minute, After 5 Minutes, After 15 Minutes, and After 1 hour" for the Require Passcode lockout time period.  We used to have an option for "After 4 hours" which is the setting most users set their devices to.  Users that have not upgraded to iOS4 still have the 4 hour setting available.  We have an ActiveSync Policy that requires a password to be set, but we do not have the "Time without user input before password must be re-entered" option configured.  We're running Exchange 2007 SP2.  Has anyone else run into this?
Not applicable
Thanks for the updates! Microsoft seems to be doing a much better job of communicating with customers than Apple. We're glad you're helping Apple resolve the issue - it demonstrates what a company that cares about its customers does at times like these, and that is to forget rivalry in one segment (mobile phones, where Microsoft catching up to do with Windows Phone 7) and collaborate to help resolve customer issues. We love the Exchange team and Microsoft for it.
Not applicable
This issue affects all versions of Exchange that have EAS (2003, 2007, 2010).  The symptoms are random, but typically occur on mailboxes with high item counts (inbox/calendar are the usual culprits) and/or are already comprimised perf wise.  In other words: if your server is already near the tipping point, this will bring it over the edge.  Just because you don't see any perf issues because of the firmware update doesn't mean your user base's iPhone population shouldn't apply the config file.  Apply to all your iPhone users with the iOS 4 update.

Exchange Server 2010 gives you the ability to quarantine devices based on the user agent until the owner contacts the admin and confirms they've applied the update.  Yes it's time consuming, but it's a lot better than having your server down. :)
Not applicable
You can identify iOS4 devices with the "DeviceUserAgent" value of 801.293

Get-ActiveSyncDeviceStatistics -Mailbox

Apple-iPhone1C2/801.293           = iPhone 3G on iOS 4.0
Apple-iPhone2C1/801.293           = iPhone 3GS on iOS 4.0
Apple-iPhone3C1/801.293           = iPhone 4 on iOS 4.0
Apple-iPod2C1/801.293               = iPod Touch 2G on iOS 4.0
Apple-iPod3C1/801.293               = iPod Touch 3G on iOS 4.0
Not applicable
Does anyone know why apple would not recommend using the configuration utility to install this change on the IOS4 devices? I am already creating a custom profile with our attached verisign cert to the profile / Exchange configuration and thought it would be easier just to add this in during the install.

Not applicable
Bvig thanks for the info.
Not applicable
@Jason: because they have communicated to us that their configuration utility can't address these changes.  Apple support would be the best point of contact to ask why that is.
Not applicable
I wonder if apple is also using their own implementation of activesync. Does ms provide the binaries for each os?
Not applicable
Anyone know if it is true that a iPad connected via activesynch increases the IOPS by several times compared to a "normal" mailbox user?

Not applicable
@thesurg3on: Microsoft doesn't provide any binaries.  It's a licensed protocol they write the code for themselves.  You can find the useage of them on MSDN.  Bing it and you'll find links like this:
http://msdn.microsoft.com/en-us/library/cc307725(v=EXCHG.80).aspx

@Charlie O: We don't sync  notes (as in Outlook/OWA notes) with any version Exchange ActiveSync as far as I know.
Not applicable
Shouldn't the server throttle a client - any client - that is causing a perfomance problem?
Not applicable
Wrong! Notes have always sync'd. There are also 3rd party iPhone apps that sync Notes and tasks. IOS4 also introduced Note sync for GMAIL... which is also now having problems as reported all over the web as they luicense active sync.
Not applicable
While the updated config for iOS4 devices is helping, we're still seeing high CPU utilization on our 2k7 CAS servers.  We're watching for them in ExMon and trying to capture client side logs to see what they are doing that causes such high utilization.

Anyone else seeing something similar?
Not applicable
Hi,

wen hafe the same problem   Kjell Andorsen discriped.
User with an updated iphone 3gs to iOS4 can not send emails to an Exchange 2010.

Is there a fix or workaround availible?
Not applicable
Does anyone know if this is related to another EAS/iOS4 bug that occurs when connecting to the Exchange server via WiFi?

It's detailed in this Apple discussion:
http://discussions.apple.com/thread.jspa?threadID=2475890&tstart=0

But basically, when connected via WiFi, there are sporadic errors that state a connection occurred or the account information can't be verified.

Anyone seen this?
Not applicable
@Kjell Andorsen -- Re: In ability to sending email. This was confirmed yesterday as another bug buy Apple. See: http://marksmith.netrends.com/Lists/Posts/Post.aspx?ID=104 for the tracking of this issue.
Not applicable
When is Apple going to allign with Enterprise needs and actually work and share information PRIOR to releasing their half baked crap?

Thank god we have ActiveSync disabled and made Blackberry the standard.
Not applicable
I'm having a little trouble using PS to query for ActiveSync devices at our Exchange 2010 server.  I can do it for individual mailboxes, of course, but I'm trying to get them all to display or dump to a file.  I tried using one of the included examples in the get-help info, but most of the output is errors, followed by a few devices' info.  Can anyone show me what command I should be using to return the sync'd device info for all mailboxes?
Not applicable
@Jason: You can list ActiveSync user and device info using the examples in the following post:


Listing Exchange ActiveSync users and device information


http://exchangepedia.com/2008/06/exchange-server-2007-listing-exchange-activesync-users-and-device-i...

Not applicable
@Bharat:  The first command you have on your page returns results, but not what accounts the devices are linked to, nor the agent version.  The second command (with the Filter parameter) doesn't execute successfully: "Cannot bind parameter 'Filter' to the target."  This is, again, on Exchange 2010.
Not applicable
Just an update - this command did/does work on Exchange 2010:

$mbx = get-casmailbox -Filter {HasActivesyncDevicePartnership -eq $true -and -not DisplayName -like "CAS_{*"}; $mbx | foreach {$name = $_.name;$identity = $_.identity;$device = get-activesyncdevicestatistics -mailbox $_.identity; $device | foreach {write-host $mbx.name, $_.devicemodel, $_.devicephonenumber, $_.Identity, $_.deviceid, $_.FirstSyncTime, $_.LastSuccessSync} }
Not applicable
Running iOS4 on iPhone 3GS. ActiveSync not working properly through third party apps to sync tasks with exchange server. Some apps include "TaskTask" and "iMTasks" and "iMExchange"
Not applicable
I wish nokia will be as responsive as apple, it's been quite a while that Mail for Exchange is "working" really bad against Exchange 2007 and Exchange 2010, tons of bugs and nothing a customer can do...

except of course going 3rd party sync software which makes no sense..
Not applicable
I had some of the same issues describe above. I have an iPhone 3GS running iOS4, it worked fine on Exchange 2003, but after migrating to Exchange 2010, it suddenly stopped working.

I am truly sorry to say, that my issue was not caused by Apple, but a new security settings set by default on Exchange 2010. See this forum thread: http://social.technet.microsoft.com/Forums/en-ZA/exchange2010/thread/37a1cb86-d4e3-4851-b41b-f8e4299...

I had the same symptoms. The event (1053) was present on our CAS, that Exchange ActiveSync doesn’t have sufficient permissions to create the user object. I am member of Domain Admins, and thereby member of a protected group.

I did as described in the forum thread, Included inheritable permissions from the object’s parent, on my own user object. And after deleting the exchange account on my iPhone and setting it up again it all worked fine again.
Not applicable
To Mark Texas - iOS 4 has been available for public beta test for months - you just needed to be part of their developer program. Small cost - hight benefit to access early release and test on your infrastructure before you get your user to deploy. Also they publish a knowledge base on their support site where you can find authoritative information and the latest info.

http://www.apple.com/support/iphone/


For users with additional problems look at default domain name (.local is not supported).

See http://support.apple.com/kb/TS3389




Not applicable
John M, am I hallucinating, or is that article actually suggesting that those with Windows domains ending in .local *change their domains* for the sake of the debacle know as iOS 4?!  First, isn't it extremely common for domains to end in .local?  Second, wouldn't changing the domain have all sorts of repercussions due to the domain being specified in all sorts of nooks and crannies both on Server itself and elsewhere?  Third, I'm surprised they're not recommending switching over to OS X Server (or whatever it's called).
Not applicable
is there a method to determine which users may be causing the high RPC latency values we are seeing after some users have updated their iPhone to IOS 4

in particular can we turn up logging and identify which users may be causing problems,  I am running exchange 2007 sp1 with cas, hub and ccr mailbox servers

fyi, so far we have identified users with very large numbers of calendar items are never able to synch their calendars, if  we apply the update file from Apple, their calendars do sync, but we are still experiencing heavy loads on mailbox servers

Thanks
Not applicable
Gregg - you can identify users by running exmon on the mailbox server. We had 4 iPhone users each consistently consuming over 20% on one of our mailbox servers.
Not applicable
@Rick & @John M - The .local issue only occurs if you're accessing your corporate resources internally.  For example mail.domain.local accessed internally only.  The best solution (though maybe not in all circumstances) would be to use a split brain DNS solution, so that you have the ability to address both mail.domain.com internally as well as externally, but have different IPs for both (internal/external).
Not applicable
Is anyone familar with how to restrict users from deleting the 'defaultEASTaskTimeout.mobileconfig' from their device? I can control this through the iphone Configuration utility for the Exchange profile that I am loading on each device.

If this is the temporary fix, I am concerned the end-user could easily just go into general/profiles and delete this profile.

Any thoughts are appreciated!
Not applicable
I think I answered my own question -

this will prevent the profile from being removed from the device by the end user. Add this into the config file:

<key>PayloadRemovalDisallowed</key>
<true/>

you will have to remove it via the Iphone configuration utility.
Not applicable
I think it is ridiculous that you can not create a patch for Exchange to resolve this. So lame. So lame. Basically you are doing NOTHING.
Not applicable
'  testt said:
I think it is ridiculous that you can not create a patch for Exchange to resolve this. So lame. So lame. Basically you are doing NOTHING.'

Eh? It's Microsofts fault that Apple have a problem with this and all the other devices out there using EAS don't? does not sound like a MS problem to memore like the way apple have implemented the standard.
Version history
Last update:
‎Jul 01 2010 12:48 PM
Updated by: