Exchange ActiveSync (EAS) allows for email, calendars, contacts, and synchronization to mobile devices. What data is synchronized wholly depends on what the ActiveSync client supports – the ActiveSync protocol provides no means by which an Exchange administrator can define which data types are allowed or not allowed. With most (if not all) Exchange ActiveSync clients, all supported data types are synchronized when the user sets up an ActiveSync profile. For example, by default, in iOS/iPadOS, the following data types are synchronized:
With device enrollment, administrators have the capability to push an Exchange ActiveSync profile to devices (what’s often referred to as a managed EAS profile). The benefit of this approach is that it simplifies deployment, ensures consistent configuration (e.g., OAuth instead of basic authentication), and ensures data removal during wipe/retirement actions. Managed EAS profiles also support and integrate with other MDM device restrictions like Viewing corporate documents in unmanaged apps (allowOpenFromManagedToUnmanaged).
Unfortunately, prior to iOS 13, administrators had no control over what data is synchronized with a managed profile – only the user could enable or disable a data type. But with the release of iOS 13 and iPadOS, this has changed. Apple has introduced the ability for administrators to control what data types are synchronized to the device. In addition, administrators can define whether the user can override what data types are synchronized. For more information, see Apple’s documentation on Device Management Profile ExchangeActiveSync.
With the November service release, Intune supports this functionality natively.
When configuring a new (or existing) managed EAS profile, you’ll see that we have redesigned the email profile into three distinct sections:
While Apple’s implementation enables granularity in which data types are synchronized, Intune took a more scenario-focused approach. Within the Exchange ActiveSync profile configuration section, administrators have two options. First, they can choose to decide whether users have the capability to override what data types are synchronized (by default, users have this capability). Second, administrators have the capability of choosing the following scenarios:
Note: If the above data type synchronization scenarios are not applicable to your organization, you can leverage the Intune Graph API to specify the easServices values you require. For more information, see iOS EAS email profile configuration.
In the event you want to change an existing profile to take advantage of these new settings, keep in mind that adjusting what data types are synchronized will result in a new profile being pushed to the device. Users will be forced to enter their credentials and the profile changes won’t take effect until authentication is complete.
Why would you want to use this functionality? There are several possible scenarios:
We hope you find support for Apple’s new functionality useful. As always, if you have any questions, please let us know.
Ross Smith IV
Principal Program Manager
Customer Experience Engineering
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.