Sep 10 2019 01:50 PM
When someone checks their email from their phone, it adds an entry into the Mobile Devices area within the Exchange Admin Center. I'm trying to make sense of the data that it presents to me and don't understand what it's showing.
Here's a screen shot of a particular user. I checked a bunch of users and they are all very similar. This user has a Pixel 3xl but the screenshot has no information on device, model, etc. The OS says 28 which makes no sense.
Anyone know what any of this means and why it doesn't seem to show valid data?
Sep 11 2019 11:29 AM
That's how the Outlook app is designed. Back in the day when Microsoft first acquired Acompli, they were using a separate service that "cached" a few weeks' worth of email and applied its magic against those. The client connected to that service, and the service itself connected to Exchange Online, presenting itself as a "device". Since then they've moved away from this "middle tier" architecture, but decided to keep the per-instance device config, read more here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...
Adding @Ross Smith IV as a corrective.
Sep 11 2019 12:11 PM
So is there no way to get any actual device info then? We're turning on the O365 MDM but I was trying to do a comparison between the Exchange logging and the MDM logging to see what was different and that's when I noticed it didn't have any actual details any more.
Sep 11 2019 07:47 PM
Think of the Outlook mobile app as a virtual device - this is why when in Exchange you issue a remote wipe only data within Outlook is wiped, not the entire device.
Exchange and MDM providers see Outlook mobile as a unique device separate from the physical device because as an app we have to generate our own unique device ID (we cannot leverage the physical device characteristics as that is prevented by the OS). See https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...
With that said, we do have a bug where we are not accurately reporting the DeviceOS on Android. That will be fixed. For example, we do report the DeviceOS correctly on iOS:
DeviceUserAgent : Outlook-iOS/2.0
DeviceOS : iOS 12.1.4
LastSuccessSync : 9/11/2019 8:51:14 PM
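The fields quoted above can be pulled per mailbox to see which device partnerships are Outlook mobile "virtual devices" and which are other EAS clients. This is an added example, not part of the original thread or Microsoft's documentation; it assumes an already connected Exchange Online PowerShell session, and the mailbox address is a placeholder.

```powershell
# Added example: read-only inventory of mobile device partnerships for one mailbox.
# Assumes Connect-ExchangeOnline has already been run in this session.
$Mailbox = 'user@example.com'   # placeholder mailbox, not taken from the thread

Get-MobileDeviceStatistics -Mailbox $Mailbox | ForEach-Object {
    # Outlook mobile identifies itself in the user agent, e.g. "Outlook-iOS/2.0"
    $isOutlook = $_.DeviceUserAgent -like 'Outlook-*'

    [pscustomobject]@{
        Client          = if ($isOutlook) { 'Outlook mobile' } else { 'Other EAS client' }
        DeviceUserAgent = $_.DeviceUserAgent
        DeviceModel     = $_.DeviceModel
        DeviceOS        = $_.DeviceOS
        LastSuccessSync = $_.LastSuccessSync
        # DeviceOS is whatever the app reports, not a value read from the handset.
        # Flag entries that are a bare number with no platform name
        # (such as the "28" described in the question).
        OsLooksBare     = ($_.DeviceOS -match '^\d+$')
    }
} | Sort-Object LastSuccessSync -Descending | Format-Table -AutoSize
```

Rows marked "Other EAS client" are the ones to compare against MDM records, since Outlook mobile entries describe the app instance rather than the physical phone.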
Sep 12 2019 06:39 AM
OK, hang on a sec. So does that mean that even if we don't use MDM or Intune or anything like that, just with Exchange 365, we can initiate a Remote Wipe that will only wipe Outlook and not touch anything else?
Does that also work if people use a different mail app on their phone, like the native mail or Gmail or whatever, to connect to their O365 email? If it only works with Outlook, is there a way to restrict all other mail apps other than Outlook?
The main thing we want is to be able to remove the company data from a phone, without having to wipe the whole thing, regardless of what email client the person is using. At one point we were told that we had to go an MDM route to do that but that might have been before we switched to O365 so maybe our information is now outdated.
Sep 12 2019 07:26 AM
@Mike Boehm yes, when you initiate a "full wipe" from Exchange against Outlook mobile, only Outlook mobile is wiped. See https://aka.ms/secureom for more info.
Some EAS clients also support Exchange's "account only remote wipe" functionality which only removes the EAS profile and does not wipe the entire device. See https://docs.microsoft.com/en-us/Exchange/clients/exchange-activesync/remote-wipe?view=exchserver-20....
Naturally, I recommend Outlook mobile over native EAS. :)
Sep 12 2019 01:16 PM
When we started this process we were on on-premises Exchange and it was a while ago so things have apparently changed a bit since then. Maybe we don't need to do what we're doing.
The only things we need to do are for anyone who checks their email from their phone, we want to enforce a password/PIN, cap the limit for how long the screen can stay unlocked, and be able to remove the company data if needed.
At the time, we had to use MDM to do that but maybe we don't need to do that any more? Can all that be done just through Exchange itself? We have a few paranoid people who don't want the company to have the ability to wipe the entire device but are OK if the company can wipe just the company data from the device. With MDM and Intune we'd have the ability to do both...
If anyone has suggestions on the best way for us to do this, that'd be great.