Issue with security defaults - activesync clients get quarantined

We are seeing issues after enabling Security Defaults where activesync clients get quarantined in Exchange Online and cannot be approved. O365 Support have been unable to tell us why or fix it.

Has anyone seen this or know how to resolve? Problem clients are all iOS using the native mail app.

In EXO PS using get-mobiledevice I can see:

DeviceAccessState : Quarantined
DeviceAccessStateReason : AadBlockDueToAccessPolicy

We have no activesync policy to quarantine devices. Some work fine, some get blocked.

5 Replies

Security defaults block legacy auth, which is the most likely reason here.

iOS mail has supported modern auth since version 12. I try and persuade them to use Outlook but some VIPs can be tricky.

Many iOS mail app clients work fine with Security defaults enabled. iOS mail supports modern auth, and I don’t think activesync is a legacy protocol?

Hi,
We have the same issue. How did you solve it?

Yes, remove the account from the device, approve in exchange quarantine, add again in the device.