I cannot express how frustrating it has been for users who are unable to connect their mobile device using ActiveSync. The good news is the problem is solved simply. The bad news is the fix is not really that simple.
To understand the solution, you need to understand the problem. Microsoft in their infinite wisdom decided to require a special permission setting buried deep in a user's account security settings for ActiveSync to work. It was a problem initially discovered when installing our new Exchange mail server. To enable ActiveSync for everyone, I ran a utility to enable that option on every staff account. That seemed to work as several users got their mobile device working, including me.
So when other users could not connect, I did some troubleshooting and I knew the settings worked. What I discovered when digging deep into an Apple iOS device was that the old SSL certificate was there but the new SSL certificate was not. That led me to believe that the old SSL was cached and would not be replaced by the current SSL certificate. I looked everywhere for answers and even contacted Apple support. Nobody was of help.
So today I had an iPad on which we did a complete reset and still nothing. I even checked and only the new certificate was in place. Well, my idea that the certificate was the root cause was not the answer.
So I fell back on the idea of the permission not being set on this user's account. Sure enough it was not set. While I could see it might have gotten missed, it didn't make sense that dozens and dozens of users were missed. But sure enough, everyone I checked didn't have that permission. More checking showed that even a couple of known users who were working didn't have that permission set either. This included me.
So some more digging and good use of Google allowed me to find the answer. Microsoft believes that setting is a security risk for anyone with elevated privileges beyond the common lowly user. Microsoft believes this so much so that they have an automated routine which runs quietly in the background removing the permission. It runs once per hour. So all of the permissions I set were gone.
Oh boy...
The workaround is to enable the permission and have the user immediately set up their mobile device. The good news is once it is working, removing the permission doesn't seem to matter. So if you want your mobile device to work, bring it in when you come pick up your PC this week. Early adopters can call me at extension 1040. Just be ready to configure your device.
Seems crazy but just one of those whack things Microsoft has done. We will work through it with a little patience.
Jim, Network Services Manager
Thank you for digging! I didn't understand how yours was working and mine wasn't, with the same settings.