When an Exchange Online mailbox has the ActiveSync protocol disabled, you may find that the Outlook app for iOS and Android mobile devices is still able to connect to the mailbox to send and receive emails.

PS C:\> Set-CasMailbox dave.bedrat -ActiveSyncEnabled $false

The reason for this is the architecture of the Outlook app and the infrastructure it connects to. From TechNet:

Outlook for iOS and Android uses a stateless protocol translator component that is built and run in Azure. This component routes data and translates commands, but it doesn’t cache user data. The app is coded with the Outlook device API, a proprietary API that syncs commands and data to and from the app. Exchange Online data is accessed via the publicly available REST APIs. The protocol translator enables communication between Outlook and Exchange Online.

Outlook for iOS/Android Still Able to Connect After Disabling ActiveSync
Image via TechNet

Even when ActiveSync is disabled the REST API is still accessible by Outlook. To block access to the REST API we need to use a different method. There are a few approaches that we can use:

  • A device access rule to block Outlook for iOS and Android. This is an organization-wide block and requires you to manually approve Outlook app usage on a per-user basis for anyone who still needs to use it, so it may not be a practical approach if you’re just trying to block one user from having any mobile email access.
  • A client access rule to block REST API access. Client access rules can be targeted at specific users but managing the target list over time could be cumbersome. This approach also blocks all REST API access for the targeted users, not just the Outlook app.
  • Block the Outlook app using an EWS block list. This is the approach I’ll demonstrate here.

As I’ve previously written here, EWS policies can be used to block or allow specific applications on a per-user or per-organization basis. If you want to block Outlook app usage for the entire organization then you would use an organization-level EWS block list. Since this example scenario is for a user who has had the ActiveSync protocol disabled I will stick to the per-user option. As a side note, if your Office 365 tenant has any “K” (kiosk) licenses then the organization-level EWS controls will not work, and you’ll need to use per-user EWS controls.

First, let’s take a look at the mobile device association that shows Outlook connecting to the REST API.

PS C:\> Get-MobileDevice -Mailbox "Dave Bedrat" | Where {$_.FriendlyName -like "Outlook*"} | Select DeviceModel,DeviceUserAgent,DeviceAccessState,ClientType

DeviceModel        : Outlook for iOS and Android
DeviceUserAgent    : Outlook-iOS/2.0
DeviceAccessState  : Allowed
ClientType         : REST

Next, let’s look at the EWS configuration for the mailbox.

PS C:\> Get-CASMailbox "Dave Bedrat" | Select *EWS*


EwsEnabled                 : True
EwsAllowOutlook            :
EwsAllowMacOutlook         :
EwsAllowEntourage          :
EwsApplicationAccessPolicy :
EwsAllowList               :
EwsBlockList               :

To block EWS access for the Outlook app we need to block the user agent. The iOS version of Outlook currently has a user agent of “Outlook-iOS/2.0” (shown above), and the Android version uses “Outlook-Android/2.0”. Earlier versions had a user agent of “Outlook-iOS-Android/1.0” for both platforms, so we can expect the user agent to change in future as the version number increments. As such, it’s best to use a wildcard in the EWS block list. The example below will block the original user agent, the current user agents for both platforms, and any future user agent strings that follow the same pattern.

PS C:\> Set-CASMailbox "Dave Bedrat" -EwsBlockList @{Add="Outlook-iOS/*","Outlook-Android/*"}

Another look at the EWS configuration for the mailbox shows the two user agents have been added to the block list, and the EwsApplicationAccessPolicy option is now set to EnforceBlockList.

PS C:\> Get-CASMailbox "Dave Bedrat" | Select *EWS*


EwsEnabled                 : True
EwsAllowOutlook            :
EwsAllowMacOutlook         :
EwsAllowEntourage          :
EwsApplicationAccessPolicy : EnforceBlockList
EwsAllowList               :
EwsBlockList               : {Outlook-Android/*, Outlook-iOS/*}

This change doesn’t take effect immediately. In my demo environment it took about 30 minutes before the Outlook app on my iPad stopped retrieving new emails. The access token life is 1 hour by default though, so you should expect it to take at least that long.

To reverse the block, remove the two user agents from the block list, and if there’s no more block list entries you can also null the EwsApplicationAccessPolicy.

PS C:\> Set-CASMailbox "Dave Bedrat" -EwsBlockList @{Remove="Outlook-iOS/*","Outlook-Android/*"}

PS C:\> Set-CASMailbox "Dave Bedrat" -EwsApplicationAccessPolicy $null

As one last point to keep in mind, the DeviceAccessState for the mobile device association won’t change from Allowed to Blocked when you use an EWS block list.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

    1. Marvin

      Did you ever figure out how to do this with an E3 license?

  1. Dan LeBaron

    I have set the this policy to only allow these agents to connect using the EnforceAllowList, but Apple Mail can still connect. Am i missing something?

    Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList -EwsEnabled $true -EwsAllowList @{add=’WorxMail/*’, “Microsoft Office/*”, “Microsoft+Office/*”, “UCCAPI/*”, “OC/*”, “Mozilla/*”, “*Teams/*”}

  2. John Sdao

    I’m 2016 trying to block specific connections with the STEM of /EWS in the attempt to block clients that present a specific user string.

    Set-CASMailbox –identity USER–EWSApplicationAccessPolicy:EnforceBlockList –EWSBlockList:”AppleExchangeWebServices/*”,”MacOutlook/14*”,”MacOutlook/15*”,”MacOutlook/16*”,”Mac+OS+X/*”,”Airmail*” –EWSAllowOutlook:$True –EWSAllowMacOutlook:$true –EWSAllowEntourage:$false –EWSEnabled:$true

    Dredging the IIS logs and testing mac for outlook 16 I see sc_status of 200 and I can still login.

    Is there something I’m missing. You stated that there is a possible delay of 1 hour. Does IIS need to be restarted?

    Our goal is to set this at the CASMBX role and not ORG for flexibility reasons. Does that make a difference?

    1. John Sdao

      It appears that EWSAllowMacOutlook must be set false to block MAC for outlook clients. The EWSBlock list does not honor agent strings. I could be wrong, but in testing that is my experience.

  3. Ozzy Ornelas

    Is there a way to run report to find all users that are using Outlook-iOS/*”,”Outlook-Android/* on their phone?

  4. Julian

    I’ve got a few Exchange Online P1 users that should use esclusively Outlook for Desktop.
    I do not have Intune nor conditional access available.
    I want the configuration to be very simple to maintain for coworkers so I do not want to use PowerShell.

    I’ve disabled ALL email apps (protocols ) but MAPI from Microsoft 365 Admin Center on a test mailbox.
    I’ve also disabled OWA for Devices in Exchange Admin Center.

    I know that disabling EWS on a mailbox removes some functionality in Outlook for Desktop and I accept it.

    PS C:\> Get-CASMailbox “Test” | Select *EWS*
    EwsEnabled : False

    The issue is that even now I can add account and read mail for the mailbox “Test” via Outlook for Android.

    Any ideas, anyone ?

    OutlookMobileEnabled, which is not exposed in Admin Center, really does something ?

    Thank you.

    1. Alan Cox

      I prefer to use set-casmailbox user@domain.com -OutlookMobileEnabled $False (after about 30 minutes, they will get a block message).

  5. Jimi

    You are simply the best. thank you for your help.

  6. Davi Castro

    Hi,

    When I execute
    Set-CASMailbox xxx -EwsBlockList @{Add=”Outlook-iOS/*”,”Outlook-Android/*”}

    Return
    EwsEnabled : True
    EwsAllowOutlook :
    EwsAllowMacOutlook :
    EwsAllowEntourage :
    EwsApplicationAccessPolicy : EnforceBlockList
    EwsAllowList :
    EwsBlockList : {Outlook-Android/*, Outlook-iOS/*}

    But, App keeps working.

    1. Ryan Hutchings

      Same here. I’ve cleared, re-added these settings. I’ve removed / re-added Outlook for Android – still works depsite the above settings.

  7. swapnil

    I want to restrict ios and OL app onmobile devices for specific users –
    When I started with

    When I execute

    Get-MobileDevice -Mailbox “Swapnil” | Where {$_.FriendlyName -like “Outlook*”} | Select DeviceModel,DeviceUserAgent,DeviceAccessState,ClientType

    I don’t get any results

  8. Swapnil

    Hello Champ,

    -I want to restrict ios and OL app onmobile devices for specific users –
    When I started with

    Get-MobileDevice -Mailbox “Dave Bedrat” | Where {$_.FriendlyName -like “Outlook*”} | Select DeviceModel,DeviceUserAgent,DeviceAccessState,ClientType

    I don’t get results

    2) ClientType is showed as : EAS , Instead of REST

    PS C:\windows\system32> Get-MobileDevice -Mailbox v-9sjosh

    DeviceUserAgent : Apple-iPhone9C2/1601.366
    DeviceModel : iPhone9C2
    ClientVersion : 16.1
    ClientType : EAS

  9. Dennis

    This is an on premise 2013 Exchange.

    Thanks in advance for any valuable suggestions.

  10. Dennis

    Hi,

    I want to create a ActiveSync device access rule based on the accepted smtp domains as we have multiple accepted domains. One of the accepted domain should have block rule by default and the other accepted domains should allow any devices to connect the ActiveSync.

  11. Kirk Frankovich

    Paul,

    Thanks again for the help. I have opened a case with Microsoft because I have a situation where I have two iPhones, each with the latest Outlook for iOS, that are able to access my account in O365 but do not show up when I run a get-mobiledevice. Not sure if you have ever seen anything like that but that is the current situation I am in. My other two mail clients I am testing (native and nine) work fine. I’ll post back once MS has figured something out.

    1. Silverfun

      Kirk,

      Did MS ever find out why a couple of your users could see your mailbox? I am running into this issues as well now.

  12. Kirk Frankovich

    Hi Paul,

    First off thank you for not only this information but for your entire site. I refer to it often.

    Above you mention the following: “Outlook respects some ActiveSync policy settings (e.g. device access rules, mobile device mailbox policies). But once it’s connected to a mailbox it uses the REST APIs for it’s comms, not EAS.”

    Are you aware of any documentation that states exactly what it respects? Also…do you know if it should still show up under get-mobiledevice or get-casmailbox (does it still generate an activesyncdeviceID even though it uses REST for data access)?

  13. Joel

    We have been using this method for a few months now and it works well. However we have discovered a user connecting to her O365 mailbox even with {Outlook-Android/*, Outlook-iOS/*} defined in the EWSBlockList, EwsApplicationAccessPolicy set to “EnforceBlockList” and with EAS disabled. The O365 audit logs show “Client Info String: Client=Microsoft.Exchange.WebServices; Email/1.9.9 (iPhone; iOS 11.3)”. I can’t figure out what “Email/1.9.9” is. I suppose it could be some other mail app. Would it be bad to set “EwsEnabled” to “False” on mailboxes to prevent any connections over EWS?

  14. Rahul

    Hello All,

    I just want to block my team members (few selective users) from able to access SKYPE ON MOBILE. In short, these selective users should not be able to login/access Skype from their mobile device like iPhone or Android.

    Please tell me all possible steps and tips.

    Note: they should have access to install Outlook app in mobile. Just and only want to block Skype on mobile.

    We are currently on Office 365, cloud.

    Please reply at the earliest.

    Thanks,

    1. Avatar photo
      Paul Cunningham

      You can use Azure AD conditional access to block mobile apps from accessing Office 365 services.

  15. Teja

    In our environment, the user agent doesn’t necessarily follow one string format. Would it be possible to simply use “*” in the EWSBlockList to block ALL apps being used for email on mobile devices?

    I’m fairly certain it does since it seems wildcards are accepted, but just want to make sure I’m thinking of this correctly.

    Thank you for your excellent post!

    1. Avatar photo
      Paul Cunningham

      Not sure if that’s the best way to achieve that. Instead of using the block list you can switch it to use an allow list, and only allow specific strings.

      But, as always, test your theory and see if it suits your needs.

  16. Sam Azim

    Hey Paul,

    Thanks for this informative post. I do have a question for you though. Can this approach also be applied to the mobile OneDrive App while retaining the ability to do it per user? or a different approach would be required?

    1. Avatar photo
      Paul Cunningham

      I don’t understand your question. OneDrive doesn’t connect to ActiveSync or EWS. You can control OneDrive app connections through the OneDrive admin portal, by using Intune app policies, or by using Azure AD conditional access rules.

  17. Jeremy

    I am confused with how Outlook for iOS and Android is still blocked if the default organization setting is set to block and then can be allowed using a device access rule, since these settings are ActiveSync settings.

    I wonder if there are tenant settings or Organization Config settings that tell the app which protocol to use? In my current trial tenant it seems Outlook mobile uses ActiveSync and not EWS or REST. Modern Authentication is enabled and MFA is enabled on all users, as a confirmation that Modern Auth. is being used.

    Any thoughts on this? In my case , disabling ActiveSync globally as a means to only allow the Outlook app to work was a seemingly decent approach. But if Outlook app won’t use EWS/REST then it will be blocked too.

    1. Avatar photo
      Paul Cunningham

      Outlook respects some ActiveSync policy settings (e.g. device access rules, mobile device mailbox policies). But once it’s connected to a mailbox it uses the REST APIs for it’s comms, not EAS.

  18. MM

    Hi Paul,

    Is the following Outlook iOS app info accurate?

    Exchange Version: Protocol Port

    Exchange On-Premises 2016 CU6-8: EAS 443
    Exchange Online: REST/EWS 443

    Thanks,

    MM

  19. Jean

    Hi Paul,

    So, do “Mobile device mailbox policies in Exchange Online” apply for EWS access? We are using the Outlook app instead of the native ActiveSync client to access corporate email, but we need to enforce PIN and encryption on Mobile devices (BYOD) , we have a Default policy configured but it doesn’t work. There is another specify configuration for device policies for EWS?

    Thanks!

    1. David

      Same exact question as Jean above.

      1. Avatar photo
        Paul Cunningham

        Mobile device mailbox policies do not apply to EWS.

        To enforce policies in this scenario you would need to look at an MDM solution such as Intune.

  20. Barry

    Hi Paul,

    With ActiveSync DefaultAccessLevel set to Quarantine, i’m notified everytime someone tries to configure his email account on a mobile device using activesync, and i have the choice to block or allow that device.
    But with EWS i don’t have that possibility. For Example, this morning i have configured my email account on Spark Mail App on iphone. I was able to access my emails and i received no notifications (as admin) that someone was accessing his emails with a mobile device. So is there a way to quarantine by default all devices using EWS ?

    Thanks.

    1. Barry

      I just wanto to add also that the Spark email app is not event listed in the device list when using the command Get-MobileDevice.

      1. Avatar photo
        Paul Cunningham

        EWS is not ActiveSync, so the ActiveSync controls and things like quarantine do not apply to EWS, nor will an EWS connected device show up in the output of Get-MobileDevice which is an ActiveSync-related cmdlet.

  21. mark fuller

    hi there

    thanks for the info excellent post , do you happen to know what you need to enter for stopping the windows mail app?

    1. mark fuller

      hi

      just found it, its microsoft.windowscommunicationsapps

  22. Rocmail520

    Thanks for the valuable information Paul but I have few things to clear:
    1st: why OL app is forcing to use MS Authenticator app
    2nd: not able to setup account on updated version which was released a week ago.
    3rd: how can I verify If rest API is blocked or allowed ?
    4th: what role does EAS play for this app

    Thanks in advance.

    1. Avatar photo
      Paul Cunningham

      For #1, if you’re using Exchange Online then it’s possible there is an Intune or conditional access policy being applied to your access.

      #2 – no idea, but could be related to #1

      #3 – REST API is accessed via EWS. In the article above I demonstrate EWS block lists, and also mention client access rules that can be used to restrict EWS access in Exchange Online (search for TechNet article on that topic)

      #4 – EAS is not used by the Outlook app to connect to Exchange Online mailboxes. It is used for on-premises mailboxes though.

  23. Jonathan

    For federated accounts what are your thoughts on a fourth option, namely applying ADFS claims rules to block access to the legacy protocols?

    1. Avatar photo
      Paul Cunningham

      If it works for you and you prefer doing it that way then I see no problem with it.

  24. Aravind

    Hi Paul,

    Will this outlook for Android app issue is included for On-premises Exchange 2013 as well.

    Could you please clarify.

    Thanks in Advance

    Regards,
    Aravind

Leave a Reply