So, like many I'm sure, we decided as a company to block anyone using the new Outlook app for iOS and Android. We have over 10k ActiveSync devices that get mail, so we wanted to get out in front of this before it became a big issue. So we put a device access rule in place to block any connections coming in from that app on any device with this:
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block
This works well. We also get alerted anytime any new user tries to sync the app, and they get a nice email stating why we don't allow it.
Problem is we have several iOS (not Android) users who downloaded the app and started using it before this was put in place. They were all able to sync their email even after I put that device access rule in place. No problem, right? I can just kill the Exchange partnerships for those devices:
Get-MobileDevice -Filter{Devicemodel -like "Outlook*"} | ?{$_.DeviceAccessState -eq 'Allowed'} | Remove-MobileDevice -confirm:$false
Nope. They are STILL able to sync their email using that app.
I can run this command to see any Outlook app devices that are being allowed to sync, and it returns ZERO results, yet these users are still able to sync their email using this app.
Get-MobileDevice -Filter{Devicemodel -like "Outlook*"} | ?{$_.DeviceAccessState -eq 'Allowed'}
Again, this is only users who were using this app BEFORE we put the device access block in place.
What's really weird is if I open their account in EAC and look at their mobile devices, I can still see the Outlook app listed and it says access granted. Then if I try to delete it, it tells me that mobile device does not exist. I'm baffled. Probably open a case with MS on this but wanted to see if anyone else has come across this. Running Exchange 2013 CU7.
Rich
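
A read-only audit for the mismatch described in the post, added here as an example and not part of the original post: it walks every mailbox with an ActiveSync partnership and reports each Outlook-app device with its access state, the reason for that state, and its last sync times, instead of filtering on 'Allowed' only. The per-user allow/block list columns are an assumption about where else to look; the post does not identify a cause.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2013).
# Read-only: it changes no rules and removes no partnerships.
$pattern = 'Outlook*'   # same DeviceModel match the post's queries use

$report = Get-CASMailbox -ResultSize Unlimited `
              -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $cas = $_
        # Per-mailbox statistics include devices in every access state.
        Get-MobileDeviceStatistics -Mailbox $cas.Identity |
            Where-Object { $_.DeviceModel -like $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox           = $cas.Name
                    DeviceId          = $_.DeviceID
                    DeviceModel       = $_.DeviceModel
                    AccessState       = $_.DeviceAccessState
                    AccessStateReason = $_.DeviceAccessStateReason
                    LastSyncAttempt   = $_.LastSyncAttemptTime
                    LastSuccessSync   = $_.LastSuccessSync
                    # Assumption: per-user device ID lists are worth checking
                    # alongside the organization-wide device access rule.
                    OnUserAllowList   = $cas.ActiveSyncAllowedDeviceIDs -contains $_.DeviceID
                    OnUserBlockList   = $cas.ActiveSyncBlockedDeviceIDs -contains $_.DeviceID
                }
            }
    }

# Most recent successful syncs first: a device that still syncs after the
# block rule went in shows a LastSuccessSync later than the rule's creation.
$report | Sort-Object LastSuccessSync -Descending | Format-Table -AutoSize

# The block rule itself, for comparison with AccessStateReason above.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
```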