If you’re using OMM to configure EAS (Exchange ActiveSync) profiles, note that the Apple iOS 10 release has introduced an issue affecting OMM’s ability to perform Password Sync for EAS profile updates on iOS devices. This is also an intermittent issue with iOS 9.
EAS updates add a new EAS profile which is installed on the iOS device, removing the existing one. The password sent with the new profile is not retained by the device. As a result, end users cannot authenticate with the email service to access email, contacts, etc. This problem occurs only on EAS updates and does not occur on initial configurations of EAS by OMM.
End users enrolled in OMM are impacted by this issue when any of the following events occur:
- When a password change is initiated by an end user or admin. End user password changes can be triggered by Password Sync agents and/or Password Push in Okta.
- Any change to the EAS configuration by an Okta admin, such as a profile name.
- When an end user signs out from Okta Mobile and then signs back in again.
We are treating this as a high-priority issue and have reported the issue to Apple.
- Configure Office 365 EAS certificate-based authentication for iOS devices if appropriate for your environment. This feature allows users enrolled in Okta Mobility Management (OMM) to authenticate to iOS native apps without entering their credentials.
Alternatively:
- Instruct your end users to re-enter their EAS password after any subsequent configurations of EAS mail. From their device, go to Settings > Mail > Accounts > mail account > user account > add the password.
- Admins can remediate EAS updates triggered by Password Sync agents by disabling them; however, end users are still required to enter the EAS password manually whenever an EAS update occurs.