Brace yourself for a surprise: there’s at least one major bug in Apple’s Exchange ActiveSync client in iOS 6.
cue shocked silence…
This is not surprising, of course; EAS is a fairly complex protocol and Apple has displayed a somewhat cavalier attitude towards verifying that their EAS clients behave properly. If you don’t believe me, all you have to do is look at this list of known EAS issues with third-party devices and see how many of them involve iOS.
Anyway, the latest widely reported issue is that meetings sometimes appear to be hijacked– Alice will send out a meeting invitation to Bob and Carole, but somehow Carole will end up as the meeting organizer, thus gaining the ability to cancel or change meetings.
The hijacking bug isn’t the only one; users have reported a few other iOS 6 EAS issues, including its apparent failure to handle the case where the user’s primary SMTP address is different from the user name (e.g. an SMTP address of firstname.lastname@example.org coupled with a UPN of email@example.com, for example), but these other issues all have easy workarounds; meeting hijacking is the most pestiferous.
The usual pattern for these bugs is fairly predictable:
- Apple (or another EAS licensee) releases an update.
- People start complaining in various fora that some EAS-related functionality is broken. However, these reports are only rarely made directly to either Microsoft or the vendor.
- A critical mass of reports accumulates and begins to draw attention. This is often accelerated by the opening of support cases with either Microsoft or the ISV.
- The source of the problem is identified, a resolution is developed, and everything is fixed.
- GOTO 1
Now, stop laughing. That really is what usually happens. Note that Microsoft’s hands are somewhat tied during this process. Until they get feedback from customers that something is broken, they can’t very well investigate it. I imagine that it is very frustrating for the EAS team to see people blaming Exchange for what end up being bugs in the EAS client implementation. But I digress.
Tony points out a few nuances of how the process works, including suggestions for figuring out which devices are actually in use. (Note that one improvement in iOS 6 is that it reports a value for the DeviceOS property returned by Get-ActiveSyncDeviceStatistics; older versions just left that field blank.) Leaving that aside, though, it’s interesting to consider what’s known about the calendar hijacking bug. The best explanation I’ve seen, ironically, comes from the Z-Push development team. (Z-Push, you may recall, is an open-source EAS implementation that has nothing to do whatsoever with Exchange.) However, they are apparently first to market with a public explanation of the problem with iOS 6 that causes meeting hijacking. I won’t repeat it here; it’s worth reading the original. The root of the problem appears to be that iOS 6 emits meetings with zero attendees, and that Exchange accepts these as valid. I’m not sure whether Exchange’s acceptance is a desired behavior or not but I’m pretty sure that the device should never be emitting a zero-attendee meeting. It’s possible that there are cases where this is not true, which is why the Z-Push folks are holding their patch in QA for now instead of pushing it into the main tree of their product.
The tricky issue here, of course, is how to get the problem fixed for those of us who aren’t using Z-Push. Microsoft could conceivably make a change to Exchange’s business logic for calendar items, preventing ill-formed meeting items from being propagated. Apple could likewise fix their client so that it doesn’t send out ill-formed items in the first place. Both sides have an interest in providing a smooth EAS experience for iOS users, but each side has a different set of engineering and delivery constraints that make the process of actually getting the fix out to customers a challenge.
Microsoft hasn’t publicly said much about this bug, other than that it is being investigated. (And Apple, AFAIK, has said absolutely nothing about it, which is regrettably typical.) Your best bet is to keep an eye on KB 2563324 for updates so you’ll know when Microsoft believes they have a solid understanding of the problem and the best way to fix it.
Meanwhile, the Z-Push team claims that turning off the Exchange calendar attendant feature would eliminate the problem, at the cost of some useful functionality. The iOS 6 bug is rare enough in most environments that I’d advise living with it rather than giving up the attendant functionality, but that’s a choice you’ll have to make based on your users and their needs.
I wonder whether Emtrace’s MoxierMail client has this problem? I’ve got an evaluation copy but haven’t been able to evaluate it yet; might be time to move that up a couple of notches on the priority scale….
4 responses to “iOS 6 and Exchange ActiveSync misbehavior”
Pingback: iOS 6 and Exchange ActiveSync misbehavior | Paul’s Down-Home Page « JC’s Blog-O-Gibberish
Pingback: Dave Stork's IMHO : iOS6 and ActiveSync bug fixed in Zarafa.
Pingback: Exchange ActiveSync Issues with iOS6
Nice Post. From a security perspective I ask myself how it can be that an ActiveSync client can send faulty appointments that make other persons to meeting organizer… This seems to imply that an ActiveSync client somehow can tweak settings that should never be changeable from the clients side…