Guest post by Shawn Liu
An issue encountered by some users is when trying to access OWA published by UAG via mobile devices and downloading attachments. With some platforms, the user may receive an error saying “According to your organization’s download policy, the requested download is not allowed.”
If an email has multiple attachments, on iOS and Android devices, the first attachment might fail to download, while the other attachments download fine. On Windows Phone devices, none of the attachments can be opened.
While the error seems to suggest this is caused by incorrect endpoint policy settings, the issue persists even if we set all of the access, download and upload policies for the OWA application to Always as seen below:
The cause for this is the fact that some UAG scripts for OWA are using hard-coded policies. For Exchange 2010 OWA, the script will be checking the Microsoft OWA 2010 Download and Microsoft OWA 2010 Upload policies, no matter what is actually configured in the applications properties.
By default, those 2 policies are set to Never for the Linux and Other platforms, and since all mobile devices are classified as Other (as discussed in the blog post http://blogs.technet.com/b/ben/archive/2010/05/25/phones-be-gone.aspx), the policy applies and the attachments are blocked.
To work around the issue, you need to edit the endpoint policies themselves, instead (or in addition) to assigning different policies to the application. Edit either or both download or upload, and configure the policy for the Other platform to Always, as seen below:
A similar issue may also happens when a mobile device tries to download or upload some attachment from a UAG published SharePoint sites. If you have seen this error, you may need to edit the corresponding policy of your SharePoint version to set the policy for the Other platform to Always. E.g. for SharePoint 2010 sites, edit the policy “Microsoft SharePoint Server 2010 Download” and “Microsoft SharePoint Server 2010 Upload”.
Shawn Liu – Support Engineer, Microsoft APGC Security Support Team
Thanks for this informative post. Have you tested this on Exchange 2013?
When publishing OWA on UAG with Exchange 2013 wizzard, I still get the "According to your organization’s download policy, the requested download is not allowed." error message after editing the "Microsoft OWA 2013 Download" policy to include "Other: Always".
I am having the same issue as Tom. I am pulling my hair out trying to figure this out.