our ADFS masters have turned on the ADFS smartlockout feature with x# of tries before lockout.
It looks that the device is doing multiple ActiveSync requests with the old cached password and then when the app realise that the password has changed and ask user for it, the ADFS smartlockout already locked the device authentication and restricted the possibility for the device to log in for some preset of time.
I really doubt that we can change the numbers of tries, but I want to ask anyway.
Are you using exchange on prep or exchange online?
With hybrid configuration or EXO only you can use “modern auth” which I believe will resolve the issue.
Else you can look at certificate based authentication which will also address the problem.
CBA is supported by boxer.