We've been testing Outlook Mobile Access (OMA) and have found that our users' passwords are being cached. How do we control this behavior?
Well, that depends on your users' phones. Here's the situation: OMA uses Basic Web authentication over Secure Sockets Layer (SSL) to send an authentication request to users' mobile devices, which then can either prompt the users for credentials or return a cached set of credentials. To prevent the annoyance of needing to continually retype your password on a 10-key numeric pad, most cell-phone manufacturers include some kind of caching mechanism in their phones.
OMA isn't the one caching authentication information, so you can do nothing on the server side to prevent the behavior you describe. Whether you can clear the cache and stop the behavior depends on the phone. Some newer phones (e.g., Sony Ericsson's T610) include a separate password cache that has a shorter lifetime than the phone's typical cache. Contact the manufacturers of your users' phones to determine whether you can control those phones' caching behavior.