This solution should work exactly the same way on the Apple iPad and should port over fairly easily to the Droid and other non-Microsoft ActiveSync-enabled phones, with some minor changes.
Update: I've tested these procedures on iPhone OS4 and everything works as expected. No changes need to be made to the existing procedures - it all works fine.
I'll be writing a 7-part series of articles that document all the steps. I'm sure there are other ways to do this, but I can assure you, none of them are documented. (Hint to Apple: This is not documentation, and neither is the iPhone Enterprise Deployment Guide.)
In the scenario I'll be documenting, the customer wants to configure Exchange ActiveSync to provide mobile access to email, calendars and contacts for iPhone users. To make it more challenging (and slightly more complicated), the customer has Exchange 2003 mailbox servers with Exchange 2007 or 2010 Client Access Servers.
The requirements for deployment are as follows:
- Only authorized ActiveSync users can access their Exchange email, contacts and calendars
- Only authorized devices (iPhone 3GS or better, iPads) are allowed to use Exchange ActiveSync
- Ability for users to configure/reconfigure ActiveSync for their iPhones over the air
- Information stored on the iPhone must be encrypted
- Capability to remotely wipe iPhones in the event of a security breach (wipes performed by end user or authorized administrator)
- Easy role-based administration
ActiveSync will be configured to use Basic Authentication over SSL and require client certificates. An iPhone configuration profile will be created and "married" to each iPhone, preventing it from being used on any other iPhone than the one it is configured for. The profile will include the user certificate and its private key. ActiveSync policies will be used to configure the iPhone to comply with corporate security policies.
The next step is to publish the same user certificate to each ActiveSync user in Active Directory. This will be used to enable certificate-based authentication for ActiveSync. I'll list a few ways that this can be done programmatically via scripts.
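As an added example (not code from the article or its later phases), the following PowerShell script uses the ActiveDirectory module to publish the one shared user certificate to every member of an ActiveSync users group, skipping anyone who already has it. The .cer path and the group name "EAS-Users" are assumptions; only the public certificate is written to AD, the private key stays inside the iPhone profile.

```powershell
# Added example (not from the article): publish one shared ActiveSync user
# certificate to every member of an AD group so it can be used for
# certificate-based authentication. Path and group name are assumed values.
Import-Module ActiveDirectory

$CerPath   = 'C:\certs\eas-user.cer'   # public cert exported from the CA (assumed path)
$GroupName = 'EAS-Users'               # assumed security group of authorized EAS users

# Load the certificate once; the .cer holds no private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.distinguishedName -Properties Certificates

    # Compare thumbprints so re-running the script is idempotent.
    $already = $user.Certificates |
        Where-Object { $_.GetCertHashString() -eq $cert.Thumbprint }

    if ($already) {
        Write-Host "$($user.SamAccountName): certificate already published"
        continue
    }

    # Adds to the multi-valued userCertificate attribute without touching other entries.
    Set-ADUser -Identity $user -Certificates @{Add = $cert}
    Write-Host "$($user.SamAccountName): published $($cert.Thumbprint)"
}
```

Run it from an account with write access to the user objects; check the result with `Get-ADUser <user> -Properties Certificates`.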
Finally, the user needs a way to install the profile. This will be done using a website that the user will open using Safari from the iPhone.
The solution requires a certificate authority (CA) server that can generate a single user certificate. The CA can be an internal stand-alone or ADCS CA server. I prefer Windows Server 2008 R2 ADCS for the CA, but any CA will do.
More to Come...
I'll break each of these steps down in separate phases. There's a fair amount of detail in each step and I'll include troubleshooting and gotchas as I go through it, but this has worked out to be a secure and easy to manage solution.
Articles in this series:
- Phase 1 - Building the ADCS server and Generating Certificates
- Phase 2 - Configuring ActiveSync and Active Directory
- Phase 3 - Publishing User Certificates to Active Directory
- Phase 4 - Creating the iPhone Configuration Profile
- Phase 5 - Creating the Web Site for iPhone Profile Deployment
- Phase 6 - End-User Deployment of the ActiveSync Profile
Hi Jeff
This sounds good, as it is similar to a requirement I have. My exchange server is on a Windows 2003 SBS, but access is via a Cyberguard firewall. What must I do to enable my iPhone to get past the firewall to the server? Is it just port forwarding, and if so, which port? 445?
Rod Rocket
Highly interesting topic Jeff - and you're right; Apple isn't anywhere near providing actual documentation. (Their guide should almost be labeled foilware...)
I covered parts of SCEP (for device certificates) and the over-the-air provisioning process over at my blog (http://mobilitydojo.net/2010/01/20/sinking-our-teeth-into-scep/), but I didn't cover the entire scenario like how to set up the CA, and configuring ISA and/or Exchange. From your description it looks like you might be looking at cradling the iPhones and using iPhone Configuration Utility, or accessing the certsrv site via WiFi, am I right?
Anyways, looking forward to proper documentation of how this should be done :)
Now when iPhone 4.0 has been released I tested all the ActiveSync policies to see which ones that worked. Here's a summary: http://www.sysadminlab.net/activesync/iphone-os-4-and-exchange-activesync-policies-what-really-works
Loved the article but was wondering if there is a way to provide the web page via ISA server?
Your document is very clear and detailed, however we can't get auth to work. I think we are missing something in the Exchange server setup or maybe AD. Whenever we turn on the "require cert auth" in Exchange, our phones get an error that they can't connect to the mail server. The cert generation part is different too, I don't see an option to put in the company name and most of that other stuff. Any ideas?
Excellent Stuff. My Q.
How do you deal with 90 day password changes in AD and the iPhone user is locked out. Is there a technical solve for this?
EAS does not offer any mechanism for users to change their expired password or unlock their account. The user will need to change their expired password using normal channels (logging in from a domain joined workstation or using OWA, assuming it's configured to do so).
Thanks Jeff for the insightful step-by-step guide. Was wondering if you had any thoughts on how this might change if we used Cisco ASA SSL VPN with two factor authentication?
If you need to access EAS over the ASA VPN, they will still need to do that. The solution presented would still not change.
How does Exchange authenticate the user? If a user exports the certificate out from the device and creates a new profile, can he pretty much impersonate any other user who has been set up this way?
Can the IT department snoop on someone's photos, GPS coords, text messages, app usage, etc.? When the user brings a BYOD to allow the IT staff to install ActiveSync