How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise

Friday, February 12, 2010
I've been working on a solution for quite a while to securely deploy iPhones in the enterprise.  

This solution should work exactly the same way on the Apple iPad and should port fairly easily to the Droid and other non-Microsoft ActiveSync-enabled phones, with some minor changes.


Update: I've tested these procedures on iPhone OS4 and everything works as expected. No changes need to be made to the existing procedures - it all works fine.


I'll be writing a seven-part series of articles that document all the steps. I'm sure there are other ways to do this, but I can assure you, none of them are documented. (Hint to Apple: This is not documentation, and neither is the iPhone Enterprise Deployment Guide.)

In the scenario I'll be documenting, the customer wants to configure Exchange ActiveSync to provide mobile access to email, calendars and contacts for iPhone users.  To make it more challenging (and slightly more complicated), the customer has Exchange 2003 mailbox servers with Exchange 2007 or 2010 Client Access Servers.

The requirements for deployment are as follows:
  • Only authorized ActiveSync users can access their Exchange email, contacts and calendars
  • Only authorized devices (iPhone 3GS or better, iPads) are allowed to use Exchange ActiveSync
  • Ability for users to configure/reconfigure ActiveSync for their iPhones over the air
  • Information stored on the iPhone must be encrypted
  • Capability to remotely wipe iPhones in the event of a security breach (wipes performed by end user or authorized administrator)
  • Easy roles-based administration
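
As an added example (not part of the original post), here is how the requirements above translate into an Exchange ActiveSync mailbox policy in the Exchange Management Shell, using Exchange 2007 SP1 / 2010 cmdlets. The policy name and the mail-enabled group that holds the authorized users are assumptions:

```powershell
# Added example, not from the original post: express the deployment
# requirements as an ActiveSync mailbox policy and assign it only to the
# authorized users. Policy name and group name are assumptions.

$policyName = 'iPhone-Secure'   # assumed policy name
$easGroup   = 'EAS-Users'       # assumed mail-enabled security group

# One setting per requirement. RequireDeviceEncryption turns on on-device
# encryption on a 3GS/iPad; together with AllowNonProvisionableDevices = $false
# it refuses handsets that cannot enforce the policy (an original iPhone or
# iPhone 3G has no hardware encryption and is therefore kept off EAS).
$settings = @{
    DevicePasswordEnabled           = $true
    AllowSimpleDevicePassword       = $false
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = '00:05:00'
    MaxDevicePasswordFailedAttempts = 10            # local wipe after 10 bad PINs
    DevicePasswordExpiration        = '90.00:00:00'
    DevicePasswordHistory           = 5
    RequireDeviceEncryption         = $true
    AllowNonProvisionableDevices    = $false
}

if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName | Out-Null
}
Set-ActiveSyncMailboxPolicy -Identity $policyName @settings

# Only authorized users: group members get EAS with this policy,
# every other mailbox that still has EAS on gets it switched off.
$allowedDNs = Get-DistributionGroupMember -Identity $easGroup -ResultSize Unlimited |
              Where-Object { $_.RecipientType -like '*Mailbox*' } |
              ForEach-Object { $_.DistinguishedName }

foreach ($dn in $allowedDNs) {
    Set-CASMailbox -Identity $dn -ActiveSyncEnabled $true -ActiveSyncMailboxPolicy $policyName
}
Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true } |
    Where-Object { $allowedDNs -notcontains $_.DistinguishedName } |
    Set-CASMailbox -ActiveSyncEnabled $false

# Remote wipe by an administrator (end users can do the same from OWA).
# DeviceId is the value shown by Get-ActiveSyncDeviceStatistics.
function Invoke-EasRemoteWipe {
    param([string]$Mailbox, [string]$DeviceId)
    Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
        Where-Object { $_.DeviceID -eq $DeviceId } |
        ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -Confirm:$false }
}
```

After a device has synced once, Get-ActiveSyncDeviceStatistics -Mailbox for that user shows DevicePolicyApplied and DevicePolicyApplicationStatus; anything other than AppliedInFull means the device did not accept the policy, and with AllowNonProvisionableDevices set to $false such a device is refused rather than allowed to sync unmanaged.
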
Summary of the Solution
ActiveSync will be configured to use Basic Authentication over SSL and to require client certificates. An iPhone configuration profile will be created and "married" to each iPhone, so that it cannot be used on any iPhone other than the one it was configured for. The profile will include the user certificate and its private key, which is why the profile must only ever be delivered over HTTPS to an authenticated user. ActiveSync policies will be used to configure the iPhone to comply with corporate security policies.

The next step is to publish the same user certificate to each ActiveSync user in Active Directory, that is, into the userCertificate attribute of the user object. This is what enables certificate-based authentication for ActiveSync. I'll list a few ways this can be done programmatically with scripts.

Finally, the user needs a way to install the profile. This will be done with a website that the user opens in Safari on the iPhone.
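
The three steps above, as one added example that is not part of the original post or the author's own scripts: run in an Exchange Management Shell that also has the Windows Server 2008 R2 ActiveDirectory module available, it publishes the shared EAS user certificate into the userCertificate attribute of every EAS-enabled user and then writes a .mobileconfig per user into the folder the enrollment website serves. Each profile carries the PKCS#12 identity and an Exchange ActiveSync account payload that references it by PayloadCertificateUUID. File paths, the host name, the payload identifiers and the folder name are assumptions; the per-device binding ("marrying") the post describes is not shown here.

```powershell
# Added example, not from the original post. Assumed paths and names below.
Import-Module ActiveDirectory

$cerPath = 'C:\EAS\easuser.cer'        # public certificate only (assumed)
$p12Path = 'C:\EAS\easuser.p12'        # certificate + private key, password protected (assumed)
$webRoot = 'C:\inetpub\easprofiles'    # folder the enrollment site serves (assumed)
$easHost = 'mail.example.com'          # name the iPhones connect to (assumed)
$p12Pass = Read-Host 'PKCS#12 import password'   # lets the device import the identity

$cert       = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$certB64    = [Convert]::ToBase64String($cert.RawData)
$p12B64     = [Convert]::ToBase64String([IO.File]::ReadAllBytes($p12Path))
$p12PassXml = [System.Security.SecurityElement]::Escape($p12Pass)
$certUuid   = [guid]::NewGuid().ToString().ToUpper()   # same identity in every profile
$utf8NoBom  = New-Object System.Text.UTF8Encoding $false

function New-Uuid { [guid]::NewGuid().ToString().ToUpper() }

$easUsers = Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true }
foreach ($cas in $easUsers) {
    $user = Get-ADUser -Identity $cas.DistinguishedName -Properties userCertificate

    # 1. Publish the certificate on the user, skipping users who already have it.
    $present = @($user.userCertificate | Where-Object { [Convert]::ToBase64String($_) -eq $certB64 })
    if ($present.Count -eq 0) {
        Set-ADUser -Identity $user -Certificates @{ Add = $cert }
    }

    # 2. Write the profile. The EAS payload deliberately has no Password key,
    #    so the device prompts the user once for the AD password that Basic
    #    authentication uses; the client certificate comes from the PKCS#12 payload.
    $profile = @"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.eas.$($user.SamAccountName)</string>
  <key>PayloadUUID</key><string>$(New-Uuid)</string>
  <key>PayloadDisplayName</key><string>Corporate Email</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.eas.identity</string>
      <key>PayloadUUID</key><string>$certUuid</string>
      <key>PayloadDisplayName</key><string>EAS client certificate</string>
      <key>Password</key><string>$p12PassXml</string>
      <key>PayloadContent</key><data>$p12B64</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.eas.account</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.eas.account</string>
      <key>PayloadUUID</key><string>$(New-Uuid)</string>
      <key>PayloadDisplayName</key><string>Exchange ActiveSync</string>
      <key>Host</key><string>$easHost</string>
      <key>SSL</key><true/>
      <key>UserName</key><string>$($user.UserPrincipalName)</string>
      <key>EmailAddress</key><string>$($cas.PrimarySmtpAddress)</string>
      <key>PayloadCertificateUUID</key><string>$certUuid</string>
    </dict>
  </array>
</dict>
</plist>
"@
    $outFile = Join-Path $webRoot ("{0}.mobileconfig" -f $user.SamAccountName)
    [IO.File]::WriteAllText($outFile, $profile, $utf8NoBom)
}
```

Because every file in that folder contains the private key and its import password, the enrollment site must require HTTPS and authenticate the user before serving it, and should serve the file with the Content-Type application/x-apple-aspen-config so that Safari hands it to the profile installer. Get-ADUser with -Properties userCertificate is a quick way to confirm the certificate actually landed on a given user before turning on certificate authentication.
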



The solution requires a certificate authority (CA) that can issue a single user certificate. The CA can be an internal stand-alone CA or an ADCS enterprise CA. I prefer Windows Server 2008 R2 ADCS for the CA, but any CA will do.

More to Come...
I'll break each of these steps down into separate phases. There's a fair amount of detail in each step, and I'll include troubleshooting and gotchas as I go, but this has worked out to be a secure and easy-to-manage solution.


Articles in this series:
I've also created a complete PDF document version of all the phases here.

11 comments:

  1. Hi Jeff
    This sounds good, as it is similar to a requirement I have. My Exchange server is on a Windows 2003 SBS, but access is via a Cyberguard firewall. What must I do to enable my iPhone to get past the firewall to the server? Is it just port forwarding, and if so, which port? 445?
    Rod Rocket

  2. Highly interesting topic Jeff - and you're right; Apple isn't anywhere near providing actual documentation. (Their guide should almost be labeled foilware...)
    I covered parts of SCEP (for device certificates) and the over-the-air provisioning process over at my blog (http://mobilitydojo.net/2010/01/20/sinking-our-teeth-into-scep/), but I didn't cover the entire scenario like how to setup the CA, and configuring ISA and/or Exchange. From your description it looks like you might be looking at cradling the iPhones and using iPhone Configuration Utility, or accessing the certsrv site via WiFi, am I right?
    Anyways, looking forward to proper documentation of how this should be done :)

  3. Now when iPhone 4.0 has been released I tested all the ActiveSync policies to see which ones that worked. Here's a summary: http://www.sysadminlab.net/activesync/iphone-os-4-and-exchange-activesync-policies-what-really-works

  4. Loved the article, but was wondering if there is a way to provide the web page via ISA Server?

  5. Your document is very clear and detailed, however we can't get auth to work. I think we are missing something in the Exchange server setup or maybe AD. Whenever we turn on the "require cert auth" in Exchange, our phones get an error that they can't connect to the mail server. The cert generation part is different too; I don't see an option to put in the company name and most of that other stuff. Any ideas?

  6. Excellent stuff. My question:

    How do you deal with 90-day password changes in AD, and the iPhone user being locked out? Is there a technical solve for this?

  7. EAS does not offer any mechanism for users to change their expired password or unlock their account. The user will need to change their expired password using normal channels (logging in from a domain joined workstation or using OWA, assuming it's configured to do so).

  8. Thanks Jeff for the insightful step-by-step guide. Was wondering if you had any thoughts on how this might change if we used Cisco ASA SSL VPN with two-factor authentication?

  9. If you need to access EAS over the ASA VPN, they will still need to do that. The solution presented would still not change.

  10. How does Exchange authenticate the user? If a user exports the certificate out from the device and creates a new profile, can he pretty much impersonate any other user who has been set up this way?

  11. Can the IT department snoop on someone's photos, GPS coords, text messages, app usage, etc.? When the user brings a BYOD to allow the IT staff to install ActiveSync?
