How to Securely Deploy iPhones with Exchange ActiveSync - Phase 4 - Creating the iPhone Configuration Profile

Tuesday, March 2, 2010
This is the fifth post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here. In this phase, we will create iPhone Configuration Profiles using Apple's iPhone Configuration Utility.  I will also show you how to embed the user certificate and private key into the profile and how to marry the profile to a specific iPhone. 

Let's get started.

First, you will need to download and install the Apple iPhone Configuration Utility (iCU).  The latest version as of this writing is version 2.2.0.185 and is the one I will use here.  The iCU only installs on Windows XP SP3 or Windows Vista SP1 or greater.  It will not install on Windows Server.  It also requires .NET 3.5 SP1.

Note: The iCU is not an enterprise class software program.  All the configurations, hardware profiles and configuration profiles are stored locally on the workstation in the %USERPROFILE%\Local Settings\Application Data\Apple Computer\MobileDevice folder.  For this reason, I recommend using a single workstation for iPhone management and backing up this folder and its subfolders to a network location periodically.

Begin the configuration process by logging into the workstation with the credentials used to request and install the user certificate created in Phase 1.  This user has the ActiveSyncUser user certificate stored in his/her personal certificate store.  It will be needed later in this process.

Before the iPhone can be configured it must be activated on the AT&T network.  This is performed using iTunes.  Simply launch iTunes, connect the new iPhone to the computer using the USB cable, and follow the iTunes Setup Assistant.  Once the iPhone is activated you can close iTunes.

Now launch the iPhone Configuration Utility.  The iPhone will automatically be added to the Devices Library in the iCU, as shown below:


In the Devices library, click the iPhone and enter the user's name and email address to identify the device profile.  Note that most iPhones will have the helpful name "iPhone", so the Contact info you enter here will help you out later.

Now click the Configuration Profiles library and click the New icon to create a new base configuration profile.  The base configuration profile can be used for configuration settings that cannot be made using the Exchange ActiveSync Policy, such as iPhone Restrictions or VPN settings.  Apple calls these configurations "payloads".

To create a new base configuration, select the General (Mandatory) setting and enter a Name, Identifier, Organization, and Description, as shown. 


Choose whether the base configuration profile can be removed.  Choices are Always, With Authentication (using a password), or Never.  For base configurations, I recommend With Authentication to prevent end-users from easily removing company restrictions.  You must then supply the Authorization password.  Notice there is no "Save" button anywhere.  Whatever you configure is written immediately to the configuration profile(s).

You can now configure your base configuration settings and restrictions, as shown.  Refer to the iCU help for configuration settings.  If you want to delete a payload from a profile, click the minus sign in the top right corner of the configuration item.


I recommend using Exchange 2007 / 2010 ActiveSync over-the-air policies for any configuration that can be configured using them (for example, device locking duration and passcode complexity).  This will give you the greatest amount of flexibility and will allow you to make changes on the fly.

Now deploy the iPhone Base Profile to the iPhone by clicking the iPhone name under DEVICES on the left pane.  Select the iPhone Base Profile and click Install.


The iPhone will prompt you to install the iPhone Base Profile, as shown below.  Tap Install and then Install Now.  After the profile installs, tap Done.


Back in the iCU, click the Configuration Profiles library.  Click the New icon again to create the ActiveSync Profile.  Configure the General (Mandatory) section as shown:


I recommend setting Security so that the ActiveSync Profile can Always be removed.  This will allow users to remove the EAS profile, which will help later if you ever need to re-deploy the EAS profile.

Now click the Exchange ActiveSync section and configure your ActiveSync settings for the iPhone.  Enter the Account Name, Exchange ActiveSync Host, Domain, User, and Email Address, as shown:


Do not enter the user's password.  The iPhone will prompt the user for any field you leave blank when it installs the profile.  Going forward, the only items you will need to configure for subsequent ActiveSync profiles are the User and Email Address.

Click the + sign under Authentication Credential Name.  The Personal Certificate Store will open for you to add the ActiveSyncUser user certificate to the Exchange ActiveSync profile, as shown:


Enter the password you entered for the certificate's private key in Phase 1.  The certificate and private key will be added to the Exchange ActiveSync configuration.  Check Include Authentication Credential Passphrase to include it in the profile, otherwise the device will prompt the user for the passphrase (not good).


You now have a fully configured iPhone ActiveSync Configuration Profile.  All that's left is to export the ActiveSync Profile so that the user can install it.  You need the user to do this because the profile will prompt for the user's Active Directory password (something I hope you don't know).

Ensure that the ActiveSync Profile is selected and click the Export button.  The Export Configuration Profile window will open.  Select Create and sign encrypted configuration profile for each selected device from the dropdown box and select the correct device, as shown below.  Then click Export.  This will "marry" the ActiveSync configuration profile to the selected device, preventing it from being installed on any other iPhone.  This is how we meet the requirement that "only authorized devices can access ActiveSync".


Now I need to jump forward a bit.  In the next phase, I will explain how to create the deployment website.  For now, let's assume that the website already exists and that the UNC path to the share for that website is \\EXCAS1\eas.  Save the configuration profile to that share, naming the profile with the AD user's logon name (for example, jqsmith.mobileconfig).

Congratulations!  You have now created a unique ActiveSync configuration profile with the embedded ActiveSyncUser user certificate, and encrypted and married the profile to a specific iPhone.
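Before the profile is married to a device and copied to the share, it is worth checking that it contains exactly what this phase calls for: the embedded PKCS#12 user certificate with its passphrase included, no Active Directory password, and (for a base profile) removal that requires authentication.  The script below is an added example, not part of this post or of Apple's iCU; it lints a .mobileconfig exported without encryption (the encrypted, device-specific export is not a plain plist), using the payload keys from Apple's Configuration Profile Reference, and builds a constructed sample profile with placeholder bytes in place of a real PKCS#12 blob.

```python
import plistlib
import uuid

# PayloadType values from Apple's Configuration Profile Reference.
EAS_TYPE = "com.apple.eas.account"
REMOVAL_PW_TYPE = "com.apple.profileRemovalPassword"


def lint_profile(data: bytes) -> list:
    """Return findings for a plaintext .mobileconfig; an empty list means it passes."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    findings = []
    eas_payloads = [p for p in payloads if p.get("PayloadType") == EAS_TYPE]
    if not eas_payloads:
        # Base (restrictions) profile: removal must be disallowed or need a password.
        has_removal_pw = any(p.get("PayloadType") == REMOVAL_PW_TYPE for p in payloads)
        if not profile.get("PayloadRemovalDisallowed", False) and not has_removal_pw:
            findings.append("base profile can be removed without authentication")
        return findings
    for p in eas_payloads:
        if p.get("Password"):  # the post says to leave this blank; the device prompts
            findings.append("EAS payload embeds the user's AD password")
        if not p.get("Certificate"):  # PKCS#12 added via the + under Credential Name
            findings.append("EAS payload has no embedded PKCS#12 user certificate")
        elif not p.get("CertificatePassword"):  # "Include Authentication Credential Passphrase"
            findings.append("PKCS#12 passphrase not included; the device will prompt for it")
    return findings


def build_eas_profile(user: str, email: str, host: str, *, embed_password: bool,
                      include_passphrase: bool) -> bytes:
    """Construct a sample ActiveSync profile (placeholder PKCS#12 bytes, not a real one)."""
    eas = {
        "PayloadType": EAS_TYPE, "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
        "PayloadIdentifier": "com.example.eas", "PayloadDisplayName": "Exchange ActiveSync",
        "Host": host, "UserName": user, "EmailAddress": email, "SSL": True,
        "Certificate": b"CONSTRUCTED-PKCS12-PLACEHOLDER", "CertificateName": "ActiveSyncUser",
    }
    if include_passphrase:
        eas["CertificatePassword"] = "pfx-passphrase-from-phase-1"  # constructed value
    if embed_password:
        eas["Password"] = "constructed-ad-password"  # the mistake the lint catches
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
        "PayloadIdentifier": f"com.example.eas.{user}", "PayloadDisplayName": f"ActiveSync - {user}",
        "PayloadRemovalDisallowed": False,  # the post keeps the EAS profile "Always" removable
        "PayloadContent": [eas],
    }
    return plistlib.dumps(profile)
```

Run lint_profile over the bytes of an exported jqsmith.mobileconfig; a non-empty list means the profile should be fixed in the iCU before it goes to the share.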



This concludes Phase 4 of my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise.  The next phase will cover how to create the website for end-user iPhone profile deployment.


20 comments:

  1. Hi,


    I was hoping to see how to configure iPhone and certificates on the device so that user doesn't have to enter their AD username and password to sync with Exchange. The challenge we have is that company policy dictates password to be changed every 60 days, and if the iPhone uses UN/Pass credentials to get to Exchange it will lock the account out (unless user remembers to change his AD password in iPhone as well, which we all know is not something we should rely on).


    Thanks

    ReplyDelete
  2. This solution only requires the user to enter their Active Directory password once, when installing the iPhone profile. The user will NEVER need to know or enter the certificate password. ActiveSync will never lock the user out.

    BTW, Exchange ActiveSync clients cannot handle password expiration notification messages. Additionally, you cannot change an expired password by using an Exchange ActiveSync client.

    ReplyDelete
  3. When applying a baseline profile on the iPhone that is intended to restrict the passcode timeout to 1 hour, it doesn't appear to limit it to the 1 hour setting. After installing the profile, I can still set the timeout value to 4 hours. Is there a way to restrict that, or am I missing something?

    BTW: this article series is great, very helpful!

    ReplyDelete
  4. Kevin, are you configuring the setting in an iPhone configuration profile or using an EAS policy?

    ReplyDelete
  5. Right now, just in the iPhone configuration profile.

    ReplyDelete
  6. Jeff,

    I have an issue where I set up a second desktop in a remote location (so the iPhone can be provisioned there) and when I go to add the cert to the ActiveSync mobile profile it generates an error "certificate exception: key not valid for use in specified state"

    I generate the same config on mine here and it works fine (although I don't have the device here) - same cert

    Any ideas????

    ReplyDelete
  7. Hi Mark,

    It sounds like you don't have the private key installed for the user on the second desktop. Try exporting the user cert and private key again from the first desktop to a PFX file and reimporting it on the second desktop.

    ReplyDelete
  8. Now when iPhone 4.0 has been released I tested all the ActiveSync policies to see which ones that worked. Here's a summary: http://www.sysadminlab.net/activesync/iphone-os-4-and-exchange-activesync-policies-what-really-works

    ReplyDelete
  9. NICE work, Sysadminlab.net! Thanks for sharing this.

    ReplyDelete
  10. For some reason when I build the ActiveSync Profile, I cannot select the Include Authentication Credential Passphrase option. It is greyed out. Everything works fine up until that point. Can you tell me why I am having this issue.

    ReplyDelete
  11. Hi Sean,

    I had the same issue with the latest version of iCU, and it appears to be a bug. If I copied the profile I just created, I was able to enable it on the copy. Then I deleted the first one I created.

    ReplyDelete
  12. Jeff,
    Thank You that worked. I would have never figured that out

    ReplyDelete
  13. Hi Jeff,

    I do have the same issue as Mark, where I try to set up my home PC with iCU. When I try to add the user certificate to the ActiveSync profile it displays an error "certificate exception: key not valid for use in specified state", that is, after I enter and verify the password of the user certificate.
    My home PC has Windows 7. I also tried it on my other PC, which is running XP SP3, which generates the same error message.

    I tried to run it on my office desktop, which is part of the AD domain, and it works fine. My home PCs are all standalone/workgroup. Does domain membership matter? I assume it doesn't.

    ReplyDelete
  14. Hi Bobby,

    It sounds like you don't have the entire certificate chain installed on your home PC. You need to do one of the following:

    1. Import the root CA's cert into the computer's Trusted Root Certification Authorities.

    2. Export the user cert and private key again, this time selecting the "Include all certificates in the certification path if possible" checkbox.

    When you view the Certificate Path of the user cert you should see both the user cert and the root CA's cert with no red X's.

    ReplyDelete
  15. Hi Jeff, thanks for the reply, It's working now. (I'm sure I did reply before and said thanks.)

    I have a follow-up question. I tried to install the ActiveSync profile (username.mobileconfig) on my iPad using iCU and an email attachment, but I got the following message:

    An error occured while contacting server
    Without verifying the account, no information will be downloaded when the installation finishes.


    In my iPhone, I can install the ActiveSync profile using the iCU, but when I try to load the EAS mail client, I got the following error message:

    'Cannot connect to mail server'.

    I don't have any problem if I configure the EAS Mail client manually, except that I have problems sending/forwarding email with attachment >100kb.

    We are using Exchange 2007 SP1 with TMG 2010 SP1 in the DMZ.

    I'm wondering if this is an Apple bug or Microsoft, or something wrong in our configuration.

    BTW, I'm having a problem publishing the EAS website externally. I haven't tried it in our office WiFi, since I worked remotely.

    ReplyDelete
  16. Hi Jeff,
    what if the user has multiple devices (iPhone + iPad) but only one login to Exchange? I can't use the same ActiveSync profile, can I?

    ReplyDelete
  17. Yes, you can. It will work fine on multiple devices.

    ReplyDelete
  18. Awesome post!
    A couple of people mentioned not being able to import the certificate into the iCU - getting the Certificate Exception error. I got this too, despite having the full cert chain imported. I got around it by re-importing the certificate, but this time I checked the "Mark this key as exportable..." box during the import. That seemed to do the trick.

    Also, my Cert Authority didn't allow me to enter the username etc. for a user cert (even when going through the Advanced cert request). Instead it would enroll in the currently logged-on user's name, so I created a duplicate of the User cert and set the details in the Subject Name tab to "Supply in the Request". Ensure the Issuance Requirements tab has "CA certificate Manager approval" checked, and things should be all good.
    Cheers
    Robert

    ReplyDelete
  19. Hi Jeff,

    Thanks a lot for such a great article.

    I have one question. Do you have any idea why iPCU supports only PKCS12 (and not a SCEP) for Exchange Certificate Based authentication?

    As I understand server side requires only certificate (public key). Private key can be on the iPhone and don't need to be shared with any other parts of the system.

    Am I missing something?

    Regards,
    Victor

    ReplyDelete
  20. Hallo Jeff,

    I just came across your tutorial while I was searching for a way to deploy user certificates on our iPhone devices. I do not use certificate based ActiveSync in my Exchange 2010 though (not yet). But I have some small questions, because I seem to misunderstand some points of your tutorial.

    1.) Every user requests his certificate himself at the Active Directory CA, via CertSRV. After the admin accepts these requests, the user can download his complete cert on his computer.
    From there he exports it completely, with the private key, because the public AND private key need to be imported into his iPhone profile. Correct?
    2.) I start the ICU with my administration user. Not with the user I'd like to set up? correct?
    3.) What do I have to do with the certificate for the admin user?

    Greetings
    Florian

    ReplyDelete
