How to Securely Deploy iPhones with Exchange ActiveSync - Phase 5 - Creating the Website for iPhone Profile Deployment

Tuesday, March 2, 2010
This is the sixth post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here.  In this phase, we will create the deployment website that end-users will use to download the appropriate iPhone Configuration Profile created in Phase 4.

Since you're most likely using Outlook Web Access served up by the CAS servers, these make a natural choice for hosting the website.  I'll cover how to do this using a single CAS server and then follow up with guidance and best practices for environments with multiple CAS servers.

Add the ASP Role Service to the Web Server
Begin by logging into the CAS server with administrator credentials and opening Server Manager.  Expand Roles and select Web Server (IIS).  Right-click Web Server (IIS) and select Add Role Services.  Under Application Development add the ASP role service, as shown.

Click Next and Install to complete the installation.  No restart is required.

Create the EAS Virtual Directory
Open Internet Information Services (IIS) Manager.  Expand the CAS server name > Sites > Default Web Site.  Right-click Default Web Site and choose Add Virtual Directory.  Enter EAS for the Alias and click the (...) button to browse for the Physical Path.  Navigate to C:\inetpub\wwwroot and click the Make New Folder button.  Name the new folder EAS and click OK twice.

Configure the EAS WebSite Permissions
Right-click the new EAS virtual directory and choose Edit Permissions.  Click the Sharing tab and configure the EAS share with the following share permissions: Add ActiveSync Users (Read) and ActiveSync Admins (Full Control).  Remove Everyone from the share permissions. 

On the Security tab click Advanced and Change Permissions.  Uncheck Include inheritable permissions from this object's parent, click Add (for Windows Server 2008, click Copy), and click OK twice.  Click Edit and remove the Users (CASname\Users) group.  Add ActiveSync Users (Read & Execute, List Folder Contents, Read) and ActiveSync Admins (Full Control), and click OK twice.

Configure the EAS WebSite Authentication
Select the EAS website and double-click Authentication.  Disable Anonymous Authentication and enable Basic Authentication.  Select Basic Authentication and click Edit in the Actions pane.  Enter the domain name for the Default Domain and click OK.

Configure MIME Handling
MIME handling tells the web server how to handle different file extensions and associates file extensions with applications.

Select the EAS website and double-click MIME Types.  Click Add in the Actions pane.  Enter mobileconfig for the File name extension and application/iphone-configuration for the MIME type, as shown, then click OK.

Create the Default Document for the EAS Website
We now need to create a default ASP document for the folder.  This ASP page will be used to cause the iPhone to automatically download the correct iPhone Configuration Profile.

Download the default.asp page here.  Edit default.asp to replace in the second to last line with the FQDN of your publicly available CAS server.  Save the file in the EAS folder.  You can now close Internet Information Services (IIS) Manager.

Putting It All Together
Now that we have the EAS share and website configured, it's simply a matter of exporting the iPhone configuration profiles to the EAS share (as described in Phase 4), using the ActiveSync user's logon name as the name of the file (for example, jqsmith.mobileconfig). 

You then instruct the user to enter in Safari from the iPhone.  The user will be prompted for authentication to access the website.  After the user enters his/her AD username and password, the iPhone Configuration Profile that matches the logon name will be downloaded to install on the iPhone.  I'll cover those steps in detail in the final phase.

Special Configuration for Multiple CAS Servers
If your environment has more than one CAS server in a load-balancing solution used for OWA, you need to perform the procedures above for each of those CAS servers.

You will also need to make sure that you copy the encrypted and signed iPhone Configuration Profiles to each CAS server's EAS share when you export it.  If this pertains to your environment, I recommend using DFS to replicate and distribute the profiles amongst the participating CAS servers.  With DFS you can save the iPhone Configuration Profiles to \\domain\EAS and it will replicate to all the CAS servers automatically.

This completes the configuration of the EAS deployment website.

This concludes Phase 5 of my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise.  In the last phase I will provide the end-user instructions and procedures.

Other articles in this series:


  1. Hi Jeff,

    Something wrong with .ASP download link? I'm trying to edit, save as, nothing works as it takes me to your default site page and I can't find the info you mention?


  2. Sorry, wrong extension for the attachment. I fixed it.

  3. Jeff, thanks for the articles they are great.

    My question is about the Configure the EAS website permissions. Where you call for adding ActiveSync Users and ActiveSync Admin. I am using an Exchange 2007 with a 2003/2008 AD structure and I do not have those accounts. Do these groups need to be created and who would need to be added to them.
    Thanks for your help.

  4. Hi Dan,

    You should have created those two groups in Phase 2. They are necessary to apply the necessary rights.


Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.