How to Securely Deploy iPhones with Exchange ActiveSync - Phase 6 - End-User Deployment of the ActiveSync Profile

Wednesday, March 3, 2010
This is the seventh and last post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here.  In this phase I will demonstrate the steps and procedures that the end-user will perform to configure their iPhone for ActiveSync.  I will also cover some advanced reverse proxy configurations, such as using Microsoft Threat Management Gateway (TMG), ISA, Tivoli Access Manager (TAM), etc.

As a review, the infrastructure has been built and the necessary software and certificates have been installed and configured.  Members of the ActiveSync Administrators group create iPhone Configuration Profiles, one per iPhone, each of which includes the user's ActiveSync configuration settings and the ActiveSyncUser user certificate.  Each iPhone Configuration Profile (iCP) is bound to a specific iPhone (it is signed and encrypted for that device's unique ID) and exported to the EAS share, which is also a website virtual directory on the CAS server.  The iCP is named for the user for which it is intended (e.g., jqsmith.mobileconfig).

In this final phase, the user authenticates to the EAS website using Safari from the iPhone.  The iPhone automatically downloads the iCP that matches the username.

Here are the steps in detail:

The user is instructed to tap Safari on the iPhone and navigate to https://webmail.companyabc.com/eas (where webmail.companyabc.com is the public FQDN for the CAS server).  The user logs into the EAS website with his or her AD logon name and password, as shown:


After successfully logging in, the iPhone will download the user-specific ActiveSync Configuration Profile, as shown.


The green Verified indication signifies that the iPhone validated the signature on the profile, which was signed and encrypted for this specific device.

If the user taps More Details on the profile, the details of the configuration profile are displayed showing the ActiveSync server and the email address used in the configuration profile, as shown.  Note that the user cannot tell that a user certificate is embedded in the configuration profile.


Back on the Install Profile screen, tap Install and Install Now to begin installing the profile.

Note that the iPhone only supports one Exchange ActiveSync profile at a time (I sincerely hope this changes in the near future).  If the user already has Exchange ActiveSync configured, the iPhone will display the warning, "Can't install Profile. Only one Exchange account can be set up at a given time."  Remove the existing ActiveSync settings and begin the process again.

If the iPhone already has a passcode configured, the user will need to enter it at this time to begin installing the profile.

During installation of the profile the user is prompted for his/her AD password to connect to their mailbox, as shown:


Enter the AD password, tap Return, and then tap Next to complete installation of the profile.  When the profile has been successfully installed, tap Done.  The user can now close Safari.

If the Exchange ActiveSync mailbox policy requires a device lock passcode, the iPhone will display a message that the user must accept the new policy.  It will then prompt the user for a passcode that meets the complexity requirements specified in the EAS policy.

It may take a few minutes to complete synchronizing the user's email, calendar, contacts and tasks for the first time.

If at any time in the future the user needs to re-install the ActiveSync Profile on the iPhone (for example, after a hardware reset or software restore), simply follow these steps again.
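The profile details the user sees during installation show only the ActiveSync host and e-mail address, and the embedded user certificate is invisible to them, so the admin is the only one who can catch a bad profile before it is handed out.  A wrong Host value, SSL turned off, or a missing certificate payload all surface on the phone as a failed connection after the profile installs.  The following script is an added example, not code from this post or from Apple's iPhone Configuration Utility.  It assumes an unsigned, unencrypted copy of the per-user .mobileconfig (iPCU can export one that way; a profile encrypted for a device can only be opened by that device), uses the payload key names from Apple's Configuration Profile Reference, and the com.companyabc.* identifiers and the PKCS#12 bytes in the sample are placeholders.

```python
"""Lint a per-user iPhone configuration profile before it is signed,
encrypted and copied to the EAS share.

Added example, not code from the original post or from Apple's iPhone
Configuration Utility. Assumes an unsigned, unencrypted .mobileconfig.
Payload key names follow Apple's Configuration Profile Reference; the
sample profile built below is constructed for illustration only.
"""
import plistlib
import uuid

EAS_PAYLOAD = "com.apple.eas.account"
PKCS12_PAYLOAD = "com.apple.security.pkcs12"


def _user_part(name):
    """Strip a DOMAIN\\ prefix so 'COMPANYABC\\jqsmith' compares equal to 'jqsmith'."""
    return name.rsplit("\\", 1)[-1].lower()


def lint_profile(profile, expected_host, expected_user):
    """Return the list of problems found; an empty list means the profile looks right."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    eas = [p for p in payloads if p.get("PayloadType") == EAS_PAYLOAD]
    p12 = {p.get("PayloadUUID"): p for p in payloads if p.get("PayloadType") == PKCS12_PAYLOAD}

    if len(eas) != 1:
        problems.append("expected exactly one Exchange ActiveSync payload, found %d" % len(eas))
        return problems
    acct = eas[0]

    # A wrong host or SSL turned off is what the user sees as a failed connection.
    if acct.get("Host", "").lower() != expected_host.lower():
        problems.append("Host is %r, expected %r" % (acct.get("Host"), expected_host))
    if acct.get("SSL") is not True:
        problems.append("SSL is not enabled; ActiveSync must use HTTPS")
    if _user_part(acct.get("UserName", "")) != _user_part(expected_user):
        problems.append("UserName is %r, expected %r" % (acct.get("UserName"), expected_user))
    if acct.get("Password"):
        problems.append("profile embeds the AD password; leave it blank so the user is prompted")

    # The user certificate is either a separate PKCS#12 payload referenced by
    # UUID, or embedded inline in the account payload. One of the two must exist.
    ref = acct.get("PayloadCertificateUUID")
    if ref:
        bundle = p12.get(ref)
        if bundle is None:
            problems.append("PayloadCertificateUUID does not match any PKCS#12 payload")
        elif not bundle.get("PayloadContent"):
            problems.append("PKCS#12 payload is empty")
    elif not acct.get("Certificate"):
        problems.append("no user certificate in the profile; client certificate authentication will fail")
    return problems


def lint_bytes(data, expected_host, expected_user):
    """Lint a .mobileconfig read from disk (XML or binary plist)."""
    return lint_profile(plistlib.loads(data), expected_host, expected_user)


def profile_to_bytes(profile):
    """Serialize a profile dict to an XML plist, as a .mobileconfig file would be."""
    return plistlib.dumps(profile)


def build_sample_profile(host, user, email, ssl=True, with_cert=True):
    """Construct a minimal profile in the shape iPCU writes. Placeholder data only."""
    cert_uuid = str(uuid.uuid4())
    account = {
        "PayloadType": EAS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.companyabc.eas.account",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Exchange ActiveSync",
        "Host": host,
        "SSL": ssl,
        "UserName": user,
        "EmailAddress": email,
    }
    payloads = [account]
    if with_cert:
        account["PayloadCertificateUUID"] = cert_uuid
        payloads.append({
            "PayloadType": PKCS12_PAYLOAD,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.companyabc.eas.cert",
            "PayloadUUID": cert_uuid,
            "PayloadDisplayName": "ActiveSyncUser",
            "PayloadContent": b"\x30\x82\x00\x00",  # placeholder bytes, not a real PKCS#12 blob
            "Password": "pfx-passphrase",          # placeholder passphrase
        })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.companyabc.eas.profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "ActiveSync for " + user,
        "PayloadContent": payloads,
    }


if __name__ == "__main__":
    import sys
    # usage: python lint_profile.py jqsmith.mobileconfig webmail.companyabc.com jqsmith
    path, host, user = sys.argv[1:4]
    with open(path, "rb") as fh:
        for line in lint_bytes(fh.read(), host, user) or ["OK"]:
            print(line)
```

Run it against each exported profile with the public CAS name and the user's logon name; an empty result means the payload matches what the EAS website will hand to that user.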

Removing the ActiveSync Profile
If the user wants to remove the ActiveSync Profile, follow these steps.  Removing the ActiveSync profile also removes the user certificate from the iPhone.

Tap Settings on the iPhone home screen and then tap General.  Scroll to the bottom and tap Profiles.  Tap the profile to remove and then tap Remove.  If the iPhone has a passcode configured, it must be entered to remove the profile.


Reverse Proxy Scenarios
Some environments secure their Client Access Servers from direct Internet communication using Microsoft ISA, Threat Management Gateway (TMG) server, or another reverse proxy solution.

In these scenarios, the public ActiveSync connection terminates, and the client is authenticated, at the reverse proxy.  The reverse proxy then opens its own connection to the internal CAS server(s) and authenticates on the client's behalf.  The CAS servers, in turn, act as reverse proxies to the mailbox servers.

With an environment such as this, you need to install the ActiveSyncUser certificate and private key on the reverse proxy server(s), because the proxy, not the CAS, is the endpoint that sees the iPhone's client certificate.  The reverse proxies need to be configured to require client certificates and use Basic Authentication.  They must then present the certificate and pass the username and password through to the CAS servers to complete the connection.  This diagram should help.
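Whether the client certificate is checked at the proxy or at the CAS, the observable behaviour at the public URL should be the same: a connection without the certificate is refused before any password is asked for, and a connection with it is challenged for Basic credentials over TLS.  The script below is an added example, not code from this post or from Microsoft, for checking exactly that from a workstation.  The host name, the PEM certificate and key files, and the status codes it expects (403 from IIS when a required client certificate is missing, 401 with a Basic challenge once the certificate is accepted) are assumptions to adjust for your environment; /Microsoft-Server-ActiveSync is the standard ActiveSync virtual directory.

```python
"""Probe a published Exchange ActiveSync URL to confirm the front-end (CAS, or
a reverse proxy such as ISA/TMG) refuses connections that lack the client
certificate and only then offers Basic authentication over TLS.

Added example, not code from the original post or from Microsoft. Host,
certificate files and the expected status codes are assumptions.
"""
import http.client
import ssl
import sys
from typing import Optional, Tuple

EAS_PATH = "/Microsoft-Server-ActiveSync"


def probe(host: str, cert_file: Optional[str] = None, key_file: Optional[str] = None,
          ca_file: Optional[str] = None, timeout: float = 10.0) -> Tuple:
    """Send one unauthenticated OPTIONS request to the EAS URL.

    Returns ("tls-rejected", reason) if the TLS handshake fails (a listener that
    requires a client certificate may close the connection), otherwise
    ("http", status, www_authenticate_header).
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file for an internal CA
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)       # the ActiveSyncUser identity (PEM)
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("OPTIONS", EAS_PATH)
        resp = conn.getresponse()
        return ("http", resp.status, resp.getheader("WWW-Authenticate", "") or "")
    except (ssl.SSLError, ConnectionResetError) as exc:
        return ("tls-rejected", str(exc))
    finally:
        conn.close()


def assess(without_cert: Tuple, with_cert: Tuple) -> list:
    """Compare two probe results with what a correctly configured front-end does.

    Returns a list of findings; an empty list means both factors are enforced.
    """
    findings = []
    # Without the certificate the front-end must refuse before any password is
    # asked for: IIS answers 403 (403.7, client certificate required) and a
    # proxy listener may tear down the handshake. A 401 here means the client
    # certificate requirement is not being enforced at the public edge.
    if without_cert[0] == "http" and without_cert[1] != 403:
        findings.append("without client cert: HTTP %s; expected TLS rejection or 403" % without_cert[1])
    # With the certificate the request should reach the authentication stage
    # and be challenged for Basic credentials (ActiveSync requires Basic).
    if with_cert[0] != "http":
        findings.append("with client cert: TLS handshake failed; check that the cert chains to a CA the front-end trusts")
    elif with_cert[1] != 401:
        findings.append("with client cert: HTTP %s; expected a 401 challenge" % with_cert[1])
    elif "basic" not in with_cert[2].lower():
        findings.append("with client cert: 401 without a Basic challenge (%r); enable Basic authentication on the EAS virtual directory" % with_cert[2])
    return findings


if __name__ == "__main__":
    # usage: python eas_probe.py webmail.companyabc.com ActiveSyncUser.pem [ActiveSyncUser.key]
    host, cert = sys.argv[1], sys.argv[2]
    key = sys.argv[3] if len(sys.argv) > 3 else None
    results = assess(probe(host), probe(host, cert, key))
    for line in results or ["OK: client certificate and Basic authentication both enforced"]:
        print(line)
```

A 401 on the first probe is the finding to care about: it means a stolen password alone would get an attacker to the authentication stage, which is precisely what the client certificate requirement is meant to prevent.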


I hope this series helps you with the deployment of iPhones in your Exchange ActiveSync environment.  I welcome your comments.


This concludes my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise.


55 comments:

  1. Outstanding series! Thanks for taking the time to do this!!

  2. It works!!! I followed your steps exactly and it works perfectly. Thank you so much for writing this up. It must have taken you a long time to do.

    We decided to have our remote users install the iPhone Configuration Utility to create their device hardware profile and email it to us so we can create the profiles. That way they don't have to bring the iPhones into the office. Works perfectly!

    Shame on Apple for not having clear instructions like yours... I can't believe you're doing this for free.

  3. Thanks! I'm glad it's working out for you.

  4. Jeff,

    We are moving from BlackBerry to iPhone because they are "cooler" according to management, and I've had a pain in my head just thinking about the implications of this project, but you have just made my weekend. I'm going to sleep soundly and I'm almost looking forward to getting started on Monday.

    Very comprehensive and very well thought out. Thank you very much in advance.

    regards,

    Kev from Ireland

  5. Thanks for the kind words, Kev. Have a nice shot of Jameson's for me!

  6. Excellent article - well written. I do have one question for you though.

    We are exploring the use of the iPhone configuration Utility as a means to lockdown iPhones/iPads in use in the Organization. While we can deploy the profiles via the methodologies outlined here or other means, our testing has shown that the User can simply turn off the mail app under Settings and we no longer can see the device in Exchange. Once we no longer see the device in Exchange, we lose the ability to remote wipe the device should it get lost/stolen.

    We logged a case with Apple and they confirmed the behavior, although they seemed a bit surprised it was that easy. They suggested that we could edit the XML config file to possibly remove the ability to turn off the mail app (grey out the button much like Parental Controls does for Location), but since we do not have an Enterprise Agreement, they would charge us $695 for the custom config with no guarantee it would work other than they would put forth a "best effort".

    Have you considered how to remove the users ability to simply turn off the mail app (or the thieve/finder of the device) should it be lost?

    Any insight would be appreciated!

  7. Thanks for the comments, RQ.

    This behavior isn't any different than a Windows Mobile device. If the user unconfigures ActiveSync on a WinMo device it can no longer be remotely wiped. I'm not aware of any way to prevent this on WinMo, except possibly using System Center Mobile Device Manager.

    I would advise the best practice is to enforce a passcode on the device to prevent someone from disabling ActiveSync, and to remotely wipe the device as soon as the device is confirmed lost.

  8. Jeff:

    Understood. That means that both WinMo and Apple have a bit to go to match the security that a BES does for RIM devices.

    Although it could be said that it is a fault of the ActiveSync protocol itself since the ability to permanently attach a profile to an ActiveSync mobile device does not exist (Android also suffers this same issue but to a greater degree).

    Even MobileMe appears to have the same problem: if you turn off MobileMe or remove the account, then remote access is removed as well.

    Using a password lock on the screen is a usable work around (and was a suggestion by Apple support), but does not prevent an authorized user from turning off the mail account either inadvertently or maliciously.

    Thanks for the insight! I shall continue to pursue other angles and I will be implementing your deployment steps outlined in this article this weekend (just for fun!)

    rq

  9. Actually, it's because WinMo and iPhones are not email only single task devices. The Blackberry device is basically useless without email service. The iPhone and WinMo device is not.

    If a user should delete the EAS agreement, the Exchange email, calendar and contacts are deleted from the device anyway. At that point it becomes less of a security issue.

  10. Hi Jeff,

    Can you confirm that every new device will have to be connected to the iPhone Configuration Utility to have a unique profile configured? Following this the user sets up their own account via the deployment website?

    Kind Regards

  11. Hi Kalpesh,

    Yes, each iPhone will need to be physically connected and checked into the iPhone Configuration Utility. That's the way that the iPhone's unique device ID is captured in order to encrypt the unique iPhone configuration profile. Once the iPhone has been checked into the iCU and the profile is created, the rest of the process is done over the air from the iPhone.

    If it's impossible or difficult for you to physically check the iPhone into the iCU, you can have the user download the iCU and check their iPhone into it. Then have them send you the [long device id].deviceinfo file in the "%userprofile%\Local Settings\Application Data\Apple Computer\MobileDevice\Devices" folder of their computer.

  12. Thanks for that Jeff,

    Great series of articles and should definitely be officially documented in some form or the other.

    Just a couple of questions:

    1. In Phase 1 we generate a PFX file to import into the ICU. But we don't seem to use it later on in the project. In Phase 3 we publish the Activesync.cer file (without the private key) to AD. As a result, the Certificate wasn't available in the ICU at Phase 4. I manually imported that file as a workaround. Have I missed a step?

    2. This is an open question. Does anyone know if we would be able to disable basic authentication with this implementation? My organisation has to be PCI compliant and our network scans report back a failure because we have Plain Text Authentication enabled on our Exchange servers. I tried to disable it after following this article but it just threw up authentication errors on the iPhone!

    Thanks again for this - its been a real help!

  13. Kalpesh,

    The certificate and private key that are exported to a PFX file in Phase 1 are used when you want to create a new Mobile Messaging Administrator. Admins need to have both the cert and private key in their online personal certificates store to include in the iPhone configuration profiles (iCP). The new admin will need to double-click the PFX file and supply the password to import the cert and private key. I updated the documentation in Phase 1 to reflect this.

    The ActiveSyncUser.cer file published to AD in Phase 4 must match the cert and private key in the iPhone configuration profile for EAS client certificate authentication to work. It sounds like you created the iCP from a different computer (or user) from the one where the certificate was requested and installed. Import the PFX file so it can be used in the iCP creation.

    ActiveSync requires Basic authentication. There's no way around that - it's part of the code. The mitigation is that it's SSL encrypted and, in our case, requires client certificates. This provides two-factor authentication which is stronger than most online banks use. I would think this would satisfy any PCI audit.

  14. Hi Jeff great article !

    in the section Reverse Proxy Scenarios - you state the reverse Proxy (ISA servers) needs to be configured to require client certificates and use Basic Authentication.

    Our ISA servers in the DMZ are not domain members and I believe client certs offload to ISA will not work.

    With the phones hitting reverse proxy first can authenication with client certs still first occur on the CAS servers?

  15. Hi Mark,

    In your case, the client's EAS connection terminates at ISA. ISA then proxies the client's connection to the Exchange CAS servers to complete the EAS connection. That means that ISA needs to present the same client certificate that you installed on the iPhone.

    You create a listener on ISA for EAS that requires the iPhone client certificate. You then configure ISA to present the iPhone client certificate along with the basic auth credentials to the CAS.

    There is no need for ISA to be a domain member.

  16. Jeff,

    Hi, thank you for taking the time to document this procedure.

    We have a Exchange 2007 setup (CCR / 2 CAS servers) and ISA 2006 using FBA to authenticate our users for OWA.

    I am a bit confused with the ISA configuration in regard to the private certs and the listeners.

    Do I have to import in each individual private cert into the ISA server? Is there a unique listener that needs to be setup? i thought only 1 cert can be bound to a listener in ISA.

    Our ISA server is part of AD.

    If you please elaborate on the ISA configuration, it would be most appreciated.

  17. Hi Jason,

    You only need to use one cert on the ISA server. It's the same one you use on the iPhones. The listener should be configured to require a user certificate (the iPhone user cert) and authenticates with the CAS servers using the same certificate. This only works when your ISA server or array is a member of a domain.

    I haven't set this up with ISA 2006, but it should be pretty straight forward. Take a look at http://technet.microsoft.com/en-us/library/bb794722.aspx.

  18. Jeff,

    Thanks for the quick reply. The main issue I can see with ISA 2006 is that OWA required Forms Based Authentication for Port 443 as the Listener. From what I understand, ActiveSync is hard coded to 443. If I try to setup a listener with the user cert, ISA complains that you cannot have 2 listeners on the same port/IP address.

    Perhaps as a workaround I could register another name such as 'activesync.company.com' registered to a different IP address which would allow a unique listener. Another potential issue is that it does not appear I can import in a user cert into the listeners in ISA, only a web server cert.

    If anyone reading these posts has successfully set this up with ISA 2006, any hints/tips would be most appreciated.

  19. My colleague, Michael Noel, recommended reading http://www.isaserver.org/tutorials/Publish-Microsoft-Exchange-Active-Sync-EAS-ISA-Server-2006-Part1.html

  20. Jeff,

    I've implemented your solution - thanks for the info - well done !

    Would I be correct in saying that the user cert and Domain password are stored on the iPhone and you could call that 2 factor?

    Cheers

  21. Two-factor authentication is something you have (the client certificate) and something you know (the user password). The cert is installed on the iPhone in the iPhone profile. The password is entered by the user when they configure ActiveSync.

  22. Jeff,

    Great article, you might be interested in this if you haven't seen it:

    http://mobilitydojo.net/2010/05/19/securing-exchange-activesync-with-client-certificates-lan-access/

    and

    http://mobilitydojo.net/2010/05/20/securing-exchange-activesync-with-client-certificates-wan-access/

    I don't see why it won't work for iPhones, however there is the hassle factor of creating iPhone profiles for each user wheras your solution avoids that but has two-factor authentication - both solutions have their merits imo.

  23. Is it possible to expand the use of this infrastructure so you can also allow users with Windows Mobile or other devices to connect but control their access and the devices they use?

  24. This solution will work with any mobile device that supports Exchange ActiveSync and user certificates for authentication.

    Because we embed the user certificate in the iPhone profile, we control which devices and users can access ActiveSync. Windows Mobile doesn't support embedding the user cert, so there's nothing to prevent an EAS user from "sharing" the user cert with an unauthorized user or device.

  25. Is there anyway that you can prevent the EAS user from "Sharing" the user cert with an unauthorized user or device?

  26. The user cannot share the user cert because it's embedded into the iPhone configuration profile. It can only be removed, not shared. Each profile is married to a specific iPhone.

  27. Hi Jeff

    Very good article, and something that Apple should provide themselves - if they seriously expect SME's to adopt the iPhone, then most SME's will want to do it in a secure way that they can trust - which makes this article very relevant.

    I have managed to go wrong somewhere, because I receive the message:

    'cannot authenticate to the server because the certificate is not valid' on my test iphone.

    Where do you think that it is most likely that I have gone wrong?

    Thanks,

    Andrew (IT Admin, Glasgow, Scotland)

  28. Jeff,
    Thanks for the good information. Is there a way for android to use client certificates with the native mail, calendar applications and activesync? All I have found are third party apps like Touchdown that allow you do this. Appreciate any input on this as android usage in the office is growing faster than any other phone OS.
    -Brendan

  29. Jeff,
    Great writeup by the way. I must say this has been the best I've seen out on the net for this hands down. With that said, I have finished following everything mentioned in this post. The only problem I am having now is well... I am unable to get my mail. When I click on the mail icon on the iPhone it says Cannot Get Mail The connection to the server failed. I honestly followed everything you stated step by step. Would you happen to know what is possibly causing this?

  30. Thanks, Sean! My guess is that there's a mistake in the iPhone Configuration Profile. Double-check the Exchange ActiveSync payload values. Is the Exchange ActiveSync Host correct? Is Use SSL enabled?

    For the Exchange ActiveSync Host I have the FQDN of the Exchange Client Access Server. For Example Servername.companyname.com SSL is enabled I have the user name in there along with the email address username@companyname.com and the password field is left blank. Under Authentication Credential Name I have my imported certificate the one which requires you enter the password you provided in I believe phase 1 and of course the Include Authentication Credential Passphrase option checked. Am I missing anything here?

  32. Sean, you need to troubleshoot where it's breaking. Does the normal EAS config work when client certs are not required? Are you using a reverse proxy, like TMG or ISA?

  33. Jeff,
    The normal EAS configuration works fine when I turn off require client certificates on my CAS. I am able to retrieve my email on the iPhone without a problem. Now the only cert in use during this is one that I have from Verisign for SSL traffic. It is the one used for OWA for our webmail users in our environment. I do not have a reverse proxy like TMG or ISA. I only have a Cisco ASA as a firewall but if SSL is already allowed I don't see that being an issue. I am thinking it has to do with the cert somehow but I don't know what to look for. I followed everything you posted and everything seemed to work up until this point. Now I am stuck.

  34. OK, we know that EAS functions OK. Which version of Exchange are you running? Send me an email (jeff at expta dot com) and we'll take this offline.

  35. Hi Jeff,

    Thank you for this awesome set of instructions.

    However I'm still experiencing issues publishing Exchange 2007 SP2 ActiveSync with a TMG server in a DMZ (not on the Domain). I've set the Listener to require client certificates and set HTTP Authentication with Basic checked. The CAS box has Require client certificate checked and SSL enabled. It should work, but it isn't. Any chance of creating a Step 7 to fully explain this scenario?

    Thanks.

  36. Hello Jeff,
    Greetings from Melbourne, Australia. Thank you very much for your great article series. It was very useful and I could make it all work as you stated.

    One other challenge for me is to connect iPhone to our wireless network using NPS and certificate authentication. I have tried a lot but no win.

    Any help/advice is much appreciated.
    Thanks & regards
    George Thomas
    Email: george.thomas@bigpond.com

    This is a great set of articles, and goes a long way to simplifying the complexity of configuring iOS devices with certificate auth.

    However, I think it's fair to say I would never be comfortable implementing this solution in an enterprise where devices number in the 100s or 1,000s.

    The process of requesting certificates is manual, plus you have to manage the private key (passwords) for these files so they can be integrated into iPCU. In addition, once the profile is deployed, you then have to manage the renewal of these certificates when the certificate expires (eg. every 12 months or so). Recalling the entire fleet or managing the deployment of a new profile across thousands of machines would get tiresome fairly quickly.

    In addition, you made mention of the reverse proxy scenarios. It's worth pointing out you can do the authentication of the client certificates directly on the ISA/TMG servers (in the DMZ), but they need to be joined to the AD domain..... which a lot aren't.

    Alternatively, you can proxy the auth request to the CAS servers on the internal network as you've suggested, but a lot of enterprises would prefer the entire authentication to take place in the DMZ... not on the internal network.

    I like the solution at a high-level. I'd just prefer a 3rd party offering that automates some of the manual steps.... and generally tidies it up. Does anyone know of one?

    Regards,

    James Frost.

  38. Hello Jeff: We have deployed your solution in production and it works very well. It is best to use Standalone CA as ActiveSyncUser certificates are valid for one year where as certificates issued by Enterprise CA are valid for 5 weeks.

    What is your recommendation to deploy new certificates to iPhones when the certs expire? Should we have to go through the same installation process again?

    Thanks for your great work!!
    George Thomas/Melbourne/Australia

  39. Hi Jeff,

    One year on, still going ok. But I've noticed that our ActivesyncUser.cer cert expires on 15/05/2011!

    What happens after then? Will we have to reconfigure all our devices?

  40. Hi George and Kal,

    Both of your questions are related. My earlier testing showed that the certificates need to be updated in AD and on the devices. That's why I recommend using certificates with very long expirations (5-10 years). Most people will update their phones before then.

  41. Thanks Jeff for the useful articles.
    I've managed to get most of this working, however I'm using Exchange 2010 and FTMG which has presented its own challenges. Configuring FTMG and Exchange 2010 for Kerberos Constrained Delegation doesn't get much time on the Technet website. There is plenty of good info out there for ISA 2006 from Technet and Thomas Schindler, but if anyone knows where to locate good info for FTMG, please let me know.

    I get an error on my TMG saying "12302 The server denied the specified Uniform Resource Locator (URL)." The iPhone says it was unable to connect to the server.
    As a test, I created a second listener and publishing rule that uses this listener. They are configured to require SSL, and client certs. Authentication delegation is set to Kerberos Constrained Delegation and the SPN is http/mymailserver.mydomain.com. The Test Rule button works. The listener uses a cert with my external DNS name (same cert used for OWA etc which do work on a different listener), and authentication is set to SSL Client Certificate Authentication. If I click Advanced, only the SSL client certificate timeout checkbox is ticked. (If I check Require SSL client certificate, my ActiveSync connection fails and TMG logs say that the client needs a valid certificate, however I have put a cert in the config profile (with private key) and copied same cert (without private key) to the user's AD account).

    If you have any ideas that you think may help, or if anyone knows of somewhere with instructions for TMG and Exchange 2010, I'd love to hear.

    Cheers

    Rob

  42. We are interested in setting up EAS on iPhones using client certificates, however as a general rule we do not allow private keys to leave the device that generated them.

    To get around this on our iPhones, we currently use SCEP to enroll certs directly on the devices for 802.11x access. Ideally, we'd like to use this cert that is already in the iPhone's certificate store for EAS as well. However, I'm having trouble finding a way to tell the iPhone to use that cert. Any suggestions?

    Jeff

  43. Hi Jeff,
     
    The Apple iPhone Configuration Utility requires that the user certificate includes the private key.  There's no way around this in any current version of the utility.

  44. Jeff, this looks very interesting. Does any reader know whether there is a way to use OTA deployment to deploy mandatory security policies to the iPad? Our IT department reported back to me that the user was always given a choice as to whether to accept the policy. Clearly, to enforce mandatory policy, the user should not be given a choice.

    As we have only 20 devices, we do not wish the expense or overhead of a mobile management solution. We'd just like to work with the Microsoft IIS/Exchange/Sharepoint infrastructure we've got.

    Thanks.

  45. If they do not accept the policy they will not be able to connect!

  46. Hi Jeff, thanks for the writeup, it works great.

    I've tried to use the ActiveSyncUser.cer or pfx on an Android 2.2 device. The certificate was installed ok but ActiveSync won't work. Would you happen to know what to check?

    all the iphone users have no problem.

  47. Sorry, I can't help you with Android devices. They all implement (or not) EAS differently. Basically, it should work as long as you have installed the client cert on the device and can configure your email settings to use that certificate. I'm not sure you can get Android to do that.

  48. btw, I've tried it with iphone configuration util 3.4. Everything seems fine but the phone would not connect to Exchange at all even all the profiles installed correctly.

    I had to put 3.3 back, re-export the activesync profile, etc to make it work.

    Anyone else experiences this?

  49. Thank you for this Jeff.

    Question. Is there a way to deploy the certificates to the phones without ICU? Just by sending it in an email? Also, do you use the .pfx cert for the client phones, or the .cer?

    Thank you. Gino DiCarlo

  50. Hi Gino,

    You must deploy the certificate with ICU. That's the way that the iPhone will use that certificate with the Exchange ActiveSync profile.

    You must deploy the CER file with the iPhone, the PFX file is for the ICU.

  51. Hi Jeff,

    2012 and your article is still very useful! Congratulations.

    Our problem is with the passwords. We define an expiration time of 1 month for the user's passwords in AD. Each time the password is expired and user change it, if they don't do the same in the iPhone/iPad (relatively fast) the account is blocked because of the attempts to connect of the device with Exchange.

    Is there a way to avoid change password manually in the device if it is changed yet?

    Thanks in advance.

  52. Juan,

    You can deploy individual certs for each user and that will bypass the password change but there are other drawbacks to that - #1 they may not be able to email attachments.

    #2 I have not found an automated method of deploying profiles with individual certificates.

    and for Gino

    you can email the configuration profile to people and they can just click on it to install it. I have done this many times, you just need to have some other email account on the phone already.

    BW

  53. BW and/or Jeff - can you expound on this notion to "deploy individual certs for each user" in order to avoid the need to have users enter their AD password on their iPhone every time the password expires?

    We are a small business and have a fairly liberal password expiry policy (6 months), but even then without fail I get a number of calls every six months from users who complain that their iPhone stopped downloading e-mail. With iOS 5.01 (and maybe 5.0 too--not sure) there also seems to be a bug where when the AD password expires and is changed, the iPhone will pop up with the authentication dialog but will not accept the new password. Hitting OK or cancel on the dialog keeps bringing the dialog back up endlessly. The only way to resolve the issue is to power off the iPhone by holding the power button, powering back on, then the exchange auth dialog comes back up and will accept the new password.

    Basically, it's a royal PITA--I can't imagine the hassle involved with larger outfits that have even shorter expiry periods. I was really excited to find this article as deploying user certificates _in lieu of_ passwords sounded like an ideal solution. With a secure deployment strategy, plus the ability to revoke the certificate if the employee is terminated or the phone is lost/stolen--it would still provide users secure access to their exchange account without requiring them to constantly update their AD password on the device.

    But after reading some of the comments on the various parts of this article, it now seems evident that the only thing this method accomplishes is restricting who can use activesync in the first place. In other words, the certificate just allows you to get to the point where you can authenticate to EAS via user name and password--it doesn't eliminate the need to enter (and keep current) the user's AD password.

    I've done some googling and haven't as of yet found any alternative to making non-tech savvy users jump through hoops in order to keep syncing with ActiveSync when their AD password expires or is changed. One other issue we have is users who are out in the field and only have an iPhone--they don't have an office with a Windows PC they can use to change their expired password. So I have had to walk them through logging into OWA just to do it--then go through the rigmarole of changing it on their iPhone.

    Aside from eliminating the password expiry policy altogether (which seems 100% contrary to every best practice I have seen) is there really no other solution here? Is there a really good argument to be made as to why MS doesn't seem to allow certificate-based authentication for EAS in lieu of user name/password? ActiveSync has been around for the better part of a decade now--its continued reliance on basic authentication is somewhat perplexing to me.

    Anyone found any ways around this or happy mediums? I'm willing to try just about anything at this point.

    Thanks! It is a great walkthrough--just disappointed that it doesn't solve the problem I want solved :)

  54. OK I am happy to say I got this working with help from the mobilitydojo links above and also a crucial step from this site:

    http://certcollection.org/forum/topic/108261-certificate-based-authentication-exchange-2010-windows-2008-r2-iis-75/

    I did have to log in as each user to request a user certificate. I also duplicated the user certificate template and made the copy have a 5-year expiration (rather than 2 years for a traditional user cert). I have 30 users and it was a pain to do get the certificates but this is a new server/AD domain so I didn't have to hack anyone's passwords.

    What makes it slick is using Mac OS X Lion Server's Profile Manager app, which pushes out the profile to authorized devices. The best part is I never have to enter the user's password anywhere--the user certificate does all of the authentication.

    What I will do in the event of a lost device (after wiping it) is just revoke the user cert and re-issue a new one, step the user through exporting it and get it set back into Profile Manager.

    If an employee leaves or is terminated then I will wipe their device, revoke the certificate and that's it.

    I am still concerned though about BW's point about problems emailing attachments. Will need to do some research and testing of that scenario. But so far I am extremely pleased with how cool this is.

    Thanks for the great tutorial Jeff--that gave me the inspiration to attempt this.

  55. Hi Jeff,

    Article is simply wonderful!
    We have successfully set up certificate based authentication for Windows Mobile devices (TMG + Exchange 2010). But we can not install the certificate on the iPad device with iCU. We install iCU version 3.6.0.295 and don't see the Authentication Credential Name option in Exchange ActiveSync configuration profile. Instead, there is an option Identity Certificate, but it is not active! Has anyone encountered a similar problem?

    Alexey (IT administrator, Ukraine)

