Create an Exchange ActiveSync Configuration Profile for iPhones and iPads
One of the most common tasks when deploying iPhones and iPads into the enterprise is connecting them to the organization’s e-mail system. This is simple enough for one or two devices, but what happens when there are 10 or even 100 devices to deploy? In these instances, creating a configuration policy with the iPhone Configuration Utility will save you time and quite possibly a little sanity.
Quite often, the email systems being connected to are Microsoft Exchange based so connectivity through Exchange ActiveSync is the preferred method. Exchange ActiveSync offers a number of advantages over other mail connection methods such as IMAP or POP3/SMTP. One major consideration for enterprises is that Exchange ActiveSync allows remote wiping a configured device. If a user ever loses their device, you can remotely wipe all data on it simply and easily. This includes the devices’ AES encryption key, rendering any data that could be recovered unusable.
Today we’ll walk through creating an iOS device configuration profile to connect to e-mail through Exchange ActiveSync. To make this easy, I’ll use the free iPhone Configuration Utility from Apple.
Configure the General Payload
If you’re new to the iPhone Configuration Utility, or iPCU for short, now would be a great time to check out my previous article on the General Payload and creating a basic policy. For those comfortable with the iPCU, let’s forge ahead and launch the software. Click Configuration Profiles, and then click New on the toolbar. This creates a new profile and you should see the General Payload selected and its properties displayed.
Enter a Name, Identifier, Organization, Description, and Security option. For this example, I’ll enter “Petri Blog Exchange Demo” for the Name, an Identifier of “il.co.petri.exchange.demo,” the Organization to “Petri,” a description of “Example Exchange ActiveSync iOS configuration Profile,” and I’ll set the Security type to “Always.” This screenshot shows this General Payload configuration.
Start Configuring the Exchange Payload
Now we can move on to the nitty gritty! Click the Exchange ActiveSync Payload for your profile and then click the Configure button that appears:
The payload will have the account name set to “Exchange ActiveSync” by default. I recommend changing this to make things easier if you ever end up managing payloads configured to multiple Exchange servers. I’ll enter “Petri Blog Exchange” and move on to the Exchange ActiveSync Host field. This field is required and is either the DNS or IP address the device will use to find and connect to your mail server. As you can see, I’ve entered “mail.awesomewildstuff.com.”
The next four options are checkboxes. Will you allow the user to move mail between other mail accounts? If yes, click the checkbox for Allow Move, which is the default. If no, clear the checkbox. Do you want the user to send mail through this account from other apps on their device, such as Safari or iPhoto? If so, click the checkbox for Use Only In Mail. Does your company have an SSL certificate to secure remote connections? If yes, make sure the Use SSL checkbox is checked. Will you require the user to sign and encrypt outgoing email? If so, click the checkbox for Use S/MIME. A word of caution: using this option will require you to add certificates to the device most likely through the Credentials Settings payload.
I will leave the defaults, which have the Allow Move and Use SSL checkboxes selected, but the Use Only In Mail and Use S/MIME checkboxes not selected. You can see this in the previous screenshot.
Don’t Set User Information
In most cases, you will leave the next four fields blank. This allows you the flexibility to use the profile you’re creating not just once, but multiple times, configuring many users to connect to your Exchange Server. By leaving Domain, User, Email Address, and Password blank, the user will be prompted for this information when the profile is deployed to their device. This is exactly what I want for this example, so I’ve left all of the fields blank.
Choose How Much Mail to Sync
I’ve chosen to configure the device to sync two weeks of e-mail to the device. Other options available in the Past Days of Mail to Sync dropdown list include Unlimited, One day, Three days, One week, and One month.
In the current 3.4 release of the iPCU, the next option is Use SSL again. If you checked Use SSL earlier, check this box too, which is, like before, the default.. Otherwise leave this unchecked. I left Use SSL checked earlier so I’ll do so again.
The final two options relate to certificate based client authentication. If you have a certificate, select it here after you’ve entered it using the Credentials Settings payload. The Make Identity Certificate Compatible with iOS 4 option is important only if you’re using a certificate, and if this configuration profile will be used on devices running iOS 4.x instead of 5.x. If this is the case, check this box. Otherwise leave the box unchecked. When the box is checked, the certificate is embedded in the Exchange ActiveSync payload for backward compatibility. iOS 5.x, on the other hand, allows the certificate to remain embedded in the Credentials Settings payload, so the extra overhead of embedding in the Exchange ActiveSync payload is no longer required.
That’s it! Deploy the new profile to as many devices as desired. It will only require the user to enter their e-mail address, domain, username, and password to get their push e-mail configured and synchronizing. Remember, once they do this you’ll see the device registered to their account in your Exchange management tool. The type of tool varies by version of Exchange, but it’ll be there. Now you can perform a remote wipe, check the last sync status, and more, without ever touching the device.
Simplifying iOS Microsoft Exchange connectivity is a great start for managing iPhones and iPads in the enterprise. In future articles, I’ll continue to dive into how to add additional functionality to your iOS device configuration profiles.
More in Exchange Server
M365 Changelog: Safe Links Global Settings Migrated to Custom Policies
May 20, 2022 | Petri Staff
Microsoft to Ship Some Exchange Server Security Updates in .EXE Packages
May 11, 2022 | Rabia Noureen
M365 Changelog: Exchange Transport Rule Report moving to the new Exchange Admin Center (EAC) from the Security and Compliance Center
Apr 22, 2022 | Petri Staff
Hive Ransomware Group Attacks Vulnerable Microsoft Exchange Servers
Apr 22, 2022 | Rabia Noureen
M365 Changelog: (Updated) Change to mailbox forwarding behavior coming to Exchange Online
Apr 21, 2022 | Petri Staff
M365 Changelog: (Updated) Microsoft Defender for Office 365: Updates to URL Protection Report
Apr 21, 2022 | Petri Staff
Most popular on petri