How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise

Friday, February 12, 2010
I've been working on a solution for quite a while to securely deploy iPhones in the enterprise.  

This solution should work exactly the same way on the Apple iPad and should port over fairly easily to the Droid and other non-Microsoft ActiveSync-enabled phones, with some minor changes.

Update: I've tested these procedures on iPhone OS4 and everything works as expected. No changes need to be made to the existing procedures - it all works fine.

I'll be writing a 7 part series of articles that document all the steps. I'm sure there are other ways to do this, but I can assure you, none of them are documented. (Hint to Apple: This is not documentation, and neither is the iPhone Enterprise Deployment Guide.)

In the scenario I'll be documenting, the customer wants to configure Exchange ActiveSync to provide mobile access to email, calendars and contacts for iPhone users.  To make it more challenging (and slightly more complicated), the customer has Exchange 2003 mailbox servers with Exchange 2007 or 2010 Client Access Servers.

The requirements for deployment are as follows:
  • Only authorized ActiveSync users can access their Exchange email, contacts and calendars
  • Only authorized devices (iPhone 3GS or better, iPads) are allowed to use Exchange ActiveSync
  • Ability for users to configure/reconfigure ActiveSync for their iPhones over the air
  • Information stored on the iPhone must be encrypted
  • Capability to remotely wipe iPhones in the event of a security breach (wipes performed by end user or authorized administrator)
  • Easy roles-based administration
Summary of the Solution
ActiveSync will be configured to use Basic Authentication over SSL and require client certificates. An iPhone configuration profile will be created and "married" to each iPhone, preventing it from being used on any other iPhone than the one it is configured for. The profile will include the user certificate and its private key.  ActiveSync policies will be used to configure the iPhone to comply with corporate security policies.
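As an added illustration of the profile described above (not code from the original series), the Python below assembles the .mobileconfig plist that bundles a PKCS#12 identity with an ActiveSync account referencing it, plus a check that the account really requires SSL and points at an identity payload that is present. Payload key names follow Apple's Configuration Profile Reference; the host, user, organization and PKCS#12 bytes are constructed placeholders, and the per-device binding the post mentions is not modeled here.

```python
import plistlib
import uuid

def make_eas_profile(email, username, host, pkcs12_blob, pkcs12_password, org):
    """Build an iPhone configuration profile (.mobileconfig, XML plist) carrying the
    user's certificate + private key and an EAS account that authenticates with it."""
    cert_uuid = str(uuid.uuid4()).upper()
    identity = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.eas.identity.{username}",
        "PayloadUUID": cert_uuid,
        "PayloadContent": pkcs12_blob,        # DER PKCS#12, serialised as <data>
        "Password": pkcs12_password,          # unlocks the private key on import
    }
    account = {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.eas.account.{username}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "Host": host,
        "UserName": username,
        "EmailAddress": email,
        "SSL": True,                          # Basic auth only ever travels inside TLS
        "PayloadCertificateUUID": cert_uuid,  # ties the account to the identity above
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.eas.{username}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Exchange ActiveSync ({email})",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,     # user cannot strip the profile to dodge policy
        "PayloadContent": [identity, account],
    }
    return plistlib.dumps(profile)

def check_profile(profile_bytes):
    """Return the PKCS#12 payload the EAS account references, or None if the
    account does not require SSL or its certificate reference is dangling."""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    for p in payloads:
        if p["PayloadType"] == "com.apple.eas.account":
            ident = by_uuid.get(p.get("PayloadCertificateUUID"))
            if p.get("SSL") and ident and ident["PayloadType"] == "com.apple.security.pkcs12":
                return ident
    return None
```

Because the profile carries the private key in the clear, the web site that serves it must be HTTPS-only and authenticate the user before handing it out.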

The next step is to publish that same user certificate to each ActiveSync user's account in Active Directory, which is what enables certificate-based authentication for ActiveSync. I'll list a few ways this can be done programmatically via scripts.

Finally, the user needs a way to install the profile. This will be done using a website that the user will open using Safari from the iPhone.

The solution requires a certificate authority (CA) server that can generate a single user certificate. The CA can be an internal stand-alone or ADCS CA server. I prefer Windows Server 2008 R2 ADCS for the CA, but any CA will do.

More to Come...
I'll break each of these steps down in separate phases. There's a fair amount of detail in each step and I'll include troubleshooting and gotchas as I go through it, but this has worked out to be a secure and easy-to-manage solution.

Articles in this series:
I've also created a complete PDF document version of all the phases here.