This solution should work the same way on the Apple iPad and should port fairly easily, with minor changes, to the Droid and other non-Microsoft phones that support Exchange ActiveSync.
Update: I've tested these procedures on iPhone OS 4 and everything works as expected. No changes to the existing procedures are needed - it all works fine.
I'll be writing a seven-part series of articles that document all the steps. I'm sure there are other ways to do this, but I can assure you, none of them are documented. (Hint to Apple: this is not documentation, and neither is the iPhone Enterprise Deployment Guide.)
In the scenario I'll be documenting, the customer wants to configure Exchange ActiveSync to provide mobile access to email, calendars and contacts for iPhone users. To make it more challenging (and slightly more complicated), the customer has Exchange 2003 mailbox servers with Exchange 2007 or 2010 Client Access Servers.
The deployment requirements are as follows:
- Only authorized ActiveSync users can access their Exchange email, contacts and calendars
- Only authorized devices (iPhone 3GS or better, iPads) are allowed to use Exchange ActiveSync
- Ability for users to configure/reconfigure ActiveSync for their iPhones over the air
- Information stored on the iPhone must be encrypted
- Capability to remotely wipe iPhones in the event of a security breach (a wipe can be initiated by the end user or by an authorized administrator)
- Easy role-based administration
ActiveSync will be configured to use Basic Authentication over SSL and to require client certificates. An iPhone configuration profile will be created and "married" to each iPhone, so it cannot be installed on any iPhone other than the one it was built for. The profile will include the user certificate and its private key. ActiveSync policies will be used to configure the iPhone to comply with corporate security policies.
The next step is to publish the same user certificate to each ActiveSync user in Active Directory. This is what enables certificate-based authentication for ActiveSync: the shared certificate (carried in the profile) gates which devices may reach the ActiveSync endpoint at all, while the user's identity is still established by the Basic Authentication credentials sent over SSL. Only the public certificate is published to AD; the private key never leaves the profile. I'll list a few ways that the publishing can be done programmatically via scripts.
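One way to do the publishing step from PowerShell, as an added example that is not from the original series: it reads the exported public certificate (.cer) and adds it to the userCertificate attribute of every user in an authorization group, skipping users who already carry it. The file path, the group name "ActiveSync Users" and the use of the Active Directory module are assumptions for illustration; the series' own scripts may differ.

```powershell
# Added example (not the article's own script). Publishes one shared client
# certificate to the userCertificate attribute of each ActiveSync user.
# Assumptions: the AD PowerShell module is available, the public certificate
# was exported to C:\Certs\activesync-user.cer, and authorized users are
# members of the group "ActiveSync Users".
Import-Module ActiveDirectory

$CertPath  = 'C:\Certs\activesync-user.cer'   # assumed path to the exported .cer
$GroupName = 'ActiveSync Users'                # assumed authorization group

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Guard: only the public certificate belongs in AD. A .pfx carries the private
# key, and publishing that would hand the key to anyone who can read the object.
if ($cert.HasPrivateKey) {
    throw "Expected a public certificate (.cer); the file contains a private key"
}

Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $user = Get-ADUser -Identity $_.distinguishedName -Properties Certificates

        # Idempotent: compare SHA-1 hashes so re-running the script does not
        # append duplicate values to the multi-valued userCertificate attribute.
        $already = $user.Certificates |
            Where-Object { $_.GetCertHashString() -eq $cert.GetCertHashString() }
        if ($already) {
            Write-Host "Already published: $($user.SamAccountName)"
            return   # inside ForEach-Object, return moves to the next user
        }

        Set-ADUser -Identity $user -Certificates @{ Add = $cert }
        Write-Host "Published to: $($user.SamAccountName)"
    }
```

Run it from a domain-joined machine as an account with write access to the userCertificate attribute of the target users. Because the check is on the certificate hash, the script can be re-run after adding users to the group without touching the ones already done.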
Finally, the user needs a way to install the profile. This will be done using a website that the user will open using Safari from the iPhone.
The solution requires a certificate authority (CA) that can issue the single user certificate shared by all ActiveSync devices. The CA can be an internal stand-alone CA or an Active Directory Certificate Services (ADCS) CA. I prefer Windows Server 2008 R2 ADCS for the CA, but any CA will do.
More to Come...
I'll break each of these steps down in separate phases. There's a fair amount of detail in each step and I'll include troubleshooting and gotchas as I go, but this has worked out to be a secure and easy-to-manage solution.
Articles in this series:
- Phase 1 - Building the ADCS server and Generating Certificates
- Phase 2 - Configuring ActiveSync and Active Directory
- Phase 3 - Publishing User Certificates to Active Directory
- Phase 4 - Creating the iPhone Configuration Profile
- Phase 5 - Creating the Web Site for iPhone Profile Deployment
- Phase 6 - End-User Deployment of the ActiveSync Profile