How to Securely Deploy iPhones with Exchange ActiveSync - Phase 6 - End-User Deployment of the ActiveSync Profile

Wednesday, March 3, 2010
This is the seventh and last post in my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise. To read an overview of the solution click here.  In this phase I will demonstrate the steps and procedures that the end-user will perform to configure their iPhone for ActiveSync.  I will also cover some advanced reverse proxy configurations, such as using Microsoft Threat Management Gateway (TMG), ISA, Tivoli Access Manager (TAM), etc.

As a review, the infrastructure has been built and the necessary software and certificates have been installed and configured.  Members of the ActiveSync Administrators group configure iPhone Configuration Profiles, one per iPhone, which includes the user's ActiveSync configuration settings and the ActiveSyncUser user certificate.  Each iPhone Configuration Profile (iCP) is married to the iPhone and exported to the EAS share, which is also a website virtual directory on the CAS server.  The iCP is named for the user for which it is intended (i.e., jqsmith.mobileconfig).

In this final phase, the user authenticates to the EAS website using Safari from the iPhone.  The iPhone automatically downloads the iCP that matches the username.

Here are the steps in detail:

The user is instructed to tap Safari on the iPhone and navigate to (where is the public FQDN for the CAS server).  The user logs into the Secure Website using the user's AD logon name and password, as shown:

After successfully logging in, the iPhone will download the user-specific ActiveSync Configuration Profile, as shown.

The green Verified indication signifies that the profile was encrypted and signed for this device.

If the user taps More Details on the profile, the details of the configuration profile are displayed showing the ActiveSync server and the email address used in the configuration profile, as shown.  Note that the user cannot tell that a user certificate is embedded in the configuration profile.

Back on the Install Profile screen, tap Install and Install Now to begin installing the profile.

Note that the iPhone only supports one Exchange ActiveSync profile at a time (I sincerely hope this changes in the near future).  If the user already has Exchange ActiveSync configured, the iPhone will display the warning, "Can't install Profile. Only one Exchange account can be set up at a given time."  Remove the existing ActiveSync settings and begin the process again.

If the iPhone already has a passcode configured, the user will need to enter it at this time to begin installing the profile.

During installation of the profile the user is prompted for his/her AD password to connect to their mailbox, as shown:

Enter the AD password, tap Return, and then tap Next to complete installation of the profile.  When the profile has been successfully installed, tap Done.  The user can now close Safari.

If a device lock passcode has been configured in the Exchange ActiveSync Policy, the iPhone will display a message that the user must accept the new policy.  It will then prompt the user for a passcode using the complexity requirements specified in the EAS policy.

It may take a few minutes to complete synchronizing the user's email, calendar, contacts and tasks for the first time.

If at any time in the future the user needs to re-install the ActiveSync Profile on the iPhone (for example, after a hardware reset or software restore), simply follow these steps again.

Removing the ActiveSync Profile
If the user wants to remove the ActiveSync Profile, follow these steps.  Removing the ActiveSync profile also removes the user certificate from the iPhone.

Tap Settings on the iPhone home screen and then tap General.  Scroll to the bottom and tap Profiles.  Tap the profile to remove and then tap Remove.  If the iPhone has a passcode configured, it must be entered to remove the profile.

Reverse Proxy Scenarios
Some environments secure their Client Access Servers from direct Internet communication using Microsoft ISA, Threat Management Gateway (TMG) server, or another reverse proxy solution.

In these scenarios, the public ActiveSync connection and authentication is made at the reverse proxy.  The reverse proxy then proxies the authentication to the internal CAS server(s).  The CAS servers, themselves, act as reverse proxies to the mailbox servers.

With an environment such as this, you need to install the certificate and private key on the reverse proxy server(s).  The reverse proxies need to be configured to require client certificates and use Basic Authentication.  They must then pass the certificate, username, password to the CAS servers to complete the connection.  This diagram should help.

I hope this series helps you with the deployment of iPhones in your Exchange ActiveSync environment.  I welcome your comments.

This concludes my series, How to Securely Deploy iPhones with Exchange ActiveSync in the Enterprise.

Other articles in this series: