Comments on The EXPTA {blog}: How to Securely Deploy iPhones with Exchange Activ...

Hallo Jeff, I just got over your tutorial while I...

2011-08-10T22:42:05.239-07:00

Hallo Jeff,

I just got over your tutorial while I was searching for a possibility to deploy user-certificates on our iPhone devices. I do not use certificate based ActiveSync in my Exchange 2010 though (not yet). But I some small questions, because I seem to misunderstand some points of your tutorial.

1.) Every User requests his certificate himself at the ActiveDirectory CA, via CertSRV. After the Admin accepts this requests, the user can download his complete cert on his computer.
From there he exports it completeley, with private key. Because the Public AND private key need to be imported in his iPhone profile. Correct?
2.) I start the ICU with my administration user. Not with the user I'd like to set up? correct?
3.) What do I have to do with the certificate for the admin user?

Greetings
Florian

Hi Jeff, Thanks a lot for such a great article. ...

2011-08-08T10:37:28.013-07:00

Hi Jeff,

Thanks a lot for such a great article.

I have one question. Do you have any idea why iPCU supports only PKCS12 (and not a SCEP) for Exchange Certificate Based authentication?

As I understand server side requires only certificate (public key). Private key can be on the iPhone and don't need to be shared with any other parts of the system.

Am I missing something?

Regards,
Victor

Awesome post! A couple of people memtioned not bei...

2011-06-07T14:56:11.989-07:00

Awesome post!
A couple of people memtioned not being able to import the certificate into the ICU - getting the Certificate Exception error. I got this tto, despite having the full cert chain imported. I got around it be re-importing the certificate, but this time I checked the "Mark this key as exportable..." box during the import. That seemed to do the trick.

Also, my Cert Authority didn't allow me to enter the username etc for a user cert (even when going through the Advanced cert request). Instead it would enroll in the currently logged on uesers name, so I created a duplicate of the User cert, set the details in the Subject Name tab to "Supply in the Request". Ensure the Issuance Requirements tab has "CA certificate Manager approval" checked, and things should be all-good.
Cheers
Robert

Yes, you can. It will work fine on multiple devic...

2011-05-11T13:39:09.416-07:00

Yes, you can. It will work fine on multiple devices.

Hi Jeff, what if the user has multiple devices (ip...

2011-05-11T10:10:22.533-07:00

Hi Jeff,
what if the user has multiple devices (iphone + ipad) but only one login to Exchange? I can't use the same ACtivesync profile can I?

Hi Jeff, thanks for the reply, It's working no...

2010-11-09T03:37:54.251-08:00

Hi Jeff, thanks for the reply, It's working now. (I'm sure I did reply before and said thanks.)

I have a follow-up question, I tried to install the ActiveSync profile (username.mobileconfig) in my iPAD using iCU and email attachment but I got the following message:

An error occured while contacting server
Without verifying the account, no information will be downloaded when the installation finishes.

In my iPhone, I can install the ActiveSync profile using the iCU, but when I try to load the EAS mail client, I got the following error message:

'Cannot connect to mail server'.

I don't have any problem if I configure the EAS Mail client manually, except that I have problems sending/forwarding email with attachment >100kb.

We are using Exchange 2007 SP1 with TMG 2010 SP1 in the DMZ.

I'm wondering if this is an Apple bug or Microsoft, or something wrong in our configuration.

BTW, I'm having a problem publishing the EAS website externally. I haven't tried it in our office WiFi, since I worked remotely.

Hi Bobby, It sounds like you don't have the e...

2010-10-19T17:41:09.844-07:00

Hi Bobby,

It sounds like you don't have the entore certificate chain installed on your home PC. You either need to do one of the following:

1. Import the root CA's cert into the computer's Trusted Root Certification Authorities.

2. Export the user cert and private key again, this time selecting the "Include all certificates in the certification path if possible" checkbox.

When you view the Certificate Path of the user cert you should see both the user cert and the root CA's cert with no red X's.

Hi Jeff, I do have the same issue as Mark, where ...

2010-10-19T17:31:22.839-07:00

Hi Jeff,

I do have the same issue as Mark, where I try to setup my home PC with iCU,when I try to add the user certificate to the ActiveSync profile it displayed an error "certificate exception: key not valid for use in specified state", that is, after I enter and verified the password of the user certificate.
My home PC has Windows 7. I also tried it in my other PC which running XP SP3, which generates the same error message.

I tried to run it in my office desktop which is a part of the AD domain, and it works fine. My home PC's are all standalone/workgroup. Does Domain memebership matters? I assume it doesn't.

Jeff, Thank You that worked. I would have never...

2010-09-10T13:03:28.106-07:00

Jeff,
Thank You that worked. I would have never figured that out

Hi Sean, I had the same issue with the latest ver...

2010-09-10T12:26:56.310-07:00

Hi Sean,

I had the same issue with the latest version of iCU, and it appears to be a bug. If I copied the profile I just created, I was able to enable it on the copy. Then I deleted the first one I created.

For some reason when I build the ActiveSync Profil...

2010-09-10T12:22:39.707-07:00

For some reason when I build the ActiveSync Profile, I cannot select the Include Authentication Credential Passphrase option. It is greyed out. Everything works fine up until that point. Can you tell me why I am having this issue.

NICE work, Sysadminlab.net! Thanks for sharing th...

2010-06-30T14:08:58.104-07:00

NICE work, Sysadminlab.net! Thanks for sharing this.

Now when iPhone 4.0 has been released I tested all...

2010-06-30T14:07:12.310-07:00

Now when iPhone 4.0 has been released I tested all the ActiveSync policies to see which ones that worked. Here's a summary: http://www.sysadminlab.net/activesync/iphone-os-4-and-exchange-activesync-policies-what-really-works

Hi Mark, It sounds like you don't have the pr...

2010-06-18T09:36:19.662-07:00

Hi Mark,

It sounds like you don't have the private key installed for the user on the second desktop. Try exporting the user cert and private key again from the first desktop to a PFX file and reimporting it on the second desktop.

Jeff, I have an issue where I set up a second des...

2010-06-17T22:33:23.311-07:00

Jeff,

I have an issue where I set up a second desktop in a remote location (so iphone can be provisioned there) and when I go to add the cert to the activeSync mobile profile it generates an error "certificate exception: key not valid for use in specified state"

I generate the same config on mine here and it works fine (although I dont have the device here) - same cert

Any ideas????

Right now, just in the iPhone configuration profil...

2010-05-11T12:19:47.006-07:00

Right now, just in the iPhone configuration profile.

Kevin, are you configuring the setting in an iPhon...

2010-05-11T11:03:24.129-07:00

Kevin, are you configuring the setting in an iPhone configuration profile or using an EAS policy?

When applying a baseline profile on the iPhone tha...

2010-05-11T10:59:41.316-07:00

When applying a baseline profile on the iPhone that is intended to restrict the passcode timeout to 1 hour, it doesn't appear to limit it to the 1 hour setting. After installing the profile, I can still set the timeout value to 4 hours. Is there a way to restrict that, or am I missing something?

BTW: this article series is great, very helpful!

This solution only requires the user to enter thei...

2010-03-02T15:22:39.951-08:00

This solution only requires the user to enter their Active Directory password once, when installing the iPhone profile. The user will NEVER need to know or enter the certificate password. ActiveSync will never lock the user out.

BTW, Exchange ActiveSync clients cannot handle password expiration notification messages. Additionally, you cannot change an expired password by using an Exchange ActiveSync client.

Hi, I was hoping to see how to configure iPhone ...

2010-03-02T15:15:01.563-08:00

Hi,

I was hoping to see how to configure iPhone and certificates on the device so that user doesn't have to enter their AD username and password to sync with Exchange. The challenge we have is that company policy dictates password to be changed every 60 days, and if the iPhone uses UN/Pass credentials to get to Exchange it will lock the account out (unless user remembers to change his AD password in iPhone as well, which we all know is not something we should rely on).

Thanks