Before your enterprise email server can securely deliver email to the user’s device, you must configure the email server to recognize the user’s device and to trust that the person holding it is the authorized user of that device.
Set up a Trust Relationship between Directory Services and the Certificate Authority
Establish trust between the certificate authority (CA) and directory services so that the certificate stored in the user’s directory account can be authenticated.
For instance, establishing such a trust for Microsoft Active Directory would entail these steps.
- Open your system administrator software tool’s console (e.g., MMC).
- Add the particular snap-ins (e.g., Enterprise PKI).
- Associate the snap-in with the desired certificate authority.
Next, complete each following step in sequence.
Configure the Exchange ActiveSync server for Certificate-based Authentication
Set up permissions so that your users can access your enterprise email server using certificate authentication. For example, to accomplish this on a Microsoft Exchange server:
- Open the tool you use (e.g., IIS) to choose the authentication method used by your enterprise email server.
- Choose to allow authentication only through identity certificates (e.g., Active Directory Client Certificates).
- Configure your email server to require Secure Sockets Layer (SSL).
- Increase the cache memory of your internet server (e.g., IIS) to accommodate the increased demands of using certificate authentication.
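The Exchange-side steps above, applied to the ActiveSync virtual directory through the IIS WebAdministration module and then read back to confirm they took effect. This is an added example, not code from the page or from VMware or Microsoft; the site path "Default Web Site/Microsoft-Server-ActiveSync" and the 10 MB read-ahead size are assumptions, and the client certificate mapping authentication feature must already be installed in IIS.

```powershell
# Added example: require SSL plus an AD-mapped client certificate on the
# Exchange ActiveSync virtual directory, disable password-based methods,
# and raise the upload read-ahead buffer so the TLS client certificate
# exchange is not truncated. Run from an elevated shell on the CAS/Mailbox server.
Import-Module WebAdministration

$Site      = "Default Web Site/Microsoft-Server-ActiveSync"   # assumed path; adjust to your site
$ReadAhead = 10485760                                          # assumed value: 10 MB in bytes

# Desired state. The security sections are locked at server level, so they are
# written as <location> entries in applicationHost.config via -PSPath "IIS:\" -Location.
$Settings = @(
    @{ Filter = "system.webServer/security/access";
       Name = "sslFlags"; Value = "Ssl,SslRequireCert" },
    @{ Filter = "system.webServer/security/authentication/clientCertificateMappingAuthentication";
       Name = "enabled"; Value = $true },
    @{ Filter = "system.webServer/security/authentication/basicAuthentication";
       Name = "enabled"; Value = $false },
    @{ Filter = "system.webServer/security/authentication/windowsAuthentication";
       Name = "enabled"; Value = $false },
    @{ Filter = "system.webServer/serverRuntime";
       Name = "uploadReadAheadSize"; Value = $ReadAhead }
)

foreach ($s in $Settings) {
    Set-WebConfigurationProperty -PSPath "IIS:\" -Location $Site `
        -Filter $s.Filter -Name $s.Name -Value $s.Value
}

# Verification: read each property back and report any that did not apply.
# Get-WebConfigurationProperty may return a ConfigurationAttribute wrapper, so
# unwrap .Value when present, then compare as whitespace-free strings.
$Drift = foreach ($s in $Settings) {
    $actual = Get-WebConfigurationProperty -PSPath "IIS:\" -Location $Site `
        -Filter $s.Filter -Name $s.Name
    if ($actual -and $actual.PSObject.Properties['Value']) { $actual = $actual.Value }
    if (("$actual" -replace '\s', '') -ne ("$($s.Value)" -replace '\s', '')) {
        "$($s.Filter) $($s.Name): expected '$($s.Value)', got '$actual'"
    }
}

if ($Drift) { $Drift | ForEach-Object { Write-Warning $_ } }
else { Write-Host "ActiveSync virtual directory now requires SSL and a client certificate." }
```

Re-run the verification loop after any IIS Manager change or Exchange cumulative update, since those can reset virtual directory authentication settings.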
Configure Certificate Authority and Certificate Template in Workspace ONE UEM
Once you have configured certificate authentication for your email infrastructure, enable Workspace ONE UEM to request from your certificate authority the end-user identity certificates used for authentication.
- Navigate to Devices > Certificates > Certificate Authorities and configure the certificate authority that was used to generate the user’s certificate.
- Choose the Authority Type used by your enterprise.
- Add the certificate authority to the Workspace ONE UEM console.
- Add a certificate template associated with the certificate authority that was used to generate the user’s certificate.
- Transfer the certificate to the Workspace ONE UEM console.
- Assign the certificate to a particular user or organization group.
For more information,
Create a Profile for Exchange ActiveSync
The final step is to configure the Workspace ONE UEM console to create the user’s profile and deploy it so that email is pushed to the user’s device.
- Navigate to Devices > Profiles.
- Configure the Credentials screen to define the certificate authority that created the user’s certificate and the certificate template associated with that certificate authority.
- Configure the Exchange ActiveSync screen to publish the user’s profile to the device, specifying your enterprise email server, the security protocol (e.g., SSL), the user’s email address, and the payload certificate.
- Push the user’s profile and certificate to the user’s device.
- Have the user authenticate and connect to your enterprise email server and begin receiving email.
For more information,