Integrate your Exchange ActiveSync (EAS) and Active Directory Certificate Services (AD CS) with Workspace ONE UEM to pass email to managed devices using certificates for authenticated access.

This diagram shows how certificate authentication is handled from the point where the user device enrolls into Workspace ONE UEM to when the user begins to receive email.

Prerequisites

Meet these requirements including setting up a certificate authority server, enabling Microsoft Exchange with ActiveSync, and selecting the option to install Client Certificate Mapping Authentication.
  • Set up an enterprise certificate authority server for Microsoft as opposed to a standalone certificate authority. A standalone certificate authority does not allow for the configuration and customization of templates.
    Important: Certificate Authorities can be set up on servers running a variety of operating systems. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy a client access server like ADCS in a production environment.
  • Microsoft Exchange with ActiveSync enabled.
  • Install Client Certificate Mapping Authentication on the Internet Information Services (IIS) on the Exchange ActiveSync server.

Procedure

  1. Set up a trust relaitionship between Active Directory and the Certificate Authority (CA), which is EAS with ADCS.
    1. On the Certificate Authority server, select Start > Run.
    2. Type MMC in the dialog box and press Enter to launch the Microsoft Management Console (MMC).
    3. Click File > Add/Remove Snap-ins from the MMC main menu.
    4. Select Enterprise PKI from the list of Available snap-ins and then select Add.
    5. Click OK.
    6. Right-click Enterprise PKI and select Manage AD Containers.
    7. Select the NT AuthCertificates tab and verify the Certificate Authority is listed. If not, select Add to add the Certificate Authority to the group.
    8. Click OK.
  2. Set permissions on Microsoft Exchange server.
    1. Configure the certificate authentication.
      1. On the Exchange server, select Start > Run.
      2. Type inetmgr in the dialog box to run Internet Information Services (IIS).
      3. Select the server in the Connections pane.
      4. Under IIS, double-click the Authentication icon.

      5. Select Active Directory Client Certificate Authentication and then select Enable.
    2. Set up the configuration editor.
      1. Select + to expand Site and then Default website to display all available configuration editors.
        1. If you are using MS Server 2008 R2 or later, the Configuration Editor icon appears; Select Microsoft-Server-ActiveSync and double-click on the Configuration Editor icon. Skip steps 1b & 1c, and go directly to step 2.
        2. If you are using Exchange servers older than 2008 R2, be familiar with the use of appcmd.exe and run it from the command prompt.
        3. Open a command prompt by selecting Start > Run. Type cmd in the dialog box and select OK. In the command prompt, type the following command:

          appcmd.exe set config "Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

          If you performed this step, then skip the remaining steps and advance to Setting up Secure Socket Layer (SSL).

      2. Navigate to system.webserver > security > authentication in the Section drop-down menu.
      3. Select clientCertificateMappingAuthentication.

      4. Select True from the drop-down menu on the Enabled option.
    3. If you only use certificate authentication, configure Secure Socket Layer (SSL).
      1. Select Microsoft-Server-ActiveSync, and then double-click the SSL Settings icon.

      2. Select Accept if other types of authentication are allowed. If only certificate authentication is allowed, then select the Require SSL check box and then select Required.
    4. Increase the value of the memory size parameter uploadReadAheadSize from 48 KB to 10 MB to account for an increased amount of data.
      1. Open a command prompt by selecting Start > Run.
      2. Type cmd in the dialog box and select OK.
      3. Enter the following commands:
        C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost
        C:\Windows\System32\inetsrv\appcmd.exe set config "Default Website" -section:system.webServer/serverRuntime /uploadReadAheadSize:"10485760" /commit:apphost

        If the name of the site has been changed in IIS, then replace Default Website with the new name in the second command.

      4. Perform an IIS reset by entering the following command:

        iisreset

  3. Configure the CA and the certificate template in Workspace ONE UEM.
    1. Configure the CA.
      1. Log in to the Workspace ONE UEM console as a user with Workspace ONE UEM admin privileges.
      2. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Certificate Authorities > Certificate Authorities tab.
      3. Click Add.
      4. Enter details about the CA.
        Option Description
        Name Enter any name that helps identify the CA.
        Authority Type Microsoft ADCS
        Protocol ADCS
        Server Hostname Enter the URL for the server in the format https://{servername}/certsrv/adcs/.

        The URL can also have HTTP but it must include the trailing /.

        Authority Name Enter the name of the certificate authority that the ADCS endpoint is connected to. This can be found by launching the Certification Authority application on the certificate authority server.
        Authentication Service Account
        User name Enter the username of the ADCS Admin Account with sufficient access to allow Workspace ONE UEM to request and issue certificates.
        Password Enter the password of the ADCS Admin Account with sufficient access to allow Workspace ONE UEM to request and issue certificates.
      5. Click Save.
    2. Configure the certificate template.
      1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > Certificate Authorities > Request Templates tab.
      2. Click Add.
      3. Enter the following details about the template in the remaining fields.
        Option Description
        Name Enter a name that helps identify the certificate template.
        Certificate Authority Select the AD CS certificate authority created earlier.
        Subject Name Enter text that is the Subject of the certificate. The network admin can use it to determine who or what device received the certificate.

        A typical entry in this field is CN=WorkspaceONEUEM.{EnrollmentUser} or CN={DeviceUid} where the {} fields are Workspace ONE UEM lookup values.

        Private Key Length This length is typically 2048 and should match the setting on the certificate template that is being used by ADCS.
        Private Key Type Select Signing and Encryption.
        SAN Type Include one or more Subject Alternate Names (SANs) with the template.

        This is used for additional unique certificate identification. In most cases, this needs to match the certificate template on the server. Use the drop-down menu to select the SAN Type and enter the subject alternate name in the corresponding data entry field. Each field supports lookup values.

        Automatice Certificate Renewal Enabled

        Has certificates using this template automatically renewed prior to their expiration date. If enabled, specify the Auto Renewal Period in days.

        Enable Certificate Revocation Select the check box to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.
        Publish Private Key Enable this option for Lotus Domino configurations.
        Force Key Generation on Device Fenerates a public and private key pair on iOS devices, improving performance and security.
      4. Click Save.
  4. Create and deploy a Workspace ONE UEM profile that pushes the Exchange Server settings to the device. This profile contains the information necessary for the device to connect to Exchange, as well as the certificate that the device uses to authenticate.
    1. Navigate to Devices > Profiles > List View.
    2. Click Add.
    3. Click the applicable device platform to launch the Add a New Profile dialog.
    4. Configure the General settings for the profile. The General settings determine how the profile is deployed and who receives it as well as other overall settings.
    5. Select Credentials from the profile options at left and then select Configure.
    6. Select Define Certificate Authority from the Credential Source drop-down menu.
    7. Select the certificate authority you created previously from the Certificate Authority drop-down menu.
    8. Select the certificate template you created previously from the Certificate Template drop-down menu.
    9. Select Exchange ActiveSync from the profile options at left and then select Configure.
    10. Configure the Exchange ActiveSync.
      1. Enter an account name in the Account Name field. This is the name that displays on the device to indicate which email account is active so it should be accurately descriptive.
      2. Enter the Exchange ActiveSync host in the Exchange Active Sync Host data entry field. This is the actual endpoint of the mail server.

        Do not include http:// or https:// at the beginning or /Microsoft-server-activesync at the end.

      3. Ensure the Use SSL checkbox is selected. Authentication using certificates fails over a non-SSL connection.
      4. Deselect the Use S/MIME checkbox if enabled by default.
      5. The Domain data entry field should contain the email domain for the user account.
      6. The Username data entry field should contain the email address of the user when on the device.
      7. The Email Address text box should contain the email address of the user when on the device

        Domain, Username, and Email Address can be obtained using Lookup Values which will retrieve the text stored in the applicable field of the User Profile.

      8. Select the credential you created previously from the Payload Certificate drop-down menu.
    11. Click Save or select Save and Publish to publish this profile to a device.