ENS supports certificate-based authentication (CBA) and dual authentication. Dual authentication is a combination of basic authentication and certificate-based authentication. For ENS, you must configure the Boxer application with certificate-based authentication for the Exchange server and enable certificate-based authentication for the EWS endpoint. ENS authenticates with the same certificate that the Boxer application receives. ENS must ensure that the EWS endpoint can validate the certificates used by the Boxer application.

Prerequisites

Configure the Boxer application with CBA and enable CBA for the EWS endpoint. For more information about configuring CBA for Workspace ONE Boxer, see the Workspace ONE Boxer Admin Guide documentation.

  1. Push the certificate with the Boxer profile from the Workspace ONE UEM console to Workspace ONE Boxer.
  2. Register your device with the ENS server and send the certificate from Workspace ONE Boxer.
  3. Send the certificate from ENS to the Exchange server and establish the push subscription.

Configure ENS2 for Certificate-Based Authentication

When you configure ENS2 for Workspace ONE Boxer and want to use Certificate-Based Authentication (CBA), you must follow the steps listed in this section for ENS2 to work with CBA.

  1. Configure Workspace ONE Boxer to use CBA. See the Configure Certificate-Based Authentication on the Exchange Server section in the Certificate-Based Authentication for ENS topic.
  2. Change the appropriate settings to ensure that CBA is supported for the EWS endpoint and for EAS on the on-premises Exchange Server. See the Using Office 365 with ENS2 and Certificate-Based Authentication section and the Configure Certificate-Based Authentication on the Exchange Server section in the Certificate-Based Authentication for ENS topic.
  3. If you are using Secure Email Gateway V2 (SEG V2), see the Secure Email Gateway V2 guide for information on the changes that are required on the SEG server.

Configure Certificate-Based Authentication on the Exchange Server

You can enable certificate-based authentication (CBA) for Exchange Active Sync (EAS) on the Exchange Server (for TLS testing) by modifying specific values on the IIS server. Office 365 or Exchange Online does not directly support certificate-based authentication. You must set up dual authentication, that is, modern authentication and CBA, to set up certificate-based authentication for Office 365. You must have Active Directory Federation Service (ADFS) set up to perform certificate-based authentication. Office 365 authenticates through modern authentication, and the certificate is presented to ADFS for authentication.

On the Boxer profile, modern authentication and certificate-based authentication must be enabled, that is, AccountUseOauth must be enabled. See the Workspace ONE Boxer Admin Guide documentation for more details.

  1. From the IIS console, navigate to the EWS endpoint and ensure the EWS endpoint accepts the client certificates.

  2. For client certificates to be allowed on the Exchange server, the Exchange server must have Active Directory Client Certificate Authentication installed and enabled in IIS.
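
The two IIS steps above can be verified from PowerShell on the Exchange server. The following read-only check is an added example, not part of the vendor guide. It assumes that EWS is published at the default 'Default Web Site/EWS' location and that the Active Directory Client Certificate Authentication item in the IIS console corresponds to the Web-Client-Auth role service; the function names are hypothetical.

```powershell
# Added example (not from the vendor guide): read-only audit of the two IIS steps.
# Assumptions: run elevated on the Exchange server; EWS lives at the default
# 'Default Web Site/EWS' location. Pass -Location if your site differs.
Import-Module WebAdministration
Import-Module ServerManager

# Some properties come back as a raw value, others wrapped with a .Value member.
function Get-RawValue($Property) {
    if ($null -ne $Property -and $Property.PSObject.Properties['Value']) { $Property.Value }
    else { $Property }
}

function Test-EwsClientCertReadiness {
    param([string]$Location = 'Default Web Site/EWS')

    # Step 1: SSL settings on the EWS endpoint (Ignore / Accept / Require).
    $ssl = Get-RawValue (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter 'system.webServer/security/access' -Name 'sslFlags')
    if ($ssl -is [string]) {
        $names   = $ssl -split ',' | ForEach-Object { $_.Trim() }
        $accepts = $names -contains 'SslNegotiateCert'
        $require = $names -contains 'SslRequireCert'
    } else {
        # Flag bits from the IIS schema: SslNegotiateCert = 32, SslRequireCert = 64.
        $accepts = [bool]([int]$ssl -band 32)
        $require = [bool]([int]$ssl -band 64)
    }

    # Step 2: the role service is installed and the module is enabled at server level.
    $feature = Get-WindowsFeature -Name 'Web-Client-Auth'
    $enabled = Get-RawValue (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
        -Name 'enabled')

    [pscustomobject]@{
        Location                = $Location
        AcceptsClientCerts      = $accepts -or $require
        RequiresClientCerts     = $require
        ClientCertAuthInstalled = [bool]$feature.Installed
        ClientCertAuthEnabled   = [bool]$enabled
    }
}

Test-EwsClientCertReadiness | Format-List
```

If AcceptsClientCerts, ClientCertAuthInstalled or ClientCertAuthEnabled is False, the corresponding step above has not been completed on this server.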

Using Office 365 with ENS2 and Certificate-Based Authentication

If you are using Office 365 and want to perform certificate-based authentication (CBA), you must enable certain settings in the Workspace ONE Boxer profile.

Office 365 or Exchange Online does not directly support certificate-based authentication. You must set up dual authentication, that is, modern authentication and CBA, to set up certificate-based authentication for Office 365. You must have Active Directory Federation Service (ADFS) set up to perform certificate-based authentication. Office 365 authenticates through modern authentication, and the certificate is presented to ADFS for authentication.

You must also enable modern authentication and certificate-based authentication using the AccountUseOauth setting in the Workspace ONE Boxer profile. See the Workspace ONE Boxer Admin Guide documentation for more details.

Supported EWS Authentication Methods with Office 365

The following EWS authentication methods are supported with Office 365:
  • OAuth 2.0 (Exchange Online only)
  • NTLM (Exchange On-premises only)
  • Basic (no longer recommended)
Refer to the relevant Microsoft Office 365 documentation for more details.