Email Profile Configuration on Devices with Existing Email Profiles

System Center Configuration Manager

Introduction

Email profile and settings configuration for Mobile Device Management (MDM) allows enterprises to deploy email profiles and restrictions so that workers can access corporate email on their personal devices without any required setup.
If there is an existing email profile on the device that matches the credentials of the profile that MDM is attempting to configure, this configuration will fail. MDM cannot remove the existing email profile on the device. Therefore, that profile will continue to exist instead of the MDM configured profile, and the device may not be as secure as the corporation expected.
This whitepaper outlines the steps an IT Pro needs to take to identify the devices on which an email profile already exists and MDM email profile configuration therefore fails, notify the users of those devices of their state, quarantine the devices from their email accounts until the existing profile is removed, and finally configure the MDM email profile on those devices successfully.
Note: This whitepaper applies to iOS and Windows Phone 8.1 devices only. The Ensuring MDM email profiles section of this whitepaper outlines how to mitigate the risk of users circumventing the steps of this whitepaper by manually importing a non-MDM email profile to access their email.

Requirements

System Center Configuration Manager 2012 R2 with a Windows Intune subscription, the email profile configuration plugin, and the Exchange connector connected to an on-premises Exchange environment. Office 365 environments are not covered in this whitepaper. Exchange connector requirements are listed here.

To perform the following procedures, the Exchange account you use must be delegated the Exchange Server Administrator role and membership in the local Administrators group.

You need access to a Certification Authority (CA) for client certificates. This can be a public CA solution, individual certificates from a vendor, or an Active Directory Certificate Services (AD CS) solution. In addition to the CA solution, the following requirements must be met:

  • The user certificate must be issued for client authentication. The default User template from an AD CS server will work in this scenario.
  • The User Principal Name (UPN) for each user account must match the Subject Name field in the user's certificate.
  • All servers must trust the entire CA trust chain. This chain includes the root CA certificate and any intermediate CA certificates. These certificates should be installed on all servers that may require them, including (but not limited to) ISA/TMG/UAG server(s) and the Client Access Server (CAS).
  • The root CA certificate must be in the Trusted Root Certification Authorities store, and any intermediate CA certificates in the intermediate store on all of these systems. The root CA certificate, and intermediate CA certificates must also be installed on the EAS device.
  • The user’s certificate must be associated with the user’s account in Active Directory.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server, see Permission Considerations.
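The certificate requirements above can be checked before any user is moved to certificate-based EAS. The following PowerShell function is an added example, not part of the whitepaper or of Configuration Manager; it assumes an exported user certificate file and the account's expected UPN are supplied by the administrator (the path and UPN below are constructed placeholders), and it verifies the Client Authentication EKU, the UPN in the Subject Alternative Name (falling back to the Subject CN), and that the chain builds to a root in the Trusted Root store of the server it runs on.

```powershell
# Added example (not from the whitepaper): pre-flight checks for a user certificate
# against the EAS certificate requirements. Run on a server that should trust the chain.
function Test-EasUserCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory=$true)] [string] $ExpectedUpn
    )
    $findings = @()

    # Requirement 1: issued for client authentication, i.e. the EKU extension (2.5.29.37)
    # contains the Client Authentication OID 1.3.6.1.5.5.7.3.2.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $clientAuth = $null
    if ($eku) {
        $clientAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }
    }
    if (-not $clientAuth) { $findings += 'No Client Authentication EKU (1.3.6.1.5.5.7.3.2)' }

    # Requirement 2: the account UPN must be in the certificate. The AD CS User template
    # places it in the Subject Alternative Name (2.5.29.17) as "Principal Name=";
    # the Subject CN is checked as a fallback.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($san) { $sanText = $san.Format($false) }
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if (-not ($sanText -match [regex]::Escape($ExpectedUpn)) -and ($cn -ne $ExpectedUpn)) {
        $findings += "UPN '$ExpectedUpn' not found (SAN='$sanText', CN='$cn')"
    }

    # Requirement 3: the full chain (root plus intermediates) must build on this server,
    # which is only possible if the root is in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline pre-flight; use 'Online' for a real check
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Chain does not build on this server: $status"
    }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage with constructed placeholder values: one exported user certificate ...
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\alice.cer'
Test-EasUserCertificate -Cert $cert -ExpectedUpn 'alice@contoso.example' | Format-List

# ... or every certificate in the current user's Personal store, reporting only failures.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EasUserCertificate -Cert $_ -ExpectedUpn 'alice@contoso.example' } |
    Where-Object { -not $_.Compliant } | Format-List
```

Run it on the CAS and on any ISA/TMG/UAG server in front of it: a chain that builds on one server and not another is exactly the trust-store gap the requirements list warns about, and it is far easier to find here than after Step 6 has cut the device off.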

Steps

Step 1: Enable certificate based authentication in System Center Configuration Manager

Certificate-based authentication is necessary to allow for email profile provisioning through System Center Configuration Manager.

To use System Center Configuration Manager to configure certificate-based authentication, follow the steps here.

Step 2: Enable certificate based authentication in Exchange environment

By enabling certificate based authentication, administrators gain more control over who can use Exchange ActiveSync (EAS). If users are required to obtain a certificate for EAS access, and the administrator controls certificate issuance, access control is assured for email profile configuration via MDM.

The Exchange administrator can enable certificate based authentication in one of two ways – through the Exchange Management Console or through the Exchange Management Shell.

To use the Exchange Management Console to configure certificate-based authentication for Exchange ActiveSync:

  1. In the Exchange Management Console, expand Server Configuration, and then click Client Access.
  2. In the result pane, click the Exchange ActiveSync tab.
  3. Select the Microsoft-Server-ActiveSync virtual directory.
  4. In the action pane, under Microsoft-Server-ActiveSync, click Properties.
  5. Click the Authentication tab.
  6. Clear the check box next to Basic authentication (password is sent in clear text).
  7. Click Accept client certificates (not Require client certificates). If certificate-based authentication were required at this point, all devices receiving email through the existing email profiles would be cut off before the MDM configured profiles are ready to be provisioned.
  8. Click Apply to save your changes, or click OK to save your changes and close the Microsoft-Server-ActiveSync properties dialog box.

To use the Exchange Management Shell to configure certificate-based authentication for Exchange ActiveSync:

  • Run the following command:

Set-ActiveSyncVirtualDirectory -Identity "ExchSrvr\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled:$false -ClientCertAuth:"Accepted"

Step 3: Configure email profiles in Intune

Note: Step 3 should be completed immediately after step 2 so that once a user removes the email profile that already exists on the device, they will immediately receive the MDM configured profile.

Follow the email profile configuration steps here. When configuring an email profile through the Create Exchange ActiveSync Email Profile Wizard, in the Configure Exchange ActiveSync settings step make sure that you choose Certificates as the Authentication method.

After configuration of email profiles is complete, the following error will appear in compliance monitoring reports for any device that has an email profile already set up on the device (an alert will also be raised if the admin profile is configured to show one):

  • Error code: -2016346112
  • Error type: Setting Discovery Error
  • Error ID: 0x87D1000

Step 4: Send email to users with existing email profile to inform them that they need to remove that profile

As a courtesy, the administrator should send recurring emails to all users informing them of the following steps, which they will need to take to continue to receive email:

  1. Since users currently have an email profile on their device that matches the profile that will be MDM configured, they will need to remove this profile from their device.
  2. After removing their profile, they need to directly enroll into Windows Intune so that the administrator can configure an MDM profile for them.

The emails should also specify a grace period, after which the user's email is blocked and they no longer receive corporate email on their existing profile. After step 3 of this whitepaper is complete, once a user removes the existing email profile from their device and enrolls into Windows Intune, they will automatically receive the MDM configured email profile along with its configuration settings.

Step 5: [Optional] After the grace period from step 4 expires, block all remaining devices that have an existing email profile

Using the Exchange connector, issue a quarantine to all devices that still have an existing email profile. This step is optional, because step 6 will block these devices from using the existing profile on the device.

The advantage of completing this step is that a mobile device that is blocked because of a device access setting that you configured will not be allowed to connect to the Exchange server, and will receive HTTP 403 Forbidden errors. The user will receive an email message from the Exchange server telling them that the mobile device was blocked from accessing their mailbox. The user will not be able to read the email message on the blocked mobile device. You can add customized text to this message to provide instructions for users whose devices are blocked through the Set User Notification task.

To use the Exchange Connector to block remaining devices until the existing profile is removed:

  1. In the System Center 2012 R2 Configuration Manager Administrator console, navigate to Assets and Compliance.
  2. Expand Overview, and then click Devices.
  3. For all devices marked with the Exchange logo (these are devices that are connecting with Exchange through an existing email profile) that are expected to have an MDM email profile configured, right-click the device, expand Exchange ActiveSync Access, then click Block. This is shown in the screen capture below.
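The same block can be applied from the Exchange Management Shell, which is useful when many devices are involved. The script below is an added example, not part of the whitepaper or of the Exchange connector; it assumes the Exchange Management Shell is loaded, that the administrator maintains the list of users still on a legacy (non-MDM) profile (the two UPNs are constructed placeholders), and that the notification text is the administrator's own. It also covers the step the console procedure above leaves implicit: the block is keyed on the EAS DeviceID, which the same physical device typically keeps after the old profile is removed, so it has to be cleared once the MDM profile has been delivered.

```powershell
# Added example (not from the whitepaper): block and later unblock legacy EAS partnerships
# for users whose grace period has expired. Requires the Exchange Management Shell.
$UsersStillOnLegacyProfile = @('alice@contoso.example', 'bob@contoso.example')   # constructed list

# Exchange-side custom text appended to the block notification message. The whitepaper
# sets this through the connector's Set User Notification task; this is the Exchange cmdlet
# for the organisation-level insert. The user reads it from a device that is NOT blocked.
Set-ActiveSyncOrganizationSettings -UserMailInsert `
    'This device is blocked until you remove the existing corporate mail account from it and enroll it in Windows Intune; the managed email profile is then delivered automatically.'

function Block-LegacyEasDevices {
    param([Parameter(Mandatory=$true)] [string[]] $Upn)
    foreach ($u in $Upn) {
        # At this point every partnership still syncing this mailbox is a legacy (pre-MDM) one.
        $ids = Get-ActiveSyncDeviceStatistics -Mailbox $u | Select-Object -ExpandProperty DeviceID
        if (-not $ids) {
            Write-Warning "$u has no Exchange ActiveSync partnerships; nothing to block"
            continue
        }
        Set-CASMailbox -Identity $u -ActiveSyncBlockedDeviceIDs $ids
        New-Object PSObject -Property @{ User = $u; BlockedDeviceIDs = $ids }
    }
}

function Unblock-EasDevicesAfterEnrollment {
    # Clear the per-DeviceID block once the MDM profile has been delivered to the device;
    # otherwise the re-enrolled device stays locked out because its DeviceID did not change.
    param([Parameter(Mandatory=$true)] [string] $Upn)
    Set-CASMailbox -Identity $Upn -ActiveSyncBlockedDeviceIDs $null
    Get-CASMailbox -Identity $Upn | Select-Object Name, ActiveSyncBlockedDeviceIDs
}

# Usage: block everyone on the expired list, and review what was blocked.
Block-LegacyEasDevices -Upn $UsersStillOnLegacyProfile | Format-Table -AutoSize

# Later, per user, once the Configuration Manager compliance report shows the profile delivered:
# Unblock-EasDevicesAfterEnrollment -Upn 'alice@contoso.example'
```

Because this step is optional and Step 6 cuts the same devices off at the virtual directory, the main value of the explicit block is the user-facing notification with the custom text; keep the list of blocked users so the unblock can be done deliberately rather than left to support calls.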

Step 6: After the grace period from step 4 expires, configure Exchange environment to require certificate based authentication

This will block all EAS activity on the devices with existing email profiles until the profile is removed, the device enrolls into Windows Intune, and finally receives the configured email profile from MDM. This will also require all future email profiles to be configured in this fashion.

Important: This step will block email profile configuration on Windows Phone 8 devices, since Windows Phone 8 does not support certificate based authentication.

To use the Exchange Management Console to configure certificate-based authentication for Exchange ActiveSync:

  1. In the Exchange Management Console, expand Server Configuration, and then click Client Access.
  2. In the result pane, click the Exchange ActiveSync tab.
  3. Select the Microsoft-Server-ActiveSync virtual directory.
  4. In the action pane, under Microsoft-Server-ActiveSync, click Properties.
  5. Click the Authentication tab.
  6. Ensure that the check box next to Basic authentication (password is sent in clear text) is clear.
  7. Click Require client certificates. Certificates are required now because at this point, all devices receiving email through the existing email profiles should be cut off since the MDM configured profiles are ready to be provisioned.
  8. Click Apply to save your changes, or click OK to save your changes and close the Microsoft-Server-ActiveSync properties dialog box.
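Steps 2 and 6 are the same Exchange Management Shell change run twice with a different ClientCertAuth value (Accepted first, Required after the grace period), and on every Client Access Server that publishes the virtual directory. The following function is an added example, not part of the whitepaper; it assumes the Exchange Management Shell is loaded and uses the whitepaper's ExchSrvr placeholder as the default identity. It records the current state before changing it, so the Required phase can be rolled back to Accepted if the cut-over has to be paused, and it verifies that both settings actually took effect on the directory.

```powershell
# Added example (not from the whitepaper): apply and verify the EAS client-certificate
# phase (Accepted for Step 2, Required for Step 6) on one or all Client Access Servers.
function Set-EasClientCertPhase {
    param(
        [Parameter(Mandatory=$true)] [ValidateSet('Accepted', 'Required')] [string] $Phase,
        [string] $Identity = 'ExchSrvr\Microsoft-Server-ActiveSync (Default Web Site)'   # placeholder server name
    )
    # Capture the pre-change state so a rollback command is on record.
    $before = Get-ActiveSyncVirtualDirectory -Identity $Identity
    Write-Host ("{0}: before BasicAuthEnabled={1} ClientCertAuth={2}" -f `
        $Identity, $before.BasicAuthEnabled, $before.ClientCertAuth)
    Write-Host ("Rollback: Set-ActiveSyncVirtualDirectory -Identity '{0}' -BasicAuthEnabled {1} -ClientCertAuth {2}" -f `
        $Identity, ('$' + $before.BasicAuthEnabled.ToString().ToLower()), $before.ClientCertAuth)

    # Basic authentication stays off in both phases; only the certificate mode changes.
    Set-ActiveSyncVirtualDirectory -Identity $Identity -BasicAuthEnabled $false -ClientCertAuth $Phase

    # Verify by reading the directory back rather than trusting the cmdlet's silence.
    $after = Get-ActiveSyncVirtualDirectory -Identity $Identity
    if ($after.BasicAuthEnabled -or ($after.ClientCertAuth -ne $Phase)) {
        throw ("Verification failed on {0}: BasicAuthEnabled={1} ClientCertAuth={2}" -f `
            $Identity, $after.BasicAuthEnabled, $after.ClientCertAuth)
    }
    $after | Select-Object Identity, BasicAuthEnabled, ClientCertAuth
}

# Step 2 (immediately before configuring the Intune email profiles): accept certificates, keep passwords working.
Set-EasClientCertPhase -Phase Accepted

# Step 6 (after the grace period), across every Client Access Server in the organisation:
# Get-ActiveSyncVirtualDirectory | ForEach-Object { Set-EasClientCertPhase -Phase Required -Identity $_.Identity }
```

Run the Required phase only after the Step 5 block list (or the compliance report) shows no devices you still intend to serve on the legacy profile; the verification at the end of the function tells you the setting took, not that every user still has a working path to their mailbox.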

Ensuring MDM email profiles

The steps above force users to enroll for MDM in order to get mail through Exchange ActiveSync. However, there is a possibility that users could get a non-MDM certificate from another device and import it manually. This can be mitigated by the following configurations:

  1. Configure Exchange to trust certificates from a specific Root Certification Authority (CA), and put that CA behind Network Device Enrollment Service (NDES). This is achievable by adding the Root CA’s certificate to the Exchange server’s Root CA certificate store.

Note: Users may still be able to export/import certificates from other devices enrolled through Windows Intune.

  2. In addition to the above step, configure Simple Certificate Enrollment Protocol (SCEP) profiles to protect certificates with Trusted Platform Module (TPM), which blocks the ability to export a certificate. This can be achieved through the Create Certificate Profile Wizard in the System Center 2012 R2 Configuration Manager Administrator console, under SCEP Enrollment. Make sure Install to Trusted Platform Module (TPM) otherwise fail is selected.

Note: Step 2 is supported on Windows Phone 8.1 only.