Exchange ActiveSync
Exchange ActiveSync lets users access corporate data stored in the Exchange server or any other EAS-compliant server. Users can access information such as e-mails, contacts, calendar, and tasks even when they are offline. EAS can be configured to use SSL encryption to establish secure communication between the EAS host and the managed devices. Also, MDM lets you store and view e-mail attachments using the ManageEngine MDM app.
The User Principal Name (UPN) of the user should be added in the certificate's Subject or Subject Alternative Name fields.
Policy Description
FEATURES | DESCRIPTION
---|---
Account Name | You can specify a name for your Exchange ActiveSync account. This name is not mandatory and is only used for reference.
Exchange Host Type | Specify the type of the Exchange Server - whether it is Office 365 or Exchange On-Premises.
Exchange Server | Specify the details of the Exchange Server. If Exchange Host Type is selected as Office 365, then Exchange Server is pre-filled as outlook.office365.com else the server name has to be specified.
CONFIGURATION DETAILS |
User Name | The username or login name usually consists of the user's name and domain-based suffix. Use %upn% to fetch the username mapped to the device.
Identity Certificate | Specify the Identity certificate to be used for EAS. If no certificate has been added yet, you can upload a certificate.
OAuth (supported for iOS 12 or later versions) | Enabling OAuth ensures that the Exchange client does not access the user's credentials. The users are redirected to Exchange Online to log into their account.
Domain (Can be configured only if Exchange Host Type is selected as Exchange On-Premises) | Enter the domain of the Exchange server. Use %domainname% to fetch the appropriate domain name mapped to the device.
E-mail Address (Can be configured only if Exchange Host Type is selected as Exchange On-Premises) | This is the e-mail address to be displayed on the 'From' field of the e-mail. Use %email% to fetch the appropriate e-mail addresses mapped to the devices.
Password (Can be configured only if Exchange Host Type is selected as Exchange On-Premises) | The password associated with the EAS Host account has to be specified here. If the password field is left empty, password is prompted once the profile is installed in the device.
ADVANCED SETTINGS |
Prevent moving messages to other mail Accounts | Prevent users from moving mails to other mail accounts on their devices. This also restricts users from forwarding or replying to already moved mails using other mail accounts.
Block account usage from non-mail apps | Prevent the usage of Exchange mail account from non-mail apps such as Photos, Safari, etc. to send messages.
Use SSL for mail communication | Send all communication through Secure Sockets Layer.
Enable S/MIME to encrypt or decrypt Mails | Send outgoing mails using S/MIME encryption and receive incoming mails using S/MIME decryption.
Certificate for signing mails (encrypt outgoing mails) | Upload the required certificate to encrypt all outgoing mails.
Certificate to decrypt incoming mails | Upload the required certificate to decrypt all incoming mails.
Sync Calendar | You can configure Calendar sync in Exchange or allow users to configure it.
Sync Contacts | You can configure Contact sync in Exchange or allow users to configure it.
Sync Notes | You can configure Notes sync in Exchange or allow users to configure it.
Sync Mail | You can configure Mail sync in Exchange or allow users to configure it.
Mails to save offline | You can select the duration for which mails can be synced and saved offline. This cannot be configured when Sync Mail is set as Disable and Restrict modification.
Sync Reminder | You can configure Reminder sync in Exchange or allow users to configure it.
Disable recent mail address sync (supported for iOS 6 or later versions) | Disable syncing with the recently used e-mail address in iCloud.
NOTE: By default, all the calendar, contacts, notes, and tasks are synced along with the mails, once the profile has been applied to the devices.
The Conditional Exchange Access is supported on native e-mail app for iOS.
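Added example, not ManageEngine's code: on iOS these options are delivered as keys of an Apple `com.apple.eas.account` configuration payload, and this script audits an exported profile for the data-leak settings from the table above. The key names are Apple's payload keys; the mapping of table rows to keys, the baseline values and the sample profile are assumptions of this example.

```python
import plistlib

# Constructed sample: a minimal configuration profile with one Exchange
# ActiveSync payload (not exported from a real MDM server).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.eas.account</string>
    <key>Host</key><string>mail.example.com</string>
    <key>UserName</key><string>alice@example.com</string>
    <key>Password</key><string>constructed-secret</string>
    <key>SSL</key><false/>
    <key>PreventMove</key><true/>
  </dict></array>
</dict></plist>"""

# (payload key, value assumed as baseline, table row it is assumed to map to)
BASELINE = [
    ("SSL", True, "Use SSL for mail communication"),
    ("PreventMove", True, "Prevent moving messages to other mail Accounts"),
    ("PreventAppSheet", True, "Block account usage from non-mail apps"),
    ("disableMailRecentsSyncing", True, "Disable recent mail address sync"),
]

def audit_eas_profile(raw):
    """Return one finding per weak or missing setting in each EAS payload."""
    findings = []
    profile = plistlib.loads(raw)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.eas.account":
            continue  # other payload types are out of scope here
        host = payload.get("Host", "<no host>")
        for key, wanted, row in BASELINE:
            # An absent key falls back to the OS default, so report it too.
            if payload.get(key) is not wanted:
                findings.append(f"{host}: {key} is not {wanted} ({row})")
        # A stored password travels with the profile; leaving the field
        # empty makes the device prompt the user instead.
        if payload.get("Password"):
            findings.append(f"{host}: Password is embedded in the profile")
    return findings

if __name__ == "__main__":
    for line in audit_eas_profile(SAMPLE_PROFILE):
        print(line)
```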
Dynamic Variables:
The dynamic variables below retrieve the data of the users added during enrollment.
- %email% - Gets the appropriate e-mail address, mapped to the device from the enrollment details.
- %username% - Gets the appropriate user name, mapped to the device from the enrollment details.
- %domainname% - Gets the appropriate domain name, mapped to the device from the enrollment details.
Note: If the organization does not have any domain name, the above field can be left empty.
- %upn% - Gets the appropriate user principal name, mapped to the device.
- %displayname% - Fetches the AD display name of the user to be invited.
- %firstname% - Fetches the first name of the user to be invited.
- %last_name% - Fetches the last name of the user to be invited.
- %middle_name% - Fetches the middle name of the user to be invited.
- If an Exchange account has been previously configured on the device, the same account cannot be configured using MDM.
- If the Add/ Modify account restriction has been applied to the device, the user is prompted to enter the password only once. If the user enters the wrong password, the profile has to be redistributed to prompt for password.
NOTE: Ensure that the maximum limit on the number of devices per mailbox is not breached while pushing the Exchange ActiveSync profile.
Troubleshooting tips
I've changed passcode for the Exchange accounts of all users. But they're still able to access it as they've logged in previously. How do I ensure the user logs in with the new passcode?
- Open IIS on the server machine, where your Exchange Server is running.
- In the Connections pane, expand the Server node and click Application Pools.
- In the Application Pools page, select MSExchangeSyncAppPool and click on Recycle and follow the on-screen instructions to refresh the session tokens on the devices. Users whose password has been changed are prompted for the new password, as the old password cannot renew the session.
- If Exchange account verification fails on the device, check whether adding the account manually on the device works, and verify that the information pushed via the profile is the same as the manual configuration in Settings -> Account & Password -> Policy Name.