Email Profile Configuration on Devices with Existing Email Profiles
System Center Configuration Manager
Introduction
Email profile and settings configuration for Mobile Device Management (MDM)
allows enterprises to deploy email profiles and restrictions so that workers can
access corporate email on their personal devices without any required setup.
If there is an existing email profile on the device that matches the credentials of
the profile that MDM is attempting to configure, this configuration will fail.
MDM cannot remove the existing email profile on the device. Therefore, that
profile will continue to exist instead of the MDM configured profile, and the
device may not be as secure as the corporation expected.
This whitepaper will outline the steps the IT Pro will need to take to track the
devices for which email profiles already exist and email profile configuration
fails, notify the users of these devices of their state, quarantine them from their
email accounts until the existing profile is removed, and finally, successfully
configure the MDM email profile onto these devices.
Note: This whitepaper applies to iOS and Windows Phone 8.1 devices only. The
Ensuring MDM email profiles section of this whitepaper outlines how to
mitigate the risk of users circumventing the steps of this whitepaper to
manually import a non-MDM email profile to access their email.
Requirements
System Center Configuration Manager 2012 R2 with a Windows Intune subscription, the
email profile configuration plugin, and the Exchange connector connected to an on-premises Exchange environment. Office 365 environments are not covered in this
whitepaper. Exchange connector requirements are listed here.
To perform the following procedures, the Exchange account you use must be delegated
the Exchange Server Administrator role and membership in the local Administrators
group.
You need access to a Certification Authority (CA) for client certificates. This can be a
public CA solution, individual certificates from a vendor, or an Active Directory Certificate
Services (AD CS) solution. In addition to the CA solution, the following requirements
must be met:
• The user certificate must be issued for client authentication. The default User
template from an AD CS server will work in this scenario.
• The User Principal Name (UPN) for each user account must match the Subject
Name field in the user's certificate.
• All servers must trust the entire CA trust chain. This chain includes the root CA
certificate and any intermediate CA certificates. These certificates should be
installed on all servers that may require them, to include (but not limited to)
ISA/TMG/UAG server(s) and the Client Access Server (CAS).
• The root CA certificate must be in the Trusted Root Certification Authorities
store, and any intermediate CA certificates in the intermediate store on all of
these systems. The root CA certificate and intermediate CA certificates must
also be installed on the EAS device.
• The user’s certificate must be associated with the user’s account in Active
Directory.
For more information about permissions, delegating roles, and the rights that are
required to administer Exchange Server, see Permission Considerations.
Steps
Step 1: Enable certificate based authentication in System Center Configuration Manager
Certificate-based authentication is necessary to allow for email profile provisioning
through System Center Configuration Manager.
To use System Center Configuration Manager to configure certificate-based
authentication, please follow the steps here: http://technet.microsoft.com/en-us/library/dn261202.aspx
Step 2: Enable certificate based authentication in Exchange environment
By enabling certificate based authentication, administrators gain more control over who
can use Exchange ActiveSync (EAS). If users are required to obtain a certificate for EAS
access, and the administrator controls certificate issuance, access control is assured for
email profile configuration via MDM.
The Exchange administrator can enable certificate based authentication in one of two
ways – through the Exchange Management Console or through the Exchange
Management Shell.
To use the Exchange Management Console to configure certificate-based authentication
for Exchange ActiveSync:
1. In the Exchange Management Console, expand Server Configuration, and then
click Client Access.
2. In the result pane, click the Exchange ActiveSync tab.
3. Select the Microsoft-Server-ActiveSync virtual directory.
4. In the action pane, under Microsoft-Server-ActiveSync, click Properties.
5. Click the Authentication tab.
6. Clear the check box next to Basic authentication (password is sent in clear
text).
7. Click Accept client certificates rather than Require client certificates. If
certificate based authentication were required at this point, all devices receiving
email through the existing email profiles would be cut off before the MDM configured
profiles are ready to be provisioned.
8. Click Apply to save your changes, or click OK to save your changes and close
the Microsoft-Server-ActiveSync properties dialog box.
To use the Exchange Management Shell to configure certificate-based authentication for
Exchange ActiveSync:
• Run the following command:
Set-ActiveSyncVirtualDirectory -Identity "ExchSrvr\Microsoft-Server-ActiveSync (Default Web Site)" -BasicAuthEnabled $false -ClientCertAuth Accepted
(Accepted corresponds to the Accept client certificates setting chosen in the console
steps above; step 6 later changes this value to Required.)
Step 3: Configure email profiles in Intune
Note: Step 3 should be completed immediately after step 2 so that once a user removes
the email profile that already exists on the device, they will immediately receive the
MDM configured profile.
Please follow the email profile configuration steps here:
http://technet.microsoft.com/en-us/library/dn554227.aspx. When configuring an email
profile through the Create Exchange ActiveSync Email Profile Wizard, in the
Configure Exchange ActiveSync settings step make sure that you choose Certificates
as the Authentication method.
After configuration of email profiles is complete, the following error will appear in
compliance monitoring reports for any device that has an email profile already set up on
the device (an alert will also be raised if the admin profile is configured to show one):
• Error code: -2016346112
• Error type: Setting Discovery Error
• Error ID: 0x87D10000
Step 4: Send email to users with existing email profile to inform them that they need to remove that profile
As a courtesy, the administrator should send recurring emails to all users informing
them of the following steps, which they will need to take to continue to receive email:
1. Since users currently have an email profile on their device that matches the
profile that will be MDM configured, they will need to remove this profile from
their device.
2. After removing their profile, they need to directly enroll into Windows Intune so
that the administrator can configure an MDM profile for them.
The emails should also specify a grace period that the user has until their email
is blocked and they no longer will receive corporate email on their profile. After
step 3 of this whitepaper is complete, and once a user removes the existing
email profile from their device and enrolls into Windows Intune, they will
automatically receive the MDM configured email profile along with its
configuration settings.
Step 5: [Optional] After the grace period from step 4 expires, block all remaining devices that have an existing email profile
Using the Exchange connector, issue a quarantine to all devices that still have an existing
email profile. This step is optional, because step 6 will block these devices from using
the existing profile on the device.
The advantage of completing this step is that a mobile device that is blocked because of
a device access setting that you configured will not be allowed to connect to the
Exchange server, and will receive HTTP 403 Forbidden errors. The user will receive an
email message from the Exchange server telling them that the mobile device was
blocked from accessing their mailbox. The user will not be able to read the email
message on the blocked mobile device. You can add customized text to this message to
provide instructions for users whose devices are blocked through the Set User
Notification task.
To use the Exchange Connector to block remaining devices until the existing profile is
removed:
1. In the System Center 2012 R2 Configuration Manager Administrator console,
navigate to Assets and Compliance.
2. Expand Overview, and then click Devices.
3. For all devices marked with the Exchange logo (these are devices that are
connecting with Exchange through an existing email profile) that expect to have
an MDM email profile configured, right click the device, expand Exchange
ActiveSync Access, then click Block. This is shown in the screen capture
below.
Step 6: After the grace period from step 4 expires, configure Exchange environment to require certificate based authentication
This will block all EAS activity on the devices with existing email profiles until the profile
is removed, the device enrolls into Windows Intune, and finally receives the configured
email profile from MDM. This will also require all future email profiles to be configured
in this fashion.
Important: This step will block email profile configuration on Windows Phone 8 devices,
since Windows Phone 8 does not support certificate based authentication.
To use the Exchange Management Console to configure certificate-based authentication
for Exchange ActiveSync:
1. In the Exchange Management Console, expand Server Configuration, and then
click Client Access.
2. In the result pane, click the Exchange ActiveSync tab.
3. Select the Microsoft-Server-ActiveSync virtual directory.
4. In the action pane, under Microsoft-Server-ActiveSync, click Properties.
5. Click the Authentication tab.
6. Ensure that the check box next to Basic authentication (password is sent in
clear text) is clear.
7. Click Require client certificates. Certificates are required now because at this
point, all devices receiving email through the existing email profiles should be
cut off since the MDM configured profiles are ready to be provisioned.
8. Click Apply to save your changes, or click OK to save your changes and close
the Microsoft-Server-ActiveSync properties dialog box.
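As an added example that is not part of this whitepaper, the following Exchange Management Shell function audits every Exchange ActiveSync virtual directory against the state expected after step 2 (client certificates accepted, Basic authentication off) or after step 6 (client certificates required, Basic authentication off), and can optionally apply the correction. It uses only the Exchange cmdlets Get-ActiveSyncVirtualDirectory and Set-ActiveSyncVirtualDirectory; the function name, its parameters and the Phase names are this example's own assumptions.

```powershell
# Added example (not from the whitepaper): compare each EAS virtual directory with the
# authentication state the whitepaper expects at step 2 ('Accept') or step 6 ('Require').
# Basic authentication must be off in both phases. Run from the Exchange Management Shell.
# Function name and parameters are this example's own; cmdlets and property names are Exchange's.
function Test-EasCertAuthState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 'Accept' = whitepaper step 2, 'Require' = whitepaper step 6
        [Parameter(Mandatory = $true)]
        [ValidateSet('Accept', 'Require')]
        [string]$Phase,

        # Apply Set-ActiveSyncVirtualDirectory to directories that drift from the
        # expected state; without this switch the function only reports. -WhatIf previews.
        [switch]$Remediate
    )

    $expected = if ($Phase -eq 'Accept') { 'Accepted' } else { 'Required' }

    foreach ($vdir in Get-ActiveSyncVirtualDirectory) {
        $problems = @()
        if ($vdir.BasicAuthEnabled) {
            $problems += 'Basic authentication is still enabled (password sent in clear text)'
        }
        if ("$($vdir.ClientCertAuth)" -ne $expected) {
            $problems += "ClientCertAuth is '$($vdir.ClientCertAuth)', expected '$expected'"
        }

        # One report row per virtual directory, reflecting the state before any change
        [pscustomobject]@{
            Identity         = "$($vdir.Identity)"
            BasicAuthEnabled = $vdir.BasicAuthEnabled
            ClientCertAuth   = "$($vdir.ClientCertAuth)"
            Compliant        = ($problems.Count -eq 0)
            Problems         = ($problems -join '; ')
        }

        if ($Remediate -and $problems.Count -gt 0 -and
            $PSCmdlet.ShouldProcess("$($vdir.Identity)", "Set BasicAuthEnabled=false, ClientCertAuth=$expected")) {
            Set-ActiveSyncVirtualDirectory -Identity $vdir.Identity `
                -BasicAuthEnabled $false -ClientCertAuth $expected
        }
    }
}

# Step 2: report drift first, then preview the change. At step 6 use -Phase Require instead.
Test-EasCertAuthState -Phase Accept | Format-Table -AutoSize
Test-EasCertAuthState -Phase Accept -Remediate -WhatIf
```

Drop -WhatIf to apply the change; running the audit with -Phase Accept before step 6 and with -Phase Require afterwards confirms that no virtual directory was left with Basic authentication enabled.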
Ensuring MDM email profiles
The steps above force users to enroll for MDM in order to get mail through Exchange
ActiveSync. However, there is a possibility that users could get a non-MDM certificate
from another device and import it manually. This can be mitigated by the following
configurations:
1. Configure Exchange to trust certificates from a specific Root Certification
Authority (CA), and put that CA behind Network Device Enrollment Service
(NDES). This is achievable by adding the Root CA’s certificate to the Exchange
server’s Root CA certificate store.
Note: Users may still be able to export/import certificates from other devices
enrolled through Windows Intune.
2. In addition to the above step, configure Simple Certificate Enrollment Protocol
(SCEP) profiles to protect certificates with Trusted Platform Module (TPM),
which blocks the ability to export a certificate. This can be achieved through
the Create Certificate Profile Wizard in the System Center 2012 R2
Configuration Manager Administrator console, under SCEP Enrollment. Make
sure Install to Trusted Platform Module (TPM) otherwise fail is selected.
Note: Step 2 is supported on Windows Phone 8.1 only.