Jamf Nation Community

Yeah, our mail Configuration Profile actually pushes to the iPhone / iPad mail app, I don't mind that. I just can't figure out a way to prevent someone from just manually adding their phone, and bypassing MDM entirely.

It appears that Office 365 MDM can prevent it, but then I'm stuck not using Casper...

Well if you are able to maneuver a solution like I described (which I don't know if it's possible, it's all just conceptual) then you are definitely relying on Casper (it's just indirect). I assume the goal is to accomplish the objective, not so much how you go about getting there? Sometimes you do have to get a little creative....

This is more requirement design than implementation, but... Why does the user need to be prevented from accessing other email on the device?

No sorry, I don't mind if they have other mail. I want to allow Casper to install corporate mail on their device. But I don't want them to say, just use their Office 365 login / password to install mail on a different device. I am trying to figure out a way make sure that every device in the "wild" that a user adds our mail to is managed by MDM.

On any phone currently, if you go to Mail, Contacts, & Calendars. Select Exchange and put in your Office 365 credentials. You're getting your mail on the device, and it isn't in Casper. I can turn off Activesync, but that prevents Casper from installing too.

Setup a new ActiveSync that only allows connection to Exchange with certificates. Users will only be allowed to make a connection to Exchange from Managed device which get deploy a individual certificate from a Internal MS CA using SCEP and JAMF MDM (SCEP Configuration Profile). Hope that helps. We are in the process of testing it in our environment once we have a MS CA running on version 2012 instead of 2008 R2. It works just like the feature that MobileIron and AirWatch offer when setting up a Exchange Poxy.

Here is a good article on how to set it up.

The Benefits of Kerberos SSO: By Steve Goodman

Certificate-based Authentication is ideal for ActiveSync devices because, if like most organizations, your users have to change passwords regularly, this can cause confusion and even account lockouts each time users change their password. If you provision devices centrally, using certificates rather than password can allow administrators to make sure ActiveSync devices will work without user intervention once they are out in the field. Finally, using certificate-based authentication helps ensure that end-users don’t connect personal devices to your organization – although features like ActiveSync device policies and quarantine features can help with this too.

Of course it’s not all simplicity when it comes to certificate-based authentication – the provisioning process is more complicated as the certificate needs to be on the device and configured correctly; a well-setup Exchange organization using password-based authentication benefits from AutoDiscover to allow end-users to easily setup their own devices by just using their email address and account username and password.

In part one of this article we’ll look at what’s involved in configuring Exchange to allow certificate-based authentication for ActiveSync devices including:

· A quick overview of the certificate authority we’ll be using for this multi-part article.

· How to allow administrators to request certificates on behalf of end-users to simplify provisioning.

· Configuring the underlying IIS features on each Exchange Client Access Server.

· Creating a second IIS site to optionally allow certificate-based authentication to be in use within your Exchange organization at the same time as password-based authentication.

· And, finally - enabling certificate-based authentication for ActiveSync.

In the second part of this series, we’ll then look at how to deploy certificate-based authentication for two different mobile device types; iOS devices like the iPhone, iPad and iPod touch and Android devices using Nitrodesk’s TouchDown ActiveSync client.

Part 1: http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/configuring-certificate-based-authentication-exchange-2010-activesync-part1.html

Part 2: http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/configuring-certificate-based-authentication-exchange-2010-activesync-part1.html

http://mobilitydojo.net/2010/05/19/securing-exchange-activesync-with-client-certificates-lan-access/

RS4, I like where your head is at, that is perfect.

BUT...

I don't think I can do that using Office 365, that's only on prem Exchange as far as I can tell.

@danseals Yep, O365 can't do cert based auth for exchange.

You might want to look at Exchanges Allow/Block/Quarantine list.

I've some details about it here.

But it would have to be manually managed as the JSS does not currently have any automated tie in.

Yeah that's what I'm afraid of, essentially I would have to block all installs. Then manually approve those coming in through JSS as they happen.

Oh Microsoft... It annoys me that they have this functionality built into Office 365 MDM (and even more if you use MS Intune) but they don't allow any other MDM to replicate it.