Issues with enterprise activesync and certificate updates...

John Payne

Joined: Nov 26, 2013

We use x509 TLS certificates as part of our authentication to activesync. When the certificate renews, the way this works is the profile is removed from the device and re-added with the new credential.

Unfortunately, this means that the ActiveSync account settings are reset to defaults (folders to sync, days, etc.), as is whether the user had set the ActiveSync account as the default account for mail, calendar, and contacts.

Under the principle of least surprise, I'd like to force the ActiveSync accounts to be the default when provisioning or renewing. I haven't found any way of doing this with the standard AirWatch profile settings, so I was wondering if there are any MDM features I should be asking AirWatch for, or even if there's any custom XML that I can apply.

AirWatch

Joined: Sep 23, 2013

Issues

Hello John,

Unfortunately, AirWatch does not currently provide this. Since certificates are tied to a profile, renewing that certificate requires replacing that profile, and that requires replacing all settings associated with that profile.

Apologies for the late response. Please let us know if there is anything we can answer or assist with in the future.

John Payne

Joined: Nov 26, 2013

Not AirWatch specific

I know it's not something native to AirWatch, but my question was really twofold:

1. Does Apple have any custom XML that would allow us to set default accounts after the profile is installed?
2. How are other MDM vendors dealing with this issue?

mladen.hajak

Joined: Sep 19, 2013

Easy solution

Hello John,

The average lifetime of a mobile device is not more than 2 years, so it is not a big security risk to issue the user certificate for ActiveSync with 2 years' validity (or even 3 years). If the device is retired or given to someone else, lifecycle management will take care of it: the ActiveSync profile with the cert will be automatically removed, and the certificate will be revoked by ProMDM, so there is no risk in that scenario.

John Payne

Joined: Nov 26, 2013

too many assumptions

I personally would not dare to guess at a company's risk tolerance.

Revocation has many dependencies, not least that the server actually checks revocation.

Longer validity periods mean bigger CRLs which means more chance that revocation checking will fail.

There's a move towards short-lived certificates on the server side, and seamless provisioning like the kind promised by MDM would go a long way on the client side too:
http://www.w2spconf.com/2012/papers/w2sp12-final9.pdf

And I'd love to live in a world where all retired devices or those given to someone else were absolutely known by the MDM to have been transitioned.
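The server-side revocation dependency discussed in this thread, as an added Go example (not code from the thread, from AirWatch or from ProMDM): it builds a throwaway CA, a two-year ActiveSync client certificate and a CRL in memory, then runs the check a server has to perform before trusting the client cert, failing closed when the CRL is missing or stale. The function names CheckClientCert and Scenario, the serial numbers, the "Demo CA" subject and the freshness windows are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckClientCert is the server-side revocation gate for an ActiveSync client certificate: the cert must be CA-signed and
// absent from a CA-signed CRL that is still fresh. A missing or stale CRL fails closed (validity window and EKU are left to TLS).
func CheckClientCert(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return err
	}
	if crl == nil || now.After(crl.NextUpdate) {
		return errors.New("CRL missing or stale: failing closed")
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // only a CA-signed CRL may speak for the CA
		return err
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

// Scenario builds a constructed demo CA and a two-year client cert (serial 42), signs a CRL that lists
// revokedSerial and stays fresh for crlFresh, then runs CheckClientCert at now. Nothing here is real PKI material.
func Scenario(now time.Time, crlFresh time.Duration, revokedSerial int64) error {
	parse := func(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour)}
	ca := parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey))
	userPub, _, _ := ed25519.GenerateKey(rand.Reader) // the private half would stay on the device
	cert := parse(x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "user@example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(2 * 365 * 24 * time.Hour)}, ca, userPub, caKey))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-30 * 24 * time.Hour), NextUpdate: now.Add(crlFresh),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER) // nil when the CRL could not be produced or fetched
	return CheckClientCert(cert, ca, crl, now)
}
```

Scenario returns nil when the client certificate is accepted; pass a negative crlFresh to exercise the stale-CRL path, or serial 42 to see the revoked path.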
