We use x509 TLS certificates as part of our authentication to activesync. When the certificate renews, the way this works is the profile is removed from the device and re-added with the new credential.
Unfortunately, this means that the activesync account settings are reset to defaults (folders to sync, days, etc) as well as if the user had set the activesync as default account for mail, calendar, contacts.
Under the principle of least surprise, I'd like to force the activesync accounts to be default when provisioning or renewing. I haven't found any way of doing this with the standard AirWatch profile settings, so I was wondering if there's any MDM features I should be asking AirWatch for, or even if there's any custom XML that I can apply.
Unfortunately, AirWatch does not currently provide this. Since certificates are tied to a profile, renewing that certificate requires replacing that profile, and that requires replacing all associated settings with that profile.
Apologies for the late response. Please let us know if there is anything we can answer or assist with in the future.
I know it's not something native to airwatch, but my question was really twofold:
1. Does Apple have any custom XML that would allow us to set default accounts after the profile is installed
2. How are other MDM vendors dealing with this issue?
The lifetime of a mobile device is not more than 2 years on average, so it is not a big security risk if you issue the user certificate for ActiveSync with 2 years validity (or even 3 years). If the device is retired or given to someone else, lifecycle management will take care of it: the ActiveSync profile with the cert will be automatically removed, and the certificate will be revoked by ProMDM, so there is no risk in that scenario.
I personally would not dare to guess at a company's risk tolerance.
Revocation has many dependencies, not least that the server actually checks revocation.
Longer validity periods mean bigger CRLs which means more chance that revocation checking will fail.
There's a move towards short-lived certificates on the server side, and seamless provisioning like the kind promised by MDM would go a long way on the client side too.
And I'd love to live in a world where all retired devices or those given to someone else were absolutely known by the MDM to have been transitioned.