Active Sync Profiles for Certificate Based Authentication with Exchange

Hi everyone,
we are using SMC 7 and it works fine at the moment regarding ActiveSync profiles with a user/password combo. But we are in the process of rolling out smartcards to our user base. This makes the user/password combo impossible.

We now have to use certificate based authentication (CBA) for Exchange 2013 ActiveSync, and I have some questions about that topic regarding the overall config.

1. We have set up an MS SCEP (NDES) server for generating the certificates from our MS PKI for the mobiles over SMC.
Q: Which certificate template should we use as a base, and what should we change in the template?

2. We have configured SCEP in SMC pointing to the NDES server.
Q: What should we configure in the SCEP profile?
   I think the Subject should be the user UPN "".
   Do I need the SAN fields?

3. Does Android support such a config in the ActiveSync profile?
   I know that iPhones can handle CBA without a user password, but Android?
   We have Samsung and Sony mobiles.
In my first tests with a Sony mobile (Android 7) our root certs are on the phone, but the SCEP cert from the ActiveSync profile is not on the phone. In our PKI, however, it was issued.

Many thanks in advance for any answer that helps!


  • 1. is solved.

    2. is solved.

    3. With iPhones it is working fine: they get the certificate over SCEP and mail is running fine without a password, just with the certificate. On my Sony I could not get the SCEP certificate onto the phone. On which devices is this working?

    On the Sony I have to put the certificate on the phone manually, and I must use another mail app (Boxer) where I can configure a mail profile without a password, just with the cert.

  • In reply to PeterRist:

    Hello Peter,

    For the 3rd problem: I tested on LG G3, Sony Xperia and HTC One devices, and I can get SCEP certificates from the server to the devices. Maybe you can upgrade your MDM software to version 7.0.10.

    Please share your test results for MDM...

    Best regards...

    Ali Erdem Sunar

    Sophos Certified Engineer

  • In reply to Ali Erdem Sunar:

    Hello Ali,
    The server is at 7.0.10.

    Tested again with the Sony Z5 Compact:
    The profile is set up like this:
    - Step 1: Pushing our Root CA and Issuing CA certificates to the mobile = working
    - Step 2: SCEP step (I see the request passing in the WAF log of the UTM)
    - Step 3: ActiveSync account with the cert from the SCEP step and the corresponding Root CA cert = the Mobile Control app is asking for the Exchange password. This should not happen; we don't want a user/password combo, we want full CBA auth.
    = No client cert and no ActiveSync account on the mobile

    The same steps are working fine on an iPhone.

    I will test it with a Samsung S6 and S7 and share the results.

    Cheers, Peter

  • In reply to PeterRist:

    Dear Peter,

    It looks like a certificate access problem. I sent you a PM. I will be in touch on Skype to help you.

    Best Regards...

    Ali Erdem Sunar

    Sophos Certified Engineer

  • I was curious if you had some quick instructions for setting this up? 

    I'm looking to do the same thing.

  • In reply to PeterRist:

    Hello Peter,

    What were the solutions for 1 and 2?