Hi everyone, we are using SMC 7 and at the moment it works fine regarding ActiveSync profiles with a user/password combo. But we are in the process of rolling out smartcards for our userbase. This makes the user/password combo impossible.

We now have to use certificate based authentication (CBA) for Exchange 2013 ActiveSync and I have some questions about that topic regarding the overall config.

1. We have set up a MS SCEP (NDES) server for generating the certificates from our MS PKI for the mobiles over SMC.
Q: Which certificate template should we use as base, and what should we change in the template?

2. We have configured SCEP in SMC pointing to the NDES server.
Q: What should we configure in the SCEP profile? I think the Subject should be the user UPN "CNfirstname.lastname@example.org". Do I need the SAN fields?

3. Does Android support such a config in the ActiveSync profile? I know that iPhones can handle CBA without a user password, but Android? We have Samsung and Sony mobiles. In my first tests with a Sony mobile (Android 7) our root certs are on the phone, but the SCEP cert from the ActiveSync profile is not on the phone. But in our PKI it was issued.

Many thanks in advance for any answer that helps!
Peter
1. is Solved
2. is Solved
3. With iPhones it is working fine: they get the certificate over SCEP and mail is running fine without a password, just with the certificate. On my Sony I could not get the SCEP certificate onto the phone. On which devices is this working?
On the Sony I have to manually put the certificate on the phone and I must use another mail app (Boxer) where I can configure a mail profile without a password, just with the cert.
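For the SCEP profile question (point 2 above), the property that Exchange ActiveSync certificate-based authentication with Active Directory certificate mapping relies on is the user's UPN carried in the certificate's Subject Alternative Name as a Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), together with the Client Authentication EKU. The following is an added example, not code from the thread or from Sophos: it constructs two sample certificates with openssl (one with the UPN SAN, one with only an rfc822 e-mail SAN) and checks both properties; the UPN, file names and function names are constructed for the demonstration, and a real NDES-issued cert is checked the same way.

```shell
#!/bin/sh
# Added example (not from the thread): check that a user certificate carries what
# Exchange/AD certificate mapping expects: the clientAuth EKU and the UPN as an
# msUPN otherName (1.3.6.1.4.1.311.20.2.3) in the SAN. Sample certs are constructed
# locally so the check runs offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
UPN="firstname.lastname@example.org"   # constructed sample UPN

# make_cert FILE SAN_LINE: self-signed test cert with CN = UPN, clientAuth EKU and the given SAN
make_cert() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $UPN
[ext]
extendedKeyUsage = clientAuth
$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
        -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
}

# has_client_auth_eku FILE: succeeds when the cert carries the TLS client authentication EKU
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# has_upn_san FILE UPN: succeeds when the SAN holds an msUPN otherName whose UTF8String is UPN.
# Matched on the DER hex dump (OID 06 0A 2B 06 01 04 01 82 37 14 02 03, then [0] EXPLICIT
# UTF8String), so it does not depend on how this openssl build prints otherNames.
has_upn_san() {
    hex=$(printf '%s' "$2" | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F')
    openssl asn1parse -in "$1" | tr -d '\n' | grep -Eq "060A2B060104018237140203A0..0C..$hex"
}

# Good cert: UPN in the SAN. Bad cert: SAN holds only an e-mail address, as a plain user template might.
make_cert "$WORK/good.pem" "subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$UPN"
make_cert "$WORK/bad.pem"  "subjectAltName = email:$UPN"

for f in good bad; do
    if has_client_auth_eku "$WORK/$f.pem" && has_upn_san "$WORK/$f.pem" "$UPN"; then
        echo "$f.pem: clientAuth EKU and UPN SAN present, usable for CBA mapping"
    else
        echo "$f.pem: missing clientAuth EKU or UPN SAN, will not map to the AD user"
    fi
done
```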
In reply to PeterRist:
For the 3rd problem: I tested on LG G3, Sony Xperia and HTC One devices, and I can get SCEP certificates from the server to the devices. Maybe you can upgrade your MDM software to version 7.0.10.
Please share your test results for MDM...
Ali Erdem Sunar
Sophos Certified Engineer
In reply to Ali Erdem Sunar:
Hello Ali, the server is at 7.0.10.
Tested again with the Sony Z5 Compact. The profile is set up like this:
- Step 1: Pushing our Root CA and Issuing CA certificates to the mobile = working
- Step 2: SCEP step (I see the request passing in the WAF log of the UTM)
- Step 3: ActiveSync account with the cert from the SCEP step and the corresponding Root CA cert = the Mobile Control app is asking for the Exchange password. This should not happen; we don't want a user/password combo, we want full CBA auth.
= No client cert and no ActiveSync account on the mobile.
The same steps are working fine on an iPhone.
I will test it with Samsung S6 and S7 and share the results.
It looks like a certificate access problem. I sent you a PM. I will be in touch on Skype to help you.
I was curious if you had some quick instructions for setting this up?
I'm looking to do the same thing.
What were the solutions for 1 and 2?