noorigin, posted May 24, 2019

We use:
ESET Security Management Center (Server), Version 7.0 (7.0.577.0)
ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)
Update module 1072 (20180813)
Translation support module 1740 (20190418)
Configuration module 1663.15 (20181129)
SysInspector module 1274 (20180918)
SSL module 1028.1 (20190327)
Push Notification Service module 1053 (20190321)

I need help setting up the Exchange ActiveSync policy for iOS. I am confused about the variables I am supposed to be using. We use a hosted Exchange (in the cloud). ESMC is synced to AD. What I am confused about is which variable I use for Account name, User, and Email address.

Currently I have Account name = ${mail}, User=${exchange_login/...}, and Email Address= $email_address/...} and it is not working. I can't seem to find any document on which variables apply to what or what they are for, so these are just shot-in-the-dark guesses on my part.

Oliver (ESET Staff), posted May 27, 2019

Hello, this is described in the product documentation: https://help.eset.com/esmc_admin/70/en-US//?admin_pol_for_ios_mdm.html

Mirek S. (ESET Staff), posted May 28, 2019 (edited May 28, 2019 by Mirek S.: Better-ify)

Hello,

The attributes are configured in the synchronization task. Then each device needs to have a user assigned. Such variables are then replaced in the configuration delivered to the phone. If a user is not assigned or attribute synchronized (or defined manually), the block of configuration (exchange mailbox etc...) is actually removed from the device configuration profile.

Meaning that attributes synchronized as

Are available in policy as

Which synchronized attribute should map to what really depends on Your AD schema.

HTH

noorigin, posted May 28, 2019 (edited May 28, 2019 by noorigin)

Oliver, thanks, but that is the guide I have been using.

Mirek, that's more along the lines of what I was looking for. So when I go to edit the AD_UserSync task and get to the exchange accounts part, it wants a name (required entry). Same place you have a0 in the above screenshot. What is that part for, what needs to go in that field?

Mirek S. (ESET Staff), posted May 28, 2019 (edited May 28, 2019 by Mirek S.: Clarification)

Hello,

The "Name" (in my example a0) is essentially just identification for You (so put there whatever makes sense to You). Assume You wanted multiple exchange or VPN (etc...) configurations; You would need to address them in the policy editor somehow.

I also think (unsure, would have to check code) the iOS configuration profile is filled only if all attributes specified in the policy editor are non-empty.

Imagine user = set of attributes.

    user1 = {
        exchange {
            mydomain {
                email = "my@email.com"
                login = "me"
            }
            myshadowdomain {
                email = "othermy@email.com"
                login = "otherme"
            }
        }
    }

Such attributes are then available in the policy editor in a slightly different format of exchange_email/mydomain or exchange_email/myshadowdomain. (Where mydomain and myshadowdomain are Name.) This is not only for multiple configurations, but also as MSP support where multiple companies are managed in one ESMC.

TBH seeing this I'm unsure why we did it this way, as both hierarchical "exchange/mydomain/email" or a flat list make more sense.

HTH

noorigin, posted May 28, 2019

I still cannot get this to work. I get "Error during policy application on device" in ESMC alert. Is there a log somewhere I could be looking at to give me some clues where this is all going wrong?

noorigin, posted May 28, 2019

Found this in trace.log under C:\ProgramData\ESET\RemoteAdministrator\MDMCore\Logs

2019-05-28 17:11:30 W [14516] Command d992115e-ef6d-4446-bea5-e41af8484ae4 has caused the device to reply with an Error: <?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict><key>CommandUUID</key><string>d992115e-ef6d-4446-bea5-e41af8484ae4</string><key>ErrorChain</key><array><dict><key>ErrorCode</key><integer>1000</integer><key>ErrorDomain</key><string>MCProfileErrorDomain</string><key>LocalizedDescription</key><string>The profile “ESET MDM Configuration” is invalid.</string><key>USEnglishDescription</key><string>The profile “ESET MDM Configuration” is invalid.</string></dict><dict><key>ErrorCode</key><integer>1007</integer><key>ErrorDomain</key><string>MCProfileErrorDomain</string><key>LocalizedDescription</key><string>The payloads in this profile do not have unique UUIDs.</string><key>USEnglishDescription</key><string>The payloads in this profile do not have unique UUIDs.</string></dict></array><key>Status</key><string>Error</string><key>UDID</key><string>7bcf581d43790017538660cd371cdbb5b1b796fc</string></dict></plist>

Not sure exactly, shot in the dark here, but does that indicate the variables/attributes are not getting pulled from AD, hence no UUIDs? Or do I have something wrong in the exchange domain field?

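As an added example (not part of the original posts and not ESET code): a Python script that pulls the Apple error chain out of an MDMCore trace.log line like the one quoted above, and checks a configuration profile for repeated PayloadUUID values, which is what error 1007 reports. The sample line and profile are constructed with placeholder identifiers, and having the generated profile available as a plist is an assumption.

```python
import plistlib
from collections import Counter

# Constructed sample: same shape as the trace.log entry in the thread,
# with placeholder CommandUUID/UDID values.
SAMPLE_LINE = (
    "2019-05-28 17:11:30 W [14516] Command 00000000-0000-0000-0000-000000000001 "
    "has caused the device to reply with an Error: "
    '<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    "<key>CommandUUID</key><string>00000000-0000-0000-0000-000000000001</string>"
    "<key>ErrorChain</key><array>"
    "<dict><key>ErrorCode</key><integer>1000</integer>"
    "<key>ErrorDomain</key><string>MCProfileErrorDomain</string>"
    "<key>USEnglishDescription</key><string>The profile is invalid.</string></dict>"
    "<dict><key>ErrorCode</key><integer>1007</integer>"
    "<key>ErrorDomain</key><string>MCProfileErrorDomain</string>"
    "<key>USEnglishDescription</key>"
    "<string>The payloads in this profile do not have unique UUIDs.</string></dict>"
    "</array><key>Status</key><string>Error</string>"
    "<key>UDID</key><string>EXAMPLE-UDID</string></dict></plist>"
)
# Constructed profile (assumption: the generated profile is available as a plist).
DUP = "22222222-2222-2222-2222-222222222222"
SAMPLE_PROFILE = {
    "PayloadUUID": "11111111-1111-1111-1111-111111111111",
    "PayloadContent": [
        {"PayloadType": "com.apple.eas.account", "PayloadUUID": DUP},
        {"PayloadType": "com.apple.eas.account", "PayloadUUID": DUP},
    ],
}

def parse_mdm_error(line):
    """Return (timestamp, command_uuid, [(domain, code, description)]) or None."""
    start = line.find("<?xml")
    if start == -1:
        return None  # this log line carries no device reply
    reply = plistlib.loads(line[start:].strip().encode("utf-8"))
    if reply.get("Status") != "Error":
        return None
    chain = [(e.get("ErrorDomain"), e.get("ErrorCode"), e.get("USEnglishDescription"))
             for e in reply.get("ErrorChain", [])]
    return line[:19], reply.get("CommandUUID"), chain

def duplicate_payload_uuids(profile):
    """Return PayloadUUID values that occur more than once in a profile dict."""
    uuids = [profile.get("PayloadUUID")]
    uuids += [p.get("PayloadUUID") for p in profile.get("PayloadContent", [])]
    return sorted(u for u, n in Counter(uuids).items() if u and n > 1)

if __name__ == "__main__":
    print(parse_mdm_error(SAMPLE_LINE))
    print(duplicate_payload_uuids(SAMPLE_PROFILE))
```
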
Mirek S. (ESET Staff), posted May 28, 2019 (edited May 29, 2019 by Mirek S.)

"Error during policy application on device" means the device declined the configuration profile for some reason - there is sadly no standard way how this is reported in ESMC, nor does Apple tell us anything specific.

What you posted actually points out there is an issue with UUID generation inside the conversion between our and Apple format. We will have to check the conversion into the configuration profile - it's possible there were some changes which broke this functionality on newer iOS or with Your use-case.

Please test this without using user attributes (just put in real values and apply on the phone instead), to check if the issue persists.

We will need iOS version, exported policy, used user attributes (if there are for example special characters...), MDM version and configuration module version on MDM.

Please create a support ticket (and tell Your distributor to directly forward it to the MDM team as there is most likely nothing they can do), or post here (secrets in attachment, only ESET staff can see those).

Bad news is this is probably a bug; good news is we can probably fix it faster than standard ESMC release cycles, as most code related to this functionality is in an updateable module.

As a side note, we did not manage to reproduce the issue. So to check we will need the above specified.