noorigin

MDM iOS Exchange setup


We Use: 

ESET Security Management Center (Server), Version 7.0 (7.0.577.0)
ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)

 

Update module 1072 (20180813)
Translation support module 1740 (20190418)
Configuration module 1663.15 (20181129)
SysInspector module 1274 (20180918)
SSL module 1028.1 (20190327)
Push Notification Service module 1053 (20190321)

 

I need help setting up the Exchange ActiveSync policy for iOS. I am confused about the variables I am supposed to be using. We use a hosted Exchange (in the cloud). ESMC is synced to AD. What I am confused about is which variable I use for Account name, User, and Email address. Currently I have Account name = ${mail}, User=${exchange_login/...}, and Email Address= $email_address/...} and it is not working. I can't seem to find any document on which variables apply to what or what they are for, so these are just shot-in-the-dark guesses on my part.

Posted (edited)

Hello,

The attributes are configured in the synchronization task. Then each device needs to have a user assigned. Such variables are then replaced in configuration delivered into the phone.

If a user is not assigned, or an attribute is not synchronized (or defined manually), the block of configuration (Exchange mailbox etc.) is actually removed from the device configuration profile.

Meaning that attributes synchronized as [screenshot: A0.png] are available in policy as [screenshot: A1.png].

Which synchronized attribute should map to what really depends on Your AD schema.

HTH

Edited by Mirek S.
Better-ify

Posted (edited)

Oliver, thanks, but that is the guide I have been using.

 

Mirek, that's more along the lines of what I was looking for. So when I go to edit the AD_UserSync task and get to the Exchange accounts part, it wants a name (required entry). Same place you have a0 in the above screenshot. What is that part for, and what needs to go in that field?

Edited by noorigin

Posted (edited)

Hello,

The "Name" (in my example a0) is essentially just identification for You (so put there whatever makes sense to You). Assume You wanted multiple Exchange or VPN (etc.) configurations: You would need to address them in the policy editor somehow. I also think (unsure, would have to check the code) the iOS configuration profile is filled only if all attributes specified in the policy editor are non-empty.

Imagine user = set of attributes.
user1 = {
  exchange {
    mydomain {
      email = "my@email.com"
      login = "me"
    }
    myshadowdomain {
      email = "othermy@email.com"
      login = "otherme"
    }
  }
}

Such attributes are then available in policy editor in a slightly different format of exchange_email/mydomain or exchange_email/myshadowdomain. (Where mydomain and myshadowdomain are Name). This is not only for multiple configurations, but also as MSP support where multiple companies are managed in one ESMC.

TBH seeing this I'm unsure why we did it this way as both hierarchical "exchange/mydomain/email" or flat list makes more sense.

HTH

Edited by Mirek S.
Clarification


I still cannot get this to work. I get "Error during policy application on device" in ESMC alert. Is there a log somewhere I could be looking at to give me some clues where this is all going wrong?


Found this in trace.log under C:\ProgramData\ESET\RemoteAdministrator\MDMCore\Logs

2019-05-28 17:11:30 W [14516]   Command d992115e-ef6d-4446-bea5-e41af8484ae4 has caused the device to reply with an Error: <?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict><key>CommandUUID</key><string>d992115e-ef6d-4446-bea5-e41af8484ae4</string><key>ErrorChain</key><array><dict><key>ErrorCode</key><integer>1000</integer><key>ErrorDomain</key><string>MCProfileErrorDomain</string><key>LocalizedDescription</key><string>The profile “ESET MDM Configuration” is invalid.</string><key>USEnglishDescription</key><string>The profile “ESET MDM Configuration” is invalid.</string></dict><dict><key>ErrorCode</key><integer>1007</integer><key>ErrorDomain</key><string>MCProfileErrorDomain</string><key>LocalizedDescription</key><string>The payloads in this profile do not have unique UUIDs.</string><key>USEnglishDescription</key><string>The payloads in this profile do not have unique UUIDs.</string></dict></array><key>Status</key><string>Error</string><key>UDID</key><string>7bcf581d43790017538660cd371cdbb5b1b796fc</string></dict></plist>
 

Not sure exactly, shot in the dark here, but does that indicate the variables/attributes are not getting pulled from AD, hence no UUIDs? Or do I have something wrong in the Exchange domain field?

Posted (edited)

"Error during policy application on device" means the device declined the configuration profile for some reason. There is sadly no standard way this is reported in ESMC, nor does Apple tell us anything specific. What you posted actually points to an issue with UUID generation in the conversion between our format and Apple's.

We will have to check the conversion into the configuration profile. It's possible there were some changes which broke this functionality on newer iOS or with Your use-case.

Please test this without using user attributes (just put in real values and apply on the phone instead), to check whether the issue persists.

We will need the iOS version, the exported policy, the user attributes used (if there are, for example, special characters...), the MDM version and the configuration module version on MDM. Please create a support ticket (and tell Your distributor to forward it directly to the MDM team, as there is most likely nothing they can do), or post here (secrets in an attachment, only ESET staff can see those).

The bad news is this is probably a bug; the good news is we can probably fix it faster than standard ESMC release cycles, as most code related to this functionality is in an updateable module.

As a side note, we did not manage to reproduce the issue. So to check, we will need the items specified above.

Edited by Mirek S.
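
For triaging the error discussed above, an added example (not part of the original thread and not ESET code): this Python sketch extracts the error chain from an MDMCore trace.log line and checks a configuration profile plist for repeated PayloadUUID values, the condition error 1007 reports. The sample log line and profile are constructed, and the function names are hypothetical.

```python
import plistlib
import re

# Constructed sample shaped like the thread's trace.log entry (placeholder command UUID).
SAMPLE_LOG_LINE = (
    "2019-05-28 17:11:30 W [14516]   Command PLACEHOLDER-UUID has caused the device to "
    'reply with an Error: <?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    "<key>ErrorChain</key><array><dict><key>ErrorCode</key><integer>1007</integer>"
    "<key>ErrorDomain</key><string>MCProfileErrorDomain</string><key>USEnglishDescription</key>"
    "<string>The payloads in this profile do not have unique UUIDs.</string></dict></array>"
    "<key>Status</key><string>Error</string></dict></plist>"
)

# Constructed profile: two Exchange ActiveSync payloads that share one PayloadUUID.
DUP = "22222222-2222-2222-2222-222222222222"
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadUUID": "11111111-1111-1111-1111-111111111111",
    "PayloadContent": [{"PayloadType": "com.apple.eas.account", "PayloadUUID": DUP},
                       {"PayloadType": "com.apple.eas.account", "PayloadUUID": DUP}],
})


def error_chain(log_line):
    """Return [(domain, code, description), ...] from the plist reply in one log line."""
    match = re.search(r"<\?xml.*</plist>", log_line, re.DOTALL)
    if match is None:
        return []  # this line carries no device reply
    reply = plistlib.loads(match.group(0).encode("utf-8"))
    return [(e.get("ErrorDomain"), e.get("ErrorCode"), e.get("USEnglishDescription"))
            for e in reply.get("ErrorChain", [])]


def duplicate_payload_uuids(profile_bytes):
    """Return {uuid: [payload types]} for each PayloadUUID that appears more than once."""
    seen, stack = {}, [plistlib.loads(profile_bytes)]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if "PayloadUUID" in node:
                seen.setdefault(node["PayloadUUID"], []).append(node.get("PayloadType", "?"))
            stack.extend(node.values())  # descend into PayloadContent and nested dicts
        elif isinstance(node, list):
            stack.extend(node)
    return {uuid: types for uuid, types in seen.items() if len(types) > 1}


if __name__ == "__main__":
    print(error_chain(SAMPLE_LOG_LINE), duplicate_payload_uuids(SAMPLE_PROFILE))
```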
