The most common reason for locked user accounts is saved passwords for e-mail access on mobile devices. Whenever users change their Active Directory password, their accounts get locked by mobile e-mail clients that keep trying to authenticate with the old password.

By using certificates for mobile e-mail authentication, corporations can combine stronger security with the ease of use that users appreciate. During the migration to certificate-based authentication, multiple authentication methods can be enabled at the same time to ensure that nobody is locked out of e-mail services.

How is it supposed to work?

The goal is to automate and streamline the generation and delivery of a unique certificate for each device after it has been registered by an authenticated user. This can be achieved by integrating Active Directory (AD), Certification Services (CA), the e-mail system and the Mobile Device Management (MDM) system.

The high level workflow can look as follows:

  1. The user installs the MDM agent on their device and authenticates with their AD credentials
  2. The MDM system sends a certificate generation request to the enterprise CA
  3. The enterprise CA generates a unique certificate for the device and includes the registering user's ID
  4. The MDM system retrieves the certificate and pushes it to the device, together with an Exchange Active Sync (EAS) configuration profile for the registering user
  5. The device installs the certificate and sets up the EAS account for the user
  6. The device can sync e-mail, calendar and contact items as long as the certificate is valid and has not been revoked. Users can change their AD passwords without affecting e-mail synchronization to their mobile devices
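Steps 3 and 6 of the workflow above, as an added example that is not Aerion's or AirWatch's code: a constructed stand-in for the enterprise CA issues a per-device certificate carrying the registering user's identity as a UPN in the Subject Alternative Name, and a mail-server-side check maps a presented certificate back to that user only if it was signed by our CA, is within its validity period and is not in a revocation list. It assumes the `cryptography` library, that the mail server identifies mailboxes by UPN (as Exchange does), and a constructed in-memory set of revoked serial numbers in place of a real CRL.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName in the SAN
def utc_now():
    return datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, as cryptography returns

def der_utf8(s):
    b = s.encode("utf-8")  # UPNs are short, so a one-byte DER length suffices
    return b"\x0c" + bytes([len(b)]) + b  # UTF8String: tag, length, content
def make_ca(name):
    """Constructed stand-in for the enterprise CA: just a signing key and a name."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return key, x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])

def issue_device_cert(ca_key, ca_name, device_id, upn, days=365):
    """CA step (workflow step 3): one certificate per device, the user's UPN in the SAN."""
    dev_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # stands in for the device's key pair
    now = utc_now()
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)]))
            .issuer_name(ca_name)
            .public_key(dev_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.SubjectAlternativeName(
                [x509.OtherName(UPN_OID, der_utf8(upn))]), critical=False)
            .sign(ca_key, hashes.SHA256()))

def map_cert_to_user(cert, ca_key, revoked_serials, now=None):
    """Mail-server step (step 6): return the UPN only for a cert that is ours, in date and unrevoked."""
    now = now or utc_now()
    try:  # issued by our CA? otherwise anyone could mint a cert naming any user
        ca_key.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return None
    if cert.serial_number in revoked_serials:  # lost device: revoke its cert, no password reset needed
        return None
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return None
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            return other.value[2:].decode("utf-8")
    return None
```

The user's AD password plays no part in `map_cert_to_user`, which is why a password change cannot trigger the lockouts described at the top of the page.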

What is needed?

  • Certification Authority (in-house Microsoft CA or public MPKI service)
  • E-mail server with EAS functionality
  • MDM system that can integrate with AD, the CA and EAS. At Aerion we are utilizing AirWatch® MDM with the AirWatch Cloud Connector

How to get it done?

Aerion offers this implementation as a service. Please contact us to request more details.