Provision IOS profile for Exchange ActiveSync with client certificate authentication

Problem this snippet solves:

If you need to use client certificate authentication for ActiveSync services on IOS, you need to deploy custom profiles through a Mobile Device Management. MDM is maybe a little bit too much to achieve only this feature.

The irule below provide necessary materials to provision a certificate and an exchange profile on IOS.

Tested successfully on IOS 9. We use SCEP protocol for certificate enrollment.

How to use this snippet:

You need to define a Virtual Server and an access profile to publish ActiveSync. Then, you need to assign the irule on the Virtual Server.

The certificate is retrieved using SCEP protocol on a Microsoft ADCS 2012 R2. The SCEP url should be changed in the Exchange payload.

We configured APM to protect the access to this service and retrieve attributes from Active Directory but you can change the irule code to retrieve information and protect the service in a different manner.

When a user reach /enroll uri with Safari browser, the provisioning process starts.

/!\ I provide an IOS payload as example, but you need to modify it to fit your environment and save it as an ifile.

Settings that need to be changed in the xml payload :

  • <string>HOST.DOMAIN.COM</string>
    : Activesync FQDN
  • <string>DOMAIN-Issuer-CA</string>
    : Issuing CA Name (if exists otherwise related code should be removed)
  • <data>CERTIFICATE</data>
    : X.509 certificate in Base64 for Issuing CA
  • <string>DOMAIN-Root-CA</string>
    : Root CA Name
  • <data>CERTIFICATE</data>
    : X.509 certificate in Base64 for the Root CA
  • <string>DOMAIN</string>
    : Organization name to be present in the user certificate
  • <string>http://scep.domain.com/scep</string>
    : SCEP url

External links

Github : github.com/e-XpertSolutions/f5

Code :

68654

Tested this on version:

11.5
Updated Jun 06, 2023
Version 2.0

Was this article helpful?

1 Comment

  • if you add "programmability contest" as a tag, you'll be entered into our Codeshare Challenge contest we're running this month!