Configuring an Exchange ActiveSync Profile
Microsoft has recently deprecated Basic Authentication for Office 365 Exchange Online (Non-Cisco link). To continue using an Exchange ActiveSync payload with Office 365 accounts, tick "Use OAuth for Authentication" so that users are guided through the modern authentication flow.
You can provision Exchange ActiveSync e-mail accounts on iOS and Android (Samsung Knox compatible only) devices enrolled in a Systems Manager network. Other Android devices will need to be configured through managed app settings with apps like Gmail or Outlook. Deploying email configurations can greatly simplify the end user's experience of receiving corporate email. Additionally, account settings can be configured to ensure that corporate email is accessed securely.
To configure an Exchange ActiveSync Profile for an iOS or Knox device:
1. Assign device owner
2. Configure Exchange ActiveSync payload
3. Deploy profile to device(s)
Android devices enrolled through Android Enterprise (Android for Work) will need email configured through managed app settings.
Assign Device Owner
Enrolled devices should be assigned to the device user whose email account will be accessed from the device. Owners can be synced from various identity sources (e.g., Active Directory) or manually created in Systems Manager as "Meraki-managed" accounts.
To create a Meraki-managed device owner and assign devices:
Option 1 (single device)
- In Dashboard, navigate to Systems Manager > Monitor > Devices.
- Click on the target device to go to the device's details page.
- Under the "Details" section, select Set an Owner.
- Click the drop-down to either select an existing owner, or create a new one.
- The username field should be the full email account address.
- A domain can be added to the username field (e.g., DOMAIN\user).
Option 2 (multiple devices)
- In Dashboard, navigate to Systems Manager > Configure > Owners
- Select Add new or Import > CSV import
- Configure owner(s) and assign one or more devices.
Create Exchange ActiveSync Profile
It is important to note that updating a profile with an ActiveSync payload will reset all local email account settings on the devices. Device users will then have to manually re-configure the settings for the email account (e.g., password, default mail account, mail badge notifications).
Therefore, it is highly recommended to create a separate profile that hosts only the Exchange ActiveSync payload. This ensures that changes to other payloads in a configuration profile do not reset the Exchange ActiveSync account settings on the device.
- In Dashboard, navigate to Systems Manager > Manage > Settings
- Create a new configuration profile
- Select + Add settings and select the "Exchange ActiveSync Email" payload.
- Configure the Exchange ActiveSync settings as described below.
- Save changes.
Configure ActiveSync Settings
- Account name: Description of the email account that will be displayed on the device.
- Exchange host: Address of the exchange email server.
- Prevent move: Prevent email data from being opened in other applications.
- Past days to sync mail: Determines the email archive available on the device.
- Use only in Mail: Prohibits sending messages from other applications, such as Safari or Photos. If checked, the configured Exchange account cannot be selected as the default mail account on the device.
- Use SSL: Mail is exchanged with the Exchange server over an encrypted SSL (TLS) connection.
- Use Client Certificate Authentication: See following section.
- Enable S/MIME Message Signing: A client certificate is used to sign outgoing mail. The certificate must be imported onto the device via the Owners page (see following section).
- Enable S/MIME Message Encryption: A client certificate is used to encrypt outgoing mail. The certificate must be imported onto the device via the Owners page (see following section).
- Use device owner should be selected if devices have been assigned an owner as in the first step of this article. The user's password is not pushed in the payload; the user will be required to enter their email password on the device.
- If Specify a user is selected, each device receiving the configuration profile will receive the same shared email account settings.
- Use OAuth for Authentication:
- If your email service is configured to use OAuth, enable this option. Users will be redirected to their appropriate authentication landing page after the configuration is deployed to their device.
- This option is now required for customers using Microsoft 365 (Office 365), as Microsoft has deprecated Basic Authentication.
- Specify an email domain, if required by your email configuration.
- Enabled Services: (iOS 13+)
- Specify which services will be deployed to target devices for this configuration. At least one option must be selected.
- Account Modification: (iOS 13+)
- Specify which services can be enabled, disabled or modified by the end user.
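The settings above map onto keys in the Exchange ActiveSync payload of an Apple configuration profile. The following script is an added example, not code from the original page or from Meraki: it parses a constructed .mobileconfig, reports the weak settings discussed in this section (SSL off, a Microsoft 365 host without OAuth, a shared password embedded via "Specify a user", Prevent move off) and then writes a hardened copy. Key names (com.apple.eas.account, Host, SSL, OAuth, Password, PreventMove) follow Apple's Configuration Profile Reference; whether a Meraki-generated profile uses exactly these keys is an assumption, as is the list of Microsoft 365 host names.

```python
"""Audit and harden the Exchange ActiveSync payload(s) in an Apple
configuration profile (.mobileconfig). Added example; assumes Apple's
documented com.apple.eas.account key names."""
import plistlib

# Constructed sample profile (not a Meraki export). It deliberately carries
# the weak settings this section warns about. All names/UUIDs are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mail</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.eas.account</string>
      <key>PayloadIdentifier</key><string>com.example.mail.eas</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>Corporate Mail</string>
      <key>Host</key><string>outlook.office365.com</string>
      <key>UserName</key><string>shared.mailbox@example.com</string>
      <key>Password</key><string>constructed-shared-password</string>
      <key>SSL</key><false/>
      <key>OAuth</key><false/>
      <key>PreventMove</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumed Exchange Online host names; extend for your tenant's configuration.
MICROSOFT_365_HOSTS = ("outlook.office365.com", "outlook.office.com")


def eas_payloads(profile: dict) -> list:
    """Return every Exchange ActiveSync payload inside the profile."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.eas.account"]


def audit_eas_payload(payload: dict) -> list:
    """One finding string per weak setting in a single EAS payload."""
    findings = []
    name = payload.get("PayloadDisplayName", payload.get("PayloadIdentifier", "?"))
    host = str(payload.get("Host", "")).lower()
    if not payload.get("SSL", False):
        findings.append(f"{name}: SSL is off; credentials and mail would travel unencrypted")
    if host in MICROSOFT_365_HOSTS and not payload.get("OAuth", False):
        findings.append(f"{name}: Microsoft 365 host without OAuth; Basic Authentication is deprecated")
    if payload.get("Password"):
        findings.append(f"{name}: password embedded; every device in scope gets the same shared credential")
    if not payload.get("PreventMove", False):
        findings.append(f"{name}: Prevent move is off; mail can be moved to other accounts/apps")
    return findings


def audit_profile(data: bytes) -> list:
    """Parse a .mobileconfig and collect findings across all EAS payloads."""
    profile = plistlib.loads(data)
    findings = []
    for payload in eas_payloads(profile):
        findings.extend(audit_eas_payload(payload))
    return findings


def harden_profile(data: bytes) -> bytes:
    """Return a copy with the corrected settings: SSL on, Prevent move on,
    no embedded password (user enters it on the device), OAuth on for M365."""
    profile = plistlib.loads(data)
    for payload in eas_payloads(profile):
        payload["SSL"] = True
        payload["PreventMove"] = True
        payload.pop("Password", None)
        if str(payload.get("Host", "")).lower() in MICROSOFT_365_HOSTS:
            payload["OAuth"] = True
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
    print("findings after hardening:", audit_profile(harden_profile(SAMPLE_PROFILE)))
```

Run the audit against a profile exported from Dashboard before assigning it to a scope; the hardened output is what the "Use SSL", "Use OAuth for Authentication", "Prevent move" and "Use device owner" choices above produce.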
Client Certificate Authentication
Certificate-based email authentication helps ensure that users only sign into their corporate mail on approved devices managed through Systems Manager, by allowing you to distribute identity certificates through Dashboard. This requires configuration on your Exchange/email server side as well, but it prevents users from signing into email on unmanaged devices with only their username/password credentials.
To enable client certificate authentication, check the box in the ActiveSync payload, and make sure to upload your client identity certificates to your users under Systems Manager > Configure > Owners. Certificates can be uploaded individually by selecting each user, or in bulk through the Import certs option, found under Import on the Owners page. See the Owners article for more information.
Deploy Profile to Device(s)
- After saving changes, devices within the scope of the configured profile will receive the Exchange ActiveSync settings the next time they check in with the Meraki Cloud.
- Unless a password is entered under the Specify a user option, the device user will be prompted for their email account password before accessing the account's emails.
- For more information on creating profiles for different devices, please consult this Knowledge Base article.
Common Troubleshooting Tips
- If an Exchange ActiveSync account already exists on the iOS device that is identical to the ActiveSync payload set to deploy via Systems Manager, the entire configuration profile will fail to install. This is because Apple/iOS prohibits multiple identical email accounts on an iOS device. When an identical Exchange ActiveSync account is deployed to a device, an 'Error - Profile Installation Failed' entry is logged in the device's Activity Log at the bottom of its details page.
- To resolve the error, either manually remove the existing email account from the device itself, or remove the ActiveSync payload from the configuration profile in Systems Manager.