Exchange settings

To specify the settings for the ActiveSync server that devices use, go to Policies & Configs > Configurations, then click Add New > Exchange. The ActiveSync server can be a Microsoft Exchange server, an IBM® Lotus® Notes Traveler server, Microsoft Office 365, or another server.

For macOS 10.10 Yosemite:

Contacts, Email, Notes, Reminders, and Calendar are synchronized. ActiveSync is not supported.

For iOS:

  • If an Exchange profile already exists on the device, then attempts to distribute new ActiveSync settings using Core will fail.

For iOS and macOS:

  • iOS/macOS can take advantage of the optional Save User Password feature under Settings > Preferences to facilitate Exchange configuration.

Note that AppConnect-enabled Email+ for iOS and Email+ for Android do not use an Exchange setting. Instead, you configure the email clients using an AppConnect app configuration.

The following table describes the Exchange settings you can specify.

Table 31.   Exchange settings

Section

Field Name

Description

General

Name

Enter brief text that identifies this group of Exchange settings.

 

Description

Enter additional text that clarifies the purpose of this group of Exchange settings.

 

Server Address

Enter the address of the ActiveSync email server.

If you are using Standalone Sentry, do the following:

Enter the Standalone Sentry’s address.

If you are using Lotus Domino server 8.5.3.1 Upgrade Pack 1 for your ActiveSync server, set the server address to <Standalone Sentry’s fully qualified domain name>/traveler.

If you are using a Lotus Domino server earlier than 8.5.3.1 Upgrade Pack 1, set the address to <Standalone Sentry fully qualified domain name>/servlet/traveler.

If you are using load balancers, contact Ivanti Professional Services.

When using Integrated Sentry, set the server address to Microsoft Exchange Server’s address.

When using Sentry, you can do preliminary verification of your Exchange configuration choices for the ActiveSync User Name, ActiveSync User Email, and ActiveSync Password fields. To do so, first set the server address to the ActiveSync server. After you have verified that users can access their email using this Exchange configuration, change the server address to the appropriate Sentry address.

For more information about configuring Sentry, see the Sentry Guide for Core.

 

Use SSL

Select to use secure connections.

 

Use alternate device handling

Replaces the Use Standalone Sentry option. Use this option only under the direction of Ivanti Technical Support.

 

Domain

Specify the domain configured for the server.

 

Google Apps Password

When linking to Google Apps, select this option to use the Google Apps password to log in to the Google account you have configured to work with Core. This password allows device users to access their Email, Contacts, and Calendar data on their managed devices.

When selected, Core grays out the ActiveSync User Name and ActiveSync User Password.

This check box only appears if you have configured a Google account with Core, as described in Synchronizing Google account data.

 

ActiveSync User Name

Specify the variable for the user name to be used with this Exchange configuration. You can specify any or all of the following variables: $EMAIL$, $USERID$, $PASSWORD$. $MANAGED_APPLE_ID$ can be used for Shared iPad devices and User Enrolled devices only.

You can also specify custom formats, such as $USERID$_US. Custom attribute variable substitutions are supported.

Typically, you use $USERID$ if your ActiveSync server is a Microsoft Exchange Server, and you use $EMAIL$ if your ActiveSync server is an IBM Lotus Notes Traveler server. You cannot use $NULL$ for this field.

 

ActiveSync User Email

Specify the variable for the email address to be used with this Exchange configuration. You can specify any or all of the following variables: $USERID$, $EMAIL$, $SAM_ACCOUNT_NAME$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, or $NULL$.

$MANAGED_APPLE_ID$ can be used for Shared iPad devices and User Enrolled devices only.

You can also specify custom formats, such as $USERID$_US. Custom attribute variable substitutions are supported.

Typically, you use $EMAIL$ in this field; you cannot use $NULL$.

 

ActiveSync User Password

Specify the variable for the password to be used with this Exchange configuration. You can specify any or all of the following variables: $USERID$, $EMAIL$, $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, or $NULL$. You can also specify custom formats, such as $USERID$_US. Custom attribute variable substitutions are supported.

Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and will not be visible to any Core administrator.

All variables and text up to the last valid variable will be visible. Anything after the last valid variable will not be visible. The valid variable may appear in either of the password fields. Valid variables are variables in the drop-down list.

 

Identity Certificate

Select the Certificate Enrollment entry you created for supporting Exchange ActiveSync, if you are implementing certificate-based authentication.

When setting up email for devices with multi-user sign-in, the Exchange profile must always use a user-based certificate. The user-based certificate ensures secure access to email for all users. Using a device-based certificate can result in one user sending or receiving emails for another user. When configuring the user-based certificate, select the Proxy enabled and Store certificate keys on MobileIron Core options. This allows the user certificate and private key to be delivered each time the user logs in on the shared device.

 

Password is also required

Specify whether to prompt device users for a password when certificate authentication is implemented. The password prompt is turned off by default. Once you specify an Identity Certificate, this option is enabled. Select the option if you want to retain the password prompt.

 

Items to Synchronize

(Android, Windows)

This feature is not supported for iOS or macOS.

 

Items to Synchronize (iOS)

Select to specify individual syncing of Outlook items: Email, Calendar, Contacts, Notes, and Reminders. All check boxes are selected by default. If Allow User Override is selected for a specific item, the device user will be able to change the service status on the device.

At least one of the Outlook items settings must be enabled. If you disabled syncing for one of the Outlook items and allowed the device user to override that same item, the device user will still be able to enable the Outlook item. For example, if you disabled Calendar, but had Allow User Override selected, the device user will be able to enable calendar on the iOS device.

 

Past Days of Email to Sync

Specify the maximum amount of email to synchronize each time by selecting an option from the drop-down list.

 

Move/Forward Messages to Other Email Accounts

Starting with iOS 5: This feature specifies whether to block device users from moving or forwarding email from the managed email account.

S/MIME

Enable for Android and iOS 9.3.3 (or earlier)

Select to enable S/MIME signing and encryption on devices running Android or iOS 9.3.3 or earlier.

You must select this option for the fields in the S/MIME Signing and S/MIME Encryption sections to apply to devices running iOS 9.3.3 or earlier.

S/MIME Signing

(Optional) S/MIME signing applies to iOS devices up to iOS 9.3.3.

 

S/MIME Signing: Enable

Disabled by default. Select the check box to enable S/MIME signing. Applicable to iOS 10.3 or supported newer versions.

 

 

S/MIME Signing identity

Select a certificate enrollment setting as a signing identity. If you do not make a selection, then the device user will be prompted to select from the certificates that are already installed on the device. If the device has no certificate, then S/MIME signing will not be functional on the device. Applicable to iOS 9.0 or supported newer versions.

See Certificate Enrollment settings.

 

Signing Identity: User Overrideable

Applicable to iOS 12.0 or supported newer versions.

Select to allow the user to select the signing identity on the device.

 

S/MIME Signing: User Overrideable

iOS 12 or supported newer versions.

Select to allow the user to enable and disable S/MIME signing in device settings.

S/MIME Encryption

S/MIME encryption applies only to iOS devices.

 

Encryption by Default

Disabled by default. Select to enable S/MIME encryption.

 

Encryption Identity

Select a certificate enrollment setting as an encryption identity. If you do not make a selection, then the device user will be prompted to select from the certificates that are already installed on the device. If the device has no certificate, then S/MIME encryption will not be functional on the device.

See Certificate Enrollment settings.

 

Encryption Identity: User Overrideable

iOS 12.0 or supported newer versions.

Select to allow the user to set the S/MIME encryption identity and enable encryption.

 

Encryption by Default: User Overrideable

iOS 12.0 or supported newer versions.

Select to allow the user to enable or disable S/MIME encryption by default in the device settings.

 

Per-Message Encryption Switch

This feature is not supported for Mac OS devices. Per-message S/MIME for iOS allows device users to enable or disable S/MIME encryption for each email they send.

S/MIME encryption is incompatible with Sentry attachment encryption.

ActiveSync

 

Not for iOS or macOS.

 

Sync during

 

Peak Time

Select the preferred synchronization approach for peak times.

 

Off-peak Time

Select the preferred synchronization approach for off-peak times.

 

Use above settings when roaming

Specify whether to apply synchronization preferences while roaming.

 

 

Send/receive when send

Specify whether queued messages should be sent and received whenever the user sends a message.

 

 

Peak Time

 

Peak Days

Specify which days should be considered peak days.

 

 

Start Time

Specify the beginning of the peak period for all peak days.

 

 

End Time

Specify the end of the peak period for all peak days.

 

iOS 5 and Later Settings

 

These features are not supported for Mac OS devices.

 

 

Email access to Third-Party apps

Specifies whether third-party apps can use the account for email access.

 

Recent Address syncing (iOS 6 and later)

Specifies whether recently used email addresses can be synchronized.

 

Use OAuth for Authentication: Enable

iOS 12.0 or supported newer versions.

Select the check box to enable OAuth for Authentication. When selected, Core will not send the password and OAuth will be used.

For devices pre-iOS 12.0, the OAuth selection will be ignored by the devices, so you should fill in the ActiveSync User Password field.

 

 

 

Communication Service Rules (iOS 10 and later)

Select a default audio service or app to be associated with the device user's accounts on the Exchange, CardDAV, LDAP, and Google servers. All calls initiated on the iOS device to contacts from contact lists stored on the server will use the selected audio service by default. This feature is supported on devices running iOS 10 or supported newer versions.

To enable communication service rules:

  • Select Choose a default app to be used when calling contacts from this account. A drop-down list of apps displays.
  • Click the drop-down list to select the default audio app or service.

Android

 

These features are not supported for iOS devices.

These features are not supported for Mac OS devices.

 

 

Windows 10 Desktop

This feature is not supported for iOS devices.

This feature is not supported for Mac OS devices.
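
A pre-deployment check for the substitution-variable rules in the ActiveSync User Name, ActiveSync User Email, and ActiveSync User Password rows of the table, plus the OAuth note for pre-iOS 12.0 devices. This is an added example, not Ivanti code; the dictionary keys, function names, sample user, and the rendering of $NULL$ as an empty string are assumptions.

```python
import re

# Variables listed per field in the Exchange settings table. The dict keys
# ("username", "email", "password", "oauth") are names chosen for this example,
# not Core identifiers.
SHARED = {"USERID", "EMAIL", "USER_CUSTOM1", "USER_CUSTOM2",
          "USER_CUSTOM3", "USER_CUSTOM4", "NULL"}
ALLOWED = {
    "username": {"EMAIL", "USERID", "PASSWORD", "MANAGED_APPLE_ID"},
    "email": SHARED | {"SAM_ACCOUNT_NAME", "MANAGED_APPLE_ID"},
    "password": SHARED | {"PASSWORD"},
}
NO_NULL = {"username", "email"}          # the table rules out $NULL$ here
TOKEN = re.compile(r"\$([A-Za-z0-9_]+)\$")
CUSTOM = re.compile(r"CUSTOM_(DEVICE|USER)_\w+")   # custom attribute variables


def lint_field(field, template):
    """Return a list of problems found in one field's template."""
    problems = []
    for name in TOKEN.findall(template):
        if name == "NULL" and field in NO_NULL:
            problems.append(f"{field}: $NULL$ is not allowed")
        elif name not in ALLOWED[field] and not CUSTOM.fullmatch(name):
            problems.append(f"{field}: ${name}$ is not listed for this field")
    if "$" in TOKEN.sub("", template):   # e.g. CUSTOM_USER_dept$ without leading $
        problems.append(f"{field}: unbalanced '$' delimiter")
    return problems


def lint_config(cfg):
    """Lint all three templates plus the OAuth/password interaction."""
    problems = []
    for field in ("username", "email", "password"):
        problems += lint_field(field, cfg.get(field, ""))
    if cfg.get("oauth") and cfg.get("password", "") in ("", "$NULL$"):
        problems.append("password: pre-iOS 12.0 devices ignore OAuth and need a value")
    return problems


def render(template, attrs):
    """Expand a template from user attributes; $NULL$ -> '' is an assumption."""
    return TOKEN.sub(lambda m: "" if m.group(1) == "NULL" else attrs[m.group(1)],
                     template)


if __name__ == "__main__":
    user = {"USERID": "jdoe", "EMAIL": "jdoe@example.com"}   # constructed sample
    cfg = {"username": "$USERID$_US", "email": "CUSTOM_USER_mail$",
           "password": "$NULL$", "oauth": True}
    print(render(cfg["username"], user))
    print("\n".join(lint_config(cfg)))
```
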

 

iOS and macOS Exchange profiles and password caching

To facilitate iOS and macOS deployments, Core offers the option of caching a user’s email password. This option is turned off by default. Cached passwords are encrypted, stored on the appliance, and used only for authentication. Note that the email password must match the LDAP password in order for this feature to be of use.