Exchange settings

To specify the settings for the ActiveSync server that devices use, go to Policies & Configs > Configurations, then click Add New > Exchange. The ActiveSync server can be a Microsoft Exchange server, an IBM® Lotus® Notes Traveler server, Microsoft Office 365, or another server.

The Exchange configuration works:

  • Through MobileIron Sentry and ActiveSync
  • With Samsung Knox devices running the Samsung native email app and the Android versions listed in the Mobile@Work for Android Release Notes.

Note that AppConnect-enabled Email+ for iOS and Email+ for Android do not use an Exchange setting. Instead, you configure the email clients using an AppConnect app configuration.

Android enterprise email clients are configured using AppConnect app configurations. See Setting up Gmail with Android enterprise.

The following table describes the Exchange settings you can specify.

Table 1. Exchange settings

Section

Field Name

Description

General

Name

Enter brief text that identifies this group of Exchange settings.

 

Description

Enter additional text that clarifies the purpose of this group of Exchange settings.

 

Server Address

Enter the address of the ActiveSync server.

If you are using Standalone Sentry, do the following:

Enter the Standalone Sentry’s address.
If you are using Lotus Domino server 8.5.3.1 Upgrade Pack 1 for your ActiveSync server, set the server address to <Standalone Sentry’s fully qualified domain name>/traveler.
If you are using a Lotus Domino server earlier than 8.5.3.1 Upgrade Pack 1, set the address to <Standalone Sentry fully qualified domain name>/servlet/traveler.
If you are using load balancers, contact MobileIron Professional Services.

When using Integrated Sentry, set the server address to Microsoft Exchange Server’s address.

NOTE: When using Sentry, you can do preliminary verification of your Exchange configuration choices for the ActiveSync User Name, ActiveSync User Email, and ActiveSync Password fields. To do so, first set the server address to the ActiveSync server. After you have verified that users can access their email using this Exchange configuration, change the server address to the appropriate Sentry address.

For more information about configuring Sentry, see the MobileIron Sentry Guide.

 

Use SSL

Select to use secure connections.

SSL is always used, regardless of whether this setting is selected.

 

Use alternate device handling

Replaces the Use Standalone Sentry option. Use this option only under the direction of MobileIron Support.

 

Domain

Specify the domain configured for the server.

 

Google Apps Password

This check box only appears if you have configured a Google account with MobileIron Core, as described in Exchange settings.

When linking to Google Apps, select this option to use the Google Apps password to log in to the Google account you have configured to work with MobileIron Core. This password allows device users to access their Email, Contacts, and Calendar data on their managed devices.

When selected, Core grays out the ActiveSync User Name and ActiveSync User Password.

This check box only appears if you have configured a Google account with MobileIron Core, as described in Synchronizing Google account data.

 

ActiveSync User Name

Specify the variable for the user name to be used with this Exchange configuration. You can specify any or all of the following variables $EMAIL$, $USERID$, $PASSWORD$. You can also specify custom formats, such as $USERID$_US. Custom attribute variable substitutions are supported.

Typically, you use $USERID$ if your ActiveSync server is a Microsoft Exchange Server, and you use $EMAIL$ if your ActiveSync server is an IBM Lotus Notes Traveler server. You cannot use $NULL$ for this field.

 

ActiveSync User Email

Specify the variable for the email address to be used with this Exchange configuration. You can specify any or all of the following variables $USERID$, $EMAIL$,$SAM_ACCOUNT_NAME$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, CUSTOM_USER_Attributename$, or $NULL$. You can also specify custom formats, such as $USERID$_US. Custom attribute variable substitutions are supported.

Typically, you use $EMAIL$ in this field; you cannot use $NULL$.

 

ActiveSync User Password

Specify the variable for the password to be used with this Exchange configuration. You can specify any or all of the following variables: $USERID$, $EMAIL$, $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, CUSTOM_USER_Attributename$, or $NULL$. You can also specify custom formats, such as $USERID$_US. Custom attribute variable substitutions are supported.

Enter additional variables or text in the text box adjacent to the Password field. Entries in this text box are kept hidden and will not be visible to any MobileIron Core administrator.

NOTE: All variables and text up to the last valid variable will be visible. Anything after the last valid variable will not be visible. The valid variable may appear in either of the password fields. Valid variables are variables in the drop-down list.

 

Identity Certificate

Select the Certificate Enrollment entry you created for supporting Exchange ActiveSync, if you are implementing certificate-based authentication.

NOTE: When setting up email for devices with multi-user sign-in, the exchange profile must always use a user-based certificate. The user-based certificate will ensure secure access to email for all users. Using a device-based certificate can result in one user sending or receiving emails for another user. When configuring the user-based certificate, select the Proxy enabled and Store certificate keys on MobileIron Core options. This allows the user certificate and private key to be delivered each time they log in on the shared device.

 

Password is also required

Specify whether to prompt device users for a password when certificate authentication is implemented. The password prompt is turned off by default. Once you specify an Identify Certificate, this option is enabled. Select the option if you want to retain the password prompt.

 

Items to Synchronize

(Android, Windows)

This feature is not supported.

 

Items to Synchronize (iOS)

This feature is not supported on Android devices.

 

Past Days of Email to Sync

Specify the maximum amount of email to synchronize each time by selecting an option from the drop-down list.

This setting works only with these email apps:

Samsung Knox devices’ native email app
Email+

 

Move/Forward Messages to Other Email Accounts

This feature is not supported for Android devices.

S/MIME

Enable for Android and iOS 9.3.3 (or earlier)

Select to enable S/MIME signing and encryption on devices running Android or iOS 9.3.3 or earlier.

S/MIME Signing

 

S/MIME Signing: Enable

This feature is not supported for Android devices.

 

 

S/MIME Signing identity

This feature is not supported for Android devices.

 

Signing Identity: User Overrideable

This feature is not supported for Android devices.

 

S/MIME Signing: User Overrideable

This feature is not supported for Android devices.

S/MIME 
Encryption

 

Encryption by Default

This feature is not supported for Android devices.

 

Encryption Identity

This feature is not supported for Android devices.

 

Encryption Identity: User Overrideable

This feature is not supported for Android devices.

 

Encryption by Default: User Overrideable

This feature is not supported for Android devices.

 

Per-Message Encryption Switch

This feature is not supported for Android devices.

ActiveSync

 

Limited support for Android.

 

Sync during

 

Peak Time

Select the preferred synchronization approach for peak times.This feature is not supported for Android devices.

 

Off-peak Time

Select the preferred synchronization approach for off-peak times.This feature is not supported for Android devices.

 

Use above settings when roaming

Specify whether to apply synchronization preferences while roaming.

 

 

Send/receive when send

Specify whether queued messages should be sent and received whenever the user sends a message.

 

 

Peak Time

 

Peak Days

Specify which days should be considered peak days.

 

 

Start Time

Specify the beginning of the peak period for all peak days.

 

 

End Time

Specify the end of the peak period for all peak days.

 

iOS 5 and Later Settings

 

These features are not supported for Android devices.

 

Android

 

 

 

Exchange App Priority

Drag and drop email configurations to specify which are allowed. Change the order of selected configurations to specify priority.

If there are no email apps specified in the Selected column, then Mobile@Work uses the following provisioning priority:

1. Android Email+ (AppConnect-enabled)
2. Android Email+
3. Native email app

General

 

 

Accept all SSL certificates: Enable

Enables device users to set Android devices to accept all SSL certificates. This setting applies to Android Email+ and Samsung Knox email and is intended for use when the MobileIron Sentry uses self-signed certificates.

NOTE: Use caution when enabling this setting, as device users might unknowingly expose the device to attack.

 

Copy/Paste: Enable

Prevents use of the copy and paste commands in Android Email+.

 

Allow access to secure info from outside container

Specify whether to publish contacts and calendar items to non-secure email clients running on the same device.

For Secure Android Email+, you can allow access to both contacts and calendar.

 

NitroDesk TouchDown

Enter the license key.

Samsung SAFE (Knox)

Supported on all Samsung Knox devices

 

HTML Email : Allow

Select this option to allow viewing of HTML email. This option is not enabled by default, which prevents rendering of HTML-based email.

 

SmartCard Authentication: Enable

This feature is not supported.

 

Windows 10 Desktop

This feature is not supported for Android devices.

 

Multiple Exchange Support for Android

Multiple Exchange mailboxes are supported for devices running Android versions no earlier than 4.0 or Samsung Knox 4.0 devices, using either Android Email+ or Samsung Native Email client apps. For Samsung Native Email client, Certificate Enrollment is not supported as the authentication method with multiple mailboxes.

The MobileIron Core administrator can configure and apply up to two Exchange settings for each device. Exchange settings are found in the Admin Portal under Policies & Configs > Configurations. When it receives the configuration, the device must be running Mobile@Work version 6.0 through the most recently released version as supported by MobileIron.

On the device, both mailboxes appear in a single email app. The email app is determined by 1) the email app’s priority as specified in the Exchange Setting’s Exchange App Priority, and 2) the email app’s availability on the device. For example, if both Samsung Native Email and Email+ are available on the device, the app with the highest priority is used.

NOTE: Mobile@Work’s Options > Email Status is not supported for multiple Exchange accounts.