Hi Myles. In our case, to come in through activesync, you need both password and a certificate in order to come in. In years past, people who knew the activesync server settings would just manually enter it in and have access which means we couldn't pull the profile when needed to perform an enterprise wipe. Having the certificate there (even though it's not used to authenticate) just provided another level of security to stop this back door and forces people to enrol correctly. Our certificate is setup with a certain lifespan and renews within a certain window, this was setup at the request of our security team.