VMware Workspace ONE Community
CharlesTchia
Contributor
Contributor
‎11-29-2019 12:04 AM

EAS empty password field

Hi

We publish an EAS profile which also includes a certificate payload. We've had a couple of incidents lately where EAS password field was empty. Both devices iPhones and both running iOS 13+. This is just for native mail, not using Boxer.

When checking troubleshooting logs at the time, we can see a certificate renew request made but it was sysadmin generated, not like via a profile push by an operator.

Another ioS 13 bug?
Labels (1)
Labels
0 Kudos
7 Replies
chengtmskcc
Expert
Expert
‎12-01-2019 09:02 PM

Are you using SEG or no in front of Exchange?
0 Kudos
CharlesTchia
Contributor
Contributor
‎12-01-2019 09:15 PM

Hiya Thomas, nah, no SEG, just simple Exchange activesync
0 Kudos
chengtmskcc
Expert
Expert
‎12-01-2019 09:18 PM

Gotcha. Sounds like the cert might be at fault? But I wouldn't be surprised if it was another iOS 13 bug either.
0 Kudos
CharlesTchia
Contributor
Contributor
‎12-02-2019 01:58 AM

Hey Thomas, nah, I don't think it's the cert. We've been using it for the past 12-15 months without issues. Only started to come up in the last 2-3 weeks on 2 devices and both are on iOS13. Touch wood but haven't heard anything from ios 12 devices.
0 Kudos
chengtmskcc
Expert
Expert
‎12-02-2019 05:19 AM

We are not using cert-based EAS just yet but I did have some experience with it before. I do agree the newest iOS is not playing nicely for some reason when it comes to mail sync which is the most crucial feature on a corporate device or any device that requires access to work email.
0 Kudos
MRFVMUser
Enthusiast
Enthusiast
‎12-02-2019 05:21 AM

If I understand you correctly, I think you would want the ' Password'  field to be blank for the EAS Profile because you are using the identity certificate (in payload) to authenticate.  The whole idea for using the certificate for authentication is to not rely on a password.  How is the certificate provisioned for including in the EAS Profile?  You mention a ' certificate renew request'  which makes me think you are doing something different about provisioning this identity certificate for EAS authentication.  Typically, the cert doesn't ' renew'  but the whole EAS Profile is deployed, revoking the old cert and installing the ' new'  one.  Is your EAS Profile configured to use the provisioned cert for EAS authentication?
0 Kudos
CharlesTchia
Contributor
Contributor
‎12-02-2019 01:14 PM

Hi Myles. In our case, to come in through activesync, you need both password and a certificate in order to come in. In years past, people who knew the activesync server settings would just manually enter it in and have access which means we couldn't pull the profile when needed to perform an enterprise wipe. Having the certificate there (even though it's not used to authenticate) just provided another level of security to stop this back door and forces people to enrol correctly. Our certificate is setup with a certain lifespan and renews within a certain window, this was setup at the request of our security team.
0 Kudos