VMware Workspace ONE Community
CharlesTchia
Contributor
Contributor

EAS empty password field

Hi

We publish an EAS profile which also includes a certificate payload. We've had a couple of incidents lately where EAS password field was empty. Both devices iPhones and both running iOS 13+. This is just for native mail, not using Boxer.

When checking troubleshooting logs at the time, we can see a certificate renew request made but it was sysadmin generated, not like via a profile push by an operator.

Another ioS 13 bug?
Labels (1)
Reply
0 Kudos
7 Replies
chengtmskcc
Expert
Expert

Are you using SEG or no in front of Exchange?
Reply
0 Kudos
CharlesTchia
Contributor
Contributor

Hiya Thomas, nah, no SEG, just simple Exchange activesync
Reply
0 Kudos
chengtmskcc
Expert
Expert

Gotcha. Sounds like the cert might be at fault? But I wouldn't be surprised if it was another iOS 13 bug either.
Reply
0 Kudos
CharlesTchia
Contributor
Contributor

Hey Thomas, nah, I don't think it's the cert. We've been using it for the past 12-15 months without issues. Only started to come up in the last 2-3 weeks on 2 devices and both are on iOS13. Touch wood but haven't heard anything from ios 12 devices.
Reply
0 Kudos
chengtmskcc
Expert
Expert

We are not using cert-based EAS just yet but I did have some experience with it before. I do agree the newest iOS is not playing nicely for some reason when it comes to mail sync which is the most crucial feature on a corporate device or any device that requires access to work email.
Reply
0 Kudos
MRFVMUser
Enthusiast
Enthusiast

If I understand you correctly, I think you would want the ' Password'  field to be blank for the EAS Profile because you are using the identity certificate (in payload) to authenticate.  The whole idea for using the certificate for authentication is to not rely on a password.  How is the certificate provisioned for including in the EAS Profile?  You mention a ' certificate renew request'  which makes me think you are doing something different about provisioning this identity certificate for EAS authentication.  Typically, the cert doesn't ' renew'  but the whole EAS Profile is deployed, revoking the old cert and installing the ' new'  one.  Is your EAS Profile configured to use the provisioned cert for EAS authentication?
Reply
0 Kudos
CharlesTchia
Contributor
Contributor

Hi Myles. In our case, to come in through activesync, you need both password and a certificate in order to come in. In years past, people who knew the activesync server settings would just manually enter it in and have access which means we couldn't pull the profile when needed to perform an enterprise wipe. Having the certificate there (even though it's not used to authenticate) just provided another level of security to stop this back door and forces people to enrol correctly. Our certificate is setup with a certain lifespan and renews within a certain window, this was setup at the request of our security team.
Reply
0 Kudos