Setting Exchange

Mail servers, such as Microsoft Exchange Server, can be integrated and used through Knox Manage on the user's device. This guide describes how to connect to Microsoft Exchange Server by authenticating user information in Active Directory based on a certificate issued by a Certificate Authority (CA).

Preparations

The following tasks must be completed before you begin to configure Exchange.

- Active Directory service
- A certificate authority (CA) server
  - The client certificate must be issued for authentication.
- Microsoft Exchange server
  - For more information about configuring certificate-based authentication, see Configuring Exchange server and https://technet.microsoft.com/en-US/library/mt791265(v=exchg.160).aspx.
- Sign in to the Knox Manage Admin Portal and register a user and organization.
- Install the Cloud Connector Client
  - To establish a secure channel with the Cloud Connector when connecting to the Directory server and the CA server, you must install the Cloud Connector Client on the customer site. For more information, see Installing the SCC client.

Configuring Exchange server

To authenticate the user on the device with Exchange ActiveSync, follow the steps set out below.

Certificate Authentication settings

1. Open IIS Manager on the Exchange server. An easy way to launch IIS Manager is to go to Start > Run, enter inetmgr, and select Internet Information Services (IIS) Manager.
2. Select the server in the left Connection area, and double-click Authentication in the right IIS section.
3. Select Active Directory Client Certificate Authentication on the Authentication page.
4. Click Enable in the Actions pane.

SSL settings

1. Select Microsoft-Server-ActiveSync under the Default Web Site in the left area, and double-click SSL Settings in the right section.
2. Confirm that Require SSL is checked, and select Require for Client certificates on the SSL Settings page.
3. Click Apply in the Actions pane.

Client certificate mapping settings

1. Select Microsoft-Server-ActiveSync under the Default Web Site in the left area, and double-click Configuration Editor in the right section.
2. Navigate to system.webserver/security/authentication in the Section drop-down menu.
3. Set enabled to True, and click Apply in the Actions pane.

Setting Exchange profile with ADCS and AD

The process for setting up an Exchange server is as follows:

1. Add a directory server for user information.
2. Add a directory connector for searching users.
   - When you use the email from the registered user information of Knox Manage, skip steps 1 and 2, and select User information in User information input method of the profile settings.
   - When copying the certificate from the CA to the directory, you can register the certificate directory service. For the procedure with the certificate directory service, see Setting Exchange profile with certificate registered in AD.
3. Add the CA to authenticate the users.
4. Add the certificate templates.
5. Add the Exchange setting in the profile.
6. Deploy the device management profile to the user device.

In steps 1 and 3, you can set up the cloud connector for a secure channel between the directory / CA servers and the Knox Manage server. For more information about setting up the cloud connector, see Cloud connector.
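The IIS settings from Configuring Exchange server can be checked after the fact with a read-only audit. This is an added example, not part of the Samsung guide or of Microsoft's documentation; it assumes the default site name shown in the steps and that the Configuration Editor step refers to the IIS clientCertificateMappingAuthentication section.

```powershell
# Added example: read-only audit of the IIS settings configured by hand above.
# Run in an elevated Windows PowerShell session on the Exchange server.
Import-Module WebAdministration

$server  = 'MACHINE/WEBROOT/APPHOST'
$eas     = 'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync'
$access  = 'system.webServer/security/access'
# Assumption: full IIS schema name of the section behind the guide's
# "system.webserver/security/authentication" Configuration Editor step.
$mapping = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'

function Get-IisValue {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    # Some attributes come back wrapped in an object with a .Value property.
    if ($null -ne $v -and $null -ne $v.Value) { $v = $v.Value }
    return $v
}

function Test-EasCertAuth {
    # sslFlags is a comma-separated flag list, e.g. Ssl,SslNegotiateCert,SslRequireCert
    $flags = "$(Get-IisValue $eas $access 'sslFlags')" -split ',' |
        ForEach-Object { $_.Trim() }

    $checks = [ordered]@{
        'Server: AD Client Certificate Authentication enabled' =
            "$(Get-IisValue $server $mapping 'enabled')" -eq 'True'
        'ActiveSync: Require SSL checked' =
            $flags -contains 'Ssl'
        'ActiveSync: Client certificates set to Require' =
            $flags -contains 'SslRequireCert'
        'ActiveSync: certificate mapping enabled = True' =
            "$(Get-IisValue $eas $mapping 'enabled')" -eq 'True'
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = $checks[$name] }
    }
}

Test-EasCertAuth | Format-Table -AutoSize
```

A row with Pass set to False points to the step that was missed or later reverted, for example when SSL is required but client certificates are left at Ignore or Accept.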
How to set Email server with CA

To set the Exchange server with a certificate template, complete the steps below. This guide covers only the points to watch out for; see the SAMSUNG Knox Manage Administrator Guide for detailed information about each item.

Adding directory server

Aside from user synchronization, which is required to enter user and organization information in Knox Manage, you need to add a Device Management Directory service.

1. Go to Settings > System Integration > Directory Integration.
2. Click and enter directory server information. Click Save.
   - For more information, see Integrating a directory server.
   - User ID is the administrator's information specified on the directory server. You may enter {Domain}\{Admin ID}, {Admin ID}@{Domain}, or use several other formats, including CN={Admin ID},CN={Users},DC={Domain},DC=com.
   - If you want to use the cloud connector between the directory server and the Knox Manage server, select TRUE in Cloud Connector.

Adding directory connector

Set the fields that you wish to include in user information in the Pool, which is the Directory server that has been added. You can select this connector when you set up a profile only if a connection has been established through a connection test.

3. Go to Settings > System Integration > Directory Connectors.
4. Click and enter directory service information. Click Save.
   - Select the Pool name registered in Adding directory server.
   - Select Profile Configuration (User) in Directory Type.
   - In the Output Field Settings field, the User ID and Email attributes are automatically filled out, and you may choose to use them as-is.
   - This connector is used if you have selected Connector interworking as the User information input method in Exchange settings.

Adding CA

Add a certificate authority that issues a certificate that will be used for user authentication. In this example, we are using ADCS.

5. Go to Certificates > Certificate Authority (CA).
6. Click and enter CA information and click Save.
   - Once a connection test is completed, the target CA that issues and manages the relevant certificate is displayed.
Adding certificate template

This certificate template will be installed on the user device, and it is used for communication between the Exchange server and the device.

7. Go to Certificates > Certificate Templates.
8. Click and enter the certificate template for Exchange. Click Save.
   - Select the CA registered in Adding CA from the drop-down CA list.
   - Select a reference item as Subject Name; Email is most commonly used.
   - Select Exchange in Certificate Usage.
   - Select Email Address in SAN Type, then click and select Email in reference items.
Adding settings with CA in Profiles

Create a Device Management Profile in Profiles, and then configure the Exchange settings.

9. Go to Profiles > Device Management Profile.
10. Click and New Registration.
11. Enter Profile Name and Profile Description, and click Next.
12. Click Settings for the platform you want to add settings to.
13. Select Exchange in Category and enter the information required for the Exchange settings. For more information about each item, see Exchange settings for Android.
14. Select Connector interworking in User information input method, and select the directory connector registered in Adding directory connector.
    - When you use the email from the registered user information of Knox Manage, select User information in User information input method.
15. Select Issuing external CA in User certificate input method, and select the certificate template registered in Adding certificate template.
    - EMM Management Certificate is an option that allows you to use a certificate added in External Certificates when a single account is used.
    - Connector interworking is an option that allows you to integrate the connector that you have added in Adding directory connector by selecting Profile Configuration (Certificate) in Directory Type, provided that you have copied the certificate to the Directory.
    - Select Use in SSL to set SSL between the device and the Exchange server.
16. Click Apply to deploy the device management profile to the user device.

Using Exchange on the device

17. Go to Download Configuration from the Knox Manage application. Tap Install to download the Exchange configuration. The user certificate for Exchange is installed on the device.
18. Tap the notification for setting up the new email account.
19. Accept the privacy policy and activate device administrator.
20. You can see that your email account is added to the Samsung email application.
To install the Exchange configuration, the User ID in the Knox Manage application should be the same as the User ID of Active Directory. The user's email in the Admin Portal is used as the email account for the Exchange server.
Setting Exchange profile with certificate registered in AD

To set the Exchange server with a certificate directory, complete the steps below:

1. Add a directory server for user information. See Adding directory server.
2. Add a directory connector for searching users. See Adding directory connector.
   - When you use the email from the registered user information of Knox Manage, skip steps 1 and 2, and select User information in User information input method of the profile settings.
3. Add a directory connector for authenticating the users when copying the certificate from the CA to the directory. See Adding certificate connectors.
4. Add the Exchange setting in the profile. See Adding settings with certificate connector in Profiles.
5. Deploy the device management profile to the user device. See Using Exchange on the device.

In step 1, you can set up the cloud connector for a secure channel between the directory server and the Knox Manage server. For more information about setting up the cloud connector, see Cloud connector.

Adding certificate connectors

1. Go to Settings > System Integration > Directory Connector.
2. Click and enter directory service information. Click Save.
   - Select the Pool name registered in Adding directory server.
   - Select Profile Configuration (Certificate) in Directory Type.
   - The Cert File* and Cert. Name attributes are automatically selected in the Output Field Setting. Select each Source Name, click the Loading Attribute button, and set the property titles as follows: certificatetemplates: Cert File*, usercertificate: Cert. Name.
   - This connector is used if you have selected Connector interworking as the User certificate input method in Exchange settings.
Adding settings with certificate connector in Profiles

1. Go to Profiles > Device Management Profile.
2. Click and New Registration.
3. Enter Profile Name and Profile Description, and click Next.
4. Click Settings for the platform you want to add settings to.
5. Select Exchange in Category and enter the information required for the Exchange settings. For more information about each item, see Exchange settings for Android.
6. Select Connector interworking in User information input method, and select the directory connector registered in Adding directory connector.
   - When you use the email from the registered user information of Knox Manage, select User information in User information input method.
7. Select Connector interworking in User certificate input method, and select the certificate template registered in Adding certificate connectors.
   - Select Use in SSL to set SSL between the device and the Exchange server.
8. Click Apply to deploy the device management profile to the user device.