Friday, June 5, 2015

Configure AirWatch Mobile Email Management to connect Office 365

Recently, I needed to test AirWatch Mobile Email Management (MEM) connecting to Office 365 email. I'd like to keep some notes for myself and share them with everyone. If you are using AirWatch as your Enterprise Mobility Management solution, you might be interested.

Why do we use Mobile Email Management?
We already have ActiveSync to connect to our Exchange servers or Office 365, along with some security policies.

Normally, Enterprise Mobility Management software providers supply email software that works with their platform. This kind of email software can provide enhanced security features such as email encryption and data loss prevention to protect email on mobile devices.

Goals
Configure an email profile on AirWatch so that iOS devices with AirWatch Inbox can connect to their email accounts on Office 365.

To configure MEM, we need to do the following tasks on Office 365 and AirWatch console.
1. Create a service account for AirWatch to connect to your Office 365.
2. Create an email profile for mobile devices on AirWatch.
3. Configure Mobile Email Management on AirWatch.

Task 1
1. Log in to your Office 365 as an administrator.
2. Go to Office 365 admin center > Users > Active Users.



3. Click + button to create a new user.
4. On "Create new user account" page, under "Display name" and "User name", enter a name for this service account.
5. Click "Type password" and then enter a password for this service account.
6. Un-check "Make this person change their password the next time they sign in".



7. Click "Create".

By default, Office 365 assigns a license to the user when we create it. The service account doesn't need any Office 365 license, so we're going to remove it.



8. Select the service account and then click "Edit" next to "Assigned license".



9. On the "Assign License" page, un-check the Office 365 license and then click "Save".



10. Go to "Exchange admin center", click "permissions".



11. Click + button to add a new admin role.
12. On "new role group" page, add "Mail Recipients", "Organization Client Access" and "Recipient Policies" under "Roles".
13. Add the service account to become a member.



14. Click "Save".
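
The role group from steps 10 to 14 can also be created and checked from Exchange Online PowerShell, which makes it easy to confirm that the service account holds only the three roles listed in step 12. This is an added example, not part of the original post; the names `AirWatch-MEM` and `svc-airwatch@contoso.com` are placeholder assumptions, and it assumes an Exchange Online PowerShell session is already open.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already open.
# The two names below are placeholders, not values from the original post.
$GroupName  = 'AirWatch-MEM'
$SvcAccount = 'svc-airwatch@contoso.com'

# The three roles the post assigns in step 12.
$ExpectedRoles = 'Mail Recipients', 'Organization Client Access', 'Recipient Policies'

# Create the role group with the service account as its only member (steps 11-14).
if (-not (Get-RoleGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $GroupName -Roles $ExpectedRoles -Members $SvcAccount | Out-Null
}

# Collect every admin role the account holds, directly or through any role group.
# End-user self-service roles from a role assignment policy are ignored.
$Assignments = Get-ManagementRoleAssignment -RoleAssignee $SvcAccount -Delegating $false |
    Where-Object { $_.RoleAssigneeType -ne 'RoleAssignmentPolicy' }
$ActualRoles = @($Assignments | ForEach-Object { [string]$_.Role } | Sort-Object -Unique)

# Roles beyond the expected three mean the account is over-privileged;
# missing roles mean a required role was not assigned.
$Extra   = @($ActualRoles   | Where-Object { $_ -notin $ExpectedRoles })
$Missing = @($ExpectedRoles | Where-Object { $_ -notin $ActualRoles })

foreach ($a in $Assignments | Where-Object { [string]$_.Role -in $Extra }) {
    Write-Warning ("Unexpected role '{0}' via '{1}'" -f $a.Role, $a.RoleAssigneeName)
}
foreach ($r in $Missing) {
    Write-Warning "Expected role '$r' is not assigned"
}

# The role group should contain the service account and nobody else.
$Members = @(Get-RoleGroupMember -Identity $GroupName)
if ($Members.Count -ne 1) {
    Write-Warning "Role group '$GroupName' has $($Members.Count) members; expected 1"
}

if (-not $Extra -and -not $Missing -and $Members.Count -eq 1) {
    "OK: $SvcAccount holds exactly the three roles and is the sole member of $GroupName"
}
```

Re-running the check after later permission changes shows whether the account has picked up roles through membership in another role group.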

Task 2
1. Log in to your AirWatch console as an administrator.
2. Navigate to "Devices > Profiles > List View".



3. Click "Add".
4. Select a platform for deploying email profile. In my test case, I selected Apple iOS.



5. On "General" page, enter a name for the profile.
6. Next to "Assigned Smart Groups", select the smart group from your environment. In my environment, I selected the smart group related to iOS devices.



7. On left pane, select "Exchange ActiveSync" and then click "Configure".
8. On "Exchange ActiveSync" page, next to "Mail Client", select "AirWatch Inbox".
9. Next to "Exchange ActiveSync Host", enter "outlook.office365.com" to connect to mail servers on Office 365.
10. Next to "Login Information", configure the login values to match your corporate email address naming convention. AirWatch provides many options for this.



In my test environment, I configured the following patterns.



There are some restrictions to control AirWatch Inbox.



In my test case, I didn't change any default settings.

11. Click "Save and Publish" to deploy the profile to managed devices.

Task 3
1. Still in AirWatch console, go to "Settings".
2. On "Settings" page, navigate to "Email > Configuration".



3. Click "Configure".
4. On the "Mail Platform" page, select the following and then click "Next".

Email Server Type: Microsoft Exchange
Microsoft Exchange Version: Exchange 2010 / 2013 / Office365
Deployment Type: Exchange PowerShell



5. On "MEM Deployment" page, enter the following and then click "Next".

Friendly Name: O365_MEM
PowerShell URL: https://outlook.office365.com/PowerShell
Authentication Type: Basic
Admin Username: <Service account>@<your domain name>
Admin Password: <The password of the service account>



Additional info: I tested that we can also use https://outlook.office365.com/powershell-liveid/powershell to connect to Office 365. 

AirWatch uses a WinHTTP connection to connect to Office 365.

We can click "Test Connection" to verify the connection between AirWatch and your Office 365 account.

6. On the "MEM Profile Deployment" page, click "Add" and then select the following:

Platform: iOS
Mail Client: AirWatch Inbox
Action: Use Existing Profile
Profile: iOS MEM Profile



7. Click "Next".
8. On "Summary" page, click "Save".



In this test, I don't have any AD forest. In a production environment, you can click "Advanced" and then check "sync with entire forest in AD" to sync settings with Active Directory.



9. Navigate to "Email > Compliance Policies".



The settings on this page control which devices can receive email, so configure them carefully. If your company's devices aren't all enrolled in Mobile Device Management but they download email through ActiveSync, you need to be aware of the "Allow unmanaged devices" setting.



By default, it allows both managed and unmanaged devices. If it is changed to managed devices only, ActiveSync users on unmanaged devices can't download email. This is the conditional access setting provided by AirWatch for email on Office 365.

After configuration, you can click "Run Compliance" to update the settings.



Now, enrolled devices can use AirWatch Inbox to check email.


This posting is provided “AS IS” with no warranties, and confers no rights!
