07-15-2014 12:06 PM
Don't waste your time with BB Support trying to get this going. We have Advantage TSupport and after 2 weeks of trying to solve the SCEP and iOS issue, the tech then pointed me to that KB (which was published 2 weeks prior at that point). Very disappointed with the UDS.
Prior to me working on the iOS, getting an Android up and running using certs was very convoluted but at least you can use the SWS. Similar experience with BB Support, 2 weeks of sending in logs, etc. and then they said "SCEP is not supported on the Android". I'm not sure how other MDM providers say they support SCEP but we have started to look at other MDM offerings.
So to make a long story short, I found a way to manually create the cert, export it to .pfx, create an individual user cert profile on UDS and then assign it to the specific user. It turned out to be a 30 page admin doc for setting up a user. Also, no idea on what happens once the cert expires but I'm sure there is probably no automatic renewal and you would have to repeat the same process. Maybe ok for a handful of users but not sustainable for a large number to provision and maintain.
I didn't even bother trying this same process for the iOS after they told me we have to use the MDM controls (and not SWS) for SCEP to work. Very frustrating experience.
Using SCEP for blackberries (BDS) works like a charm if you had set it up correctly. However, they have a long way to go with respect to iOS and Android though.
07-15-2014 12:14 PM
Thanks for that guys, luckily I don't have any Androids to support, BB and iOS is enough.
My conclusion last night was that it would need another CAS, however another issue is that I have a few users that have a BlackBerry and an iPad.
Any ideas how that might work? I can't see how I could get each device to go through a different CAS for the same mailbox?
Thanks for your input.
07-15-2014 12:16 PM
Sorry I can't help you.
All I know is that we have separate Mailbox and CAS servers in our central location - other locations have mailbox and CAS on the same box. These users are knackered unless we build a separate CAS in each location, but centrally, we have 3 CAS servers - 2 using certificate auth and 1 basic working fine.
07-15-2014 12:26 PM
Yeah, sorry I'm not an Exchange guy - our Exchange team sorted that. Maybe it's to do with subnets or something - if it's in the same subnet then you can use any?
07-15-2014 12:36 PM
I believe you just have to publish another ActiveSync virtual directory on the same CAS servers. However, this would mean an additional IP address, another alias to the Exchange cert, etc. You then set that virtual dir for basic auth.
There is a section in this link which talks about it.
07-15-2014 12:52 PM
You can set up a CAS to accept both basic authentication and certificates. My test environment has a mixture of users using both. You just need to have basic auth enabled and certificates set to accepted rather than required.
07-15-2014 01:55 PM