MobileIron on Prem to work with Office 365/Online


#1

Does anyone have on prem MobileIron setup to work with Office 365 online?
Any tips & advice for this setup would be greatly appreciated, as this is the direction my company is going.


#2

Hi Wes,

Depends if you are using Sentry or not.
If you do NOT use the Sentry, you only need to change the server address in the Exchange Configuration to outlook.office365.com, and leave the Domain blank.
If you have Sentry, you need to change the server address in the Sentry Configuration --> ActiveSync Server, and change the server to outlook.office365.com:443, too.

If the O365 configuration is OK, and the users can log in via web, it should work.


#3

Hi @Jon,

Thanks for the info.
Yes, we are using on prem Core & Sentry.
I’ll look up MI to see if there’s any documents on this setup.

Thank you


#4

Hi Wes,

You need to pay attention to the firewall rules in your organization. It’s easier just to enable all the traffic on port 443 from the Sentry to the cloud, but the Security dept. might not be so happy about this.
In the end we got rid of the Sentry for the Exchange Online mailboxes, but now we cannot block the active sync connection if we want to…

Good luck!


#5

https://community.mobileiron.com/docs/DOC-6710
Technical Guide-Secure Authentication to Office 365 on MobileIron Core


#6

@DaniCondriuc thank you for the info. What made you guys get rid of the Sentry servers?

@brendanmain thanks for the article.


#7

You can block the activesync connection.


#8

Hopefully someone is still following this thread! How do we restrict EAS connections in Exchange Online / 365 only to those devices using the Sentry? At the moment the devices using the Sentry are creating a direct connection to EAS (get-mobiledevice) so I cannot whitelist the Sentry and block everything else.


#9

At the moment the devices using the sentry are creating a direct connection to EAS (get-mobiledevice) so I cannot whitelist the sentry and block everything else <-- either one of those statements is wrong or you can whitelist Sentry.

If you’re using Sentry, you can whitelist it using a claim rule - for ActiveSync proxy anyway. If you are using per-app VPN to tunnel the traffic there are better ways to restrict user-based OAuth connections.


#10

Thanks for the response Adam, there is no ADFS in the infrastructure so a claim rule is not possible for us, the customer is using password hash sync and authentication for O365 takes place in the cloud.

The customer is migrating to Office 365 / Exchange Online. We were told by the company that look after MobileIron (I am pretty unfamiliar with MobileIron and how the Sentry works) that the Sentry makes / proxies the Active Sync connection to Exchange Online. However, when I check the ActiveSync devices in Exchange Online each user has an entry for their own device, i.e. “iphone 7”, rather than the Sentry server.

In this configuration I am unable to lock down Active Sync to only those devices coming via / registered with MobileIron so Activesync access remains open.


#11

Use MobileIron Integrated Sentry with Office365 to block unregistered ActiveSync device connections to Office365.


#12

Thanks. Do you have any guidance/articles on how to do this? How do I stop unregistered devices connecting to EAS?


#13

So I finally got to setting this up. We have two standalone Sentry servers (HA purpose).
I have the Sentry servers open to the O365 Exchange Online IP ranges listed in the URL below.
https://support.content.office.net/en-us/static/O365IPAddresses.xml

We have a SCEP profile tied to our Exchange Config profile and labels applied to test devices.

From Exchange Config I have tested the config by putting our Sentry server name in the “Server Address” section and also tested it with “outlook.office365.com”, but the device fails to get mail with both settings.

We’re getting a 503 error in the Sentry log when the address is pointed to the Sentry server.
Is there something that needs to be set up on the O365 end?
The Technical Guide-Secure Authentication to Office 365 on MobileIron Core seems to go all over the place with the setup.
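
Added example, not part of the original post: instead of opening all outbound 443 from the Sentry, the Exchange Online ranges from the XML list linked above can be turned into scoped allow rules. The XML layout (product name "EXO", addresslist types), the Sentry address and the vendor-neutral rule syntax are assumptions, and the sample data is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of O365IPAddresses.xml.
# Addresses are documentation ranges, not real Microsoft ranges.
SAMPLE_XML = """<products updated="1/1/2018">
  <product name="o365">
    <addresslist type="IPv4"><address>203.0.113.0/24</address></addresslist>
  </product>
  <product name="EXO">
    <addresslist type="IPv6"><address>2001:db8:40::/48</address></addresslist>
    <addresslist type="IPv4">
      <address>192.0.2.0/25</address>
      <address>192.0.2.128/25</address>
      <address>198.51.100.7</address>
    </addresslist>
    <addresslist type="URL"><address>outlook.office365.com</address></addresslist>
  </product>
</products>"""

SENTRY_IP = "10.20.30.40"  # hypothetical Sentry egress address


def exo_networks(xml_text, product="EXO"):
    """Return {4: [...], 6: [...]} of collapsed networks listed for one product."""
    nets = {4: [], 6: []}
    for prod in ET.fromstring(xml_text).iter("product"):
        if prod.get("name") != product:
            continue
        for alist in prod.iter("addresslist"):
            if alist.get("type") not in ("IPv4", "IPv6"):
                continue  # URL entries cannot be used in an IP-based rule
            for addr in alist.iter("address"):
                # ip_network() raises ValueError on a malformed entry
                net = ipaddress.ip_network(addr.text.strip(), strict=False)
                nets[net.version].append(net)
    return {v: list(ipaddress.collapse_addresses(n)) for v, n in nets.items()}


def allow_rules(xml_text, sentry_ip=SENTRY_IP):
    """Egress allow rules: Sentry -> listed Exchange Online ranges, TCP 443 only."""
    src = ipaddress.ip_address(sentry_ip)
    return [f"allow tcp from {src} to {net} port 443"
            for net in exo_networks(xml_text)[src.version]]


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_XML)))
```

The published ranges change over time, so the rules need regenerating from the current list rather than being set once.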


#14

If activesync is allowed, no. Is Sentry pointing to outlook.office365.com?
The Technical Guide-Secure Authentication to Office 365 on MobileIron Core <-- this is for a different scenario to what you are describing.


#15

Adam,

Our Active Sync Configuration in Sentry setting is pointing to “outlook.office365.com:443”.


#16

And is O365 expecting a client certificate? Is Sentry? Are they both? Will they both accept the same certificate? If you point the devices at Sentry which consumes a client certificate and O365 also expects a client certificate what have you configured to facilitate that?


#17

FYI, you can perform cert based auth directly from device for ActiveSync to Office365 without the requirement for an ADFS Server

All you need to do is upload the Root CA Certificate (and intermediate if you have 2 CA Servers) into

  • Windows PowerShell and run as administrator
  • Type "Install-module azuread" and hit enter, then Y and A
  • Type "Connect-AzureAD" and hit enter
  • Type "Get-AzureADTrustedCertificateAuthority" and hit enter (should be no results as you have not added Root Certs yet)
  • Type $cert=Get-Content -Encoding byte "C:\Temp\LocalCA.cer" (.cer file location of Root CA Cert)
  • Type "$new_ca=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation"
  • Type "$new_ca.AuthorityType=0"
  • Type "$new_ca.TrustedCertificate=$cert"
  • Type $new_ca.crlDistributionPoint="http://server.contoso.com/certsrv/RootCA-server.crl"
  • Type "New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $new_ca"
  • Type "Get-AzureADTrustedCertificateAuthority" and hit enter (should be the Root Cert you just uploaded)

You can now create a user/device certificate with the user's email address in the Subject and Subject Alternative Name to use for authentication for ActiveSync email to “outlook.office365.com”.


#18

Cert based auth for ActiveSync won’t work if you enable MFA for the user in the MFA portal

You will need to create a conditional access policy with the following attributes to still enforce MFA requirement for all other services/applications except ActiveSync

Assignments
Include users in the scope of your test
Include all cloud apps
Include any location. Note that here is where you can exclude an IP whitelist created in the MFA portal by clicking on the exclude tab and selecting ‘MFA Trusted IPs’

Access controls:
Grant access
Require multi-factor authentication

What this accomplishes is:

If an application identifies itself as supporting modern authentication… we will require MFA.
If an application does not identify itself as supporting modern authentication… we will not require MFA.

It should be noted again that this approach is less secure and would also allow other legacy clients such as older versions of Outlook (prior to 2016) to bypass MFA