Configuring IMAP Mail Profiles in Mobile Guardian
Mobile Guardian allows administrators to automatically deploy pre-configured mail accounts to managed Apple devices. By utilizing the Mail Payload (IMAP), you can ensure that endpoints are provisioned with corporate or institutional email settings over-the-air, standardising email setups without requiring manual user intervention.
[!NOTE] This specific payload configures the traditional IMAP/SMTP protocol. It handles email synchronisation only. Calendar and Contacts sync are managed through separate account profiles.
Field-by-Field Configuration Guide
To configure this, log into Mobile Guardian, navigate to Profiles, select your target profile, click on Accounts, and select Mail -> Add New.
1. General Settings
This section establishes the visible identity of the email account on the endpoint device.
- Account Type: Set to IMAP.
- Path Prefix: Leave blank unless your email server provider explicitly requires a specific folder path prefix (e.g., INBOX).
- Account Description (*): Required. The user-friendly name displayed in the Apple Mail and Settings apps (e.g., School Mail or Company Email).
- User Display Name: The sender name that recipients will see when the user sends an email. You can use a dynamic variable like %fullname% if supported, or leave blank for the user to define.
- Email Address (*): Required. The full target email address. Use the Mobile Guardian variable %email% to dynamically map the mailbox to the assigned device user.
Data Security Options (Toggles)
- Prevent user from moving messages out of this account: Enforces data loss prevention (DLP). Prevents users from moving emails from this managed account into personal email accounts on the same device.
- Prevent Recent Addresses from being synced: Stops iCloud/Apple from syncing recently used email addresses to other devices.
- Allow Mail Drop: Dictates whether the user can use Apple's Mail Drop feature to send large attachments via iCloud.
- Prevent sending mail from apps other than Apple Mail: Restricts third-party applications from using this specific mail account to send messages.
2. Incoming Mail (IMAP)
Controls how the device fetches mail from the server to display to the user.
- Authentication Type: Select your server's requirement (typically Password or MD5 Challenge-Response).
- SSL (Use SSL): Highly Recommended. Check this box to encrypt incoming email traffic.
- Hostname (*): Required. The incoming mail server address provided by your email host (e.g., imap.gmail.com or mail.yourdomain.com).
- Port: If left blank, the device defaults to standard ports (993 for SSL, 143 for non-SSL).
- Username (*): Required. The account login credential. Use %email% or %username% for dynamic mapping.
- Password: Leave blank to force the user to type their own password on their device, or enter a generic password if utilizing an encrypted profile with shared mailboxes.
- Discard domain suffix if Username is an email address: If your mail server requires just a username (e.g., john) instead of the full email address (john@example.com) to authenticate, check this box.
3. Outgoing Mail (SMTP)
Controls how the device sends mail out to the world.
- Authentication Type: Match your incoming mail authentication settings (usually Password).
- SSL (Use SSL): Highly Recommended. Encrypts outgoing mail traffic.
- Hostname (*): Required. The SMTP server address (e.g., smtp.gmail.com or smtp.yourdomain.com).
- Port: If left blank, Apple Mail will automatically cycle through standard SMTP ports (25, 587, and 465) to establish a secure connection.
- Username (*) / Password: Enter the outgoing server credentials if they differ from the incoming server.
- Outgoing Password Same As Incoming Password:
[!WARNING] As noted in the interface, setting this to True minimizes user prompts during interactive, manual profile installations. However, because Mobile Guardian pushes profiles silently via non-interactive MDM, this specific option is not natively supported by Apple's iOS MDM framework. Users will likely be prompted for their password for both incoming and outgoing configurations.
Configuring Calendar Profiles in Mobile Guardian
Mobile Guardian allows administrators to automatically provision calendar infrastructure onto managed Apple devices. When setting up calendars under a profile's Accounts section, Mobile Guardian provides two distinct deployment protocols: CalDAV and CalSub.
Understanding the differences between these protocols is vital for a successful deployment:
- CalDAV (Calendar Distributed Authoring and Versioning): A two-way protocol. It allows users to read, create, schedule, and edit calendar events directly from their device.
- CalSub (Calendar Subscription): A one-way, read-only protocol. It streams a public or shared calendar (such as a school timetable, district holidays, or exam schedule) down to the device. Users cannot edit these events.
Payload 1: Configuring CalDAV (Two-Way Interactive Calendars)
Use this payload if users need to sync, create, and manage their personal or institutional schedules.
Field Configuration Guide
- CalDAV Description (*): Required. The user-friendly name displayed in the native Calendar and Settings applications (e.g., Staff Calendar).
- Hostname: The Fully Qualified Domain Name (FQDN) or IP address of your internal or cloud-hosted CalDAV server (e.g., dav.google.com or cal.yourdomain.com).
- Port: Leave blank to use default protocol ports, or specify your server’s custom port if required.
- Principal URL: The specific directory path on the server where the user's calendar data resides. Many modern cloud systems automatically detect this if left blank; refer to your email/calendar host documentation if required.
- Account Username: The login credential for the server. Use the Mobile Guardian variable %email% or %username% to dynamically map the account to the specific device user.
- Account Password: Leave blank to prompt the user for their password on the device, or input a predefined password if utilising encrypted profiles for a shared department calendar.
- Use SSL: Highly Recommended. Check this box to encrypt calendar data transmitted between the endpoint device and your server.
Payload 2: Configuring CalSub (One-Way Read-Only Subscriptions)
Use this payload to broadcast rigid organisational schedules—such as a school term calendar, lesson timetables, or exam rosters—directly into the user's native calendar app.
Field Configuration Guide
- CalSub Description: The user-friendly name displayed next to the subscribed calendar on the device (e.g., School Term 2 Dates or District Holiday Roster).
- CalSub Hostname: The web address hosting the .ics calendar file.
[!NOTE] Do not include the URL scheme prefix (such as http:// or webcal://) in the hostname field. Enter the bare host address (e.g., calendar.google.com/calendar/ical/.../public/basic.ics).
- Account Password: Only required if the hosted calendar file is password-protected. If the subscription is publicly accessible via a shared URL, leave this field blank.
- Use SSL: Check this box to ensure the calendar subscription stream is pulled over a secure, encrypted connection (HTTPS/WebCalS).
Configuring Contacts in Mobile Guardian Profiles
Mobile Guardian allows administrators to automatically provision address books and contact directories onto managed Apple devices. By using the CardDAV (vCard Extensions to WebDAV) protocol, you can securely sync corporate directories, school staff contact lists, or individual user address books directly to the native Contacts application without manual user setup.
Field Configuration Guide
To configure this setup, navigate to Profiles, choose your target profile, go to Accounts, and select Contacts -> New Contact.
General Settings
- CardDAV Description (*): Required. The user-visible name for the address book as seen in the Contacts and Settings applications (e.g., School Directory or Company Contacts).
- Hostname: The Fully Qualified Domain Name (FQDN) or IP address of your CardDAV server (e.g., contacts.google.com or addressbook.yourdomain.com).
- Port: Leave blank to use the protocol’s default ports, or specify your custom internal infrastructure port if required.
- Principal URL: The explicit server directory path where the address book database resides.
[!NOTE] Many modern cloud contact providers automatically discover this path using the Hostname and Username. However, for specific on-premises servers (e.g., custom Nextcloud or legacy Exchange setups), you may need to explicitly define the path (e.g., /remote.php/dav/principals/users/).
- Account Username: The login credential required to access the address book. Use the Mobile Guardian variable %email% or %username% to dynamically map individual employee or student accounts.
- Account Password: Leave blank to securely prompt the user for their account password on the device, or pre-populate it if deploying a shared, read-only organisational address book with a common account.
- Use SSL: Highly Recommended. Check this box to enforce Secure Socket Layer (SSL) encryption, securing sensitive personal data and contact information while it is in transit.
Endpoint User Experience
Once Mobile Guardian successfully applies this profile to a target device:
- The account dynamically populates under Settings -> Contacts -> Accounts.
- When the user opens the native Contacts or Phone app, the new group (matching the CardDAV Description) will appear in the list.
- If the password field is left blank in the dashboard, a native prompt will securely request the user's password once to kick off the initial synchronisation.
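The SSL, password and message-move settings covered in the mail, calendar and contacts sections above can be reviewed in the profile itself. The following is an added example, not Mobile Guardian's own tooling: it assumes the profile is available as an unsigned, unencrypted .mobileconfig plist and that the dashboard fields map onto Apple's standard payload keys, and the sample profile is constructed.

```python
import plistlib

# Payload type -> (SSL keys, password keys). Key names are Apple's payload keys;
# the mapping from Mobile Guardian's dashboard fields is an assumption.
CHECKS = {
    "com.apple.mail.managed": (("IncomingMailServerUseSSL", "OutgoingMailServerUseSSL"),
                               ("IncomingPassword", "OutgoingPassword")),
    "com.apple.caldav.account": (("CalDAVUseSSL",), ("CalDAVPassword",)),
    "com.apple.carddav.account": (("CardDAVUseSSL",), ("CardDAVPassword",)),
    "com.apple.subscribedcalendar.account": (("SubCalAccountUseSSL",),
                                             ("SubCalAccountPassword",)),
}

def audit_profile(data: bytes) -> list[str]:
    """Return review findings for the account payloads in a .mobileconfig plist."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype not in CHECKS:
            continue
        name = payload.get("PayloadDisplayName", ptype)
        ssl_keys, password_keys = CHECKS[ptype]
        for key in ssl_keys:
            # Only an explicit false is flagged; no platform default is assumed.
            if payload.get(key) is False:
                findings.append(f"{name}: {key} is false (traffic not encrypted)")
        for key in password_keys:
            if payload.get(key):
                findings.append(f"{name}: {key} is embedded (confirm the profile is encrypted)")
        if ptype == "com.apple.mail.managed" and payload.get("PreventMove") is not True:
            findings.append(f"{name}: PreventMove is not true (messages can be moved to other accounts)")
    return findings

# Constructed sample profile, not exported from a real tenant.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.mail.managed", "PayloadDisplayName": "School Mail",
         "EmailAccountType": "EmailTypeIMAP", "IncomingMailServerHostName": "mail.example.com",
         "IncomingMailServerUseSSL": True, "OutgoingMailServerUseSSL": False,
         "IncomingPassword": "constructed-secret", "PreventMove": True},
        {"PayloadType": "com.apple.carddav.account", "PayloadDisplayName": "School Directory",
         "CardDAVHostName": "addressbook.example.com", "CardDAVUseSSL": True},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```

On the sample, the mail payload is reported for unencrypted SMTP and an embedded incoming password, while the CardDAV payload passes.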