Exchange ActiveSync (EAS) MDM payload settings for Apple devices
Use the Exchange ActiveSync (EAS) payload to enter the user’s settings for your Microsoft Exchange Server. You can create a profile for a particular user by specifying the user name, hostname, and email address, or you can provide just the hostname; users are prompted to fill in the other values when they install the profile.
In iOS 14 and iPadOS 14 or later, Exchange accounts configured for OAuth and Microsoft cloud-based services (such as Office365 or outlook.com) are automatically upgraded to use Microsoft’s OAuth 2.0 authentication service.
The Exchange ActiveSync (EAS) payload supports the following. For more information, see Payload information.
Supported payload identifier: com.apple.eas.account
Supported operating systems and channels: iOS, iPadOS.
Supported enrollment types: User Enrollment, Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—more than one Exchange ActiveSync payload can be delivered to a user or device.
For information about requirements and supported features, see Integrate Apple devices with Microsoft Exchange.
You can use the settings in the table below with the Exchange ActiveSync payload.
The display name for the account.
The IP address or fully qualified domain name (FQDN) of the Exchange host.
Account user name
The user name with the optional domain.
Account email address
The email address for the account.
The password of the user account. If you leave this field empty, users must enter their password after the payload is installed on the device. You can also choose to override the previous password.
Use OAuth for authentication
Specifies whether the connection should use OAuth for authentication. If OAuth is specified, the password field should be left empty.
When the Use SSL option is selected and the server’s SSL certificate isn’t issued by a trusted certificate authority known to the devices, use the Certificates payload to add any root or intermediate certificates that are necessary to validate the server’s SSL certificate.
Past days of mail to sync
Select the amount of time to sync older mail. The options are:
Authentication credential name
The name or description of the account.
Select the certificate that identifies the user to the Exchange ActiveSync (EAS) server.
Allow user to move messages from this account
Specify whether email messages can be moved between mail accounts.
Allow recent addresses to be synced
Specify whether recently used addresses can be synced across devices.
Allow Mail Drop
Specify whether Mail Drop appears as an option when sending large files using the Mail app.
Use only in Mail
Specify whether any apps other than the Mail app are able to send email.
Note: If this is turned on, the Exchange account can’t be used with share sheet in other apps.
Enable S/MIME signing
Enable S/MIME signing.
Allow S/MIME signing
Allow the user to enable or disable S/MIME signing.
Allow the user to modify the S/MIME signing certificate
Allow the user to modify the S/MIME signing certificate.
Force S/MIME encryption
Force S/MIME encryption.
Allow S/MIME encryption
Allow the user to enable or disable S/MIME encryption.
Allow the user to modify the S/MIME encryption certificate
Allow the user to modify the S/MIME encryption certificate.
Enable per-message encryption switch
Specify whether users have the option to encrypt messages on a per-message basis.
Communication service rules
You can select a default app to be used when calling contacts from this account.
You can select one of the following services: Mail, Contacts, Calendars, Reminders, Notes. At least one service should be selected.
Service account modification
You can restrict users from making account changes to the following services: Mail, Contacts, Calendars, Reminders, Notes.
Note: Each MDM vendor implements these settings differently. To learn how various Exchange ActiveSync (EAS) settings are applied to your users, consult your MDM vendor’s documentation.