Configuring Exchange email notifications

Follow these steps to configure settings for the Email Notification module.

Before you begin

The Secure Mail feature must be enabled for your account. If Secure Mail is not enabled, contact IBM® support.

Procedure

  1. From Setup > Services, expand and then select the message icon next to the Secure Mail section to enable email notifications for iOS devices in the IBM® MaaS360® Portal.
  2. Open the Cloud Extender® Configuration Tool and select Email Notification.
  3. Depending on the version of Exchange that you are using, select an option under Streaming Notifications on Exchange or Exchange Push Notifications.
  4. Configure settings for any of the following versions of Exchange or Office 365:
    • For Exchange 2010, configure the following settings:
      Setting: Description
      Mail Server: Choose Exchange 2010 SP1 to use for streaming notifications.
      Exchange Web Services URL: The URL for the EWS service. Use the following command from the Exchange Management Shell to determine the Web Service URL:
        Get-WebServicesVirtualDirectory | Select name,*url* | fl
        Note: An internal URL is typically used for this URL.
      Limit to specified Mailbox servers: Limits the email notifications subscription to mailboxes only on the specified list of mailbox servers.
      Accounts for Exchange Web Services: Configures the listener accounts. Each listener account can subscribe to a maximum of 1,250 mailboxes. One Cloud Extender accepts up to 12 listener accounts.
    • For Exchange 2013 or later, configure the following settings:
      Setting: Description
      Mail Server: Choose Exchange 2013 & above to use for streaming notifications.
      Exchange Web Services URL: This field is not shown because the Cloud Extender uses the Autodiscover service to determine the CAS for the subscribing mailbox.
      Limit to specified Mailbox servers: Limits the email notifications subscription to mailboxes only on the specified list of mailbox servers.
      Accounts for Exchange Web Services: Configures the listener account.
    • For Office 365, configure the following settings:
      Setting: Description
      Exchange Web Services URL: This field is not shown because the Cloud Extender uses the Autodiscover service to determine the CAS for the subscribing mailbox.
      Office 365: Configure for modern authentication.
      Using a Specific URL: Configure the email notification based on the EWS URL. The Exchange integration requires the address of your Exchange server, which is called the Exchange Web Services (EWS) URL.
        Note: It is auto-detected by using your email address.
        Format is https://<mail.server>/ews/exchange.asmx
      Using Autodiscover: Configure to determine the CAS URL associated with a specific email address. When given a new email address to monitor, the Email Notification module is for auto-discovery and is also used for subscribing to a mailbox.
      Exchange Push Notifications: Configure for HTTP email notifications.

      Important:
      Additional Configuration is available only when you select the following options:
      • Using a Specific URL
      • Using Autodiscover
      • Exchange Push Notifications

      Select the Scope by specific mailbox servers checkbox to configure the email notification based on mailbox servers. Mailbox servers must be different across all Cloud Extenders.

  5. Configure authentication to connect to an Exchange server:
    • For Office 365
      To use modern authentication, you must provide the Tenant ID and the Client ID that are created in the Azure portal. Also configure the number of iOS mailbox accounts based on your requirements. By default, the Exchange Environment option is set to General. GCC and GCC High customers can select other environments according to their respective regions.
      Follow these steps to create these IDs in the Azure portal:
      1. Log in to the Azure portal as the Global Administrator.
      2. Register your application.
        Important:
        • Configure Public client/native as urn:ietf:wg:oauth:2.0:oob in the Redirect URI while registering the application.
        • Copy the Tenant ID and the Client ID from the Azure portal.

        For more information about creating and registering an application, see Microsoft documentation.

      3. Select the registered application on the Azure portal and grant API permissions:
        Important: Configure EWS > EWS.AccessAsUser.All when you have selected Using Listener Account, and full_access_as_app when you have selected Using Shared Secret or Using Certificate.
        Click + Add a permission. The Request API permissions window is displayed.
        • Go to the APIs my organization uses > Office 365 Exchange Online > Delegated permissions and select EWS > EWS.AccessAsUser.All.
        • Go to the APIs my organization uses > Office 365 Exchange Online > Application permissions and select full_access_as_app.

        Click Grant admin consent for <your application> to grant the permission.


        For more information about API permissions, see Microsoft documentation.

      4. Set the Allow public client flows toggle to Yes to update the authentication for the registered application to Public Client, and save the changes.
        Important: This step applies only when you have selected Using Listener Account.
    • For the following options, configure the URL, port, and server account details in the Server Configuration and Service Account Configuration windows:
      • Using a Specific URL
      • Using Autodiscover
      • Exchange Push Notifications
  6. Configure the credentials for authentication.
    • Select one of the following credential types for Office 365 and configure it:
      Note:
      • Listener account and client secret credentials expire and are considered less secure than certificate credentials. Therefore, Microsoft recommends using certificate credentials.
      • From 1 July 2024, the Using Listener Account option will be deprecated. According to Microsoft, new assignments of the ApplicationImpersonation role are blocked starting July 2024. By November 2024, this permission scope will be removed entirely. Users must use one of the other options, Using Shared Secret or Using Certificate, to configure email notification. For more information, see https://www.ibm.com/support/pages/node/7158061.
      • Using Listener Account: Configure the username and password. For more information about setting up listener accounts, see Setting up a listener account.
      • Using Shared Secret
        • Go to Azure > Applications > App Registration > MaaS360 Email Notifications > Certificates and secrets > Client secrets. Configure the secret code that is created in the Azure portal and then select the expiry date. Client secret lifetime is limited to two years or less.
          Note: You cannot specify a custom lifetime longer than 24 months.
        • Note the secret value, because it is not displayed after you exit the page.
        • Enter the Shared Secret value and Expiry date.

          For more information about creating secret code, see Microsoft documentation.

      • Using Certificate
        • Go to Applications > App registration > MaaS360 Email Notifications > Certificates and secrets > Certificates. Click Upload certificate to upload the Public Key Certificate.
        • Add the Private Key Certificate to the Cloud Extender Configuration. Enter the password used to encrypt the certificate.

          For more information about uploading certificates, see Microsoft documentation.

          You can create a self-signed public certificate to authenticate. Self-signed certificates are not signed by a trusted third-party Certificate Authority (CA). They are considered unsafe and are recommended for testing purposes only. For more information, see https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-self-signed-certificate.

  7. Optional: Configure a proxy in Configure Advanced Settings.
    Configure a static (unauthenticated) proxy to connect to an Exchange server. The proxy settings are read from the repository for the Email Notifications module. The Email Notifications module uses the proxy settings to auto discover and to connect to the Exchange server.
    1. Click Advanced.
    2. Select the Use proxy settings checkbox.
    3. Provide the address and the port for the proxy.
      Note: If you want to change proxy settings in the module after you configured a static proxy, you must restart the module for changes to the proxy settings to take effect.
  8. Check Testing Exchange email notifications after completing the configurations.
  9. Save your changes.
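
A configuration check for steps 5 and 6, added here as an example and not part of the IBM documentation: it decodes an access token issued to the registered application and confirms that the Tenant ID, the Client ID, and the granted permission match the selected credential type. The claim names (tid, appid/azp, scp, roles, exp) are those used in Microsoft identity platform tokens; the function names and sample values are hypothetical, the token signature is not verified, and obtaining the token is outside the example.

```python
import base64, json, time

# Permission each credential type needs, as listed in step 5 of the procedure.
REQUIRED = {
    "listener_account": ("scp", "EWS.AccessAsUser.All"),   # delegated permission
    "shared_secret": ("roles", "full_access_as_app"),      # application permission
    "certificate": ("roles", "full_access_as_app"),        # application permission
}

def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, tenant_id, client_id, credential_type, now=None):
    """Return a list of problems; an empty list means the claims match."""
    claims = decode_claims(token)
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the configured Tenant ID")
    # v1.0 tokens carry the client ID in 'appid', v2.0 tokens in 'azp'.
    if client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("appid/azp does not match the configured Client ID")
    claim, needed = REQUIRED[credential_type]
    granted = claims.get(claim, [])
    if isinstance(granted, str):  # 'scp' is a space-separated string
        granted = granted.split()
    if needed not in granted:
        problems.append(f"{claim} is missing {needed}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token is expired")
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demonstration below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

# Constructed sample values, not real identifiers.
TENANT = "00000000-0000-0000-0000-000000000001"
CLIENT = "00000000-0000-0000-0000-000000000002"
SAMPLE = make_sample_token({"tid": TENANT, "appid": CLIENT,
                            "roles": ["full_access_as_app"], "exp": 2_000_000_000})

if __name__ == "__main__":
    print(check_token(SAMPLE, TENANT, CLIENT, "certificate", now=1_700_000_000))
```

A token that carries full_access_as_app while Using Listener Account is configured, or the reverse, points to a mismatch between the API permissions granted in step 5 and the credential type selected in step 6.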