Email Notification Service 2 (ENS2)
VMware Workspace ONE UEM
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2023 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
1 What is Email Notification Service?
2 ENS2 Requirements and Prerequisites
3 ENS2 Deployment Options
4 Configure your Email Notification Service for Cloud Deployment
5 Configure your Email Notification Service for On-Premises Deployment
6 Configure ENS2 with Application Configuration Values for Boxer
7 Migrate from FedRAMP ENS On-Premises Server to Cloud Server
8 Configure SEG as EWS Proxy for ENS
9 Configure Certificate-Based Authentication for ENS
10 Troubleshooting ENS
11 Frequently Asked Questions about ENS2 Functionality
12 Appendix
1 What is Email Notification Service?
Workspace ONE UEM powered by AirWatch Email Notification Service (ENS2) provides new
email notifications for VMware Workspace ONE Boxer on both iOS and Android. The service
works by monitoring the Exchange or Office365 back end for email events and sending updates
to the end user devices through Apple or Google’s push notification services. This documentation
provides the information required to install and configure the ENS2 as a cloud-hosted or on-
premises service.
The Workspace ONE Boxer provides notifications about your emails by running in the
background. Due to platform limitations, Boxer can only run in the background for a limited time.
Email Notification Service (ENS2) provides a solution to deliver notifications to the user's device
when Boxer is not running.
ENS2 supports notifications that include the email subject and, on iOS only, a badge icon that
shows the number of unread emails in the Inbox on the server. On Android, ENS2 does not
support showing the number of unread emails in the Inbox on the server.
You can configure ENS2 with the Secure Email Gateway (SEG) V2 to secure your organization's
email infrastructure. For more information about SEG, see the Workspace ONE UEM Secure Email
Gateway Guide (SEG) V2 guide.
Note To align with the rest of the Workspace ONE suite, the ENS version numbering is changed
to the YY.MM (Year, Month) format starting with the 21.04 release.
ENS2 Architecture
This section provides information about the architecture design and functionality of ENS2.
ENS2 Architectural Flow
ENS2 architectural flow description:
1 Public-Key Request - The device requests a public key to encrypt the account credentials.
2 Subscribe - The device sends an encrypted payload with credentials and all the necessary
information to subscribe and get email notifications.
3 Push Subscription - ENS authenticates with EWS and subscribes for push notifications using
a webhook URL. The webhook URL contains the encrypted credentials. The credentials are
now kept encrypted on the Exchange server.
4 New Email Notification -
   - Exchange sends notification about the mailbox changes to the provided webhook URL.
   - ENS extracts and decrypts the credentials and prepares a call to fetch emails.
5 Email Fetch - ENS performs a fetch for the email details (subject and sender) required for
providing a notification.
6 Push Notification Payload - ENS pushes email details for delivery to all devices belonging to
the user through SNS (ENS cloud deployments) or CNS (ENS on-premises deployments).
7 SNS or CNS sends notifications to iOS or Android devices. For iOS devices, SNS or CNS uses
Apple Push Notification Service (APNS), and for Android devices, SNS or CNS uses Firebase
Cloud Messaging (FCM).
2 ENS2 Requirements and Prerequisites
This section explains the requirements and prerequisites for using the ENS2 with Workspace ONE
UEM.
Email Server Integration Supported Versions
- Email Client - For Android support, you must have ENS2 1.3.0.4 or later and Workspace ONE
  Boxer 5.2 or later.
- Email Server - Exchange 2010 SP3, Exchange 2013 SP1, Exchange 2016, Exchange 2019 (for
  on-premises ENS2 version 1.7 and later), or Office 365.
- For ENS2 on-premises with ENS2 version 1.8 and later, Office 365 is supported.
Workspace ONE UEM Requirements
- On-premises and Cloud deployment: Workspace ONE UEM console 1902 and later
Hardware Requirements (On-Premises Only)
Table 2-1. Web Server
CPU Core | RAM | Hard Disk Storage | Notes
2 (Intel processor) | 16 GB | 30 GB | Per 100,000 users.
Table 2-2. Database Server
CPU Core | RAM | Hard Disk Storage | Notes
2 (Intel processor) | 16 GB (minimum) | Approx. 0.0477 MB per user to estimate the DB storage size. | Per 100,000 users.
Software Requirements
Requirement (On-Premises) | Notes
Windows Server 2016, Windows Server 2019, or Windows Server 2022 | The servers must be externally accessible through https (SSL Cert) and with a Fully Qualified Domain Name (FQDN)
SQL Server 2016, 2017, and 2019 (Database Server) | The db_owner role and public role must be assigned to the SQL server user that is used for running the application. The database option must be selected for external database and you must set the collation to SQL_Latin1_General_CP1_CI_AS. A dedicated SQL instance for ENS is recommended. The steps to create an ENS database and the Workspace ONE UEM database are the same. For more information on creating the Workspace ONE UEM database, see the Create the Workspace ONE UEM Database topic in the Installing Workspace ONE UEM guide. Note: A shared SQL instance can only be used for demonstration purposes, where a small set of users can use the ENS.
Basic Authentication for the Exchange environment | OAuth and Certificate-Based Authentication (CBA) is supported for Exchange Web Services
CNS Certificate |
Secure Channel Certificate |
IIS 7 or later | Installed on Web Server

Requirement (Cloud) | Notes
Basic Authentication for the Exchange environment | OAuth and Certificate-Based Authentication (CBA) is supported for Exchange Web Services
Autodiscovery enabled in the Exchange environment and Internet-facing EWS environment. If the autodiscovery is deactivated, you can use the EWSUrl key value pair to configure ENS. |
Networking Requirements
Table 2-3. Network Ports
Source | Destination | Protocol (Port)
ENS | Exchange (EWS) | HTTPS (443)
Exchange (EWS) | ENS | HTTPS (443)
Mailbox/CAS | ENS | HTTPS (443)
ENS | Exchange OAuth host** | HTTPS (443)
ENS | AirWatch Cloud Notification Service (CNS) | HTTPS (443)
ENS | SQL Server Instance | SQL (1433)
Internet (Devices) | ENS | HTTPS (443)
ENS* | AirWatch Signing Service | HTTPS (443)
UEM Console* | ENS | HTTPS (443)
*Applicable for ENS2 version 1.10 and later and Workspace ONE UEM console version 2101 and
later.
** Required only if Exchange is configured for Modern authentication or OAuth based
authentication, even if SEG is configured as EWS proxy.
Required External Services
ENS uses the following services and is dependent on the services for ENS operation. You must
allowlist or ensure that the ENS server can access the following URLs.
Source | Destination | Domain Name | Supported Versions
ENS | AirWatch Trust Discovery | awtrustdiscovery.awmdm.com | ENS2 version prior to 21.04.
ENS | AirWatch Signing Service | signing.awmdm.com | ENS2 version 1.10 and later and Workspace ONE UEM console version 2101 and later
ENS | The actual Exchange OAuth host configured for Exchange* | https://login.microsoftonline.com (sample) | ENS2 all versions
* Required only if Exchange is configured for Modern authentication or OAuth based
authentication.
Note When Modern authentication is used, ENS must directly communicate with Exchange to
refresh the authentication token. ENS IPs must be allowlisted for Modern authentication to work if
SEG is used as the EWS proxy because SEG cannot proxy the refresh token request.
CNS Server IP Allowlist
The following table describes the CNS Server IP allowlist requirements.
Source | Destination | Domain Name | Supported Versions
ENS | https://prod.cns.vmwservices.com | 44.239.192.231, 44.235.169.212, 44.237.141.156 | ENS2 version 21.04 and later.
Table 2-4. IIS Services
Component Name | Required Services
Web Management Tools | IIS 6 Management Compatibility; IIS Management Console; IIS Management Scripts and Tools; IIS Management Service
Table 2-5. World Wide Web Services
Component Name | Required Services
Application Development Features | .NET Extensibility 3.5; .NET Extensibility 4.6; Application Initialization; ASP; ASP.NET 3.5; ASP.NET 4.6; ISAPI Extensions; ISAPI Filters; Server-Side Includes; WebSocket Protocol
Common HTTP Features | Default Document; Directory Browsing; HTTP Errors; Static Content
Health and Diagnostics | HTTP Logging
Performance Features | Static Content Compression
Security | Request Filtering
SQL Server and High Availability Support
High availability configuration - ENS2 supports SQL Server AlwaysOn high availability
configuration. To set up the SQL Server AlwaysOn for active/active or active/passive setup, see
Overview of Always On Availability Groups (SQL Server). If you are using AlwaysOn, point to the
availability group when choosing the database server during the ENS2 installation.
TLS Support for ENS
ENS2 cloud deployments require TLS 1.2 or greater to maintain security. You must ensure that
TLS 1.2 or greater is enabled on your email server.
For ENS2 on-premises, see the Cipher Suites in TLS/SSL (Schannel SSP) topic for the default cipher
suites for different Windows server versions and select the ENS2 on-premises server version
accordingly.
Note If SEG is configured, then ensure that the on-premises ENS server has all the ciphers that
are enabled in the SEG server.
ENS supports TLS version 1.2 and 1.3. ENS does not choose any protocol, but permits the OS
to choose the strongest available TLS version and the cipher suites. The following table lists the
recommended cipher suites.
Cipher Suites | SSL Cipher Strength | TLS Protocol Version | Elliptic Curve Variants | Cryptographic Algorithm | Authenticated Encryption | Cryptographic Hash Algorithm
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDHE-ECDSA-AES128-GCM-SHA256 | TLS 1.2 | ECDH-ephemeral | ECDSA | AESGCM (128) | SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 | TLS 1.2 | ECDH-ephemeral | ECDSA | AESGCM (256) | SHA256 and SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA | TLS 1.2 | ECDH-ephemeral | ECDSA | AES (128) | SHA1
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA | TLS 1.2 | ECDH-ephemeral | ECDSA | AES (256) | SHA1
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 | TLS 1.2 | ECDH-ephemeral | ECDSA | AES (128) | SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE-ECDSA-AES256-SHA384 | TLS 1.2 | ECDH-ephemeral | ECDSA | AES (256) | SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 | TLS 1.2 | ECDH-ephemeral | RSA | AESGCM (128) | SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 | TLS 1.2 | ECDH-ephemeral | RSA | AESGCM (256) | SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA | TLS 1.2 | ECDH-ephemeral | RSA | AES (128) | SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA | TLS 1.2 | ECDH-ephemeral | RSA | AES (256) | SHA1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 | TLS 1.2 | ECDH-ephemeral | RSA | AES (128) | SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 | TLS 1.2 | ECDH-ephemeral | RSA | AES (256) |
ENS2 Prerequisites
To enable and secure the communication between the Exchange server and the ENS server, note
the following points:
- Communication between ENS and Exchange servers must not have any SSL errors.
- telnet and ping commands must work seamlessly between ENS and Exchange CAS/
  Mailbox servers.
- SSL certificates used for ENS and Exchange servers must not have any errors when they run
  through SSL checkers.
Note If you want to enable certificate-based authentication or configure ENS2 with SEG, see
Chapter 9 Configure Certificate-Based Authentication for ENS and Chapter 8 Configure SEG as
EWS Proxy for ENS.
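The TLS and certificate prerequisites above can be checked with a short pre-flight script. This is an added example, not part of the VMware documentation: it handshakes with the HTTPS destinations the page names, refuses anything below TLS 1.2, verifies the certificate chain and hostname, and compares a TLS 1.2 suite against the recommended table. The names `Handshake`, `probe`, `assess` and `TARGETS` are chosen here, and `mail.example.com` is a placeholder for your own Exchange host.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# The twelve suites from the page's table, second column (OpenSSL names),
# which is the naming that ssl.SSLSocket.cipher() reports.
RECOMMENDED = frozenset(
    f"ECDHE-{auth}-{enc}"
    for auth in ("ECDSA", "RSA")
    for enc in ("AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA",
                "AES256-SHA", "AES128-SHA256", "AES256-SHA384")
)

# Destinations named on the page; the Exchange entry is a placeholder.
TARGETS = [
    ("ENS alive endpoint (North America)", "ens.getboxer.com"),
    ("AirWatch Signing Service", "signing.awmdm.com"),
    ("CNS", "prod.cns.vmwservices.com"),
    ("Exchange OAuth host (sample)", "login.microsoftonline.com"),
    ("Exchange EWS (placeholder)", "mail.example.com"),
]


@dataclass
class Handshake:
    host: str
    port: int
    version: Optional[str]  # "TLSv1.2" / "TLSv1.3", None if the handshake failed
    cipher: Optional[str]   # negotiated suite, OpenSSL name
    error: Optional[str]    # reason for failure, None on success


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Handshake:
    """Handshake with host:port, verifying chain and hostname, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _, _ = tls.cipher()
                return Handshake(host, port, tls.version(), name, None)
    except ssl.SSLCertVerificationError as exc:
        return Handshake(host, port, None, None, f"certificate: {exc.verify_message}")
    except ssl.SSLError as exc:
        return Handshake(host, port, None, None, f"tls: {exc.reason}")
    except OSError as exc:  # DNS failure, refused connection, timeout
        return Handshake(host, port, None, None, f"connect: {exc}")


def assess(h: Handshake) -> List[str]:
    """Turn one handshake result into findings against the page's requirements."""
    if h.error:
        return [f"FAIL {h.error}"]
    if h.version not in ("TLSv1.2", "TLSv1.3"):
        return [f"FAIL negotiated {h.version}; TLS 1.2 or greater is required"]
    # The table lists TLS 1.2 suites only; TLS 1.3 suites are named differently.
    if h.version == "TLSv1.2" and h.cipher not in RECOMMENDED:
        return [f"WARN suite {h.cipher} is not in the recommended table"]
    return ["OK"]


if __name__ == "__main__":
    # The result reflects what each endpoint negotiates with this client's
    # OpenSSL, not the Schannel configuration of the ENS server itself.
    for label, host in TARGETS:
        result = probe(host)
        for finding in assess(result):
            print(f"{label:38} {host:28} {result.version or '-':8} {finding}")
```

Run it from the ENS server toward Exchange and from the Exchange server toward ENS, since Table 2-3 requires port 443 in both directions.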
Upload the Root CA Certificate
To upload the root CA certificate to the Exchange server, perform the following steps:
1 Download the SSL certificate from the on-premises ENS server. Access the ENS Alive
endpoint in a browser and download the certificate from the address bar.
Note You must only download the root certificate issued by a trusted authority and signed
by an internal CA. For the cloud deployment, you can download the root certificate from
https://ens.getboxer.com/api/ens/alive, https://ens-eu.getboxer.com/api/ens/alive,
https://ens-apj.getboxer.com/api/ens/alive, or https://ens-uk.getboxer.com/api/ens/alive based on
your region, issued by VMware for your account.
For the on-premises deployment, download the root certificate and replace acme.com with
the resolved name or IP address of your ENS server.
2 Import this certificate on the Exchange Server into the Trusted Root Certification Authorities
through MMC.
3 ENS2 Deployment Options
You can deploy ENS2 as a cloud-hosted service or host your own ENS instance as an on-premises
installation.
ENS2 deployment methods are explained in the following sections.
- Deploying ENS2 as a cloud-hosted service with Office 365 or on-premises Exchange
- Deploying ENS2 as a cloud-hosted service with Office 365 or on-premises Exchange with
  SEGv2 proxy
- Deploying on-premises ENS2 with Office 365 or Exchange in a single and multidata center
- Deploying on-premises ENS2 with SEGv2 as the EWS proxy for Office 365 or Exchange in a
  single and a multidata center
Note Deploy ENS2 as a cloud-hosted service with Office 365 unless there is a requirement to
deploy on-premises ENS2 with Office 365 or Exchange in a single and multidata center or deploy
on-premises ENS2 with SEGv2 as the EWS proxy for Office 365 or Exchange in a single and a
multidata center.
ENS2 on-premises deployments can be used with multiple email servers concurrently, including
mixed-mode Exchange on-premises and Office 365 environments.
Deploying ENS2 as a Cloud-hosted Service with Office 365
or On-Premises Exchange
In this deployment scenario, ENS2 and Office 365 are in a cloud-hosted environment. To
subscribe to ENS2 and get email notifications, the external devices such as iOS, Android, and
so on, can access ENS2 and Office 365 through port 443.
In an on-premises Exchange setup, as shown in the following topology, to subscribe to ENS2
and get email notifications, the on-premises Exchange server can access ENS2 and Office 365
through port 443. ENS2 and the Exchange server interact with each other over port 443 through
the EWS protocol.
[Figure: deployment topology. Components shown: Internet, External Devices, Office 365, ENSV2, Datacenter 1 (DMZ with External Firewall and Load Balancer; Internal Network with Internal Firewall, Load Balancer and On Premises Exchange). Labels: Port 443; HTTP(s) 80/443 and iOS MDM Services 5223.]
Deploying ENS2 as a Cloud-hosted Service with Office 365
or On-Premises Exchange with SEGv2 Proxy
In this deployment scenario, ENS2 and Office 365 are in a cloud-hosted environment. To secure
your organization's email infrastructure, you can configure ENS2 with the SEGv2. When an
external device initiates a registration request to ENS2, ENS2 sends the request to SEG, and then
the request is routed to the Office 365. Any email exchanges or push notifications are routed
through the SEG proxy.
[Figure: deployment topology. Components shown: Internet, External Devices, Office 365, ENSV2, Datacenter 1 (DMZ with External Firewall, Load Balancer, WS1 Device Services, WS1 API, AW Console and SEGv2; Internal Network with Internal Firewall, Load Balancer and On Premises Exchange). Labels: Port 443; HTTP(s) 80/443 and iOS MDM Services 5223.]
On an on-premises setup, all traffic from ENS2 to the Exchange is routed through the SEG v2.
However, the Exchange server can directly interact with ENS2.
Deploying On-Premises ENS2 with Office 365 or Exchange
in a Single and Multidata Center
In a single data center ENS2 deployment scenario, as shown in the following topology diagram,
ENS2 is hosted on an on-premises network within the DMZ zone so that ENS2 is publicly
accessible. External devices such as iOS, Android, and so on, have access to ENS2 through port
443 to subscribe to ENS2 and get email notifications.
ENS database server can be hosted on the on-premises network behind the internal firewall and
ENS2 can communicate with ENS database through the internal firewall. ENS database server can
be scaled vertically to upgrade the capacity of the existing ENS database server.
[Figure: single data center topology. Components shown: Internet, Office 365, CNS, External Devices, Datacenter 1 (DMZ with External Firewall, Load Balancer and ENSV2; Internal Network with Internal Firewall, Load Balancer, ENS DB Server and On Premises Exchange). Labels: Port 443; HTTP(s) 80/443 and iOS MDM Services 5223.]
Note
- ENS application servers can be scaled horizontally.
- ENS application servers can have any transparent proxy or load balancer in front of the
  application server.
- ENS database servers are scaled vertically and not load balanced.
- ENS database HA/DR is supported through SQLAlwaysON.
The following topology shows ENS2 deployed in a multidata center, where there might be more
than one data center to support a failover. In every data center, for each instance of ENS, there
is always a paired instance of ENS database and each ENS database can host their own data. In
case, the data center 1 fails then the data center 2 becomes active to support failover scenarios.
[Figure: multidata center topology. Components shown: Internet, Office 365, CNS, External Devices, Datacenter 1 and Datacenter 2, each with a DMZ (External Firewall, Load Balancer, ENSv2) and an Internal Network (Internal Firewall, Load Balancer, ENS DB Server, On Premises Exchange). Labels: Port 443; HTTP(s) 80/443 and iOS MDM Services 5223.]
Note
- ENS application servers can be scaled horizontally.
- ENS application servers can have any transparent proxy or load balancer in front of the
  application server.
- ENS database servers are scaled vertically and not load balanced.
- ENS database HA/DR is supported through SQLAlwaysON.
Deploying On-Premises ENS2 with SEGv2 as the EWS Proxy
for Office 365 or Exchange in a Single and a Multidata
Center
In this deployment scenario, ENS2 is hosted on-premises and the SEG is installed in between the
external devices and the on-premises Exchange. All the EWS traffic coming from the external
devices must pass through the SEGv2 and then reach the on-premises Exchange. However, the
on-premises Exchange can directly communicate with ENS2.
[Figure: single data center topology with SEGv2. Components shown: Internet, Office 365, CNS, External Devices, Datacenter 1 (DMZ with External Firewall, Load Balancer, Device Services, API, AW Console, SEGv2 and ENSv2; Internal Network with Internal Firewall, Load Balancer, ENS DB Server and On Premises Exchange). Labels: Port 443; HTTP(s) 80/443 and iOS MDM Services 5223.]
The following topology shows ENS2 deployed in a multidata center, where there might be more
than one data center to support a failover. ENS2 is hosted on-premises and the SEG is installed
in between the external devices and the on-premises Exchange. All the EWS traffic coming from
the external devices must pass through the SEG and then reach the on-premises Exchange.
However, the on-premises Exchange can directly communicate with ENS2. In every data center,
for each instance of ENS2, there is always a paired instance of ENS database and each ENS
database can host their own data. In case, data center 1 fails then the data center 2 becomes
active to support failover scenarios.
[Figure: multidata center topology with SEGv2. Components shown: Internet, Office 365, CNS, External Devices, Datacenter 1 and Datacenter 2, each with a DMZ (External Firewall, Load Balancer, Device Services, API, AW Console, SEGv2, ENSv2) and an Internal Network (Internal Firewall, Load Balancer, ENS DB Server, On Premises Exchange). Labels: Port 443; HTTP(s) 80/443 and iOS MDM Services 5223.]
Note
- ENS application servers can be scaled horizontally.
- ENS application servers can have any transparent proxy or load balancer in front of the
  application server.
- ENS database servers are scaled vertically and not load balanced.
- ENS database HA/DR is supported through SQLAlwaysON.
Difference between ENS2 Cloud-hosted Deployment and
ENS2 On-Premises Deployment
The following table describes the benefits and limitations of deploying ENS2 through a cloud-
hosted service and an on-premises deployment.
ENS2 Cloud-hosted Deployment
Benefits of deploying ENS2 through a cloud-hosted service:
- Easiest method of deployment as no infrastructure or maintenance is required.
- Easily scalable as you can automatically scale up to meet the increasing demands of the user.
- ENS2 supports the Office 365 cloud strategy deployments.
Limitations of deploying ENS2 through a cloud-hosted service:
- ENS2 requires an internet-facing or proxied EWS endpoint (can be restricted to IP ranges) and
  the email data flows outside the organization network.

ENS2 On-Premises Deployment
Benefits of deploying ENS2 on-premises:
- Controls the upgrade cadence and can be deployed to the DMZ without exposing the Exchange
  Web Services (EWS).
Limitations of deploying ENS2 on-premises:
- Requires additional manual installation and maintenance of ENS2 and the CNS components.
- Requires periodic updates to stay updated.
- Environment scaling requires additional setup and maintenance.
- High availability requires additional installation and manual resource allocation.
- Requires additional licensing (Microsoft Windows Server and Microsoft SQL Server) and hardware.
4 Configure your Email Notification Service for Cloud Deployment
ENS2 can be deployed on a cloud-hosted service. This topic describes configuring ENS2 on a
cloud-hosted service.
Email Notification Service for Cloud
Use Workspace ONE UEM console to configure Workspace ONE Boxer for your cloud
deployment.
Prerequisites for Workspace ONE UEM Console 2101 and later
- Obtain the ENS2 server URL from VMware which is required to activate the ENS service using
  the Workspace ONE UEM console.
- The ENS cloud API token is obtained automatically and not shared by the VMware Support.
Prerequisites for Workspace ONE UEM Console 2011 and lower
- An API token and ENS2 server URL received from VMware is required to activate the ENS
  service using the Workspace ONE UEM console. To provision the ENS cloud API token,
  contact VMware Support.
- Ensure the ENS server certificate is available on the user's Exchange server.
To configure ENS2 and email related settings for Workspace ONE Boxer, see the Assign
Workspace ONE Boxer with Email Settings section in the Workspace ONE Boxer Admin Guide.
ENS Endpoints and IP Allowlist
The API endpoints supported by ENS2 are listed in this topic.
When using cloud ENS servers, you must ensure that the ENS is accessible from the Exchange or
Office 365 environment. The inbound IP addresses must be allowlisted to permit the ENS traffic
into Exchange or Office 365. The IP address is selected based on the region the ENS is hosted in.
The following table describes the Exchange server IP allowlist requirements.
Table 4-1. Exchange Server IP Allowlist Requirements
Location | API Endpoint | ENS Outbound to Exchange Inbound
North America | https://ens.getboxer.com/api/ens | 35.170.156.92, 52.203.205.147
Asia Pacific | https://ens-apj.getboxer.com/api/ens | 54.248.56.175, 54.249.212.171
European Union (EU) | https://ens-eu.getboxer.com/api/ens | 18.195.84.245, 18.196.197.192
United Kingdom (UK) | https://ens-uk.getboxer.com/api/ens | 3.10.97.61, 18.132.5.114
America (Federal) | https://ens.gc.workspaceone-gov.com/api/ens | 52.61.66.193, 15.200.44.192, 52.61.178.90
For information on the architecture design and functionality of ENS2, see the ENS2 Architecture
section in the Chapter 1 What is Email Notification Service? topic.
Note The Exchange CNS outbound connections are required when ENS is hosted on cloud
and on-premises deployment. VMware leverages the public cloud providers for the greatest
availability of services and cannot provide a static list of IPs. If there is a requirement to limit the
outbound connectivity, the following hostnames can be used. For ENS, use ens.getboxer.com,
ens-eu.getboxer.com, ens-uk.getboxer.com, and ens-apj.getboxer.com (based on the region in which
the ENS is used), and for CNS, use cns.awmdm.com. The outbound IP addresses must be
allowlisted from the Microsoft Exchange client access rules (including Office 365) and any other
firewall. This permits the outbound communication from the Exchange server into the ENS server.
You need not allowlist SEG IP addresses as all outbound connections from the Exchange server
go to the ENS server and not to the SEG EWS proxy.
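An allowlist built from Table 4-1 can be audited for gaps and for rules that admit more than the published addresses. The following is an added example, not part of the VMware documentation; the function name `audit_allowlist` and the sample rules in the usage lines are constructed here, and the addresses are copied from Table 4-1.

```python
import ipaddress
from typing import Dict, List

# "ENS Outbound to Exchange Inbound" addresses copied from Table 4-1.
ENS_OUTBOUND = {
    "North America": ["35.170.156.92", "52.203.205.147"],
    "Asia Pacific": ["54.248.56.175", "54.249.212.171"],
    "European Union (EU)": ["18.195.84.245", "18.196.197.192"],
    "United Kingdom (UK)": ["3.10.97.61", "18.132.5.114"],
    "America (Federal)": ["52.61.66.193", "15.200.44.192", "52.61.178.90"],
}


def audit_allowlist(region: str, rules: List[str]) -> Dict[str, list]:
    """Compare inbound allow rules (addresses or CIDRs) with the region's ENS addresses.

    Returns three lists:
      missing   - published ENS addresses that no rule admits
      unrelated - rules that admit none of the published addresses
      broad     - (rule, extra) pairs: rules that admit a published address
                  plus `extra` other addresses
    """
    published = [ipaddress.ip_address(a) for a in ENS_OUTBOUND[region]]
    networks = [ipaddress.ip_network(r, strict=False) for r in rules]

    report: Dict[str, list] = {
        "missing": [str(a) for a in published
                    if not any(a in net for net in networks)],
        "unrelated": [],
        "broad": [],
    }
    for rule, net in zip(rules, networks):
        hits = sum(1 for a in published if a in net)
        if hits == 0:
            report["unrelated"].append(rule)
        elif net.num_addresses > hits:
            report["broad"].append((rule, net.num_addresses - hits))
    return report


if __name__ == "__main__":
    # Constructed sample rules for a North America tenant.
    sample_rules = ["35.170.156.92", "52.203.0.0/16", "10.0.0.0/8"]
    print(audit_allowlist("North America", sample_rules))
```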
Subscribe to ENS2 Cloud System Status
You can subscribe to receive status updates on Workspace ONE Email Notification Service 2. To
subscribe for the ENS2 status updates, perform the following steps:
1 Log in to status.workspaceone.com.
2 Click Subscribe to Updates.
3 Select Workspace ONE Email Notification Service 2.
4 Select your Region.
Verify VMware Boxer Settings
Use Workspace ONE Boxer to verify your email connectivity.
After you have added the ENS configuration keys to VMware Boxer in Workspace ONE UEM,
check the Boxer settings on your device to confirm it has received these keys and that the ENS is
activated.
1 Open Boxer, tap the Settings icon and then select the appropriate email account.
2 In the email settings, verify that Use Push Service is enabled.
3 In the email settings, verify that Notifications displays Push as the default selection.
Results: If Use Push Service is enabled and Notifications displays Push, then the ENS is
activated.
5 Configure your Email Notification Service for On-Premises Deployment
You can configure ENS2 for an on-premises deployment. This topic explains how to configure
various versions of ENS2 in an on-premises environment.
Configuring ENS requires the installation of ENS2, followed by the configuration of Workspace
ONE Boxer. If your ENS version is older than 21.04, you must first configure CNS and download
the ENS configuration files before installing ENS2 and setting Workspace ONE Boxer for on-
premises.
Prerequisites
Before installing any version of ENS for your on-premises deployment, ensure that the following
prerequisites are met:
- Assign the db_owner role and public role to the SQL server user that is used for
  running the application. ENS supports any version of the SQL server. The database
  option must be selected for the external database and you must set the collation to
  SQL_Latin1_General_CP1_CI_AS. For more information on creating the Workspace ONE
  UEM database, see the Create the Workspace ONE UEM Database topic in the Installing
  Workspace ONE UEM guide.
- Set up the SQL Server AlwaysOn for active/active or active/passive setup for the high
  availability configuration. If you are using AlwaysOn, point to the availability group when
  selecting the database server during the ENS2 installation. See the Overview of Always On
  Availability Groups (SQL Server) topic for more information.
- Ensure that the ENS server certificate is available on the user's Exchange server. For more
  information, see Chapter 2 ENS2 Requirements and Prerequisites.
Note If your ENS version is 21.04 and later, you can skip the following section and see the
Install and Upgrade Email Notification Service 2 section. You must also ensure that the CNS
server IP addresses are allowed. For more information, see the CNS Server IP Allowlist section
in the ENS2 Requirements and Prerequisites topic.
Configure CNS and Download Email Notification Service
Configuration Files
For ENS versions prior to 21.04, before you install ENS in an on-premise deployment, you must
configure the Cloud Notification Service (CNS) and download the configuration .xml file using
the Workspace ONE UEM console.
Prerequisites
- Download the CNS public certificate from the CNS Public Certificate.
- Navigate to System > Advanced > Secure Channel Certificate and select Download CNS
  Secure Channel Certificate Installer if the UEM console is on-premises. Open a support ticket
  with the VMware Support and provide the secure channel certificate file through the support
  ticket.
Note To proceed with the ENS2, your console version must be 9.3 or later. If the Download
Installer is displayed when you are configuring and downloading the configuration files, then
your console version is less than 9.3 and this installer is for the earlier version of ENS. See the
VMware Email Notification Service Installation guide for instructions and detailed information.
1 Select the required Organization Group and navigate to Groups & Settings > All Settings.
2 From the System column, select Advanced, and then select Site URLs.
3 Optional: (On-premise UEM console only) From the site URLs values page, select Cloud
Notification Service URL and add the https://cns.awmdm.com/nws/notify/apns.
4 Optional: (On-premise UEM console only) - If the Workspace ONE UEM console is deployed
on-premise, then you must upload the CNS certificate.
a From the left navigation, select System > Security > SSL Pinning.
b Select ADD HOST. In the Add Pinned Host, enter the host as cns.awmdm.com.
c Select Upload and upload the CNS certificate you downloaded earlier.
5 From the Settings page, select Email and then select Email Notification.
6 To enable Email Notification, select Yes and then click Save.
After the settings are saved, the Download Configuration option is displayed.
7 Select Download Configuration.
8 Enter a password in Certificate Password to download the configuration.
Note The password is required to download the configuration and must be provided again
during the ENS installation.
9 Select Confirm Password, reenter the password, and click Download.
10 Save the archived .xml file to be accessible for the upload during the ENS installation.
Install and Upgrade Email Notification Service 2
To use the Email Notification Service 2 (ENS2), you must install the ENS on an IIS server.
Prerequisites
- Install IIS 7 or later on the Web Server.
- Update ASP.Net to v 4.6.2.
  Note If your ENS version is older than 21.04, you must download the config.xml file from
  the Workspace ONE UEM console. See the Configure CNS and Download Email Notification
  Service Configuration Files section.
- Ensure that an SSL certificate with a valid hostname is set up on the IIS server. This server
  should be externally accessible via https (SSL cert) and with a Fully Qualified Domain Name
  (FQDN).
- Create a new database and name it appropriately. If you are using SQL Server AlwaysOn, you
  can create availability group and listeners.
- The database account user must have privileges to access and modify the database.
To install ENS2:
1 Download the latest version of ENS2 installer from the Software section of the My Workspace
ONE portal.
2 Run the installer. The InstallShield Wizard opens and displays the License Agreement.
3 Select the I accept the terms in the license agreement check box and then click Next.
4 Click Next to install the components at the default location. If you want to install the
components at a custom location, click Change and browse and select your location.
5 If you are using an ENS version prior to 21.04, perform these steps.
a Click Browse and locate the config.xml file and then click Next.
b Click the Certificate Password text box and enter the certificate password you provided
when you downloaded the configuration file from the Workspace ONE UEM console, and
then click Next.
6 (Optional) On the AirWatch CNS Email Proxy Configuration window, provide the following
information:
a Check Enable CNS Proxy to configure the CNS proxy. Enter the Hostname/IP address
and the Proxy Port of the server.
b Select the authentication type:
- Anonymous - For the Anonymous authentication type, a user name and password are not
required.
- Basic/Windows - Enter User name and Password.
7 Click Next.
8 (Optional) On the AirWatch Signing Service Proxy Configuration window, provide the
AirWatch Signing Service proxy details for configuring the email server.
a Select Enable Proxy to configure the AirWatch Signing Service proxy. Enter the
Hostname/IP address and the Proxy Port of the server.
9 Click Next.
10 Select the target site on the Airwatch IIS configuration window.
11 On the Database Server window, enter the following information:
a Browse to select the database server where the database is located. Enter the IP address
or host name of the server if the server is not listed.
b Select Windows authentication or server authentication based on your authentication
configuration. If you select server authentication, enter the login ID and password.
c Enter the name of the database in the Name of the database catalog text box and click
Next.
- If the database has already been created, browse and select the existing database.
- If there is no existing database, enter a name for the new database, and the installer
will create and publish the database.
- You can configure using a single database configuration or with SQL AlwaysOn. The
following figure shows the single database configuration.
The below diagram shows the configuration using SQL Server AlwaysOn.
Note If you are using SQL Server AlwaysOn, you can configure the availability group
Listener URL here.
12 Enter the installation token key on the Authentication Token Information window.
Note The following steps do not apply when you are installing an ENS version prior to 21.04.
To generate a token, log in to MyWorkspaceONE and proceed with the following steps:
a Navigate to myWorkspaceONE > My Company.
b Select Certificate Signing Portal.
c Select Authorize Install.
d Select Generate a Token.
e Copy the token displayed on this page. You can also regenerate the token if required.
f Return to the installer and paste the copied token into the Installation Token text box.
13 Click OK to confirm and then click Install to start the installation.
14 Click Finish to complete the installation. After the installation is complete, an API token is
displayed in a text file.
15 Copy the API token.
Note This API token is required when configuring the Boxer application in the UEM console.
Use this value for the ENSAPIToken field.
Upgrade ENS2
You can upgrade from an older version of ENS2 to the latest version.
You must have the latest version of the installer on your system. Download the latest version of
ENS2 installer from the Software section of the My Workspace ONE portal.
The instructions to upgrade to the latest version of ENS2 are the same as the ENS2 installation
instructions. See the Install and Upgrade Email Notification Service 2 section in the Chapter 5
Configure your Email Notification Service for On-Premises Deployment topic.
Configure Workspace ONE Boxer for On-Premises
After you have installed the ENS2, you must configure the ENS2 related settings for Workspace
ONE Boxer on the Workspace ONE UEM console.
Prerequisites
The API token and ENS2 server URL are required to activate the ENS service using Workspace
ONE UEM console.
1 Select the required organization group.
2 Select Resources > Apps and then select the Public tab.
3 Select VMware Boxer.
4 Select Edit on the upper right corner of the page and then select the Assignment tab.
5 In the Application Configuration (Optional) section, add the required keys. The details of
the required keys to be added are listed in the Chapter 6 Configure ENS2 with Application
Configuration Values for Boxer topic.
6 Select Save & Publish and then select Publish on the next page. To verify the settings,
see the Verify VMware Boxer Settings section in the Chapter 4 Configure your Email
Notification Service for Cloud Deployment topic.
Migrate from ENS On-Premises Server to Cloud Server
This section describes the information required to migrate from the ENS on-premises server to
the cloud server.
Before you begin, ensure that the cloud ENS can access the Exchange server. For more
information, see the Email Notification Service for Cloud section in the Chapter 4 Configure
your Email Notification Service for Cloud Deployment topic. When you migrate from the
on-premise server to the cloud server, you must update the following Boxer profile configuration:
- Update the ENSLinkAddress to the appropriate cloud URL.
- Update the ENSAPIToken to the one provided for cloud.
When all the users migrate to the cloud server, ENS on-premise servers can be shut down.
During migration, the users can unregister from the on-premise ENS server and migrate to the
cloud ENS server.
Chapter 6 Configure ENS2 with Application Configuration Values for Boxer
You can configure settings for ENS2 using the configuration key and configuration value
provided by the Workspace ONE UEM.
ENS2 Application Configuration for Workspace ONE UEM Console Version 2101 or Later
For specific customers with Workspace ONE UEM version 2101 and later, the following
screenshot displays the ENS2 configuration in the Boxer app assignment page.
Note For Workspace ONE UEM version 2105 or later, by default, for all the users, the following
options appear in the Boxer app assignment page. For Workspace ONE UEM version 2101 or
later and Workspace ONE UEM version 2102 or lower, by default, for all the users, the following
options do not appear in the Boxer app assignment page. The displayed options are enabled
only for specific customers. If you do not see the displayed options in the Email Settings
screen, then switch to the Workspace ONE UEM 2011 or lower versions for ENS2 configuration
although you might be using Workspace ONE UEM version 2101 or lower.
The following table describes the ENS2 configuration options that are applicable for Workspace
ONE UEM console version 2101 or later.
Setting: ENS2 (Enable – Disable toggle)
Description: Activates or deactivates ENS2 in Workspace ONE Boxer.

Setting: ENS2 Server Address
Description: The URL address of the ENS2 server.
For Cloud ENS users, the address must be in the https://ens.getboxer.com/api/ens format. See
the ENS Endpoints and IP Allowlist section in the Chapter 4 Configure your Email Notification
Service for Cloud Deployment topic for a list of supported cloud ENS2 geo-specific endpoints.
For on-premises users, the address must be in the
https://mycompany.com/MailNotificationService/api/ens format. Here, mycompany.com is the IP
or domain name of your on-premises ENS2 server.
After entering the URL, click Retrieve Token.
If the Workspace ONE UEM console can communicate with the cloud ENS2 server referenced in
the ENS2 Server Address field, a notification confirms that the API token was generated and
retrieved.
If the Workspace ONE UEM console cannot communicate with the cloud ENS2 server and obtain
the API token, you might see an error notification. The error might be due to any of the
following reasons, although the cause is not limited to them:
- The URL entered might be incorrect. Check if the entered URL matches the actual ENS2 server
URL and correct it.
- You might be using an older version of the ENS which does not support this capability. You
must update to the latest version of ENS2.
- The ENS server might not be active. Check if the ENS2 alive endpoint is accessible at the
URL: <ENS2 Server Address>/alive. The URL can be opened in a user's Web browser. For example,
https://ens.getboxer.com/api/ens/alive.
- The required network ports might not be open on the on-premises Workspace ONE UEM console
and/or the on-premises ENS2 server. Depending on the URL provided for the ENS2 server address,
ensure that HTTPS (443) is open for outbound on the on-premises UEM console and inbound on
the on-premises ENS2 server. For the on-premises UEM console, you can check if the ENS2 alive
endpoint is accessible from the Windows Server on which the UEM console is installed.
- Due to a temporary network issue, the communication between the UEM console and the ENS
might be impaired. In such scenarios, the issue might resolve automatically, or you can retry
later. Refer to the ENSv2 logs for more information on the errors. See the Integrated Services
Logging and/or the Workspace ONE UEM console /API/MEM endpoint logs at Core Services Logging
to check the exact cause of the issue.
For any further assistance, reach out to VMware Support.

Setting: Notification Content
Description: Configure the information to be displayed in each incoming mail notification
alert.
The EWS URL configuration is optional, but it is recommended you configure the EWS URL. You
can configure the EWS URL in the Email Settings page as shown in the following screenshot.
For more information, see the Assign and Configure Workspace ONE Boxer Using the App
Assignment Page section in the Workspace ONE Boxer Admin Guide.
The following table describes the EWS URL option.
Setting: EWS URL
Description: Enables manual configuration of the Exchange Web Services (EWS) endpoint when
autodiscovery is deactivated in your email environment.
Supported format: https://[external_email_server_domain]/EWS/Exchange.asmx
Sample EWS URLs:
- https://e.mail.com/EWS/Exchange.asmx
- https://seg.dom.com/EWS/Exchange.asmx
- https://outlook.office365.com/EWS/Exchange.asmx
ENS2 Application Configuration for Workspace ONE UEM Console Versions 2008, 2010, and 2011
The following screenshot displays the ENS2 configuration in the Boxer app assignment page for
Workspace ONE UEM console versions 2008, 2010, and 2011.
The following table describes the ENS2 configuration options that are applicable for Workspace
ONE UEM console versions 2008, 2010, and 2011.
Setting: ENS2 (Enable – Disable toggle)
Description: Activates or deactivates ENS2 in Workspace ONE Boxer.

Setting: ENS2 Server Address
Description: The URL address of the ENS2 server.
For Cloud ENS users, the address must be in the https://ens.getboxer.com/api/ens format. See
the ENS Endpoints and IP Allowlist section in the Chapter 4 Configure your Email Notification
Service for Cloud Deployment topic for a list of supported cloud ENS2 geo-specific endpoints.
For on-premises users, the address must be in the
https://mycompany.com/MailNotificationService/api/ens format. Here, mycompany.com is the IP
or domain name of your on-premises ENS2 server.

Setting: ENS2 API token
Description: VMware provides the API token to activate the ENS service. For the ENS2
on-premises installation, the installer generates the ENS2 API token.
Sample API token - da848cc9340034843ecdjdad11048461q

Setting: Notification Content
Description: Configure the information to be displayed in each incoming mail notification
alert.
The EWS URL configuration is optional, but it is recommended you configure the EWS URL. You
can configure the EWS URL in the Email Settings page as shown in the following screenshot.
For more information, see the Assign and Configure Workspace ONE Boxer Using the App
Assignment Page section in the Workspace ONE Boxer Admin Guide.
The following table describes the EWS URL option.
Setting: EWS URL
Description: Enables manual configuration of the Exchange Web Services (EWS) endpoint when
autodiscovery is deactivated in your email environment.
Supported format: https://[external_email_server_domain]/EWS/Exchange.asmx
Sample EWS URLs:
- https://e.mail.com/EWS/Exchange.asmx
- https://seg.dom.com/EWS/Exchange.asmx
- https://outlook.office365.com/EWS/Exchange.asmx
ENS2 Application Configuration for Workspace ONE UEM Console Versions 2004, 2005, 2006, and 2007
The following screenshot displays the ENS2 configuration in the Boxer app assignment page for
Workspace ONE UEM console versions 2004, 2005, 2006, and 2007.
The following table describes the ENS2 configuration options that are applicable for Workspace
ONE UEM console versions 2004, 2005, 2006, and 2007.
Setting: ENS2 Server Address
Description: The URL address of the ENS2 server.
For Cloud ENS users, the address must be in the https://ens.getboxer.com/api/ens format. See
the ENS Endpoints and IP Allowlist section in the Chapter 4 Configure your Email Notification
Service for Cloud Deployment topic for a list of supported cloud ENS2 geo-specific endpoints.
For on-premises users, the address must be in the
https://mycompany.com/MailNotificationService/api/ens format. Here, mycompany.com is the IP
or domain name of your on-premises ENS2 server.

Setting: ENS2 API token
Description: VMware provides the API token to activate the ENS service. For the ENS2
on-premises installation, the installer generates the ENS2 API token.
Sample API token - da848cc9340034843ecdjdad11048461q

Setting: ENS2 (Enable – Disable toggle)
Description: Activates or deactivates ENS2 in Workspace ONE Boxer.

Setting: EWS URL
Description: Enables manual configuration of the Exchange Web Services (EWS) endpoint when
autodiscovery is deactivated in your email environment.
Supported format: https://[external_email_server_domain]/EWS/Exchange.asmx
Sample EWS URLs:
- https://e.mail.com/EWS/Exchange.asmx
- https://seg.dom.com/EWS/Exchange.asmx
- https://outlook.office365.com/EWS/Exchange.asmx

Setting: Notification Content
Description: Configure the information to be displayed in each incoming mail notification
alert.
ENS2 Application Configuration for Workspace ONE UEM Console Version 2003 or Lower
The following screenshot displays the ENS2 configuration keys and value types applicable for
Workspace ONE UEM console version 2003 or lower.
The following table lists the application configuration keys and the configuration values for ENS2
that are applicable for Workspace ONE UEM console version 2003 or lower.
Configuration Key: ENSLinkAddress
Value Type: String
Configuration Value: Supported format: https://ens.getboxer.com/api/ens
Replace ens.getboxer.com with the resolved name or IP provided by VMware based on your region.
Sample link address:
- For AMER - https://ens.getboxer.com/api/ens
- For APAC - https://ens-apj.getboxer.com/api/ens
- For EMEA - https://ens-eu.getboxer.com/api/ens
- For UK - https://ens-uk.getboxer.com/api/ens
Description: The URL address of the ENS server. Provide the address for the ENS2 system for
your users to connect. For Cloud customers, the address must be
https://ens.getboxer.com/api/ens (or any of the ENS Cloud URLs or API endpoints). For
on-premises users, the address must be in the following format:
https://mycompany.com/MailNotificationService/api/ens. Here, mycompany.com is the IP or
domain name of your ENS server.

Configuration Key: ENSAPIToken
Value Type: String
Configuration Value: Sample API token - da848cc9340034843ecdjdad11048461q
Description: VMware provides the API token to activate the ENS service. For the on-premises
installation, the on-premises installer creates this token.

Configuration Key: AccountNotifyPush
Value Type: Boolean
Configuration Value:
False - disable (default)
True - enable
Description: Enables ENS for the account.

Configuration Key: EWSUrl
Value Type: String
Configuration Value: Supported format: https://[external_email_server_domain]/EWS/Exchange.asmx
Sample EWS URL:
- https://e.mail.com/EWS/Exchange.asmx
- https://seg.dom.com/EWS/Exchange.asmx
Description: Enables manual configuration of the Exchange Web Services (EWS) endpoint when
autodiscovery is deactivated in your Exchange environment.

Configuration Key: PolicyLimitNotificationText
Value Type: Integer
Configuration Value:
0 - sets notification to sender, subject, and preview.
1 - sets notification to sender and subject (default).
2 - sets notification to sender.
3 - sets notification to a generic message (new message).
4 - sets notification to none (only the badge is updated).
Description: To configure the ENS notification policy for Workspace ONE Boxer, add this key
value pair. When configured, Workspace ONE Boxer immediately resubscribes to the ENSv2 and
the notification policy is updated as per the set key value.
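The key table above, together with the ENS2 Server Address formats and the <ENS2 Server Address>/alive check from the earlier settings tables, can be turned into a pre-publish linter for a Boxer application configuration. This is an added example, not VMware code; the function names, the choice to treat any host not listed on this page as on-premises, and the constructed sample values are assumptions.

```python
from urllib.parse import urlsplit

# Value type per configuration key, as listed in the table.
EXPECTED_TYPES = {
    "ENSLinkAddress": str,
    "ENSAPIToken": str,
    "AccountNotifyPush": bool,
    "EWSUrl": str,
    "PolicyLimitNotificationText": int,
}
# Cloud ENS hosts that appear on this page (AMER, APAC, EMEA, UK, federal).
CLOUD_HOSTS = {
    "ens.getboxer.com", "ens-apj.getboxer.com", "ens-eu.getboxer.com",
    "ens-uk.getboxer.com", "ens.gc.workspaceone-gov.com",
}
CLOUD_PATH = "/api/ens"
ONPREM_PATH = "/MailNotificationService/api/ens"
EWS_PATH = "/ews/exchange.asmx"  # compared case-insensitively
DOC_SAMPLE_TOKEN = "da848cc9340034843ecdjdad11048461q"  # sample printed in the guide

# Constructed sample: mistakes a reviewer should catch before publishing.
SAMPLE_CONFIG = {
    "ENSLinkAddress": "http://mycompany.com/api/ens",
    "ENSAPIToken": DOC_SAMPLE_TOKEN,
    "AccountNotifyPush": "true",
    "EWSUrl": "https://e.mail.com/EWS",
    "PolicyLimitNotificationText": 7,
}


def _split_https(url):
    """Return (host, path) for an https URL that names a host, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower(), parts.path.rstrip("/")


def alive_url(ens_link_address):
    """Build the '<ENS2 Server Address>/alive' health-check URL."""
    return ens_link_address.rstrip("/") + "/alive"


def lint_boxer_ens_config(config):
    """Return a list of findings for a dict of Boxer application configuration keys."""
    findings, typed = [], {}
    for key, expected in EXPECTED_TYPES.items():
        if key not in config:
            continue
        value = config[key]
        # bool is a subclass of int in Python: True must not pass as an Integer.
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            findings.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        else:
            typed[key] = value

    # The server URL and API token are both required to activate the service.
    for required in ("ENSLinkAddress", "ENSAPIToken"):
        if required not in config:
            findings.append(f"{required}: missing")

    if "ENSLinkAddress" in typed:
        split = _split_https(typed["ENSLinkAddress"])
        if split is None:
            findings.append("ENSLinkAddress: must be an https:// URL with a host")
        else:
            host, path = split
            wanted = CLOUD_PATH if host in CLOUD_HOSTS else ONPREM_PATH
            if path != wanted:
                findings.append(f"ENSLinkAddress: path for {host} should be {wanted}")

    token = typed.get("ENSAPIToken")
    if token is not None:
        if not token.strip():
            findings.append("ENSAPIToken: empty")
        elif token == DOC_SAMPLE_TOKEN:
            findings.append("ENSAPIToken: still the sample token from the documentation")

    if "AccountNotifyPush" not in config or typed.get("AccountNotifyPush") is False:
        findings.append("AccountNotifyPush: not True, so ENS stays disabled (default False)")

    if "EWSUrl" in typed:
        split = _split_https(typed["EWSUrl"])
        if split is None or split[1].lower() != EWS_PATH:
            findings.append("EWSUrl: expected https://<host>/EWS/Exchange.asmx")

    policy = typed.get("PolicyLimitNotificationText")
    if policy is not None and policy not in range(5):
        findings.append("PolicyLimitNotificationText: must be 0, 1, 2, 3 or 4")
    return findings


if __name__ == "__main__":
    for finding in lint_boxer_ens_config(SAMPLE_CONFIG):
        print(finding)
```

A cloud endpoint that is not listed on this page is reported as an on-premises path mismatch; add its host to CLOUD_HOSTS once it is confirmed against the ENS Endpoints and IP Allowlist section.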
Chapter 7 Migrate from FedRAMP ENS On-Premises Server to Cloud Server
Before you begin the migration, ensure that the cloud ENS server can access the Exchange
server. To verify the access, permit two-way communication between the ENS cloud server and
the Exchange server.
When you migrate from the ENS on-premises server to the cloud server, update the following
Boxer profile configuration in the Workspace ONE UEM console Boxer app settings:
- Update the ENSLinkAddress to the appropriate cloud URL.
- Update the ENSAPIToken with the token provided for cloud.
Note To migrate from FedRAMP ENS on-premises server to the cloud server, you must update
the AMER Federal URL. Contact VMware Support to receive the ENSAPIToken. VMware provides
the API token to activate the ENS service.
During migration, the users must unregister from the on-premises ENS server and migrate to
the cloud ENS server. After all users migrate to the cloud server, you can shut down the ENS
on-premises server.
All users must resubscribe their devices after migrating from on-premises ENS to cloud ENS.
When a new Boxer profile is pushed to the device, Boxer sends a new register device request to
the ENS cloud based on the updated ENSLinkAddress URL.
Note If users are unable to unsubscribe from the previous ENS server, that is the on-premises
ENS server, then users might start receiving duplicate notifications for the new emails. Therefore,
you must deactivate the on-premises ENS server to ensure users are not receiving duplicate
notifications.
ENS2 Application Configuration for Workspace ONE UEM Console Versions 2008, 2010, and 2011
The following screenshot displays the ENS2 configuration in the Boxer app assignment page for
Workspace ONE UEM console versions 2008, 2010, and 2011.
The following table describes the ENS2 configuration options that are applicable for Workspace
ONE UEM console versions 2008, 2010, and 2011.
Setting: ENS2 (Enable – Disable toggle)
Description: Activates or deactivates ENS2 in Workspace ONE Boxer.

Setting: ENS2 Server Address
Description: For ENS2 to communicate with the federal services, use the following URL:
https://ens.gc.workspaceone-gov.com/api/ens

Setting: ENS2 API token
Description: VMware provides the API token to activate the ENS service. For the ENS2
on-premises installation, the installer generates the ENS2 API token.
Sample API token - da848cc9340034843ecdjdad11048461q

Setting: Notification Content
Description: Configure the information to be displayed in each incoming mail notification
alert.
The EWS URL configuration is optional, but it is recommended you configure the EWS URL. You
can configure the EWS URL in the Email Settings page as shown in the following screenshot.
For more information, see the Assign and Configure Workspace ONE Boxer Using the App
Assignment Page section in the Workspace ONE Boxer Admin Guide.
The following table describes the EWS URL option.
Setting: EWS URL
Description: Enables manual configuration of the Exchange Web Services (EWS) endpoint when
autodiscovery is deactivated in your email environment.
Supported format: https://[external_email_server_domain]/EWS/Exchange.asmx
Sample EWS URLs:
- https://e.mail.com/EWS/Exchange.asmx
- https://seg.dom.com/EWS/Exchange.asmx
- https://outlook.office365.com/EWS/Exchange.asmx
Chapter 8 Configure SEG as EWS Proxy for ENS
Monitor compliance of the client with the ENS2 environment so that ENS2 together with SEG V2
can block or unblock a client depending on the compliance criteria of the client.
Background
Currently, when a mobile device is enterprise wiped or removed from the Workspace ONE UEM
console, the client unregisters from the ENS2 environment. For example, when an enterprise
wipe command is sent to iOS Boxer, the device tries to unregister until it is successful.
However, this is not an ideal scenario as there is a dependency on the device to unregister
from the ENS2 environment.
Integration with SEG V2
The SEG V2 protects the email configuration of the client and enables MEM functionality by
monitoring the compliance of the device against the configuration in the Workspace ONE UEM
console. With the integration of ENS2 and SEG V2, you can block requests to a device and
control the client, based on the compliance criteria specified in the Workspace ONE UEM
console. The following is a high-level diagram showing the interaction between ENS2 and
Exchange with SEG V2 as the proxy.
In addition to the compliance scenario, you can use SEG V2 as a proxy when the Exchange Web
Service (EWS) endpoint is not publicly available. The EWS proxy allows devices to subscribe
to the EWS subscriptions through the SEG V2 server instead of publicly exposing the EWS
endpoint.
SEG V2 supports both cloud and on-premises ENS deployments. SEG V2 listens to the EWS
traffic from ENS using the EWS endpoints. SEG applies the MEM compliance policies on the
incoming requests and proxies the requests to Exchange. See the Configure ENS2 with SEG
section in the Chapter 8 Configure SEG as EWS Proxy for ENS topic.
Supported Exchange Web Service Authentication Methods for SEG Proxy
The Exchange Active Sync (EAS) authentication method used with Boxer must match the EWS
authentication method, as ENS implicitly uses the authentication method used by Boxer. SEG as
EWS proxy supports basic authentication, certificate-based authentication (CBA) with KCD, and
modern authentication (OAuth) types and does not support the New Technology LAN Manager
(NTLM) authentication type.
Certificate-based authentication using KCD is supported. If your deployment utilizes CBA using
KCD, SEG acquires the Kerberos token (from KCD) required for the Exchange authentication.
The authentication method for EAS and Exchange Web Service (EWS) protocol must match for
SEG to work correctly.
For more information, see the Configure SEG V2 Compliance for Email Notification Service
topic in the Secure Email Gateway (SEG) V2 guide.
Supported Servers for Exchange Web Service and ActiveSync
If you have different fully qualified domain names (FQDNs) for the Exchange Web Service
(EWS) and ActiveSync endpoints, it is recommended you upgrade to SEG version 2.12
or later. In this SEG version, you can provide a different hostname and uncomment the
ews.email.server.host.and.port=https://example.com:443 property for EWS flows.
Note If you provide a different hostname, SEG still uses the server timeout,
ignoreSslErrorsWithExch, and other settings from the EAS email server configuration
provided in the MEM configuration for the email server client. If the EWS server is using a
self-signed certificate, then you need to add the self-signed certificate to the Java
trustStore before the SEG installation or you need to rerun the SEG installer.
For SEG versions before 2.12, the only option available is to have two different MEM
configurations and two different SEG servers to proxy traffic. One SEG can serve one email
server address or FQDN. However, if the EWS and ActiveSync endpoints are hosted on the same
email server address or FQDN, the same SEG server can proxy both EWS and ActiveSync traffic.
Configure ENS2 with SEG
The following procedure describes the steps to configure ENS2 with SEG.
1 Navigate to SEG > Configuration.
2 Select the application.properties file and edit the file.
3 Select the enable.boxer.ens.ews.proxy value and update the value to
enable.boxer.ens.ews.proxy=true.
4 Restart the SEG service. SEG receives the /EWS and /ews endpoints for traffic from the ENS.
Configure SEG for Authentication
If you are using basic authentication only, and the EWS endpoint is configured to allow NTLM
authentication, ensure the SEG version is 2.9.0.1 and validate the remove.unsupported.auth
configuration in SEG using the following procedure:
1 Navigate to SEG > Configuration folder using file explorer.
2 Select the application.properties file and edit the file.
3 Check if the remove.unsupported.auth.for.ews value is true if NTLM authentication is
enabled on Exchange, as SEG does not support NTLM connection persistence. If you do not
see an entry for remove.unsupported.auth.for.ews then the SEG version is not 2.9.0.1.
Ensure the SEG version is 2.9.0.1.
4 Verify the SEG version and save the file.
Results: In the SEG application.properties file, setting
remove.unsupported.auth.for.ews=true removes the unsupported WWW-Authenticate
headers from the EWS response sent to the ENS through SEG. The NTLM and the
Negotiate headers are removed from the EWS response. SEG does not support NTLM connection
persistence, so the NTLM header is not supported. The Negotiate WWW-Authenticate header is
removed in the absence of a valid client certificate, that is, when the userPrincipalName
(UPN) is null. In the absence of Kerberos authentication, the Negotiate header can be
considered as NTLM authentication.
Note If you enable both basic and Kerberos authentication and the client fails to present a valid
client certificate, then the SEG removes the Negotiate header and requests you to authenticate
using basic authentication. In such scenarios, the client is forced to use basic authentication
only. If the client does not have basic authentication configured, then the client fails to
receive a successful response. When the client presents a valid certificate, the SEG generates
a Kerberos token and proceeds with the Negotiate authentication.
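The three application.properties settings named in this chapter (enable.boxer.ens.ews.proxy, remove.unsupported.auth.for.ews, and ews.email.server.host.and.port) can be audited from the file text before the SEG service is restarted. This is an added example, not part of SEG; the function names, the two deployment flags passed by the caller, and the constructed sample file are assumptions, and the parser handles only the plain key=value form.

```python
import re

# Constructed sample of a SEG application.properties file (not from a real install).
SAMPLE_PROPERTIES = """\
# constructed sample
enable.boxer.ens.ews.proxy = true
remove.unsupported.auth.for.ews=false
#ews.email.server.host.and.port=https://example.com:443
"""

# key=value or key:value, optionally commented out with '#' or '!'.
_ENTRY = re.compile(r"^\s*(?P<off>[#!]\s*)?(?P<key>[\w.\-]+)\s*[=:]\s*(?P<value>.*?)\s*$")

PROXY_KEY = "enable.boxer.ens.ews.proxy"
STRIP_AUTH_KEY = "remove.unsupported.auth.for.ews"
EWS_HOST_KEY = "ews.email.server.host.and.port"


def parse_properties(text):
    """Return (active, commented): key -> value for live and commented-out entries."""
    active, commented = {}, {}
    for line in text.splitlines():
        match = _ENTRY.match(line)
        if match:
            bucket = commented if match.group("off") else active
            bucket[match.group("key")] = match.group("value")
    return active, commented


def audit_seg_ews_proxy(text, ntlm_enabled_on_exchange=False, separate_ews_fqdn=False):
    """Check the ENS-related SEG settings described in this chapter.

    ntlm_enabled_on_exchange: basic authentication is used and the EWS endpoint
        also allows NTLM (the case covered by Configure SEG for Authentication).
    separate_ews_fqdn: EWS and ActiveSync are served from different FQDNs.
    """
    active, commented = parse_properties(text)
    findings = []

    if active.get(PROXY_KEY, "").lower() != "true":
        findings.append(f"{PROXY_KEY} is not true: SEG is not set up as EWS proxy for ENS")

    if ntlm_enabled_on_exchange:
        if STRIP_AUTH_KEY not in active:
            # The page ties a missing entry to a SEG version other than 2.9.0.1.
            findings.append(f"{STRIP_AUTH_KEY} has no entry: check the SEG version")
        elif active[STRIP_AUTH_KEY].lower() != "true":
            findings.append(
                f"{STRIP_AUTH_KEY} is not true: NTLM/Negotiate headers are not "
                "removed from EWS responses"
            )

    if separate_ews_fqdn:
        if EWS_HOST_KEY in active:
            value = active[EWS_HOST_KEY]
            if not value.lower().startswith("https://"):
                findings.append(f"{EWS_HOST_KEY} should be an https:// host and port")
            elif "example.com" in value.lower():
                findings.append(f"{EWS_HOST_KEY} still holds the example.com placeholder")
        elif EWS_HOST_KEY in commented:
            findings.append(f"{EWS_HOST_KEY} is still commented out")
        else:
            findings.append(f"{EWS_HOST_KEY} has no entry: a separate EWS host needs SEG 2.12 or later")
    return findings


if __name__ == "__main__":
    for finding in audit_seg_ews_proxy(SAMPLE_PROPERTIES, True, True):
        print(finding)
```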
Chapter 9 Configure Certificate-Based Authentication for ENS
ENS supports certificate-based authentication (CBA) and dual authentication. The dual
authentication is a combination of basic authentication and certificate-based authentication.
For ENS, you must configure the Boxer application with certificate-based authentication for
Exchange server and enable certificate-based authentication for the EWS endpoint. ENS uses
the same certificate that the Boxer application receives for the authentication purpose. ENS must
ensure that the EWS endpoint can validate the certificates used by the Boxer application.
Note When you configure SEG as the EWS Proxy for ENS, the authentication to the EWS
endpoint is through Kerberos and not certificate-based authentication.
Prerequisites
Configure the Boxer application with CBA and enable CBA for the EWS endpoint. For more
information about configuring CBA for Workspace ONE Boxer, see the Workspace ONE Boxer
Admin Guide documentation.
1 Push the certificate with Boxer profile from the Workspace ONE UEM console to the
Workspace ONE Boxer.
2 Register your device with the ENS server and send the certificate from Workspace ONE
Boxer.
3 Send certificate from ENS to the Exchange server and establish the push subscription.
Configure ENS2 for Certificate-Based Authentication
When you configure ENS2 for Workspace ONE Boxer and want to use Certificate-Based
Authentication (CBA) for authentication, you must follow the steps listed in this section for ENS2
to work with CBA.
1 Configure Workspace ONE Boxer to use CBA. See the Configure Certificate-Based
Authentication on the Exchange Server section in the Chapter 9 Configure Certificate-Based
Authentication for ENS topic.
2 Change the appropriate settings to ensure that CBA is supported for the EWS endpoint
and for EAS on the on-premise Exchange Server. See the Using Office 365 with ENS2 and
Certificate-Based Authentication section and the Configure Certificate-Based Authentication
on the Exchange Server section in the Chapter 9 Configure Certificate-Based Authentication
for ENS topic.
3 If you are using Secure Email Gateway V2 (SEG V2), see the Secure Email Gateway V2 guide
for information on the changes that are required on the SEG server.
Configure Certificate-Based Authentication on the Exchange Server
You can enable certificate-based authentication (CBA) for Exchange Active Sync (EAS) on the
Exchange Server (for TLS testing) by modifying specific values on the IIS server. Office 365 or
Exchange online does not directly support certificate-based authentication. You must set up dual
authentication, that is, modern authentication and CBA, to set up certificate-based
authentication for Office 365. You must have Active Directory Federation Service (ADFS) set up
to do certificate-based authentication. Office 365 authenticates through the modern
authentication, and the certificate is presented to the ADFS for authentication.
In the Boxer profile, certificate-based authentication with modern authentication can be enabled
using the AccountUseOauth configuration key. See the Allow Certificate-Based Authentication
with Modern Authentication in Standalone Mode topic in the Workspace ONE Boxer Admin Guide
for more details.
1 From the IIS console, navigate to the EWS endpoint and ensure the EWS endpoint accepts
the client certificates.
2 For client certificates to be allowed on the Exchange server, the Exchange server must have
Active Directory Client Certificate Authentication installed and enabled in IIS.
Using Office 365 with ENS2 and Certificate-Based Authentication
If you are using Office 365 and want to perform certificate-based authentication (CBA), you must
enable certain settings in the Workspace ONE Boxer profile.
Office 365 or Exchange online does not directly support certificate-based authentication. You
must set up dual authentication, that is, modern authentication and CBA, to set up certificate-
based authentication for Office 365. You must have Active Directory Federation Service (ADFS)
set up to perform certificate-based authentication. Office 365 authenticates through the modern
authentication, and the certificate is presented to ADFS for authentication.
You must also enable modern authentication and certificate-based authentication using the
AccountUseOauth setting in the Workspace ONE Boxer profile. See the Workspace ONE Boxer
Admin Guide documentation for more details.
Supported EWS Authentication Methods with Office 365
The following EWS authentication methods are supported with Office 365:
- OAuth 2.0 (Exchange Online only)
- NTLM (Exchange On-premises only)
- Basic (no longer recommended)
Refer to the relevant Microsoft Office 365 documentation for more details.
Troubleshooting ENS
10
This topic lists the various troubleshooting procedures for ENS.
ENS2 Resubscription and Badge Count Accuracy Limitations
ENS2 uses Exchange Web Services (EWS) subscriptions to notify the Boxer application of any changes in an end user's mailbox, including email notifications. The Boxer application initiates these subscriptions with the ENS, and the ENS subscribes the user's account with the EWS. The EWS is responsible for informing the ENS when there is a change in a user's mailbox. The subscriptions have a limited lifetime due to mailbox moves, throttling, and so on. Exchange can drop the EWS push subscriptions; these drops are triggered by Exchange, and the ENS does not have control over the subscription lifetime. The EWS sends notification updates to the Boxer only while the EWS subscription is active and alive.
To keep these subscriptions alive, the Boxer application has a check-in mechanism which
validates if an EWS subscription is alive. In addition, the ENS2 is listening for status updates
from the EWS. If the ENS2 does not receive a status update from the EWS, the ENS2 can send
the Boxer a silent push notification to check in with the EWS.
The following figure describes the ENS resubscription process flow.
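[Figure: ENS resubscription process flow. Components: ENS servers (on-premises or cloud), AW CNS, Microsoft Exchange EWS, APNS, and AWS SNS. The numbered steps 1 through 6 are described in the following list.]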
1 The EWS sends a heartbeat signal to the ENS every 15 minutes.
2 The ENS sends an acknowledgement to the EWS that the heartbeat signal is received.
3 The ENS checks that the heartbeat signal is received every 30 minutes from the EWS.
4 If the ENS does not receive a heartbeat signal, the ENS2 sends a silent notification to the
Boxer application to initiate the resubscription process.
5 The Boxer application initiates a resubscription process on receiving a silent notification.
6 The Boxer application proactively checks the EWS subscription status with the ENS server to
ensure the continuous delivery of notifications.
ENS2 requests that Exchange send a heartbeat to indicate that a subscription is alive. When ENS2 does not receive a heartbeat, ENS2 detects a drop in subscription from the EWS. If the subscription is not established and users are not receiving the ENS notifications, the users can manually trigger a resubscription. To trigger a resubscription, or if you do not receive ENS notifications after you migrate from on-premises ENS to cloud ENS, change the notification sound in the email account settings section of the Boxer settings as shown in the following image.
The check-in mechanism used by ENS2 requires intervention from Boxer to renew the EWS subscriptions because the user's credentials are required to open the subscription. These credentials are not stored in ENS. The functionality of ENS2 also depends on the Apple Push Notification Service (APNS) to deliver silent notifications to the device.
The following list describes the dependencies of the ENS2 on the EWS and APNS.
- If the Boxer application is active and receives a silent notification, the Boxer application attempts to resubscribe. When the Boxer application receives a silent notification, it sends a resubscription request to the EWS using the employee credentials.
- iOS can stop the Boxer process without any warning for various reasons. In such scenarios, the end users might still see Boxer in the App Scroll of an iOS device even though the Boxer process is stopped. The Boxer application has no control over this process, and this state is called a killed state. If the Boxer application is in a killed state when it receives a silent notification, the Boxer application cannot resubscribe, so the user can experience loss of notifications until the user opens the Boxer application. Opening the Boxer application triggers the ENS subscription again, and the user starts receiving notifications.
- The end user might experience an inaccurate badge count between the time the subscription is lost and the time the Boxer application resubscribes.
The following list describes the badge count accuracy limitations on the Boxer application:
- Sync window - The ENS checks the Inbox folder without applying the sync period, whereas the unread messages in Boxer are limited to the sync period. So, the users might have unread messages outside the sync window in the Inbox folder. The ENS reports these messages as unread while the user might not see these unread email messages in the Inbox.
- Boxer application dependency on resubscription - When the ENS is going through resubscription, the ENS does not receive any notification or badge count. During this period, the ENS does not have the updated badge count.
- Unmanaged accounts - When the user has both managed and unmanaged accounts, like the Exchange account and Gmail account, the badge counts are not handled correctly.
- Comparison with Outlook on Mac devices - Outlook on Mac devices shows certain emails as read whereas the same emails show as unread when opened using Boxer or Outlook for Web Access (OWA). So, the badge count is incorrect when compared with Outlook on Mac devices.
Troubleshooting Accessibility Issues to the ENS Server from a Cloud ENS
Problem: Check if the cloud ENS is accessible from the ENS server and confirm if the ENS server
is accessible from the CAS or the Mailbox server.
1 Access the following URL in a browser on all CAS or mailbox servers:
https://{ENS cloud URL}/api/ens/alive.
2 Select the ENS cloud URL based on your region.
| Region | ENS Cloud URL |
|---|---|
| North America | https://ens.getboxer.com/api/ens |
| Asia Pacific | https://ens-apj.getboxer.com/api/ens |
| European Union (EU) | https://ens-eu.getboxer.com/api/ens |
| United Kingdom | https://ens-uk.getboxer.com/api/ens |
Results:
For example, if you enter https://ens.getboxer.com/api/ens/alive you must receive the following response:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">ens.getboxer.com is alive Version = 1.5.257.10706 Environment = Productio InstanceId = i - 042168040ee9293ac </string>
If you are unable to see a similar response, then allowlist the IP addresses and endpoints and validate the connection to the ENS server. To see the supported ENS2 API endpoints and to receive status updates on ENS2, refer to the ENS Endpoints and IP Allowlist and Subscribe to ENS2 Cloud System Status sections in the Chapter 4 Configure your Email Notification Service for Cloud Deployment topic.
Troubleshooting Accessibility Issues to the ENS Server from an On-Premises Installation
Problem: ENS version 1.10 and later installations fail because the ENSCertificateManager is unable
to communicate through proxy.
Support for proxy is added in the ENSCertificateManager service. As a workaround, you must deactivate the proxy while installing ENS so that the service communicates directly with signing.awmdm.com. ENS does not communicate with signing.awmdm.com after the installation, and ENS functions normally.
Problem: Check if the ENS server is accessible on an on-premises setup and is receiving the
request. After an on-premises ENS installation, confirm that the ENS is installed and running on
the ENS server.
1 Navigate to the following URL in a web browser on the same server where ENS is installed. The URL uses localhost as follows: https://localhost/MailNotificationService/api/ens/alive. To check from outside the ENS server, use http://{ENS server public url}/MailNotificationService/api/ens/alive and https://{ENS server public url}/MailNotificationService/api/ens/alive. You must be able to view the following response:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/"> is alive. Version = 1.5.7249.1115 Enviroment = OnPRem InstanceId = A1 </string>
2 If you have an issue with the HTTPS traffic on port 443, confirm that a certificate is imported and that port 443 is bound to the website.
Result:
Confirm that the ENS is receiving the request from outside (for example, receiving the request from a browser when you reach the alive endpoint). When you verify the ENS alive endpoint, IIS logs are generated. The IIS logs are by default stored at the following path: %SystemDrive%\inetpub\logs\LogFiles. If you do not find the logs at the default path, then the logs for your IIS might be stored at a different location. To get the path for the IIS logs, check the following link: Managing IIS Log File Storage.
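The alive responses shown for the cloud and on-premises checks are a plain status string wrapped in a Microsoft serialization `<string>` element. The following parser is an added example, not VMware code: it turns a saved response body into fields and rejects bodies that only look healthy, such as an HTML sign-in page returned by a proxy. The names `parse_alive` and `check_alive`, the size limit, and the second URL in the usage are assumptions of the example; the two sample bodies are the ones shown in this chapter.

```python
import re
import xml.etree.ElementTree as ET

SERIALIZATION_NS = "http://schemas.microsoft.com/2003/10/Serialization/"
MAX_BODY = 4096  # assumption: a genuine alive response is a few hundred bytes

# Field names as they appear in the response text. The on-premises sample in
# this chapter spells "Environment" as "Enviroment", so both are accepted.
FIELD = re.compile(r"\b(Version|Environment|Enviroment|InstanceId)\s*=\s*")
KEY_NAMES = {"Version": "version", "Environment": "environment",
             "Enviroment": "environment", "InstanceId": "instance_id"}

# Constructed inputs: the two bodies shown in this chapter, without the
# "This XML file does not appear to have any style information" banner,
# which the browser adds and which is not part of the HTTP response.
CLOUD_SAMPLE = (
    '<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">'
    "ens.getboxer.com is alive Version = 1.5.257.10706 Environment = Productio "
    "InstanceId = i - 042168040ee9293ac </string>"
)
ONPREM_SAMPLE = (
    '<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/"> '
    "is alive. Version = 1.5.7249.1115 Enviroment = OnPRem InstanceId = A1 "
    "</string>"
)


def parse_alive(body):
    """Parse an /api/ens/alive response body into a dict of fields.

    Raises ValueError when the body is not the expected element, so that an
    error page served with HTTP 200 is not mistaken for a healthy ENS.
    """
    if len(body) > MAX_BODY or "<!DOCTYPE" in body.upper():
        raise ValueError("body too large or carries a DOCTYPE")
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError as exc:
        raise ValueError(f"not XML: {exc}") from exc
    if root.tag != f"{{{SERIALIZATION_NS}}}string":
        raise ValueError(f"unexpected root element {root.tag!r}")

    text = " ".join((root.text or "").split())
    parts = FIELD.split(text)          # [prefix, key1, value1, key2, value2, ...]
    if "is alive" not in parts[0]:
        raise ValueError("missing 'is alive' marker")

    # The host name before "is alive" is empty in the on-premises sample.
    result = {"host": parts[0].split("is alive")[0].strip()}
    for key, value in zip(parts[1::2], parts[2::2]):
        result[KEY_NAMES[key]] = value.strip()
    missing = {"version", "environment", "instance_id"} - result.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return result


def check_alive(bodies):
    """Map each URL to its parsed fields, or to an 'ERROR: ...' string."""
    report = {}
    for url, body in bodies.items():
        try:
            report[url] = parse_alive(body)
        except ValueError as exc:
            report[url] = f"ERROR: {exc}"
    return report


if __name__ == "__main__":
    for url, outcome in check_alive({
        "https://ens.getboxer.com/api/ens/alive": CLOUD_SAMPLE,
        "https://localhost/MailNotificationService/api/ens/alive": ONPREM_SAMPLE,
    }).items():
        print(url, outcome)
```

Feed it bodies saved by whatever HTTP client your monitoring already uses; comparing the `version` and `environment` fields across CAS or mailbox servers shows quickly when one of them reaches a different ENS instance.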
For other successful ENS traffic, you might see the following log entries in the IIS logs.
Test the Exchange Web Services URL
The Exchange Web Services (EWS) subscriptions notify changes in a user's mailbox. Use Microsoft's Remote Connectivity Analyzer online tool to test the EWS URL. You can test the EWS URL only if the EWS is configured for basic authentication and the EWS is publicly available.
1 Open Microsoft's Remote Connectivity Analyzer.
2 Select Synchronization, Notification, Availability, Automatic Replies under Microsoft Exchange Web Services Connectivity Tests and click Next.
3 Enter the Email address, Domain\User Name (or UPN), Password, and Confirm Password information.
4 Enter the EWS URL manually if autodiscovery is not enabled, or select Use Auto-Discovery to detect server settings if autodiscovery is enabled.
5 Click Verify account and perform the test.
Results:
If there are no issues, the following success message appears:
If the connectivity test fails for the following reasons, then expand the error to see more
information.
You see the following 401 error when the user is unauthorized.
You see the following error when the autodiscovery is not enabled.
You see the following error when the Remote server cannot be resolved.
Troubleshooting the EWS Accessibility on an On-Premises ENS Installation
Use the EWSEditor tool to check if the EWS is internal and accessible from an on-premises
ENS. The EWSEditor tool works only if you are using basic authentication or Open Authorization
(OAuth).
1 Download and extract the EWSEditor ZIP file from the EWSEditor.
2 Run the EWSEditor.exe file.
3 Navigate to the File > New Exchange Service and enter the Service URL, User Name,
Password, and Domain.
4 Click OK. If there is an error in the details entered, then an appropriate error message
appears. If the details entered are correct, then the following message appears:
5 Click Yes.
6 Select the device for which you want to check the subscription and right-click on the device.
Select Open Streaming Notifications Viewer.
7 Click Subscribe and Clear Events.
8 To test the notifications, send a test message to the device. If the test is successful, the
following screen appears:
Troubleshooting ENS2 Configuration Issues in Workspace ONE UEM Console
For Workspace ONE UEM Console 2003 or lower
You can configure the ENS2 settings using the configuration key and configuration value
provided by the Workspace ONE UEM console.
The following image shows the ENS2 settings when configured without EWS URL and with the
EWS URL.
The following table lists the Workspace ONE UEM console configuration keys and values for
ENS2.
| Configuration Key | Value Type | Configuration Value |
|---|---|---|
| ENSLinkAddress | String | Specify the URL address of the ENS server. For cloud deployments, the URL must be https://ens.getboxer.com/api/ens. Based on your region, VMware provides the resolved name or IP address. For on-premises deployments, the URL must be https://mycompany.com/MailNotificationService/api/ens, where mycompany.com is the IP address or domain name for your ENS server. |
| ENSAPIToken | String | VMware provides the API token to enable the ENS service. For the on-premises installation, the on-premises installer creates this token. |
| AccountNotifyPush | Boolean | This value must be True. |
| EWSUrl | String | Enables manual configuration of the Exchange Web Services (EWS) endpoint when autodiscovery is deactivated in your Exchange environment. Configuring this option is preferred even for deployments where autodiscovery is enabled. The value of this option is your EWS endpoint. For example, https://outlook.office365.com/EWS/Exchange.asmx (for Office 365). |
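A check of the four keys in the table above before they are pushed to devices, as an added example that is not part of the VMware documentation or product. The function name `validate_ens_kvp`, the wording of the findings, and the sample values are assumptions of the example; the cloud hosts are the regional ones listed earlier in this chapter, and the EWSUrl rule follows the table's example of a complete endpoint.

```python
from urllib.parse import urlsplit

# Regional cloud hosts from this chapter's "ENS Cloud URL" table.
CLOUD_HOSTS = {
    "ens.getboxer.com", "ens-apj.getboxer.com",
    "ens-eu.getboxer.com", "ens-uk.getboxer.com",
}
CLOUD_PATH = "/api/ens"
ONPREM_PATH = "/mailnotificationservice/api/ens"   # compared in lower case
EWS_PATH = "/ews/exchange.asmx"                    # compared in lower case

# Constructed sample values for the usage at the bottom.
GOOD_CLOUD = {
    "ENSLinkAddress": "https://ens-eu.getboxer.com/api/ens",
    "ENSAPIToken": "constructed-token-value",
    "AccountNotifyPush": True,
    "EWSUrl": "https://outlook.office365.com/EWS/Exchange.asmx",
}
BAD_EXAMPLE = {
    "ENSLinkAddress": "http://ens.getboxer.com/api/ens",   # not https
    "ENSAPIToken": " ",                                    # whitespace only
    "AccountNotifyPush": "False",
    "EWSUrl": "https://mail-xyz.com/",                     # endpoint missing
}


def _https_parts(value):
    """Return (host, lower-case path) for an https URL, else None."""
    parts = urlsplit(str(value).strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts.hostname.lower(), parts.path.rstrip("/").lower()


def validate_ens_kvp(kvp):
    """Return a list of (key, problem) tuples; empty means no findings."""
    problems = []

    link = _https_parts(kvp.get("ENSLinkAddress") or "")
    if link is None:
        problems.append(("ENSLinkAddress", "must be an https:// URL"))
    else:
        host, path = link
        # Match the domain on a label boundary so that look-alike hosts such
        # as ens.getboxer.com.example.net are not treated as the cloud ENS.
        if host == "getboxer.com" or host.endswith(".getboxer.com"):
            if host not in CLOUD_HOSTS:
                problems.append(("ENSLinkAddress",
                                 f"{host} is not a listed regional host"))
            elif path != CLOUD_PATH:
                problems.append(("ENSLinkAddress", "cloud path must be /api/ens"))
        elif path != ONPREM_PATH:
            problems.append(("ENSLinkAddress",
                             "on-premises path must be "
                             "/MailNotificationService/api/ens"))

    token = kvp.get("ENSAPIToken")
    if not isinstance(token, str) or not token.strip() or token != token.strip():
        problems.append(("ENSAPIToken",
                         "must be a non-empty string without stray whitespace"))

    push = kvp.get("AccountNotifyPush")
    if not (push is True or str(push).strip().lower() == "true"):
        problems.append(("AccountNotifyPush", "must be True"))

    ews_value = kvp.get("EWSUrl") or ""
    if not str(ews_value).strip():
        problems.append(("EWSUrl", "not set; ENS falls back to autodiscovery"))
    else:
        ews = _https_parts(ews_value)
        if ews is None:
            problems.append(("EWSUrl", "must be an https:// URL"))
        elif not ews[1].endswith(EWS_PATH):
            problems.append(("EWSUrl",
                             "incomplete endpoint; expected .../EWS/Exchange.asmx"))
    return problems


if __name__ == "__main__":
    for name, kvp in (("good", GOOD_CLOUD), ("bad", BAD_EXAMPLE)):
        print(name, validate_ens_kvp(kvp))
```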
For Workspace ONE UEM console version 2004, 2005, 2006, and 2007
You can configure the ENS2 settings and the EWS URL in Workspace ONE UEM console. Configuring the EWS URL is not mandatory for ENS, but it is recommended.
You can configure the ENS2 specific settings and the EWS URL in the Email Settings > Notification section of the Boxer app assignment page. For more information on the ENS2 specific settings, see the Assign and Configure Workspace ONE Boxer Using the App Assignment Page section in the Workspace ONE Boxer Admin Guide, and see the Chapter 6 Configure ENS2 with Application Configuration Values for Boxer topic for more information on the ENS2 configuration for Boxer.
For Workspace ONE UEM console version 2008 and later
You can configure the ENS2 settings and the EWS URL in Workspace ONE UEM console. Configuring the EWS URL is not mandatory for ENS, but it is recommended. The locations where you set the ENS2 specific settings and the EWS URL are different.
You can configure the EWS URL in the Email Settings page and the ENS2 specific settings in the Email Settings > Notification page of the Boxer app assignment page. For more information, see the Assign and Configure Workspace ONE Boxer Using the App Assignment Page section in the Workspace ONE Boxer Admin Guide, and see the Chapter 6 Configure ENS2 with Application Configuration Values for Boxer topic for more information on the ENS2 configuration for Boxer.
Troubleshooting ENS2 Notification Issues
ENS notifications are applicable only for emails in the Inbox folder. The notifications do not work for Calendar events, subfolders, and so on. The following topics describe the steps to troubleshoot the ENS2 notification issues for emails in the Inbox folder.
Public Key Request from the ENS
The Boxer application requests the public key from the ENS. The public key is used to encrypt the user credentials. When the ENS processes the request, the ENS sends the public key and creates a user record in the database against the user ID. In the following sample ENS logs for the GetPublicKeyRequest, the Boxer application sends the SHA256 hash of the email address as the user ID.
2019/10/18 05:54:05.395 WIN-HTCPEDXIUVF 7b21cd56-4c45-4a7c-88d9-
a7f225cea3b9 [0000000-0000000] (5) Debug
MailNotificationService.Controllers.EnsController.GetPublicKey User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Processing Get Public key
request for Userid[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d]
2019/10/18 05:54:05.457 WIN-HTCPEDXIUVF 7b21cd56-4c45-4a7c-88d9-
a7f225cea3b9 [0000000-0000000] (5) Debug
MailNotificationService.BusinessImpl.GetPublicKeyBusiness.ProcessGetPublicKeyRequestAsync
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Key generated for
user id [1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d]
2019/10/18 05:54:05.457 WIN-HTCPEDXIUVF 7b21cd56-4c45-4a7c-88d9-
a7f225cea3b9 [0000000-0000000] (5) Debug
MailNotificationService.Controllers.EnsController.GetPublicKey User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Get Public Key request
processed. HttpStatusCode:[OK] ResponseCode:[UpdateSuccess]
The possible error types and solutions that you might see during a GetPublicKeyRequest are listed as follows:
Error: Unauthorized Request
If you see the following error when you send a GetPublicKeyRequest, then ensure that the provided API token is correct. Verify that the API token is the same in the following places:
- API token in the ENS logs - API token : [12341*********fasdf]
- The Boxer application configuration in the UEM console. See the Workspace ONE Boxer Admin Guide for more information on the Boxer application configuration values.
- API token in the Boxer application logs - Verify the API token in the Boxer application logs.
Error: Unable to add a NULL value into the PublicKey column
Note: This section is applicable for an on-premises installation only.
When the available RSA keys in the database are exhausted, you might see the following error.
This issue is automatically fixed when the RSAKey tracker service triggers and generates new
keys again.
2019/10/18 12:20:04.121 WIN-HTCPEDXIUVF
b4a42dc8-6896-4243-9a4c-8ed476ae94ab [0000000-0000000] (5) Debug
MailNotificationService.Controllers.EnsController.GetPublicKey User Id
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Processing Get Public key
request for Userid[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d]
2019/10/18 12:20:04.136 WIN-HTCPEDXIUVF
b4a42dc8-6896-4243-9a4c-8ed476ae94ab [0000000-0000000] (5) Debug
MailNotificationService.BusinessImpl.GetPublicKeyBusiness.ProcessGetPublicKeyRequestAsync
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Error: 515,
Severity: 16, State: 2, Message: "Cannot insert the value NULL into column 'PublicKey',
table 'onpremensdev.dbo.UserInfo'; column does not allow nulls. INSERT fails.", Procedure:
"UserInfo_Save", Line: 39
2019/10/18 12:20:04.136 WIN-HTCPEDXIUVF
b4a42dc8-6896-4243-9a4c-8ed476ae94ab [0000000-0000000] (5)
Debug MailNotificationService.Controllers.EnsController.GetPublicKey User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Get Public Key request
processed. HttpStatusCode:[InternalServerError] ResponseCode:[UpdateFail]
Note: The RSAKey tracker trigger interval time is 120 minutes. If the number of keys available in the database during the tracker trigger time is less than 250, then the RSAKey tracker starts generating a new batch of RSA keys. By default, the RSAKey tracker generates 500 new keys at a time.
Ensure that the following values are present in the RSAKey tracker configuration file:
<add key="numberOfKeysToBeInserted" value="500"/>
<add key="wakeUpIntervalInMins" value="120"/>
<add key="keysThreshold" value="250"/>
Error: ENS service communication
When communicating with the ENS service, if you see the following error in the Boxer application
logs, then ensure that your device has proper connectivity.
2019-11-04T12:23:12Z E [710337] [ENS] An error occurred when communicating
with the ENS service: Error Domain=NSURLErrorDomain Code=-1009 "The Internet
connection appears to be offline." UserInfo={NSUnderlyingError=0x281fead90 {Error
Domain=kCFErrorDomainCFNetwork Code=-1009 "The Internet connection appears to
be offline." UserInfo={NSErrorFailingURLStringKey=https://ens-staging.getboxer.com/api/ens/
getpublickey, NSErrorFailingURLKey=https://ens-staging.getboxer.com/api/ens/getpublickey,
_kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1, NSLocalizedDescription=The
Internet connection appears to be offline.}}, NSErrorFailingURLStringKey=https://
ens-staging.getboxer.com/api/ens/getpublickey, NSErrorFailingURLKey=https://ens-
staging.getboxer.com/api/ens/getpublickey, _kCFStreamErrorDomainKey=1,
_kCFStreamErrorCodeKey=50, NSLocalizedDescription=The Internet connection appears to be
offline.} at URL: https://ens-staging.getboxer.com/api/ens/getpublickey. Data: . Response
Code: 0
2019-11-04T12:23:12Z E [710337] [ENS] Error registering new account:
Error:Error Domain=com.alamofire.serialization.response.error.response Code=-1 "invalid
public key" UserInfo={NSLocalizedDescription=invalid public key}
2019-11-04T12:23:12Z E [703318] [ENS] Error registering device for push notification
Error:Error Domain=com.alamofire.serialization.response.error.response Code=-1 "invalid
public key" UserInfo={NSLocalizedDescription=invalid public key}
2019-11-04T12:23:12Z E [726177] - Unexpected error: {
BXLocalizedContextMessageErrorKey = "Could not update settings for the push notification
service";
BXLocalizedTitleErrorKey = "Could not update settings for the push notification service";
NSLocalizedDescription = "Could not update settings for the push notification service. ";
NSLocalizedFailureReason = "Failed to update push notification settings. Please contact
your administrator.";
} context: 1
Register Device Request
The Boxer application sends a Register request to the ENS, a push subscription to the EWS, and
a subscribe for notification. If the GetPublicKey request is successful, then the Boxer application
sends a register request to the ENS with the necessary information required to register a device
for notification.
Scenario 1: If the EWS URL is not configured in the console, then the ENS tries autodiscovery to obtain the EWS URL to subscribe the user.
Scenario 2: If the EWS URL is configured in the console, then the ENS uses the same EWS URL to subscribe the user.
When the subscription is successful, the ENS receives the [UserSubscribed] message with the
subscription ID as mentioned in the following code snippet.
2019/11/05 08:18:49.674 A3 726c4072-5144-4450-848b-821f65174b89 [0000000-0000000]
(23) Info
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] User
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] subscribed with
subscriptionId
[JwBtbjJwcjE5bWIzMDA1Lm5hbXByZDE5LnByb2Qub3V0bG9vay5jb20QAAAAJ6RYazaIoUCfX7KheUsQYUQnw9rIYdcIE
AAAAAQ9tcFCKSZFrTOxLbSCwj4=]
2019/11/05 08:18:49.767 A3 726c4072-5144-4450-848b-821f65174b89 [0000000-0000000]
(28) Debug MailNotificationService.Controllers.EnsController.RegisterDeviceV2 User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Register device request
processed. HttpStatusCode:[OK] ResponseCode:[UserSubscribed]
In the Android Boxer logs, you must see the following log entries to confirm a successful
registration:
--------------------------------------------------------------
ENS SETTINGS
--------------------------------------------------------------
ENS_LINK_ADDRESS = https://ens.getboxer.com/api/ens
ENS_API_TOKEN = 17413**********************88c08
POLICY_ACCOUNT_NOTIFY_PUSH = true
EWS_URL =
ENS_STATE = (8 -> Registered)
--------------------------------------------------------------
HEALTH STATUS
--------------------------------------------------------------
App version health status: Green, Current app version: 5.11.0.4, New version: 5.10.0
Sync Health Status: Green, Sync durations in seconds: [0.522, 0.49, 0.416, 0.379, 0.424,
0.368, 0.465, 0.496, 0.565, 1.344], Sync results [OK, OK, OK, OK, OK, OK, OK, OK, OK, OK]
Ens health status: Green , Ens state: Registered
Overall health status: Green
Ens registration for account (id=8) is successful!
For the iOS Boxer logs, you must see the following log entries to confirm a successful
registration:
For normal subscription
2019-11-11T09:31:41Z I [12347] [ENS] Successfully registered account.
Note: For iOS Boxer logs, open the Boxer application, navigate to the Boxer Settings, click VMware Secure Email, and ensure that the Use Push Service switch is enabled to confirm a successful ENS registration.
The possible errors and solutions that you might see when you are unable to locate the
autodiscover services are listed as follows:
Error: Unable to Locate the Autodiscover Services
If you see the following error, then ensure that autodiscovery is enabled, and check the availability and connectivity of the autodiscovery server using the EWSEditor and the MS remote connectivity analyzer.
2019/11/06 07:01:56.207 A3 d252be19-1c5d-4e30-9155-a0ae3a529679 [0000000-0000000]
(94) Warn MailNotificationService.BusinessImpl.SubscriptionBusiness.SubscribeV2Async
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Exception while
auto discovery occured for userId
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586], Exception Message [The
Autodiscover service couldn't be located.] , Exception
[Microsoft.Exchange.WebServices.Data.AutodiscoverLocalException: The Autodiscover service
couldn't be located.
at
Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.InternalGetLegacyUserSettings[
TSettings](String emailAddress, List`1 redirectionEmailAddresses, Int32& currentHop)
at
Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.GetLegacyUserSettings[TSetting
s](String emailAddress)
at
Microsoft.Exchange.WebServices.Autodiscover.AutodiscoverService.InternalGetLegacyUserSettings(
String emailAddress, List`1 requestedSettings)
at Microsoft.Exchange.WebServices.Data.ExchangeService.GetAutodiscoverUrl(String
emailAddress, ExchangeVersion requestedServerVersion,
AutodiscoverRedirectionUrlValidationCallback validateRedirectionUrlCallback)
at Microsoft.Exchange.WebServices.Data.ExchangeService.AutodiscoverUrl(String
emailAddress, AutodiscoverRedirectionUrlValidationCallback validateRedirectionUrlCallback)
at
MailNotificationService.BusinessImpl.ExchangeServiceBusiness.<GetExchangeServiceViaAutoDiscove
ry>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at
MailNotificationService.BusinessImpl.ExchangeServiceBusiness.<GetExchangeServiceAsync>d__6.Mov
eNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at
MailNotificationService.BusinessImpl.SubscriptionBusiness.<SubscribeV2Async>d__7.MoveNext()],
Inner Exception [], Autodiscover url used [The Autodiscover service couldn't be located.]
2019/11/06 07:01:56.207 A3 d252be19-1c5d-4e30-9155-a0ae3a529679 [0000000-0000000]
(94) Debug MailNotificationService.Controllers.EnsController.RegisterDeviceV2 User Id:
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Register device request
processed. HttpStatusCode:[Conflict] ResponseCode:[SubscribeAgain]
Error: The remote server returned an error (403) Forbidden
If this error occurs during a subscription, then ensure that you enter the proper EWS URL in the Boxer application KVP values of the UEM console. The EWSUrl used to subscribe must have the complete endpoint specified.
Example of a correct EWSUrl - [https://mail-mem13.xyz.com/EWS/exchange.asmx]
Example of an incorrect EWSUrl - [https://mail-xyz.com/]
To check the EWS URL availability and connectivity, use the EWSEditor and the MS remote connectivity analyzer.
2019/11/06 07:09:54.064 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug MailNotificationService.Controllers.EnsController.RegisterDeviceV2 User Id:
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Processing register
device request for Userid[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586]
2019/11/06 07:09:54.080 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.RegisterDeviceBusiness.ProcessRegisterDeviceRequestAsyncV
2 User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Exchange
version sent by boxer [2]
2019/11/06 07:09:54.080 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeServiceBusiness.GetExchangeServiceAsync User
Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Using client ewsurl,
mailServerUrlMatched : False, deletedEWSUrl: False
2019/11/06 07:09:54.080 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] EWSUrl used to
subscribe: [https://mail-mem13.ssdevrd.com/]
2019/11/06 07:09:54.080 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] User subscribing
with [Basic Auth]
2019/11/06 07:09:54.173 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Warn
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotifications User
Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Service request
exception occured for userId
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586], Inner exception message
[The remote server returned an error: (403) Forbidden.] Going for a retry,
2019/11/06 07:09:54.173 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] EWSUrl used to
subscribe: [https://mail-mem13.ssdevrd.com/]
2019/11/06 07:09:54.173 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] User subscribing
with [Basic Auth]
2019/11/06 07:09:54.205 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Warn
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotifications User
Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Service request
exception occured for userId
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586], Inner exception message
[The remote server returned an error: (403) Forbidden.] Going for a retry,
2019/11/06 07:09:54.205 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] EWSUrl used to
subscribe: [https://mail-mem13.ssdevrd.com/]
2019/11/06 07:09:54.205 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] User subscribing
with [Basic Auth]
2019/11/06 07:09:54.236 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Warn
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotifications User
Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Service request
exception occured for userId
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586], Inner exception message
[The remote server returned an error: (403) Forbidden.] Going for a retry,
2019/11/06 07:09:54.236 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] EWSUrl used to
subscribe: [https://mail-mem13.ssdevrd.com/]
2019/11/06 07:09:54.236 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] User subscribing
with [Basic Auth]
2019/11/06 07:09:54.251 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Warn
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotifications User
Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Service request
exception occured for userId
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586], Inner exception message
[The remote server returned an error: (403) Forbidden.] Going for a retry,
2019/11/06 07:09:54.251 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Warn MailNotificationService.BusinessImpl.SubscriptionBusiness.SubscribeV2Async
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Service request
exception occured for userId
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586], Inner exception message
[The remote server returned an error: (403) Forbidden.] Going for a retry,
2019/11/06 07:09:54.251 A3 f43eb3d0-e173-49de-9b52-3acb8a1107c4 [0000000-0000000]
(98) Debug MailNotificationService.Controllers.EnsController.RegisterDeviceV2 User Id:
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Register device request
processed. HttpStatusCode:[Conflict] ResponseCode:[SubscribeAgain]
Sample error logs of Boxer during registration:
2019-11-11T09:13:43Z E [9326] [ENS] An error occurred when communicating with
the ENS service: Error Domain=com.alamofire.error.serialization.response Code=-1011
"Request failed: conflict (409)" UserInfo={NSLocalizedDescription=Request failed:
conflict (409), NSErrorFailingURLKey=https://a3.ssdevrd.com/mailnotificationservice/api/ens/
registerdevicev2, com.alamofire.serialization.response.error.data={length = 135,
bytes = 0x7b227265 73706f6e 7365436f 6465223a ... 4f6e5072 656d227d },
com.alamofire.serialization.response.error.response=<NSHTTPURLResponse: 0x282db1fa0> { URL:
https://a3.ssdevrd.com/mailnotificationservice/api/ens/registerdevicev2 } { Status Code: 409,
Headers {
"Content-Length" = (
135
);
"Content-Type" = (
"application/json; charset=utf-8"
);
Date = (
"Mon, 11 Nov 2019 09:13:40 GMT"
);
Server = (
"Microsoft-IIS/8.5"
);
"X-Powered-By" = (
"ASP.NET"
);
} }} at URL: https://a3.ssdevrd.com/mailnotificationservice/api/ens/registerdevicev2.
Data: {"responseCode":14,"errorMessage":"The Autodiscover service couldn't be
located.","version":"1.5.7235.6268","environmentType":"OnPrem"}. Response Code: 409
2019-11-11T09:13:43Z E [9326] [ENS] registerAccountOnENS: Error updating settings or
credentials
Error:Error Domain=com.alamofire.error.serialization.response Code=-1011 "Request
failed: conflict (409)" UserInfo={NSLocalizedDescription=Request failed:
conflict (409), NSErrorFailingURLKey=https://a3.ssdevrd.com/mailnotificationservice/api/ens/
registerdevicev2, com.alamofire.serialization.response.error.data={length = 135,
bytes = 0x7b227265 73706f6e 7365436f 6465223a ... 4f6e5072 656d227d },
com.alamofire.serialization.response.error.response=<NSHTTPURLResponse: 0x282db1fa0> { URL:
https://a3.ssdevrd.com/mailnotificationservice/api/ens/registerdevicev2 } { Status Code: 409,
Headers {
"Content-Length" = (
135
);
"Content-Type" = (
"application/json; charset=utf-8"
);
Date = (
"Mon, 11 Nov 2019 09:13:40 GMT"
);
Server = (
"Microsoft-IIS/8.5"
);
"X-Powered-By" = (
"ASP.NET"
);
} }}
2019-11-11T09:13:43Z E [9365] - Unexpected error: {
BXLocalizedContextMessageErrorKey = "Could not update settings for the push notification
service";
BXLocalizedTitleErrorKey = "Could not update settings for the push notification service";
NSLocalizedDescription = "Could not update settings for the push notification service. ";
NSLocalizedFailureReason = "Failed to update push notification settings. Please contact
your administrator.";
}
In the sample error logs of Boxer, you can see the following message:
{"responseCode":14,"errorMessage":"The Autodiscover service couldn't be
located...
In this case, ensure that the autodiscovery URL is reachable from the ENS and that it is
configured correctly. You can verify the configuration using the EWSEditor tool or the MS
connectivity analyzer tool.
If you are using the EWSUrl, ensure that the EWSUrl key is configured in the console with the
correct EWSUrl value for the respective Exchange environment. To verify that the EWSUrl is
correct, open a browser, enter the EWSUrl, and ensure that you are prompted to enter the
credentials.
The error message and response code vary with the cause of the failure. Use the error
message as the starting point for troubleshooting the issue.
Error: 403 or 401 error message
EWS must be accessible to the ENS application to subscribe the user for notification. If the EWS
is not configured correctly, then you might receive a 403 or 401 error. In such cases, refer to
the following documents:
• Getting started with the EWS Managed API 2.0
• Managing access for EWS Managed API 2.0 applications
• Authentication and EWS in Exchange
Check the type of authentication you have enabled in the EWS. Ensure that the authentication
is in parity with what the customer is using for ActiveSync (Basic, OAuth, and CBA). The Boxer
application sends the user credentials to the ENS and the ENS uses the same credentials and the
same type of authentication to communicate with the EWS.
Note If the ENS can access the Office 365 and the Active Directory Federation Services (ADFS),
then ensure that either the ENS IPs are allowlisted on the ADFS or the affected user has no block
claim on the ADFS.
If you are using Office 365 and you receive a 401 error from the EWS URL, the cause might be
that client access rules or ADFS claims are configured. In such scenarios, refer to the
following documents:
• Client Access Rules in Exchange Online
• Customizing ADFS Claims Rules for Office 365
In a scenario where the ENS on-premises Exchange with CBA is enabled, you might need to
confirm that the client certificate is arriving at the Exchange endpoint. To troubleshoot any
errors, see the Troubleshooting ENS with On-Premise Exchange Server section.
Force Register or Re-register on the Boxer application:
On iOS devices only, you can manually perform a force subscription in the following cases:
• If there are any changes to the keys in the console, wait approximately 1 hour and then
check if the users are still receiving the notification. If the users are not receiving
notifications, you can proceed to re-register the Boxer application with the ENS2 service.
• If you do not see any register request in the ENS logs from the Boxer application, then
assume that the Boxer application has failed to send the register request automatically.
Therefore, the ENS tries to re-register the Boxer application with the ENS2 service forcefully.
To force register or re-register on the Boxer application, perform the following steps:
1 Open the Boxer application and click Settings.
2 Under the Accounts tab, select your ENS-specific account.
3 Turn off the Use Push Service option.
4 Navigate to the Boxer application Settings screen.
5 Repeat Step 2 through Step 4 to turn on the Use Push Service option.
After you perform either of the steps mentioned, the force register request appears in the
ENS logs.
To confirm the force subscription in the ENS logs, search for ForceSubscription. You must be
able to see the following value: ForceSubscription : [True].
Registration Status Events
If the registration is successful, then the Exchange sends a status event to the ENS
periodically against each subscription ID, to confirm the subscription. The ENS then sends an
acknowledgment for each of the subscription IDs back to the Exchange.
2019/11/05 08:57:31.413 A3 1eb9186b-9370-45de-a172-0e452586f398 [0000000-0000000]
(58) Debug
MailNotificationService.BusinessImpl.ExchangeNotificationParser.ScanEventNotificationAsync
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Received
[StatusEvent] for subscription:
[JwBtbjJwcjE5bWIzMDA1Lm5hbXByZDE5LnByb2Qub3V0bG9vay5jb20QAAAAl4H5dKboFUm1kJ8ZNBKkJILRTBjMYdcIE
AAAAAQ9tcFCKSZFrTOxLbSCwj4=]
2019/11/05 08:57:31.413 A3 1eb9186b-9370-45de-a172-0e452586f398 [0000000-0000000]
(58) Debug
MailNotificationService.BusinessImpl.PushNotificationBusiness.HandleExchangeEvents User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Status event received for
user: [1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d]
If the ENS receives the status event for the old subscription ID, then the ENS responds to the
Exchange with an unsubscribe response as shown in the following logs.
2019/11/05 08:49:20.123 A3 d2adec8a-73d7-48f2-ba14-abbd917844cd [0000000-0000000]
(54) Info
MailNotificationService.BusinessImpl.ExchangeNotificationParser.ScanEventNotificationAsync
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] This
JwBtbjJwcjE5bWIzMDA1Lm5hbXByZDE5LnByb2Qub3V0bG9vay5jb20QAAAAJ6RYazaIoUCfX7KheUsQYUQnw9rIYdcIEA
AAAAQ9tcFCKSZFrTOxLbSCwj4= is old subscription for user
1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d, sending unsubscribe
response
2019/11/05 08:49:20.123 A3 d2adec8a-73d7-48f2-ba14-abbd917844cd [0000000-0000000]
(54) Debug
MailNotificationService.BusinessImpl.ExchangeNotificationParser.ScanEventNotificationAsync
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Sent Unsubscribe
response to EWS successfully for subscriptionId:
[JwBtbjJwcjE5bWIzMDA1Lm5hbXByZDE5LnByb2Qub3V0bG9vay5jb20QAAAAJ6RYazaIoUCfX7KheUsQYUQnw9rIYdcIE
AAAAAQ9tcFCKSZFrTOxLbSCwj4=]
2019/11/05 08:49:20.123 A3 d2adec8a-73d7-48f2-ba14-abbd917844cd [0000000-0000000]
(54) Debug
MailNotificationService.BusinessImpl.PushNotificationBusiness.ProcessPushNotificationV2Async
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d]
ProcessNotificationResponse.IsUnSubscribeResponse is true
For more information on the status frequency, see the StatusFrequency topic.
ENS must receive the status events from the Exchange immediately after a subscription is
successful. If the ENS is not receiving the status events, then check the following troubleshooting
methods to verify the communication between the Exchange server and the ENS.
Error: Status event not received
If you do not see any status events in the ENS logs after a successful subscription, then check
the communication between the Exchange server and the ENS. Access the following URLs in the
browser on the CAS or the mailbox servers to check the communication between the Exchange
and the ENS.
• For on-premises ENS deployments, use https://{ENS URL}/MailNotificationService/api/ens/alive.
• For cloud ENS deployments, use https://{ENS URL}/api/ens/alive. For example,
https://ens.getboxer.com/api/ens/alive. Select the ENS cloud URL based on your region.
You must be able to see the following result when you browse the specified URLs from the
browser.
This XML file does not appear to have any style information associated with it. The document
tree is shown below.
<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/"> is alive. Version =
1.5.7227.9937 Enviroment = Production InstanceId = i-04676f24928463e31 </string>
• For on-premises ENS deployments, use
https://{ENS URL}/MailNotificationService/api/ens/pushnotificationlistener.
• For cloud ENS deployments, use https://{ENS URL}/api/ens/pushnotificationlistener.
Select the ENS cloud URL based on your region.
<Error> <Message> The requested resource does not support http method 'GET'. </Message> </Error>
When browsing the URLs, if you see any SSL error, then proceed to import the ENS
certificate in the MMC of the server.
Note If both the checks mentioned above are successful and the status events are still
not received, then check the Event Viewer logs on the Exchange server and search for
pushnotificationlistener logs. Right-click the Application node and navigate to Find. If
there are any entries, then check if there are any communication errors while pushing the
notification to the ENS.
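The two browser checks above can also be scripted. The following is an added example, not VMware code: it builds the two URLs from the page, fetches them, and interprets the bodies the page shows as the expected results. The function names and the https://ens.example.test host are assumptions, and matching on the response body rather than the status code is a choice made here.

```python
import re
import ssl
import urllib.error
import urllib.request

# Expected bodies, copied from the sample output shown on this page.
ALIVE_BODY = ('<string xmlns="http://schemas.microsoft.com/2003/10/Serialization/"> '
              'is alive. Version = 1.5.7227.9937 Enviroment = Production '
              'InstanceId = i-04676f24928463e31 </string>')
LISTENER_BODY = ("<Error> <Message> The requested resource does not support "
                 "http method 'GET'. </Message> </Error>")

ALIVE = re.compile(r"is alive\.\s*Version\s*=\s*([\d.]+)")
GET_REJECTED = "does not support http method 'GET'"


def check_urls(ens_url, on_premises):
    """Build the alive and listener URLs for an on-premises or cloud ENS."""
    root = ens_url.rstrip("/")
    if on_premises:
        root += "/MailNotificationService"
    return {"alive": root + "/api/ens/alive",
            "listener": root + "/api/ens/pushnotificationlistener"}


def interpret(check, body):
    """Return (ok, detail) for the response body of one of the two checks."""
    if check == "alive":
        m = ALIVE.search(body)
        return (True, "ENS version " + m.group(1)) if m else (False, "no 'is alive' string")
    # For the listener, the page shows the GET-rejected error as the expected
    # result: it proves the endpoint was reached from this server.
    if GET_REJECTED in body:
        return True, "listener reachable"
    return False, "unexpected listener response"


def fetch(url, timeout=10):
    """GET a URL and return ('body', text), ('tls', reason) or ('network', reason)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "body", resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # An error status still carries the body that interpret() needs.
        return "body", err.read().decode("utf-8", "replace")
    except OSError as err:
        # URLError, timeouts and TLS failures are all OSError subclasses.
        reason = getattr(err, "reason", err)
        kind = "tls" if isinstance(reason, ssl.SSLError) else "network"
        return kind, str(reason)


def run_checks(ens_url, on_premises):
    """Run both checks from the machine this script is started on."""
    results = {}
    for name, url in check_urls(ens_url, on_premises).items():
        kind, payload = fetch(url)
        if kind == "body":
            results[name] = interpret(name, payload)
        elif kind == "tls":
            results[name] = (False, "SSL error: import the ENS certificate on this server")
        else:
            results[name] = (False, "cannot reach ENS: " + payload)
    return results


if __name__ == "__main__":
    # Hypothetical host; replace with your ENS URL and deployment type.
    for check, (ok, detail) in run_checks("https://ens.example.test", True).items():
        print(check, "OK" if ok else "FAIL", detail)
```

Run it from the CAS or mailbox server, as the page requires for the browser check, so that the result reflects the Exchange-to-ENS path.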
New Mail Event and Fetch Mail
When a device is successfully registered and the communication between the ENS and the
Exchange is working correctly, the Exchange starts sending new mail events to the ENS
whenever a new mail is received on the subscribed user mailbox. If the payloads of the created
events contain an unread count, then the ENS uses the unread count, else the ENS gets the
unread count from the EWS.
2019/11/05 09:39:56.608 A3 9f08ed6d-0726-430c-8440-9c396443c7ca [0000000-0000000]
(74) Debug
MailNotificationService.BusinessImpl.ExchangeNotificationParser.ScanEventNotificationAsync
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Received
[CreatedEvent] for subscription:
[JwBtbjJwcjE5bWIzMDA1Lm5hbXByZDE5LnByb2Qub3V0bG9vay5jb20QAAAAl4H5dKboFUm1kJ8ZNBKkJILRTBjMYdcIE
AAAAAQ9tcFCKSZFrTOxLbSCwj4=]
2019/11/05 09:39:56.639 A3 9f08ed6d-0726-430c-8440-9c396443c7ca [0000000-0000000]
(74) Debug
MailNotificationService.BusinessImpl.UnreadCountExchangeBusiness.GetUnReadCountV2 User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] EWSUrl used to get unread
count: [https://outlook.office365.com/EWS/Exchange.asmx]
2019/11/05 09:39:56.889 A3 9f08ed6d-0726-430c-8440-9c396443c7ca [0000000-0000000]
(74) Info
MailNotificationService.BusinessImpl.PushNotificationBusiness.HandleNewMailEvent User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Received new mail event
for user [1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] with BADGE count
[893]
Whenever the ENS receives a new mail event, the ENS fetches the mail information from the
Exchange. The possible errors and solutions that you might see during a fetch mail request are
listed as follows:
Error: Stuck in EWSUrl used to sync email: [https://outlook.office365.com/EWS/Exchange.asmx] steps
When a mail event is received from the Exchange, the ENS tries to fetch all the information
from the mail. If you are unable to see any ENS logs such as the Fetched email, then check the
respective EWS logs in the Exchange. You can obtain the corresponding EWS logs using the
client request ID or the activity ID.
Fetch New Mail Request
Sample client request ID or the activity ID: 03ea7f36-f72f-4322-8413-0dcd81c4ac78
Note You can get the client request ID or the activity ID in the third column of the ENS logs.
Copy that ID and search for the client request ID or the activity ID in the EWS logs.
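Pulling the activity ID out by hand gets tedious when one registration produces several retries. The following added example (not VMware code) parses on-premises ENS log records, folds wrapped lines and stack traces into their record, and groups everything by activity ID so that one request can be followed end to end. The sample log is constructed in the layout shown on this page, the function names are assumptions, and the pipe-delimited cloud format is not handled.

```python
import re

# Constructed sample in the on-premises ENS.log layout shown on this page:
# timestamp, host, activity ID, [..], (thread), level, logger, message.
# Host, activity IDs and user IDs are made up. Records are wrapped the way
# the page prints them, and the last record has no host column.
SAMPLE_LOG = """\
2019/11/06 07:09:54.173 ENS01 11111111-2222-3333-4444-555555555555 [0000000-0000000]
(98) Debug
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync
User Id:[aaaa1111] User subscribing with [Basic Auth]
2019/11/06 07:09:54.205 ENS01 11111111-2222-3333-4444-555555555555 [0000000-0000000]
(98) Warn
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotifications
User Id:[aaaa1111] Service request exception occured for userId [aaaa1111], Inner
exception message [The remote server returned an error: (403) Forbidden.] Going for a retry,
2019/11/06 07:09:54.236 ENS01 11111111-2222-3333-4444-555555555555 [0000000-0000000]
(98) Warn
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotifications
User Id:[aaaa1111] Service request exception occured for userId [aaaa1111], Inner
exception message [The remote server returned an error: (403) Forbidden.] Going for a retry,
2019/11/06 07:09:54.251 ENS01 11111111-2222-3333-4444-555555555555 [0000000-0000000]
(98) Debug MailNotificationService.Controllers.EnsController.RegisterDeviceV2
User Id:[aaaa1111] Register device request processed.
HttpStatusCode:[Conflict] ResponseCode:[SubscribeAgain]
2019/11/06 10:38:20.444 99999999-8888-7777-6666-555555555555 [0000000-0000000]
(31) Warn MailNotificationService.Controllers.EnsController.Unregister
User Id:[bbbb2222] Error Code:'23' Error message: 'UnAuthorizedRequest'
Stack Trace: at (constructed continuation line)
"""

RECORD_START = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ ")
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# The host column is optional: some sample records on the page omit it.
RECORD = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?:(?P<host>\S+)\s+)?(?P<activity>" + GUID + r")\s+"
    r"\[[^\]]*\]\s+\((?P<thread>\d+)\)\s+(?P<level>\w+)\s+"
    r"(?P<logger>\S+)\s*(?P<msg>.*)$"
)
HTTP_ERROR = re.compile(r"error: \((\d{3})\)")
OUTCOME = re.compile(r"HttpStatusCode:\[(\w+)\]\s*ResponseCode:\[(\w+)\]")
ERROR_CODE = re.compile(r"Error Code:'(\d+)' Error message: '(\w+)'")


def parse_records(text):
    """Split raw log text into records, folding continuation lines
    (wrapped text, stack traces) into the record that precedes them."""
    chunks = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            chunks.append(line.strip())
        elif chunks and line.strip():
            chunks[-1] += " " + line.strip()
    records = []
    for chunk in chunks:
        m = RECORD.match(chunk)
        if m:  # text that does not follow the layout is skipped
            records.append(m.groupdict())
    return records


def summarize_by_activity(records):
    """Group records by activity ID and collect what the troubleshooting
    steps key on: HTTP errors, retries, error codes and the final outcome."""
    summary = {}
    for rec in records:
        s = summary.setdefault(rec["activity"], {
            "first_seen": rec["ts"], "records": 0, "levels": set(),
            "http_errors": [], "retries": 0, "outcome": None, "error": None})
        s["records"] += 1
        s["levels"].add(rec["level"])
        s["http_errors"] += HTTP_ERROR.findall(rec["msg"])
        s["retries"] += rec["msg"].count("Going for a retry")
        m = OUTCOME.search(rec["msg"])
        if m:
            s["outcome"] = m.groups()
        m = ERROR_CODE.search(rec["msg"])
        if m:
            s["error"] = m.groups()
    return summary


def needs_attention(summary):
    """Activity IDs with at least one Warn or Error record, in log order."""
    return [aid for aid, s in summary.items() if s["levels"] & {"Warn", "Error"}]


if __name__ == "__main__":
    report = summarize_by_activity(parse_records(SAMPLE_LOG))
    for activity_id in needs_attention(report):
        print(activity_id, report[activity_id])
```

The activity IDs returned by needs_attention are the values to search for in the EWS logs.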
ENS sends a push notification request to the CNS or the SNS
When the new mail information is fetched from the Exchange, the ENS composes and sends a
notification payload to the CNS (for on-premises) or the SNS (for cloud).
Sample of sending a notification payload to the CNS (for on-premises)
2019/11/05 09:48:42.675 A3 fedf9a1d-6cc8-4607-acad-ae006766292a [0000000-0000000]
(82) Info
MailNotificationService.BusinessImpl.NotificationsProcessor.AddNotificationToBatch User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] About to Post
Notification for user : [1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d]
and Device Id : [1]
2019/11/05 09:48:42.690 A3 fedf9a1d-6cc8-4607-acad-ae006766292a [0000000-0000000]
(82) Info
MailNotificationService.BusinessImpl.NotificationsProcessor.AddNotificationToBatch User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] About to Post
Notification for user : [1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d]
and Device Id : [5]
2019/11/05 09:48:47.699 A3 7e45c693-511b-4c19-ae7c-305e5f8f9f0e [0000000-0000000]
(8) Info MailNotificationService.BusinessImpl.CNSHelper.ComposeAPNSPushNotification
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Total unread
count retrieved [894] for user
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d]
2019/11/05 09:48:47.699 A3 7e45c693-511b-4c19-ae7c-305e5f8f9f0e [0000000-0000000]
(8) Debug MailNotificationService.BusinessImpl.CNSHelper.ComposeAPNSPushNotification
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Sending to ::
User : [1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d], DeviceId : [1],
DeviceLogId : [], Message : messageId:
[AAMkAGMxYjUzZDA0LTI5NDItNDUyNi1hZDMzLWIxMmRiNDgyYzIzZQBGAAAAAAAOx2petA5rS4RDQM8RjW1TBwDnjcIsA
p4/S4beDDAIaXMhAAAAAAEMAADnjcIsAp4/S4beDDAIaXMhAAGszQatAAA=]
2019/11/05 09:48:47.699 A3 7e45c693-511b-4c19-ae7c-305e5f8f9f0e [0000000-0000000]
(8) Info MailNotificationService.BusinessImpl.CNSHelper.ComposeAPNSPushNotification
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Total unread
count retrieved [894] for user
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d]
2019/11/05 09:48:47.699 A3 7e45c693-511b-4c19-ae7c-305e5f8f9f0e [0000000-0000000]
(8) Debug MailNotificationService.BusinessImpl.CNSHelper.ComposeAPNSPushNotification
User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Sending to ::
User : [1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d], DeviceId : [5],
DeviceLogId : [61F9BB13-863C-444C-A300-4F888383ACDD-534-0000000CE599EDE0], Message :
messageId:
[AAMkAGMxYjUzZDA0LTI5NDItNDUyNi1hZDMzLWIxMmRiNDgyYzIzZQBGAAAAAAAOx2petA5rS4RDQM8RjW1TBwDnjcIsA
p4/S4beDDAIaXMhAAAAAAEMAADnjcIsAp4/S4beDDAIaXMhAAGszQatAAA=]
2019/11/05 09:48:47.699 A3 7e45c693-511b-4c19-ae7c-305e5f8f9f0e [0000000-0000000]
(8) Debug MailNotificationService.BusinessImpl.CNSHelper.CreateWebRequest User Id:[no-
user-id] CNS Url : [https://cns.awmdm.com/nws/notify/apns]
2019/11/05 09:48:47.699 A3 7e45c693-511b-4c19-ae7c-305e5f8f9f0e [0000000-0000000]
(8) Debug MailNotificationService.BusinessImpl.CertificateHelper.ComputeCmsSignature
User Id:[no-user-id] Signing URL [/nws/notify/apns] with Cert [CN=AW Cloud Notification -
aTest]
2019/11/05 09:48:48.558 A3 7e45c693-511b-4c19-ae7c-305e5f8f9f0e [0000000-0000000]
(8) Debug MailNotificationService.BusinessImpl.CNSHelper.ReadResponse User Id:[no-user-
id] Response {"status":"success","errorReason":null}
2019/11/05 09:48:48.558 A3 7e45c693-511b-4c19-ae7c-305e5f8f9f0e [0000000-0000000]
(8) Info MailNotificationService.BusinessImpl.CNSHelper.ReadResponse User Id:[no-user-
id] ResponseCode OK
Sample of sending a notification payload to the SNS (for cloud)
2019-09-06 12:11:51.5380|INFO|
MailNotificationService.BusinessImpl.NotificationsProcessor.AddNotificationToBatch|b1d8e164-
c3fb-4f67-baa6-002dd3719c4e|User Id:
[35045e4062200ca81c92d5b03928a7e86383ef8e9436d512187a711a4b18e94f] About to Post Notification
for user [35045e4062200ca81c92d5b03928a7e86383ef8e9436d512187a711a4b18e94f]
2019-09-06 12:11:52.5537|INFO|
MailNotificationService.BusinessImpl.AmazonSNSHelper.PostNotifications|67d3c6f0-
a197-4af4-958c-260eeedbf567|User Id:
[35045e4062200ca81c92d5b03928a7e86383ef8e9436d512187a711a4b18e94f] Sending notification via
SNS
2019-09-06 12:11:52.5692|INFO|
MailNotificationService.BusinessImpl.AmazonSNSHelper.PushNotificationViaSNS|67d3c6f0-
a197-4af4-958c-260eeedbf567|User Id:
[35045e4062200ca81c92d5b03928a7e86383ef8e9436d512187a711a4b18e94f] Notification successfully
sent via SNS for [424716]
To confirm if your Android device is receiving notifications from the ENS, enable the Boxer
application passcode and restart the device after a successful registration. You might see a
notification, that is, a banner containing the configured email address. If the banner does not
offer notification actions such as Delete, Reply, and Read, then the notification is a push
notification that is sent from the ENS and not locally from the Boxer application itself. If the
notification banner contains notification actions such as Delete, Reply, Read, and so on, then the
notification is a local notification from the Boxer application and not a push notification from the
ENS.
The possible errors and solutions that you might see during a push notification request are listed
as follows:
Error: The remote server returned an error: (400) Bad Request
Sample error log:
apis
[0000000-0000000] (5) Error
MailNotificationService.BusinessImpl.CNSHelper.ReadResponse User Id:[no-user-
id] Failed To Post to CNS [https://cns.awmdm.com/nws/notify/apns] Error: [The
remote server returned an error: (400) Bad Request.] Response:
[{"status":"failure","errorReason":"Unable to process json input, errors are Unregistered,
requestId 8f8e1939-3660-43d9-b873-a7ae61ea2b7c"}] ”fcm
[0000000-0000000] (128) Error MailNotificationService.BusinessImpl.CNSHelper.ReadResponse
User Id:[no-user-id] Failed To Post to CNS [https://cns.awmdm.com/cns/services/api/
notifications/fcm] Error: [The remote server returned an error: (400) Bad Request.] Response:
[[{"fcmResults":
[{"fcmMessageId":null,"canonicalRegistrationId":null,"errorCode":"NotRegistered"}],"messageId"
:"AM0PR03MB4067FD025796AB3867E3C5AEEA4F9@AM0PR03MB4067.eurprd03.prod.outlook.com","fcmMulticas
tId":3844875711768273544,"successCount":0,"failureCount":1,"allFcmCloudError":false,"allMsgsIn
NonFcmError":true,"fewMsgsInNonFcmError":false,"errCode":5004}]]"
To troubleshoot the issue, share the trace level logs with the VMware Support team. For more
information, see the Enable Trace Level Logging for Enhanced Debugging section.
Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
2019/11/06 09:03:48.218 A3 aa57f568-6871-42cc-8b8d-39c77a15af41 [0000000-0000000]
(40) Error MailNotificationService.BusinessImpl.CNSHelper.ReadResponse User Id:[no-user-
id] Failed To Post to CNS [https://cns.awmdm.com/nws/notify/apns] Error: [The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS secure
channel.] Response: []
Note Ensure you have followed the steps as mentioned in the Configure CNS and Download
Email Notification Service Configuration Files section in the Chapter 5 Configure your Email
Notification Service for On-Premises Deployment topic.
If the issue still persists, download the latest public CNS certificate from the CNS Public Certificate
and perform the following steps:
1 Click the SSLPinningCertTool shortcut present in the ENS server or click
<ENS_INSTALL_DIR>\Email Notification Service\Tools\SSLPinningCertTool\SSLPinningCertTool.exe.
2 Click the Upload CNS Certificate button.
3 Select the certificate to be uploaded and click Submit. If the following screen appears, then
the certificate is successfully added.
Note After uploading the SSL pinning certificate on the ENS, the tool adds the public key
of the certificate to the ENS configuration. When the ENS posts payload to the CNS, the
certificate validation is done against the newly added certificate public key.
4 If the following screen appears, the certificate is successfully added to the resubscription
configuration file.
Note After uploading the SSL pinning certificate, the tool adds the public key of the
certificate to the resubscription configuration file. When the resubscription mechanism
posts payload (silent notification) to the CNS, the certificate validation is done against the
newly added certificate public key.
5 If the certificate is already present in both the configuration files, then you are prompted with
the following message.
Note The pinning certificate upload works as follows:
• The tool tries to upload the certificate to the ENS configuration file only if the provided
certificate is not present in the ENS configuration file. If the given certificate is already
present, then the tool does not prompt any message and continues to upload the same
certificate to the resubscription configuration file.
• The tool tries to add a certificate to the resubscription configuration file only if the
provided certificate is not present in the resubscription configuration file. If the given
certificate is present, then the tool does not prompt any message to the user.
6 If the certificate is added to the resubscription configuration file, then navigate to Services
and restart the AirWatch Resubscription Mechanism service.
Error: The remote server returned an error: (401) Unauthorized.
Sample error log:
2019/11/06 09:25:13.688 A3 6c041e00-c909-45ff-b340-283844376c06 [0000000-0000000]
(6) Error MailNotificationService.BusinessImpl.CNSHelper.ReadResponse User Id:[no-user-
id] Failed To Post to CNS [https://cns.awmdm.com/nws/notify/apns] Error: [The remote
server returned an error: (401) Unauthorized.] Response: [{"code":2007,"message":"Unable to
verify if the signer cert as trusted. The associated request id is 154e9542-b695-497b-9896-
a8fd9cb13e84."}]
If you see a 401 error while posting a notification and the UEM console is on-premises, then
navigate to System > Advanced > Secure Channel Certificate and select the Download CNS
Secure Channel Certificate Installer. You can also open a Zendesk ticket with the SaasOps >
CNS Upload Request category. To install the certificate on the CNS server, send a request to the
VMware Support team.
Error: ENS has posted notification to CNS/SNS successfully, but we don't see any notification
on the device.
This error occurs due to an APNS or GCM token issue. To verify the APNS or the GCM
tokens, perform the following steps:
1 Log in to the Workspace ONE UEM console and navigate to the organization group where
the device is enrolled.
2 Navigate to the Devices > List View and select the device.
3 Click the SEND > PUSH NOTIFICATION and select the application as Boxer from the drop-down.
4 Enter the Message Body and click SEND. After you click SEND, you must be able to see the
notification on the device if the APNS token is correct.
Unregistered ENS Logs
The Boxer application sends an unregister request to the ENS in the following scenarios:
• When a device account is removed from the Boxer application.
• When a device is deleted from the Workspace ONE UEM console.
• During an enterprise wipe from the Workspace ONE UEM console.
• When the push notification button is toggled off in the Boxer application settings.
Sample of unregistered ENS logs:
2019/11/06 10:33:23.976 A3 2bd0af6a-ba08-479e-a606-b1326281902c [0000000-0000000]
(53) Debug MailNotificationService.Controllers.EnsController.Unregister User Id:
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Processing Unregister
request. UserId:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586]
2019/11/06 10:33:24.054 A3 2bd0af6a-ba08-479e-a606-
b1326281902c [0000000-0000000] (55) Debug
MailNotificationService.BusinessImpl.UnregisterBusiness.ProcessUnregisterRequestAsync User
Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Device Unregistered
for user:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586]
2019/11/06 10:33:24.054 A3 2bd0af6a-ba08-479e-a606-b1326281902c [0000000-0000000]
(55) Debug MailNotificationService.Controllers.EnsController.Unregister User
Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Unregister request
processed. HttpStatusCode:[OK] ResponseCode:[DeviceUnregistered]
When the ENS receives an unregister request, the ENS processes the request, sends an
unsubscribe request to the Exchange, and deletes the records from the database. The possible
errors and solutions that you might see when you unregister are listed as follows:
Error: 401 error Unauthorized
The following logs are seen when the Boxer application sends an unregister request with a wrong
API token. You can confirm the API token by comparing the API token logged in the ENS logs with
the one present in the Boxer application logs.
ENS logs: API token : [12341*********fasdf]
Boxer application logs: ensapitoken: 17413********************88c08
Sample of UnAuthorizedRequest log:
2019/11/06 10:38:20.413 KAVINASH-W03 cd790dc0-ca7e-4f3d-
b468-3c5181c34063 [0000000-0000000] (31) Warn
MailNotificationService.BusinessImpl.ApiKeyRepository.ValidateAsync User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] ApiKey header present
[True], Value Empty/Null: [False] API key dictionary has keys:[True] Key: [12341:fasdf]
2019/11/06 10:38:20.424 cd790dc0-ca7e-4f3d-b468-3c5181c34063 [0000000-0000000]
(31) Debug MailNotificationService.Controllers.EnsController.Unregister user
Id [1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] API token :
[12341*********fasdf]
2019/11/06 10:38:20.444 cd790dc0-ca7e-4f3d-b468-3c5181c34063 [0000000-0000000]
(31) Warn MailNotificationService.Controllers.EnsController.Unregister User Id:
[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Error Code:'23' Error
message: 'UnAuthorizedRequest'
Stack Trace: at
MailNotificationService.Controllers.EnsController.<Unregister>d__21.MoveNext() in
C:\Stash\MailNotificationService\Controllers\EnsController.cs:line 926
Badge Update for ENS Logs
Badge update is only supported for iOS devices. The badge notification starts displaying only
after the badge receives the first notification from ENS. The badge count is not seen in Boxer
immediately after the badge counter is configured and subscribed.
Sample of badge update ENS logs:
2019/11/11 12:27:55.416 A3 04f06dcb-a721-4a90-a2ff-2be8e007f533 [0000000-0000000]
(52) Debug
MailNotificationService.BusinessImpl.ExchangeNotificationParser.ScanEventNotificationAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Received
[ModifiedEvent] for subscription:
[EgBleGNoMjAxMy5tZW0xMy5vcmcQAAAAjoO0qTL7hk2FF7QvXOHC1BLv0sChZtcIEAAAACanmwmX5x5OpwfUW+dfdrQ=]
2019/11/11 12:27:55.525 A3 04f06dcb-a721-4a90-a2ff-2be8e007f533 [0000000-0000000]
(52) Info
MailNotificationService.BusinessImpl.PushNotificationBusiness.HandleMoveModifiedEventAsync
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] -BADGE UPDATE-
[5422] previous BADGE count is [5422] Received modified event for user
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586]
2019/11/11 12:27:55.525 A3 04f06dcb-a721-4a90-a2ff-2be8e007f533 [0000000-0000000]
(52) Info
MailNotificationService.BusinessImpl.NotificationsProcessor.AddNotificationToBatch User Id:
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] About to Post
Notification for user : [20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586]
and Device Id : [9]
2019/11/11 12:28:00.531 A3 d7893c08-3a06-46a1-a8a7-45361572b573 [0000000-0000000]
(16) Info MailNotificationService.BusinessImpl.CNSHelper.ComposeAPNSPushNotification
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Total unread
count retrieved [5422] for user
[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586]
2019/11/11 12:28:00.531 A3 d7893c08-3a06-46a1-a8a7-45361572b573 [0000000-0000000]
(16) Debug MailNotificationService.BusinessImpl.CNSHelper.ComposeAPNSPushNotification
User Id:[20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586] Sending to ::
User : [20943ad3f74ef04b3a2394b968cb46cc498f54994bdec0b3520d965e35356586], DeviceId : [9],
DeviceLogId : [], Message : messageId: []
2019/11/11 12:28:00.531 A3 d7893c08-3a06-46a1-a8a7-45361572b573 [0000000-0000000]
(16) Debug MailNotificationService.BusinessImpl.CNSHelper.CreateWebRequest User Id:[no-
user-id] CNS Url : [https://cns.awmdm.com/nws/notify/apns]
2019/11/11 12:28:00.531 A3 d7893c08-3a06-46a1-a8a7-45361572b573 [0000000-0000000]
(16) Debug MailNotificationService.BusinessImpl.CertificateHelper.ComputeCmsSignature
User Id:[no-user-id] Signing URL [/nws/notify/apns] with Cert [CN=AW Cloud Notification -
aTest]
2019/11/11 12:28:00.748 A3 d7893c08-3a06-46a1-a8a7-45361572b573 [0000000-0000000]
(16) Debug MailNotificationService.BusinessImpl.CNSHelper.ReadResponse User Id:[no-user-
id] Response {"status":"success","errorReason":null}
2019/11/11 12:28:00.748 A3 d7893c08-3a06-46a1-a8a7-45361572b573 [0000000-0000000]
(16) Info MailNotificationService.BusinessImpl.CNSHelper.ReadResponse User Id:[no-user-
id] ResponseCode OK
Understanding ENS Logs
The ENS logs contain information about registration, subscriptions, notifications, and the CNS
or the APNS delivery status. For the on-premises ENS, you can find the ENS2 log files at:
%ENS Installed Directory%\Logs\Email Notification Service. For example, the ENS2
log file can be at: C:\AirWatch\Logs\Email Notification Service. The name of the log file
is ENS.log.
Sample ENS2 log file:
2019/11/05 09:39:56.608 A3 9f08ed6d-0726-430c-8440-9c396443c7ca [0000000-0000000] (74) Debug MailNotificationService.BusinessImpl.ExchangeNotificationParser.ScanEventNotificationAsync User Id:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Received [CreatedEvent] for subscription: [JwBtbjJwcjE5bWIzMDA1Lm5hbXByZDE5LnByb2Qub3V0bG9vay5jb20QAAAAl4H5dKboFUm1kJ8ZNBKkJILRTBjMYdcIEAAAAAQ9tcFCKSZFrTOxLbSCwj4=]
The following table provides a description of a sample ENS2 log file.
| Log Format | Value |
|---|---|
| Date | 2019/11/05 09:39:56.608. The date is mentioned in the UTC format. |
| machinename | A3 |
| ActivityId | 9f08ed6d-0726-430c-8440-9c396443c7ca |
| threadid | (74) |
| logLevel | Debug |
| Logger | MailNotificationService.BusinessImpl.ExchangeNotificationParser.ScanEventNotificationAsync |
| Message | UserId:[1743604ea20cda831dc7aea285e7fdc011ca233caf0fa7d5d926916622dd182d] Received [CreatedEvent] for subscription: [JwBtbjJwcjE5bWIzMDA1Lm5hbXByZDE5LnByb2Qub3V0bG9vay5jb20QAAAAl4H5dKboFUm1kJ8ZNBKkJILRTBjMYdcIEAAAAAQ9tcFCKSZFrTOxLbSCwj4=] |
Note In the logs, the user name or email address appears as an alphanumeric string and not in
plain text. For example, the user ID appears as a string such as
4e9dc715faba719b266fe90f866caf8e377c08984cd1fd005bac72c7eba4db02. This string is a hash
value that is calculated from the email address.
You can use a SHA-256 hash calculator to translate any email address to a hash value. You can
then use the hash value to search the logs for any user.
To obtain the logs for the cloud ENS, you can access ENS2 logs through the LogInsight.
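The lookup described in the note above, as an added example (not VMware's code): it splits ENS.log records into the fields of the log-format table, hashes an email address with SHA-256, and returns that user's records together with records that share their ActivityId, such as the CNS response lines logged with `[no-user-id]`. Assumptions: one record per line, UTF-8 input to the hash, and grouping by ActivityId as seen in the badge-update sample; the sample lines are constructed, and the function names are hypothetical.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# One record per line (assumption): date, machinename, ActivityId, a bracketed
# field the page does not describe, (threadid), logLevel, Logger, Message.
RECORD = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<machinename>\S+)\s+"
    r"(?P<activity_id>[0-9a-fA-F-]{36})\s+"
    r"\[[^\]]*\]\s+"
    r"\((?P<threadid>\d+)\)\s+"
    r"(?P<log_level>\w+)\s+"
    r"(?P<logger>\S+)\s+"
    r"(?P<message>.*)$"
)
# "User Id:[<64 hex chars>]"; placeholders such as [no-user-id] do not match.
USER_ID = re.compile(r"User ?Id:\s*\[([0-9a-f]{64})\]")


def candidate_user_ids(email: str) -> List[str]:
    """SHA-256 hex digests to search for. The page does not say whether ENS
    normalises case before hashing, so try the address as typed and lowercased."""
    variants: List[str] = []
    for value in (email.strip(), email.strip().lower()):
        if value not in variants:
            variants.append(value)
    return [hashlib.sha256(v.encode("utf-8")).hexdigest() for v in variants]


def parse_record(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one ENS.log line into named fields. Returns None for lines that
    are not record headers, for example stack-trace continuation lines."""
    match = RECORD.match(line.rstrip("\n"))
    if match is None:
        return None
    record: Dict[str, Optional[str]] = dict(match.groupdict())
    uid = USER_ID.search(record["message"] or "")
    record["user_id"] = uid.group(1) if uid else None
    return record


def find_user_activity(lines: Iterable[str], email: str) -> List[Dict[str, Optional[str]]]:
    """Records for the user, plus every record sharing an ActivityId with them."""
    wanted = set(candidate_user_ids(email))
    records = [r for r in (parse_record(l) for l in lines) if r is not None]
    activities = {r["activity_id"] for r in records if r["user_id"] in wanted}
    return [r for r in records if r["activity_id"] in activities]


# Constructed sample lines, modelled on the badge-update sample on this page.
_UID = hashlib.sha256(b"user@example.com").hexdigest()
_OTHER = hashlib.sha256(b"other@example.com").hexdigest()
_LOGGER = "MailNotificationService.BusinessImpl.CNSHelper."
SAMPLE_LINES = [
    "2019/11/11 12:28:00.531 A3 d7893c08-3a06-46a1-a8a7-45361572b573 "
    f"[0000000-0000000] (16) Info {_LOGGER}ComposeAPNSPushNotification "
    f"User Id:[{_UID}] Total unread count retrieved [5422] for user [{_UID}]",
    "2019/11/11 12:28:00.748 A3 d7893c08-3a06-46a1-a8a7-45361572b573 "
    f"[0000000-0000000] (16) Info {_LOGGER}ReadResponse "
    "User Id:[no-user-id] ResponseCode OK",
    "2019/11/11 12:28:01.102 A3 00000000-0000-4000-8000-000000000002 "
    f"[0000000-0000000] (21) Debug {_LOGGER}ComposeAPNSPushNotification "
    f"User Id:[{_OTHER}] Total unread count retrieved [7] for user [{_OTHER}]",
    "   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(...)",
]

if __name__ == "__main__":
    for rec in find_user_activity(SAMPLE_LINES, "User@Example.com"):
        print(rec["date"], rec["log_level"], rec["logger"], rec["message"][:60])
```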
Troubleshooting the ENS2 SEG Errors
This section describes the troubleshooting steps you might have to perform due to
communication errors between the ENS2 and Exchange with SEGv2 as the proxy.
The following steps describe the interaction between the ENS2 and Exchange with SEGv2 as the
proxy.
1 Boxer application requests a public key from the ENS.
2 Boxer application encrypts the user credentials using the public key and sends a subscription
request to the ENS.
3 ENS requests a subscription to the Exchange server using the SEG URL which also contains
the encrypted credentials. The ENS also sends a client certificate. If the client certificate is
configured on the Boxer application profile, then the authentication received from the Boxer
profile is sent. For certificate-based authentication (CBA), when a register device request is
sent to the cloud ENS server, the ENS routes the request to the SEG with the certificate
information. The SEG follows the same token retrieval process similar to the ActiveSync
request.
4 SEG forwards the subscription request to the Exchange to complete the subscription.
The same authentication method configured in the Boxer application profile is used for
subscription. The ENS server callback URL is used to subscribe.
5 The Exchange server receives an email.
6 The Exchange server notifies the ENS callback URL of the subscriber that a new email has
arrived, so that the email client can be updated with the notification. The ENS fetches the
details of the email from the SEG.
7 The ENS server requests the CNS or SNS to send notification to the Boxer application or the
device of the subscriber.
8 The CNS or the SNS server contacts the Apple Push Notifications (APNs for iOS devices) or
GCM or FCM (for Android devices).
9 The APNS or GCM server pushes the email notification to the device.
Using the transaction ID received in the ews-transaction log, you can search the ews-proxy.log.
For example, if the transaction ID is 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 then search for
544ef2b7.
When you see 200 in the ENS transaction log, you can confirm if the notifications are going
through the CNS communication.
The Ews-transaction log sample.
Time, LogLevel, Thread Id, Message, HTTP-Method, Remote-Host, X-Forwarded-For, SEG TransactionId, Request-DeviceId, EnsDevices, EmailServerResponseStatus, SegResponseStatus, EmailRequestBodySize, EmailResponseBodySize, TimeTakenByKerberosService(ms), TimeTakenBySeg(ms), TimeTakenByEmailServer(ms), BeginningOfRequest
2018-12-03 17:20:15.696, DEBUG, (vert.x-eventloop-thread-0), Responding back to ENS,POST,192.168.2.34,null,544ef2b7-9ca3-4009-b116-8a9f6513f2c7,6C30D0304E7A4EE795494DEB0F465B72,"6C30D0304E7A4EE795494DEB0F465B72:200",200,200,1243,1147,2547,0,16,1543875613133
2018-12-03 17:20:18.274, DEBUG, (vert.x-eventloop-thread-0), Responding back to ENS,POST,192.168.2.34,null,d77ae46b-2d38-46b5-9548-3bcc25a1bf03,6C30D0304E7A4EE795494DEB0F465B72,"6C30D0304E7A4EE795494DEB0F465B72:200",200,200,673,1806,2547,0,16,1543875615711
2018-12-03 17:20:41.430, DEBUG, (vert.x-eventloop-thread-0), Responding back to ENS,POST,192.168.2.34,null,b639bdee-0cfa-42b5-82ea-0629ab1d586a,6C30D0304E7A4EE795494DEB0F465B72,"6C30D0304E7A4EE795494DEB0F465B72:200",200,200,1632,2464,2562,0,47,1543875638821
2018-12-03 17:21:16.462, DEBUG, (vert.x-eventloop-thread-1), Responding back to ENS,POST,192.168.2.34,null,ed0db6c1-9dd4-420a-83d3-e746cb17445c,82B15D853CC14CA3989020257158BFC1,"82B15D853CC14CA3989020257158BFC1:200",200,200,1632,3028,2563,0,47,1543875673852
2018-12-03 17:21:26.493, DEBUG, (vert.x-eventloop-thread-1), Responding back to ENS,POST,192.168.2.34,null,425fc495-4ae1-4c26-abc5-c30f34a376cf,82B15D853CC14CA3989020257158BFC1,"82B15D853CC14CA3989020257158BFC1:200",200,200,673,1815,2547,16,15,1543875683915
2018-12-03 17:22:46.649, DEBUG, (vert.x-eventloop-thread-1), Responding back to ENS,POST,192.168.2.34,null,ba0b13ad-b341-43e3-a4a9-d1a79c5330e0,82B15D853CC14CA3989020257158BFC1,"82B15D853CC14CA3989020257158BFC1:200",200,200,1632,3028,2547,15,32,1543875764055
2018-12-03 17:23:01.649, DEBUG, (vert.x-eventloop-thread-1), Responding back to ENS,POST,192.168.2.34,null,262cc2b2-8ae4-4ea7-b062-da2b2eb42a68,82B15D853CC14CA3989020257158BFC1,"82B15D853CC14CA3989020257158BFC1:200",200,200,673,1815,2547,0,15,1543875779087
2018-12-03 17:26:47.353, DEBUG, (vert.x-eventloop-thread-3), Responding back to ENS,POST,192.168.2.34,null,c7e5a6c9-b1b0-4739-9132-49470306882c,6C30D0304E7A4EE795494DEB0F465B72,"6C30D0304E7A4EE795494DEB0F465B72:200",200,200,673,1806,2547,0,94,1543876004712
2018-12-03 17:26:51.884, DEBUG, (vert.x-eventloop-thread-3), Responding back to ENS,POST,192.168.2.34,null,d5cf2470-d818-45f6-ab0e-dd68599d4aa8,6C30D0304E7A4EE795494DEB0F465B72,"6C30D0304E7A4EE795494DEB0F465B72:200",200,200,673,1806,2547,0,15,1543876009322
2018-12-03 22:06:55.421, DEBUG, (vert.x-eventloop-thread-2), Responding back to ENS,POST,192.168.2.34,null,93f7f097-bda5-417a-ac67-5667b4088c84,6C30D0304E7A4EE795494DEB0F465B72,"6C30D0304E7A4EE795494DEB0F465B72:200",200,200,673,1806,12000,16,234,1543892803171
2018-12-03 22:07:00.031, DEBUG, (vert.x-eventloop-thread-0), Responding back to ENS,POST,192.168.2.34,null,d10c08a4-49cd-4240-bcc0-ba9bb81f74f0,82B15D853CC14CA3989020257158BFC1,"82B15D853CC14CA3989020257158BFC1:200",200,200,673,1815,11969,0,188,1543892807874
2018-12-04 10:31:33.786, DEBUG, (vert.x-eventloop-thread-2), Responding back to ENS,POST,192.168.2.34,null,3844719b-73c6-4b77-91d8-8a7d8b9a97c0,82B15D853CC14CA3989020257158BFC1,"82B15D853CC14CA3989020257158BFC1:200",200,200,1632,3028,2563,15,516,1543937490692
The Ews-transaction log sample filtered using the 544ef2b7.
2018-12-03 17:20:13.133 DEBUG (vert.x-eventloop-thread-0) [c.a.s.e.h.EwsRequestReadHandler]
- 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - Incoming EWS request, Path: /EWS/Exchange.asmx.
Headers are
2018-12-03 17:20:13.133 DEBUG (vert.x-eventloop-thread-0) [c.a.s.e.h.EwsHelper]
- 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - Collected ENS devices:
[6C30D0304E7A4EE795494DEB0F465B72]
2018-12-03 17:20:13.133 DEBUG (vert.x-eventloop-thread-0) [c.a.s.e.h.EwsRequestReadHandler]
- 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - Getting device policy for request device
6C30D0304E7A4EE795494DEB0F465B72
2018-12-03 17:20:13.133 DEBUG (vert.x-eventloop-thread-0)
[c.a.s.e.h.EwsComplianceCheckHandler] - 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - Device list:
[6C30D0304E7A4EE795494DEB0F465B72]
2018-12-03 17:20:13.133 DEBUG (vert.x-eventloop-thread-0)
[c.a.s.e.h.EwsComplianceCheckHandler] - 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - Checking
compliance for device 6C30D0304E7A4EE795494DEB0F465B72
2018-12-03 17:20:13.133 DEBUG (vert.x-eventloop-thread-0)
[c.a.s.e.h.EwsComplianceCheckHandler] - 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - Device
6C30D0304E7A4EE795494DEB0F465B72 is compliant
2018-12-03 17:20:13.133 DEBUG (vert.x-eventloop-thread-0) [c.a.s.e.h.EwsRequestProxyHandler]
- 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 KCD authentication is (true), upn is
2018-12-03 17:20:15.680 DEBUG (pool-7-thread-5) [c.a.s.e.h.EwsRequestProxyHandler] -
544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - Successfully got kerberos token for UPN
[email protected] - token length 2024
2018-12-03 17:20:15.680 DEBUG (vert.x-eventloop-thread-0) [c.a.s.e.h.EwsRequestProxyHandler]
- 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - Proxying request to EWS
2018-12-03 17:20:15.680 DEBUG (vert.x-eventloop-thread-0) [c.a.s.e.h.EwsRequestProxyHandler]
- 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - EWS client request headers:
2018-12-03 17:20:15.696 DEBUG (vert.x-eventloop-thread-0) [c.a.s.e.h.EwsRequestProxyHandler]
- 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - EWS client response headers:
2018-12-03 17:20:15.696 DEBUG (vert.x-eventloop-thread-0) [c.a.s.e.h.EwsHelper] -
544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - Response headers from SEG to ENS:
X-AW-SEG-TRANSACTION-ID : 544ef2b7-9ca3-4009-b116-8a9f6513f2c7
2018-12-03 17:20:15.696 DEBUG (vert.x-eventloop-thread-0) [c.a.s.e.h.EwsRequestProxyHandler]
- 544ef2b7-9ca3-4009-b116-8a9f6513f2c7 - EWS response status 200, length 1147
The possible errors and solutions you might see during an interaction between the ENS2 and
Exchange with SEGv2 as the proxy are listed as follows:
Error: 404 / https://[segURL]/EWS/Exchange.asmx is not found
If you see this error in the ENS logs, then ensure you have enabled the EWS proxy in the SEG
server. If you have not enabled the EWS proxy in the SEG server then perform the following
steps.
1 Navigate to the SEG > Config folder using the File explorer.
2 Select the application.properties file and edit the file.
3 Select the enable.boxer.ens.ews.proxy value and update the value to
enable.boxer.ens.ews.proxy=true.
4 Save the file.
5 Restart the VMware AirWatch Secure Email Gateway service.
Sample of the application.properties file.
#######################################################################################################################################
############################# Start - HTTP endpoint path for SEG active-sync, syncML and REST API. ##################################
#######################################################################################################################################
# SEG HTTP server context path. This should be same as the context path of Email/Exchange server as Device won't know
# if it's sending request to email server or SEG Proxy. This value generally don't change but we want to give
# the ability to the Admin to change it, if needed in some exceptional cases.
# Right now Vertx doesn't support "ignore-case" on path, and also doesn't allow mounting sub-routers on RegEx.
# For now we're trying to avoid using RegEx anyway - https://groups.google.com/forum/#!topic/vertx/ck95b4juj4A
activesync.context.paths=/Microsoft-Server-ActiveSync,/microsoft-server-activesync
# Context path when SEG works as EWS proxy for ENS. EWS endpoint will be deactivated by default.
enable.boxer.ens.ews.proxy=true
ews.proxy.context.paths=/EWS,/ews
# Flag used to remove unsupported www-authenticate header such as NTLM and Negotiate (in absense of certificate) from EWS response to ENS.
remove.unsupported.auth.for.ews=true
Error: 401 - Please check the authentication type enabled in exchange (EWS endpoint)
If you see this error in the ENS logs, then the SEGv2 does not support the NTLM authentication. If
both the Basic and NTLM authentication mechanisms are enabled for the EWS endpoint, then the
SEGv2 version prior to version 2.9.0.1 cannot prefer Basic authentication over the unsupported
NTLM authentication.
This results in the ENS attempting the NTLM-based authentication for requests through the SEG,
which eventually causes 401 error responses as observed in the ews-transaction.log. If the user is
unable to deactivate the NTLM authentication mechanism for the EWS endpoint, and is using any
lower version of the SEG, then set up the KCD authentication for the ENS-SEG integration to work
correctly.
If you connect directly to the EWS endpoint on the SEGv2 proxy through the https://
[segURL]/EWS/Exchange.asmx URL, you might receive a 400 error message unless you connect
using a permitted device.
Error: The request was aborted: Could not create SSL/TLS secure channel
In the ENS logs, if you see the following error during the registration process, then the error
might be due to a cipher mismatch.
2019-12-05 15:33:40.5081|DEBUG|
MailNotificationService.BusinessImpl.ExchangeRetriesHandler.SubscribeForNotificationsAsync|
3ed2219d-42f2-4a2a-b857-ab7639ad1858|User Id:
[af03aa8bb3cae692442ec673b207fbe5666e0762bf3ca62cbaaa61c4208cd7bd] EWSUrl used to subscribe:
[https://uag.testdomain.com/ews/exchange.asmx]
2019-12-05 15:33:40.5550|WARN|
MailNotificationService.BusinessImpl.SubscriptionBusiness.SubscribeV2Async|3ed2219d-42f2-4a2a-
b857-ab7639ad1858|User Id:[af03aa8bb3cae692442ec673b207fbe5666e0762bf3ca62cbaaa61c4208cd7bd]
Service request exception occured for userId
[af03aa8bb3cae692442ec673b207fbe5666e0762bf3ca62cbaaa61c4208cd7bd], Inner exception message
[The request was aborted: Could not create SSL/TLS secure channel.].
To fix the cipher mismatch error, perform the following steps:
1 Run a TCP dump on the UAG or SEG. Check the reason for the handshake failure, using the
following commands. See the Troubleshooting Firewall and Connection Issues section in the
Deploying and Configuring VMware Unified Access Gateway guide.
/etc/vmware/gss-support/install.sh
tcpdump -i any -n -v -w /tmp/vmware/capture.pcap tcp
2 Open the TCP dump logs using Wireshark or any supported application. Filter the logs
based on the IP source and IP destination and check for the Client Hello request as shown in
the following log.
Use the tls.alert_message.level filter to search for the SSL error or alert in Wireshark.
Identify the source and destination IP, right-click, and select Follow > Follow TLS stream.
3 Right-click and open the Client Hello information.
4 Click Show packet > TLS 1.2 Record Layer > Handshake Protocol: Client Hello >
Transport Layer Security > Cipher Suites. You can see a list of cipher suites that the
client ENS is sending to initiate a secure communication as shown in the following image.
5 Ensure that the UAG or the SEG server has enabled the ciphers listed in the Client Hello
request.
Note To check for the enabled cipher suites in the UAG or the SEG server, you can use the
SSL report. Enter your SEG or UAG URL and wait for the test to complete. When the test is
complete, you might see the following result.
The following table lists all the response codes and messages in the SEG logs.
| Response Code | Message | Description |
|---|---|---|
| 204 | No Content | Indicates that the policy data is not loaded in the SEG to run the compliance check on the requesting devices. |
| 403 | Forbidden | Indicates that none of the devices listed in the ENS request headers are compliant. |
| 400 | Bad Request | Indicates that none of the devices listed in the ENS request header are found in the SEG device policy cache. |
| 5xx | | Indicates the server errors. |
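A triage pass over the ews-transaction log, tying its SegResponseStatus column to the response-code table above and to the 401 section. This is an added example, not VMware's tooling: it assumes one comma-separated record per line with the 18 columns shown in the sample header, the function names are hypothetical, and every row after the first in the embedded sample is constructed.

```python
import csv
import io
from typing import Dict, List

# Column order taken from the header line of the ews-transaction log sample.
COLUMNS = [
    "Time", "LogLevel", "Thread Id", "Message", "HTTP-Method", "Remote-Host",
    "X-Forwarded-For", "SEG TransactionId", "Request-DeviceId", "EnsDevices",
    "EmailServerResponseStatus", "SegResponseStatus", "EmailRequestBodySize",
    "EmailResponseBodySize", "TimeTakenByKerberosService(ms)",
    "TimeTakenBySeg(ms)", "TimeTakenByEmailServer(ms)", "BeginningOfRequest",
]

# Meanings from the SEG response-code table and the 401 section on this page.
SEG_STATUS_MEANING = {
    "204": "policy data is not loaded in the SEG, so the compliance check cannot run",
    "400": "none of the devices in the ENS request header are in the SEG device policy cache",
    "401": "check the authentication type enabled on the Exchange EWS endpoint",
    "403": "none of the devices listed in the ENS request headers are compliant",
}


def explain(status: str) -> str:
    """Map a SegResponseStatus value to the description given on this page."""
    if status in SEG_STATUS_MEANING:
        return SEG_STATUS_MEANING[status]
    if len(status) == 3 and status.startswith("5"):
        return "server error"
    return "not listed in the SEG response-code table"


def parse_transactions(text: str) -> List[Dict[str, str]]:
    """Parse ews-transaction.log text. skipinitialspace handles the ', '
    separators of the first columns; the csv module handles the quoted
    EnsDevices field. The header and lines with the wrong column count
    (wrapped or truncated records) are skipped."""
    rows = []
    for fields in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not fields or fields[0] == "Time" or len(fields) != len(COLUMNS):
            continue
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def triage(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per request that the SEG did not answer with 200."""
    findings = []
    for row in rows:
        status = row["SegResponseStatus"]
        if status == "200":
            continue
        txid = row["SEG TransactionId"]
        findings.append({
            "time": row["Time"],
            "transaction_id": txid,
            # First group of the ID: the string to search for in ews-proxy.log.
            "search_key": txid.split("-")[0],
            "device": row["Request-DeviceId"],
            "seg_status": status,
            "email_server_status": row["EmailServerResponseStatus"],
            "meaning": explain(status),
        })
    return findings


_HEAD = "DEBUG, (vert.x-eventloop-thread-0), Responding back to ENS,POST,192.168.2.34,null,"
SAMPLE_LOG = "\n".join([
    ", ".join(COLUMNS),
    # First record: copied from the sample on this page.
    "2018-12-03 17:20:15.696, " + _HEAD + "544ef2b7-9ca3-4009-b116-8a9f6513f2c7,"
    '6C30D0304E7A4EE795494DEB0F465B72,"6C30D0304E7A4EE795494DEB0F465B72:200",'
    "200,200,1243,1147,2547,0,16,1543875613133",
    # Constructed records below (made-up IDs and values).
    "2018-12-03 17:21:02.000, " + _HEAD + "aaaaaaaa-0000-4000-8000-000000000001,"
    'DEVICEA,"DEVICEA:403",null,403,1243,0,0,3,0,1543875660000',
    "2018-12-03 17:21:05.000, " + _HEAD + "bbbbbbbb-0000-4000-8000-000000000002,"
    'DEVICEB,"DEVICEB:400",null,400,673,0,0,2,0,1543875663000',
    "2018-12-03 17:21:09.000, " + _HEAD + "cccccccc-0000-4000-8000-000000000003,"
    'DEVICEA,"DEVICEA:502",502,502,673,0,0,5,30000,1543875639000',
    "ENS,POST,192.168.2.34,null",  # constructed: fragment of a wrapped line
])

if __name__ == "__main__":
    for f in triage(parse_transactions(SAMPLE_LOG)):
        print(f["time"], f["seg_status"], f["device"], f["search_key"], "-", f["meaning"])
```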
Troubleshooting Connection Issues to the ENS Database
When installing ENS, use the SQL authentication and not the Windows authentication to access
the ENS database. This topic is applicable for ENS on-premise installation only.
Problem: If you connect to the ENS database using the Windows authentication, then you
might receive the following error:
2018/11/05 19:55:40.800 EUROPA 80000005-0001-ff00-b63f-84710c7967bb [0000000-0000000]
(35) Error MailNotificationService.ProviderImpl.ApiTokensDataHandler.ApiTokensAsync
User Id:[ ] Error While loading the api tokens Exception [Cannot open database "ENS"
requested by the login. The login failed.
Login failed for user 'NT AUTHORITY\LOCAL SERVICE'.] StackTrace[ at
System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity,
SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo,
String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance,
SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool
pool, String accessToken, Boolean applyTransientFaultHandling)
Cause:
Connecting to the ENS database using the Windows authentication might cause this issue.
Use the SQL authentication to connect to your ENS database. In the solution steps provided,
NT AUTHORITY\LOCAL SERVICE is the name of the user account, and the database role
membership for the NT AUTHORITY\LOCAL SERVICE account must have db_owner and
public enabled.
To add an SQL account to the ENS database, perform the following steps:
1 Open the SQL Server Management Studio.
2 Navigate to Security > Logins and add NT AUTHORITY\LOCAL SERVICE.
3 Navigate to Security > Logins > NT AUTHORITY\LOCAL SERVICE > User Mapping
4 Select the ENS database and add the required permissions.
Troubleshooting SSL Errors
Use the SSL pinning certificate tool when the notifications are not delivered to the devices. This
tool is only used for troubleshooting purpose and is not a mandatory step during installation.
The following error message appears in the ENS logs while posting the notifications to CNS: The
underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure
channel.
Before you begin:
Download the latest certificate from the CNS Public Certificate.
The following procedure describes the steps to upload the SSL pinning certificate to the ENS.
1 Click the SSLPinningCertTool shortcut on the ENS server,
or navigate to the <ENS_INSTALL_DIR>\Email Notification
Service\Tools\SSLPinningCertTool\SSLPinningCertTool.exe file.
2 Click the Upload CNS Certificate button.
3 Select the certificate to be uploaded and click Submit.
Results: If the following screen appears, then the certificate is successfully added to the ENS
configuration file. Click OK to continue. After uploading the SSL pinning certificate on the
ENS, the tool adds the public key of the certificate to the ENS configuration file. When the
ENS posts payload to the CNS, the certificate validation is done against the newly added
certificate public key.
If the following screen appears, then the certificate is added successfully to the
resubscription configuration file. After uploading the SSL pinning certificate, the tool adds the
public key of the certificate to the resubscription configuration file. When the resubscription
mechanism posts payload to the CNS, the certificate validation is done against the newly
added certificate public key.
If the certificate is already present in both the configuration files, then the following prompt
message appears:
The upload pinning certificate process works as follows:
• The SSL pinning certificate tool tries to upload the certificate to the ENS configuration
file only if the provided certificate is not present in the ENS configuration file. If the given
certificate is already present, then the tool does not prompt any message and continues
to upload the same certificate to the resubscription configuration file.
• The SSL pinning certificate tool tries to add the certificate to the resubscription
configuration file only if the provided certificate is not present in the resubscription
configuration file. If the given certificate is present, then the tool does not prompt any
message to user.
• If the certificate is added to the resubscription configuration file, then restart the
AirWatch Resubscription Mechanism service in the Services tab.
Troubleshooting AirWatch AutoDiscovery Checker Service Errors
ENS2 depends on the CNS service to deliver email notifications to the devices. If the existing CNS
certificate expires then the CNS certificate rotation occurs. The autodiscovery checker service
gets the latest certificate and adds the certificate in the ENS server. If the autodiscovery checker
service fails to fetch the CNS certificate and add the certificate in the ENS, then ENS cannot
send the notifications to devices and receives an SSL error. Perform the following steps to
troubleshoot the AirWatch AutoDiscovery Checker service error.
1 Ensure that the AirWatch AutoDiscovery Checker service is running correctly.
2 Review the logs for the service at \{ENS installation directory}\Email Notification
Service\Services and ensure you are able to see the following log statements without
errors: New Certificate Added Successfully.
3 Review the file at \{ENS installation directory}\Email Notification
Service\Website\web.config and ensure that at least 8 pinned certificate elements are listed
under the <pinnedCertificates> section.
Troubleshooting Installer Error
The following VMware AirWatch root certificate error might occur if the installer is unable to
install the VMware AirWatch root certificate. To resolve this problem, ensure that the installer has
the appropriate privileges to install the certificate on the server.
Troubleshooting AutoDiscoveryChecker.log File Errors
The following list describes the possible errors for the AutoDiscoveryChecker.log file:
• Error while searching for public key in an existing config file
• Error occurred while updating the config file
• Exception while obtaining the latest certificates from auto discovery
The following errors might be displayed for the AutoDiscoveryChecker.log file:
• If the following URL is not reachable:
https://awtrustdiscovery.awmdm.com/autodiscovery/HostRegistry.aws?URL=cns.awmdm.com
• If the error is a result of a temporary network failure, the service must attempt to connect to
the endpoint again after 24 hours.
• If the ENS server is configured behind a reverse proxy, or if the outgoing traffic
is going through a proxy, then the auto discovery service does not go through the
proxy and the firewall rules must be updated to allow the IP address 192.30.68.111
for the ENS auto discovery service to be able to reach the following URL:
http://awtrustdiscovery.awmdm.com/autodiscovery/HostRegistry.aws?URL=cns.awmdm.com.
ENS2 Response Code and Error Code Details
If the Boxer application sends a request to the ENS, the ENS processes the request and sends a
response with a response code and message to the Boxer application. The following table lists all
the response codes and messages in the Boxer application logs and the ENS logs.
| Response Code | Message | Description |
|---|---|---|
| 14 | SubscribeAgain | If a subscription failed, then the ENS sends a subscribe again message to the Boxer application. |
| 8 | ErrorSubscribeOrUpdateDb | When you try to add a user or device details to the database during subscription, you might receive this error. |
| 23 | UnAuthorizedRequest | Authentication failed (API token mismatch) for the request from the Boxer application. |
| 32 | Failed (Handled Exception) | Registration failed with a handled exception. For example, the URL is not in the correct format. |
| 17 | Success | Indicates that the registration is successful. |
| 3 | UpdateSuccess | The Boxer application receives this response when: the Get the Public Key request is successful and the database is updated accordingly; the synchronization key for the user is successful and the database is updated accordingly; any device details update in the database, such as an update of the device token, is successful. |
| 4 | UpdateFail | ENS sends this response for multiple reasons. When you receive this response, verify the corresponding ENS logs and troubleshoot based on the message in the logs. |
| 5 | TokenDoesNotExists | ENS sends this response when the device record is absent. When you send a force register (by changing the notification sound in the Boxer application setting), a new device is created on the ENS server. |
| 6 | UserAlreadySubscribed | ENS sends this response when a user is already subscribed on the ENS server. |
| 7 | UserSubscribed | User subscription is successful. |
| 9 | NoRecordExists | ENS sends this response when a user record is absent. When you send a force register (by changing the notification sound in the Boxer application setting), a new user is created on the ENS server. |
| 15 | UserSubscribedNotUpdatedInDb | User subscribed but failed to add device details in the database. In this case, ensure that the connection from the ENS to the database is working correctly or the user has permission to update the database. |
| 16 | FailedToGetEwsUrlFromAutoDiscovery | Unable to determine the Exchange version after autodiscovery. |
| 21 | EmailFetchfailed | Fetching email information from the EWS failed. |
| 24 | DeviceUnregisteredUserUnsubscribed | Unsubscribe successful and the user is unregistered. |
| 25 | DeviceUnregistered | The device is deleted from the database. |
| 26 | DeviceNotRegistered | The device is not registered. |
| 28 | UserSubscriptionNotFound | User record does not exist. |
| 29 | UserRecordPresentNotSubscribed | User records are present but not subscribed. |
| 30 | SubscribedNeedsUpdate | User has already subscribed and must be added to the database. |
| 34 | InvalidDecryptedPayload | Payload is encrypted with a wrong public key. |
| 35 | EWSUrlMismatch | Unsubscribing with the wrong EWS URL. The EWSUrl for the register request and Exchange service is not the same. |
| 36 | InvalidAuthType | Indicates the invalid authentication type. |
Troubleshooting the CNS Errors
Error: Keyset does not exist
If you see the following error in the ENS logs while posting the notifications to CNS, then it
could be due to a permission issue.
2022/06/29 07:12:22.766 ENSUPGRADE 0f72abe9-d91d-4544-9608-02f38a8613a0 [000000 -0000000]
(9) Error MailNotificationService.JwtTokenGenerator.JwtTokenGenerator.GenerateCnsJwtToken
User Id:[ ] Exception occurred while generating jwt token
[System.Security.Cryptography.CryptographicException: Keyset does not exist
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean
randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType
keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize,
SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at
System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at
System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters
parameters, Boolean useDefaultKeySize) at
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at
System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Ce
rtificate2 certificate) at
Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKey() at
Microsoft.IdentityModel.Tokens.X509SecurityKey.get_PrivateKeyStatus() at
Microsoft.IdentityModel.Tokens.AsymmetricSignatureProvider..ctor(SecurityKey key, String
algorithm, Boolean willCreateSignatures) at
Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider(SecurityKey key,
String algorithm, Boolean willCreateSignatures, Boolean cacheProvider) at
Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateForSigning(SecurityKey key, String
algorithm, Boolean cacheProvider) at
Microsoft.IdentityModel.JsonWebTokens.JwtTokenUtilities.CreateEncodedSignature(String input,
SigningCredentials signingCredentials) at
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateJwtSecurityTokenPrivate(String
issuer, String audience, ClaimsIdentity subject, Nullable`1 notBefore, Nullable`1 expires,
Nullable`1 issuedAt, SigningCredentials signingCredentials, EncryptingCredentials
encryptingCredentials, IDictionary`2 claimCollection, String tokenType) at
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateJwtSecurityToken(SecurityTokenDe
scriptor tokenDescriptor) at
MailNotificationService.JwtTokenGenerator.JwtTokenGenerator.GenerateCnsJwtToken()]
Depending on the type of SQL login, perform the following steps to resolve the permission issue:
Login Type: SQL Server Login (user/password)
1 Enter the SQL server login username and password.
Email Notification Service 2 (ENS2)
VMware, Inc. 103
2 If the customer is using SQL user to communicate with the database, then by default ENS
application pool identity account is set to NetworkService.
3 Change the application pool identity from NetworkService to LocalSystem to resolve the
issue as the local system has higher privilege to access the system level resources.
Email Notification Service 2 (ENS2)
VMware, Inc. 104
Login Type: Windows user or Active Directory (AD) user: If the customer is using AD user to
communicate with the database, then by default ENS application pool identity account is set to
AD user. To resolve the issue, add the AD user as a member of the Domain Admins and restart
the ENS machine.
In the following example, BSB02\avinash is an AD user and the identity is set to the AD user
itself.
Ensure that the AD user is a member of the Domain Admins in the Active Directory > User
Properties.
Enable Trace Level Logging for Enhanced Debugging
To help debug and troubleshoot rare issues, ENS2 version 1.5 or later supports trace level
logging. To enable trace level logging, you must upgrade to ENS 1.5 or later and perform the
following steps to change the log level to ActivityTrace.
1 Navigate to the <INSTALL_FOLDER>\Email Notification Service\WebSite\Web.config path.
2 Change the value of <loggingConfiguration level="Verbose" /> to
<loggingConfiguration level="ActivityTrace" />
3 Navigate to the <INSTALL_FOLDER>\Email Notification Service\Services\ReSubscriptionMechanism.exe.config path.
4 Change the value of <loggingConfiguration level="Verbose" /> to
<loggingConfiguration level="ActivityTrace" />
Result
You can view the trace level logs in the log files within 30 minutes to an hour.
Note: The trace logs might contain PII that the customer might not wish to share. In
such cases, you can mask the PII.
To mask the PII, you must manually replace the text with *. For more information, see
the following example.
Original trace log without masking:
Trace logs after masking, that is, manually replacing text with *.
Deactivate Trace Logging
You must deactivate trace logging after you enable trace logging and debug the issue.
To deactivate trace logging, change the loggingConfiguration level value from ActivityTrace to
Verbose in all the configuration files where the changes were previously made.
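One way to script the enable and deactivate steps above, and to check afterwards that no file was left at ActivityTrace, as an added example (not VMware tooling). The function names and the constructed sample tree are assumptions; only the two file paths, the element name and the two level values come from this page.

```python
import re
import tempfile
from pathlib import Path

# The two files named in the steps above, relative to <INSTALL_FOLDER>.
CONFIG_FILES = (
    Path("Email Notification Service", "WebSite", "Web.config"),
    Path("Email Notification Service", "Services", "ReSubscriptionMechanism.exe.config"),
)
# Captures the level attribute of the <loggingConfiguration ...> element only.
LEVEL_RE = re.compile(r'(<loggingConfiguration\b[^>]*?\blevel=")([^"]*)(")')


def current_levels(install_folder):
    """Return {relative path: level, or None if the element is missing}."""
    levels = {}
    for rel in CONFIG_FILES:
        text = (Path(install_folder) / rel).read_bytes().decode("utf-8")
        match = LEVEL_RE.search(text)
        levels[str(rel)] = match.group(2) if match else None
    return levels


def set_level(install_folder, level):
    """Set the level in both files and return the files that were rewritten."""
    if level not in ("Verbose", "ActivityTrace"):
        raise ValueError("only the two levels named on this page are handled")
    pending = {}
    for rel in CONFIG_FILES:                       # validate everything first
        path = Path(install_folder) / rel
        text = path.read_bytes().decode("utf-8")   # bytes I/O keeps BOM and CRLF
        new_text, count = LEVEL_RE.subn(
            lambda m: m.group(1) + level + m.group(3), text)
        if count != 1:
            raise RuntimeError(f"expected one loggingConfiguration element in {path}")
        if new_text != text:
            pending[rel] = (path, new_text)
    for path, new_text in pending.values():        # then write
        path.write_bytes(new_text.encode("utf-8"))
    return [str(rel) for rel in pending]


def trace_still_enabled(install_folder):
    """Files still at ActivityTrace; run after debugging to confirm deactivation."""
    return [name for name, level in current_levels(install_folder).items()
            if level == "ActivityTrace"]


def make_sample_install(root):
    """Constructed sample tree standing in for <INSTALL_FOLDER> (not real ENS files)."""
    for rel in CONFIG_FILES:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b'<configuration>\r\n  <loggingConfiguration level="Verbose" />\r\n'
                         b'</configuration>\r\n')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_sample_install(root)
        print(set_level(root, "ActivityTrace"), trace_still_enabled(root))
        print(set_level(root, "Verbose"), trace_still_enabled(root))
```

Against a real installation, pass the folder found through the Appendix procedure as install_folder and run the script with an account that can write to both files.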
11 Frequently Asked Questions about ENS2 Functionality
This section lists and describes some of the frequently asked questions (FAQs) about the ENS2
functionality.
How are the credentials or authentication tokens handled?
Although the client shares the credentials or tokens with the ENS2 environment upon
registration, the credentials or tokens are not saved on the Workspace ONE UEM servers. The
Exchange server sends the encrypted authentication information to the Workspace ONE UEM
as part of a notification when a new email is available. From that notification (Exchange to the
ENS2), the credentials are decrypted and used to make any requests necessary to the Exchange
server. The credentials are discarded after performing the necessary requests.
If credentials are not saved, what data does the ENS save? How secure is the ENS?
■ Workspace ONE stores a list of devices and a list of public-private key-pairs used to decrypt
the credentials when the notifications are sent from the Exchange. The database is saved on
a Virtual Private Cloud (private subnet) secured using a firewall. There is no direct access from
the Internet to this subnet. All access is controlled using VPC and firewall rules and only web
servers with a single account have access to the database.
■ Workspace ONE saves the log files to help debug issues and monitor the system. The log
does not contain any private information (PI) of the customers and access is secured using
the account permissions. ENS logs the first five characters of the email subject to help debug
and troubleshoot any issues with the email notifications.
Where is the ENS hosted? Are there instances configured to serve each region based on data
sovereignty laws?
The ENS is hosted in multiple regions. We have various environments spanning the US, Europe,
and Asia regions that permit us to abide by data sovereignty rules.
What data is transmitted through the ENS server without being saved? How is it secured?
■ User credentials that are encrypted with RSA encryption.
■ Email subject and sender (sent using HTTPS).
■ Future functionality: The functionality to control what data (if any) is sent or fetched for
the notification. You can also control the data from an email that is used in the notification
payload.
■ All communication is made through HTTPS.
What is the dependency of ENS on cloud services?
■ AWS Simple Notification Service (SNS) is used for managing push notification in the AWS
Cloud deployment.
■ Cloud Notification Service (CNS) is mandatory for passing notifications to Apple/Android
devices for on-premises deployments.
■ AWS Relational Database Service (RDS) is used for the data persistence.
When sending requests to the Exchange, which user agent does the ENS2 use?
The ENS2 uses the MailNotificationService/v2 (ExchangeServicesClient/15.00.0913.015) user
agent. The value '15.00.0913.015' changes as new libraries from Microsoft are released and are
updated for using ENS2.
What email folders does ENS2 monitor for incoming messages and actions?
ENS2 only monitors a user’s Inbox folder.
How does the ENS server authenticate a device before subscribing (Boxer application) to the
notifications?
Each ENS tenant is issued an access token, and the device provides the token to access the ENS
APIs. In addition, the user credentials are required to create a subscription for a user.
How is the ENS server discovered on the device? Which application is used?
The Boxer application is configured with an ENS endpoint provided by the Workspace ONE
console. The Boxer application manages the ENS subscriptions.
How does the application authenticate the ENS server?
The Boxer application uses certificate pinning to validate the ENS endpoint.
How are the public-private keys generated and managed on the ENS server? One key at the
time of installation or one key (or key-pair) per mailbox or user ID?
The public-private key-pairs are generated in advance and stored in the ENS database. Each
device is assigned a unique key-pair when the device registers with the ENS service.
How many pairs of public-private keys are used for moving credentials from the device?
There is one key-pair for each user that is used to encrypt all sensitive data transmitted from the
client.
How are the keys and secrets managed on the ENS server?
Public-private key-pairs, hashed email ID, device ID, partial certificate, APNS token, EWS URL,
and subscription ID are used to manage the keys and secrets on the ENS server.
When a device initiates a connection to the ENS server, what measures are taken on the client
side and the ENS server to protect against a man-in-the-middle attack?
The device uses TLS pinning to ensure that the device is connected to a valid ENS endpoint.
What security measures are used in the notification subscription flow to ensure that a user's
credentials cannot be intercepted in transmission?
In the older version of the ENS, the device provides the EWS endpoint used for subscriptions or
the Autodiscover dynamically provides the EWS endpoint. In the latest version of the ENS, a set
of EWS endpoints and their associated certificate fingerprints is associated with each API token,
and the ENS server connects to the pre-configured endpoints validated by their fingerprints.
What data is stored by the ENS locally?
Each ENS server is stateless, apart from the API key, which is refreshed every hour.
What data is stored by the ENS on the SQL server?
The ENS stores the public-private key-pairs, hashed email ID, device ID, partial certificate,
APNS token, EWS URL, and subscription ID on the SQL server.
How does the ENS handle connections to the SQL server?
The ENS stores the encrypted connection string in the web.config file which is decrypted and
used to open a connection with the database.
How are credentials to the SQL server managed and secured by the ENS server?
Credentials are present in the configuration file and are encrypted with the
RsaProtectedConfigurationProvider.
How does the connection pooling and failover work with redundant SQL servers?
The ENS fully supports SQL Always ON.
In a deployment scenario where the redundant servers are across different data centers, how is
the data replicated across the data centers?
The ENS does not provide any explicit support for multiple data centers.
Does VMware have any guidelines for hardening the ENS server?
Only the standard server hardening procedures apply. The only requirement is that the server
must be accessible through HTTPS.
Does VMware have any guidelines for hardening the SQL Server (that accepts the connections
from the DMZ hosted on the ENS server)?
Only the standard server hardening procedures apply. The only requirement is that the ENS
server can connect to the SQL server endpoint.
Does the ENS server work if the connection from the device is bridged at a reverse-proxy or
load-balancer? The connection terminates on the proxy and a separate connection transmits the
payload.
The only requirement is that the device can communicate with the ENS endpoint over plain
HTTPS. Long-running connections or other special behavior is not required, so a standard proxy
might not cause problems.
How are the service account credentials managed on the ENS server?
The ENS2 does not use any service account.
How are the APNS certificates provisioned and handled on the ENS server?
The ENS servers do not directly require APNS certificates. The ENS notifications are routed
through the CNS, and the communication between the ENS and CNS is authenticated through
mutual TLS. The CNS certificate is provisioned from the Workspace ONE console and stored
in the web.config file on the ENS.
How does the ENS construct the webhook URL?
Whenever the ENS receives a request, the ENS extracts the requesturi and uses the
requesturi as the webhook URL. When a request is made to the registerdevicev2 endpoint, the
ENS gets the credentials in the encrypted format, and the same encrypted data is added to
the webhook URL query parameters. The credentials are the user name and password for
basic authentication, the Oauthaccesstoken for OAuth, and the CBA data for CBA.
How are the user credentials encrypted and encoded for the webhook URL?
The user credentials are encrypted with an asymmetric cryptographic algorithm, that is, RSA
with Public-Key Cryptography Standards 1 (PKCS 1) padding, using the BouncyCastle crypto
library. After encryption, the credentials are encoded using HttpUtility.UrlEncode.
What encryption methods and tools are used to encrypt the user credentials for the webhook
URL?
RSA encryption with the PKCS 1 padding algorithm is used. For more information on PKCS 1, see
bcgit/bc-csharp.
If two users share the same password, will the encrypted password in the webhook URL have
the same value?
Because RSA encryption with PKCS 1 padding is used, a different encrypted payload is obtained
even when two inputs or passwords are the same.
Can local caching storage be used for password storage? After using the plaintext password
(credential) to fetch the email, how is the password purged?
The ENS does not cache anything in local storage after decrypting the credentials. The
ENS synchronizes with the Exchange and the object holding the password is disposed.
How does the flow work when the ENS server decrypts the user credentials (password) to
plaintext to fetch the email?
The ENS decrypts the credentials (that are part of the callback URL on which the ENS receives
notifications from the Exchange) using the private key of the user and synchronizes with the
Exchange to get the email information.
Does the ENS server need a service account for the Exchange server? If yes, what are the
required access privileges?
The ENS is explicitly designed to operate with no service accounts.
How does the ENS authenticate with the EWS or the Exchange? How are the credentials
managed?
The device initiates all the EWS subscriptions using the user credentials stored on the device.
The device encrypts the user credentials with a unique public-private key-pair and calls the
subscription endpoint. The ENS service decrypts the credentials and uses the credentials to
create the EWS subscription.
The credentials are not stored in memory.
How does device resubscription to notifications work after a user has changed the
password on the Exchange?
When the ENS endpoint notices that a subscription has failed, the ENS sends a silent push
notification to the device to inform that the subscription must be recreated. In addition, the
device can call a status endpoint on the ENS service to determine if a subscription is active. This
permits the device to determine if the device must resubscribe to the ENS at the application start
time.
How does the ENS protect against device spoofing to ensure only devices enrolled on the
Workspace ONE UEM are allowed?
If a strict device compliance is required, the ENS configuration must use a SEG to communicate
with the EWS, instead of connecting to the EWS directly. The ENS server includes the device
IDs in all calls to the SEG. The SEG validates if the device IDs are compliant before allowing the
subscriptions to be created.
Does the ENS check periodically if a device is compromised before sending push notifications
to that device?
When the ENS is configured to communicate with the EWS through the SEG, the SEG prevents
the ENS service from retrieving notifications for the compromised devices.
How is the Boxer application configured for registering with the ENS for email notifications?
The configuration for using the ENS is provided to the Boxer application through the same
channel as all other Boxer configurations.
Assuming there is a URI in the Boxer configuration for making the initial connection to the
ENS, provide a sample URI.
An ENS endpoint URL is similar to https://ens.getboxer.com/api/ens. To find a list of available
cloud ENS endpoints, see the ENS Endpoints and IP Allowlist section in the Chapter 4 Configure
your Email Notification Service for Cloud Deployment topic.
How is the webhook URL constructed with the user credentials encrypted encoding inline?
Example of a sample webhook URL:
http://10.89.240.187/mailnotificationservice/api/ens/pushnotificationlistener?id=4&f=Plaw5DIs0czKmhmWowIJnj%2bFsjDPNt0Eplgg5EaBqgiVsrAmli%2bIXLy9ik8JIUklQsELIefjp7z8jBgSA2nxa4p7Hwxze6jUiT39%2bjaAea8df7rMUN3xjAtJPTb60ifXHULlH%2bjLPIRMeN92zNJGAU50Cj%2fp2fpq
Here, the id is the userinfoid pertaining to a single user and the parameter f is
the filler key containing the encrypted information.
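The encrypt-then-encode flow from the answers above (RSA with PKCS 1 padding, URL encoding, the result carried in the f parameter), as an added example that is not ENS code. It writes out PKCS 1 v1.5 padding by hand over a constructed, deliberately weak demo key to show why two identical passwords yield different f values. The Base64 step, the credential string layout, the host name and the function names are assumptions.

```python
import base64
import os
from urllib.parse import parse_qs, quote, urlsplit

# Constructed demo key from two Mersenne primes, so no key generation is needed.
# It is trivially factorable: for illustration only, never for real credentials.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8           # modulus length in bytes

# Constructed sample values; the "user:password" layout is an assumption.
BASE = "https://ens.example.test/mailnotificationservice/api/ens/pushnotificationlistener"
CREDENTIALS = b"user@example.test:Sample-Passw0rd"


def pkcs1_encrypt(message: bytes) -> bytes:
    """PKCS 1 v1.5 encryption: EM = 00 || 02 || PS || 00 || M, then EM^E mod N."""
    pad_len = K - 3 - len(message)
    if pad_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytearray()
    while len(ps) < pad_len:            # PS is random and must not contain 0x00
        ps += bytes(b for b in os.urandom(pad_len) if b != 0)
    em = b"\x00\x02" + bytes(ps[:pad_len]) + b"\x00" + message
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def pkcs1_decrypt(ciphertext: bytes) -> bytes:
    """Reverse the RSA operation and strip the padding."""
    em = pow(int.from_bytes(ciphertext, "big"), D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:   # PS must be at least 8 bytes
        raise ValueError("decryption error")
    return em[sep + 1:]


def build_webhook_url(base: str, user_info_id: int, credentials: bytes) -> str:
    """Encrypt, Base64 (assumed), URL-encode, and place the blob in f."""
    blob = base64.b64encode(pkcs1_encrypt(credentials)).decode("ascii")
    # quote() writes %2B and %2F; .NET's HttpUtility.UrlEncode writes the same
    # escapes in lower case (%2b, %2f), as in the page's sample URL.
    return f"{base}?id={user_info_id}&f={quote(blob, safe='')}"


def read_webhook_url(url: str):
    """Server side: recover (id, credentials) from the callback URL."""
    query = parse_qs(urlsplit(url).query)
    return int(query["id"][0]), pkcs1_decrypt(base64.b64decode(query["f"][0]))


if __name__ == "__main__":
    first = build_webhook_url(BASE, 4, CREDENTIALS)
    second = build_webhook_url(BASE, 5, CREDENTIALS)   # same password, other user
    print(first.split("&f=")[1] != second.split("&f=")[1])
    print(read_webhook_url(first))
```

The random PS bytes are what make each ciphertext unique; without the padding, equal inputs under the same key would produce equal outputs.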
How is the payload of push notification constructed with any enrichment and/or trimming of
data pulled from the Exchange by the ENS?
On receiving a webhook from the EWS that a new message has arrived, the ENS server decrypts
the credentials in the webhook parameters. The ENS uses the credentials to call back the EWS to
collect the details of any new messages. This data is used to form any APNS notifications to be
sent. The PolicyLimitNotificationText key in the Boxer configuration controls the content of the
generated notifications. The content is later passed to the ENS server. The following options are
available:
Values Description
0 Sender, subject, and preview
1 Sender and subject
2 Sender only
3 Generic message (new message)
4 Set the notification to none (only the badge is updated).
What are the crypto libraries and binaries used by the ENS?
The ENS uses the BouncyCastle.crypto library. For more information about the
BouncyCastle.crypto library, see the Bouncy Castle page.
Are the credentials stored in the memory of the ENS servers? If yes, for how long are the
credentials stored and what are the mitigating controls to prevent an unauthorized person from
accessing this data?
When the ENS receives push notifications from the Exchange with encrypted credentials, the
ENS decrypts the credentials in memory and sends a web request to the Exchange server with
the credentials to retrieve the subject and summary of the new email. The ENS then sends
push notifications through the SNS and discards the credentials from the memory. This process
takes less than a minute. Nobody has access to the credentials data as the data is not stored
anywhere.
Credentials are discarded after performing the necessary requests. Provide more information
on the discarding process.
The ENS runs on .NET, which provides garbage collection for unused objects in the memory.
The ENS depends on this process to clean up the memory.
Can third-party SIEM tools be integrated with the ENS? Does VMware support any form
of internal monitoring and maintenance of access logs to the ENS to identify suspicious or
malicious events?
Currently, the ENS does not have a solution to feed data into the SIEM solution. You can contact
your support or account team with your requirements.
Describe the monitoring access level the ENS2 has on the Inbox folder. Is ENS able to view the
email details (sender, subject and email body) contained in Inbox folders?
The ENS can only access the sender, subject, and the preview fields. The ENS does not
synchronize or fetch the entire Inbox folder. The ENS fetches the data for only one email at a
time and discards it after constructing a notification.
Are copies of emails stored on the ENS server or does the ENS server act as a middle-man to
pass email details and notifications to the mobile device through the AWS SNS?
Email data is not stored in the ENS server.
Can the OAuth token used to get the mail information (sender, recipients, subject, if
mail attachment) be used for the Exchange notification scope only (and to get only this
information)? Or does the OAuth token have the permission to read or write emails (and see all
content of an email)?
The ENS relies on the EWS.AccessAsUser.All permission to gain access to email information
using the OAuth token. Microsoft does not provide granular permissions for the EWS access. The
EWS.AccessAsUser.All is the only permission you can provide to gain access to the EWS. The
ENS fetches the required information about a new message (sender, recipient, subject, and so
on) when the Exchange notifies the ENS through a push notification. The ENS then sends this
information to the APNS or FCM and discards the information. The ENS never reads any other
information or stores the information on the ENS server.
Both the Boxer application and the ENS share application registration on the Azure AD and the
Boxer application uses these permissions.
12 Appendix
This section describes the steps to locate your ENS folder or identify the value of ENS install
folder.
How to Locate your ENS Folder?
To locate your ENS folder or to identify the value of your <Install_Folder>, perform the following
steps:
1 Open the IIS Manager. For more information to open the IIS Manager, see the Open IIS
Manager (IIS 8) topic.
2 Expand the nodes to locate the MailNotificationService.
3 Right-click the MailNotificationService node and click Explore.
4 The Explorer opens and displays the path of the Email Notification Service.