Forum Discussion
Certificate based SSO from an iPhone for Exchange with APM
There are two important considerations when using certificates for authentication:

- In and of itself, a certificate is a single factor of identity assertion, like a username. Exchange, SharePoint, and really anything that relies on AD, won't simply support a certificate as a way to authenticate a user, unless perhaps you terminate the client-server SSL session directly at the Exchange/SharePoint server. That's not usually an easy config, and it generally eliminates anything more functional than layer 4 load balancing. Instead, you may want to consider doing Kerberos SSO to your Exchange environment - a native and well-supported approach. Prompt the client for a certificate on the client side of APM, optionally do some certificate revocation checking and other vetting, and then apply a Kerberos SSO profile that consumes the userPrincipalName from the certificate.

- As I mentioned in the beginning, a certificate is a single factor of identity assertion. There are ways to make certificates multi-factor, like deploying them in smartcards that require a unique PIN to access, but generally speaking the "software" certificates that will be installed on the users' mobile devices will be as much tied to the device as to the user. If the device is compromised, there's really nothing to protect from rogue use of the certificate other than having it revoked (or whatever MDM controls you have in place). Considering the complexity required to compromise most modern phones though, that may be an acceptable risk (probably still better than a password).
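The certificate-to-Kerberos mapping the answer describes, as an added example that is not part of this thread or of F5's own code: a minimal DER walk that pulls the userPrincipalName out of a client certificate's SubjectAltName (the Microsoft UPN otherName, OID 1.3.6.1.4.1.311.20.2.3) and maps it to a Kerberos principal only when the UPN suffix belongs to a realm the SSO layer trusts. The sample SAN bytes, user and realm names are constructed.

```python
# Added example, not from the forum thread or from F5 APM. Shows where the UPN
# lives in a client certificate (SAN otherName with the Microsoft UPN OID) and
# why an SSO layer should check the UPN suffix before minting a Kerberos
# principal from it: any CA you trust could issue a cert carrying any suffix.
from typing import Iterator, Optional, Set, Tuple

MS_UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk consecutive DER TLVs, yielding (tag, content)."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n


def upn_from_san(san: bytes) -> Optional[str]:
    """Return the UPN from a DER SubjectAltName value, or None if absent."""
    outer = list(tlvs(san))
    if len(outer) != 1 or outer[0][0] != 0x30:   # GeneralNames SEQUENCE
        return None
    for tag, gn in tlvs(outer[0][1]):
        if tag != 0xA0:                           # otherName is [0]; rfc822Name [1] etc. ignored
            continue
        parts = list(tlvs(gn))                    # OID, then [0] EXPLICIT value
        if len(parts) != 2 or parts[0] != (0x06, MS_UPN_OID):
            continue
        vals = list(tlvs(parts[1][1]))
        if len(vals) == 1 and vals[0][0] == 0x0C:  # UTF8String
            return vals[0][1].decode("utf-8")
    return None


def kerberos_principal(upn: Optional[str], allowed_realms: Set[str]) -> Optional[str]:
    """Map user@suffix to user@REALM; reject suffixes the SSO layer does not trust."""
    user, sep, suffix = (upn or "").rpartition("@")
    if not sep or not user or suffix.upper() not in allowed_realms:
        return None
    return f"{user}@{suffix.upper()}"


# Constructed sample SAN: an rfc822Name plus a Microsoft UPN otherName.
SAMPLE_SAN = der(0x30, der(0x81, b"jdoe@example.com")
                 + der(0xA0, der(0x06, MS_UPN_OID) + der(0xA0, der(0x0C, b"jdoe@corp.example.com"))))

if __name__ == "__main__":
    upn = upn_from_san(SAMPLE_SAN)
    print(upn, "->", kerberos_principal(upn, {"CORP.EXAMPLE.COM"}))
```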