Requirements for S/MIME Setup
S/MIME in Exchange Online must first be configured as described in the ‘Configure S/MIME in Exchange Online’ article. That includes setting up the virtual certificate collection (the trusted root and intermediate certificates Exchange Online uses to validate user certificates) and publishing the certificate revocation list (CRL) on the internet, where both Exchange Online and the clients can reach it.
Whether certificates are distributed manually or automatically, the trusted root chain of the certificates must be present in the Exchange Online virtual certificate collection, or trust validation fails. Exchange Online validates a certificate by walking the chain node by node until it reaches a trusted root certificate, and checks each certificate against the published revocation list; a CRL distribution point that is only reachable from the corporate network therefore causes validation failures. Outlook for iOS and Android additionally compares the primary SMTP address in the user’s account profile against the subject (E=) or subject alternative name (rfc822Name) of the certificate; if they do not match, the certificate options for signing or encrypting messages are not offered.
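The following PowerShell is an added example, not part of the original article: it publishes the issuing chain to the Exchange Online virtual certificate collection and then runs the same three checks against a user certificate that Exchange Online and the mobile clients apply (chain to a trusted root with revocation checking, secure e-mail EKU, and a subject/SAN match with the primary SMTP address). The file paths and the address are placeholders.

```powershell
# Added example (not from the original article): pre-flight checks for an S/MIME
# certificate before distributing it to Outlook for iOS/Android.
# Assumptions: the ExchangeOnlineManagement module is installed, C:\pki\roots.sst
# is a serialized certificate store (exported from certmgr.msc) holding the
# root/intermediate chain, and C:\pki\alice.cer is the user's public certificate.

# 1. Publish the trusted chain to the Exchange Online virtual certificate collection.
Connect-ExchangeOnline
$sst = [System.IO.File]::ReadAllBytes('C:\pki\roots.sst')
Set-SmimeConfig -SMIMECertificateIssuingCA $sst
Get-SmimeConfig | Format-List SMIMECertificateIssuingCAExpirationDate, SMIMECertificatesExpiryDate

# 2. Validate the user certificate the way the clients will.
function Test-SmimeUserCertificate {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$PrimarySmtpAddress
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $result = [ordered]@{}

    # Build the chain with online CRL/OCSP checking for every node. This fails when
    # the root is untrusted on this machine or the revocation endpoint is unreachable,
    # which is exactly what Exchange Online will hit if the CRL is not public.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $result.ChainValid  = $chain.Build($cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    # Secure e-mail EKU (id-kp-emailProtection, 1.3.6.1.5.5.7.3.4).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $result.HasEmailProtectionEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' }))

    # Outlook for iOS/Android matches the mailbox's primary SMTP address against
    # the subject's E= attribute or an rfc822Name entry in the SAN extension.
    $subjectEmail = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $result.AddressMatches = ($subjectEmail -ieq $PrimarySmtpAddress) -or ($sanText -imatch [regex]::Escape($PrimarySmtpAddress))

    $result.Usable = $result.ChainValid -and $result.HasEmailProtectionEku -and $result.AddressMatches
    [pscustomobject]$result
}

Test-SmimeUserCertificate -CertPath 'C:\pki\alice.cer' -PrimarySmtpAddress 'alice@example.com'
```

Run the local check on a machine that trusts the same roots you uploaded; a certificate that fails `AddressMatches` here will install on the phone but Outlook will show no signing or encryption options for it.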
Manual Certificate Distribution
Outlook for iOS and Android supports manual certificate installation: the user receives the certificate as an email attachment and taps it in the app to start the installation.
A user can also export their own personal certificate and email it to themselves from Outlook. Because the exported file contains the private key, protect it with a strong password and delete the message once the certificate is installed.
For details, refer to this article: Exporting a digital certificate.
Automated Certificate Distribution
Outlook for iOS and Android integrates automated certificate delivery exclusively through Microsoft Endpoint Manager as the enrollment provider.
The unique architecture of the iOS keychain, which differentiates between system and publisher keychains and restricts third-party app access to the system keychain, necessitates that certificates for Outlook for iOS be stored in the Microsoft publisher keychain. This allows Outlook for iOS to access these certificates, with only Microsoft’s own apps, such as Company Portal, authorized to place certificates in this keychain.
On Android, automated delivery and approval of S/MIME certificates for Outlook is handled by Endpoint Manager across the supported Android enrollment models: device administrator, Android Enterprise work profile, and fully managed Android Enterprise devices.
To successfully deliver certificates to Outlook for iOS and Android, certain key requirements must be met:
- Trusted root certificates must be deployed with Endpoint Manager. See: Create trusted certificate profiles.
- Encryption certificates must be imported into Endpoint Manager. See: Configure and use imported PKCS certificates with Intune.
- The PFX Certificate Connector for Microsoft Intune must be installed and configured. See: Download, install, and configure the PFX Certificate Connector for Microsoft Intune.
- Finally, devices must be enrolled to automatically receive trusted root and S/MIME certificates from Endpoint Manager.
Outlook iOS automated distribution of certificates
- Sign in to Microsoft Endpoint Manager.
- Navigate to Apps and then select App configuration policies.
- On the App configuration policies page, click Add and choose Managed devices to create a new app configuration policy.
- In the ‘Basics’ section, enter a ‘Name’ and, optionally, a ‘Description’ for the app configuration settings.
- Select ‘iOS/iPadOS’ under ‘Platform’.
- For ‘Targeted app’, click ‘Select app’, then on the ‘Associated app’ page pick ‘Microsoft Outlook’ and confirm with ‘OK’.
- Proceed to ‘Configuration settings’ to enter the configuration details.
- Click ‘S/MIME’ to open the Outlook S/MIME settings.
- Set ‘Enable S/MIME’ to ‘Yes’. Next to it, ‘Allow user to change setting’ controls whether users can toggle S/MIME themselves: ‘Yes (app default)’ lets them change it, ‘No’ locks the value you set.
- Decide whether to ‘Encrypt all emails’ (‘Yes’ or ‘No’), and again choose whether users may change that setting.
- Decide whether to ‘Sign all emails’ (‘Yes’ or ‘No’), with the same choice of allowing or blocking user changes.
- If recipients’ certificates are published in a directory, enter the LDAP URL Outlook should query for recipient certificates.
- Set ‘Deploy S/MIME certificates from Intune’ to ‘Yes’.
- Under Signing certificates, next to Certificate profile type, choose one of these three options:
- SCEP: This option generates a unique certificate for both the device and user, suitable for Microsoft Outlook’s signing purposes. To understand the prerequisites for SCEP certificate profiles, refer to the guide on configuring infrastructure to support SCEP with Intune.
- PKCS Imported Certificates: Opting for this utilizes a user-specific certificate that may be used across multiple devices, having been imported into Endpoint Manager by the administrator for the user. This certificate is automatically assigned to any device registered by the user, with Endpoint Manager selecting the appropriate signing certificate for each enrolled user. For details on utilizing PKCS imported certificates, see the instructions on configuring and using PKCS certificates with Intune.
- Derived Credentials: This choice involves using a pre-existing certificate on the device designated for signing. It requires retrieving the certificate on the device through Intune’s derived credentials processes.
- Under Encryption certificates next to Certificate profile type, consider one of the following options:
- PKCS Imported Certificates: This choice enables the delivery of encryption certificates, previously imported into Endpoint Manager by an administrator, across all devices enrolled by a user. Endpoint Manager will autonomously select the suitable imported certificate or certificates that facilitate encryption, distributing them to the devices of the enrolled user.
- Derived Credentials: This option utilizes an existing certificate on the device for encryption purposes. The certificate should be procured on the device via the derived credentials workflows in Intune.
- Choose how users are notified that their certificates are ready to be retrieved. On iOS the user must open the Company Portal app to retrieve S/MIME certificates; the notification takes them to a landing page that shows the progress of the retrieval, after which S/MIME signing and encryption are available in Outlook for iOS. Two notification methods are available:
- Company Portal: sends a push notification to the user’s device that opens the Company Portal landing page where the S/MIME certificates are retrieved.
- Email: sends the user an email asking them to open Company Portal and retrieve their S/MIME certificates.
Outlook Android automated distribution of certificates
- Sign in to Microsoft Endpoint Manager.
- Create a SCEP or PKCS certificate profile and assign it to your mobile users.
- Go to ‘Apps’, then select ‘App configuration policies’.
- In the ‘App configuration policies’ section, click ‘Add’ and choose ‘Managed devices’ to create a new app configuration policy.
- In the ‘Basics’ area, provide a ‘Name’ and an optional ‘Description’ for the app configuration settings.
- Select ‘Android Enterprise’ as the ‘Platform’ and ‘All Profile Types’ as the ‘Profile Type’.
- Under ‘Targeted app’, choose ‘Select app’, then on the ‘Associated app’ page select ‘Microsoft Outlook’ and confirm with ‘OK’.
- Click ‘Configuration settings’ to enter the settings. Choose ‘Use configuration designer’ next to ‘Configuration settings format’ and adjust the defaults as required.
- Open the ‘S/MIME’ section to adjust Outlook’s S/MIME settings.
- Set ‘Enable S/MIME’ to ‘Yes’, and choose whether users are allowed to change this setting.
- Decide whether to ‘Encrypt all emails’, and whether users may change this setting.
- Choose whether to ‘Sign all emails’, again deciding whether users may change it.
- Finally, use ‘Assignments’ to assign the app configuration policy to the appropriate Microsoft Entra groups.
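The iOS and Android procedures above set the same Outlook S/MIME keys. The PowerShell below is an added example, not part of the original article, that creates both app configuration policies through Microsoft Graph with one set of values and assigns them to a group. It assumes the Microsoft.Graph PowerShell SDK, that the Outlook apps are already added to Intune, that the key names match what the portal’s configuration designer writes for Outlook (check them against an existing policy with a GET on the same endpoint), and that the Android managed-configuration payload shape and the group ID are placeholders to verify. The iOS-only ‘Deploy S/MIME certificates from Intune’ options and the certificate profile bindings are left to the portal.

```powershell
# Added example (not from the original article): create the Outlook S/MIME app
# configuration policies for iOS/iPadOS and Android Enterprise via Microsoft Graph.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$graph   = 'https://graph.microsoft.com/beta'
$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder: target Entra group

# One source of truth for the S/MIME settings used by both platforms.
# Key names assumed to match the Intune configuration designer for Outlook.
$smime = [ordered]@{
    'com.microsoft.outlook.Mail.SMIMEEnabled'                          = $true
    'com.microsoft.outlook.Mail.SMIMEEnabled.UserChangeAllowed'        = $false   # portal: "No"
    'com.microsoft.outlook.Mail.SMIMEEncryptAllMail'                   = $false
    'com.microsoft.outlook.Mail.SMIMEEncryptAllMail.UserChangeAllowed' = $true    # portal: "Yes (app default)"
    'com.microsoft.outlook.Mail.SMIMESignAllMail'                      = $true
    'com.microsoft.outlook.Mail.SMIMESignAllMail.UserChangeAllowed'    = $true
}

# Resolve the Intune app objects the policies are targeted at.
$apps = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceAppManagement/mobileApps?`$filter=displayName eq 'Microsoft Outlook'").value
$iosOutlook     = $apps | Where-Object { $_.'@odata.type' -like '#microsoft.graph.ios*' } | Select-Object -First 1
$androidOutlook = $apps | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.androidManagedStoreApp' } | Select-Object -First 1
if (-not $iosOutlook -or -not $androidOutlook) { throw 'Add Microsoft Outlook for iOS and Android to Intune first.' }

# iOS: settings are a flat list of typed key/value items.
$iosPolicy = @{
    '@odata.type'      = '#microsoft.graph.iosMobileAppConfiguration'
    displayName        = 'Outlook iOS - S/MIME'
    targetedMobileApps = @($iosOutlook.id)
    settings           = @($smime.GetEnumerator() | ForEach-Object {
        @{ appConfigKey = $_.Key; appConfigKeyType = 'booleanType'; appConfigKeyValue = $_.Value.ToString().ToLower() }
    })
}

# Android Enterprise: the same keys travel as a base64-encoded managed
# configuration JSON. Payload shape assumed; compare with an exported policy.
$managedConfig = @{
    kind            = 'androidenterprise#managedConfiguration'
    productId       = 'app:com.microsoft.office.outlook'
    managedProperty = @($smime.GetEnumerator() | ForEach-Object { @{ key = $_.Key; valueBool = $_.Value } })
} | ConvertTo-Json -Depth 5 -Compress
$androidPolicy = @{
    '@odata.type'        = '#microsoft.graph.androidManagedStoreAppConfiguration'
    displayName          = 'Outlook Android - S/MIME'
    targetedMobileApps   = @($androidOutlook.id)
    packageId            = 'app:com.microsoft.office.outlook'
    profileApplicability = 'default'   # "All Profile Types" in the portal
    payloadJson          = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($managedConfig))
}

foreach ($policy in $iosPolicy, $androidPolicy) {
    $created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/mobileAppConfigurations" -Body $policy
    # Assign to the group, so devices receive the settings on next check-in.
    $assignment = @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/mobileAppConfigurations/$($created.id)/assignments" -Body $assignment | Out-Null
    "Created $($created.displayName) ($($created.id))"
}
```

Keeping the values in one table makes it harder for the two platforms to drift apart, which is the usual way a ‘Sign all emails’ requirement ends up enforced on iOS but optional on Android. After creation, open each policy in the portal once to confirm the designer shows the keys you intended.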
Activating S/MIME in the client
Outlook for iOS and Android only displays or creates S/MIME content when S/MIME is enabled in the app. The control is off by default: users turn it on in their account settings by opening the Security section and switching on the S/MIME toggle. An app configuration policy that sets ‘Enable S/MIME’ to ‘Yes’ presets this toggle, and setting ‘Allow user to change setting’ to ‘No’ prevents users from switching it off again.
LDAP support
LDAP (Lightweight Directory Access Protocol) is an industry-standard protocol for accessing and managing directory services. It is commonly used to store and retrieve information about users, groups, organizational structures, and other resources in a network.
Integrating LDAP with S/MIME means publishing users’ certificates in the directory (typically in the userCertificate attribute of each user entry) so that mail clients can look up a recipient’s encryption certificate by email address instead of requiring a signed message from that recipient first. This is what the LDAP URL in the Outlook app configuration policy is for. Centralizing certificates in the directory simplifies certificate management, but the client must still validate what it retrieves: the directory is a lookup service, not a trust anchor.
For a guide on LDAP integration with SSL.com S/MIME certificates, please refer to this article: LDAP Integration with S/MIME Certificates.
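The PowerShell below is an added example, not part of the original article, of the lookup a client does when it is given an LDAP URL: it queries the directory for a recipient’s `userCertificate;binary` values and keeps only certificates that are current, bound to that address, and usable for encryption. The server, base DN, recipient address and credential are placeholders.

```powershell
# Added example (not from the original article): fetch a recipient's S/MIME
# encryption certificate from an LDAP directory and filter the result.
# Assumptions: LDAPS on port 636, the standard userCertificate;binary attribute,
# and a directory that accepts anonymous or simple bind. Placeholders throughout.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-RecipientSmimeCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,   # e.g. ldap.example.com
        [Parameter(Mandatory)][string]$BaseDn,   # e.g. ou=people,dc=example,dc=com
        [Parameter(Mandatory)][string]$Email,
        [pscredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    if ($Credential) { $conn.AuthType = 'Basic'; $conn.Credential = $Credential.GetNetworkCredential() }
    else             { $conn.AuthType = 'Anonymous' }
    $conn.Bind()

    # RFC 4515 escaping so a crafted recipient string cannot rewrite the filter.
    $safe = $Email.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, "(&(objectClass=person)(mail=$safe))",
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @('mail', 'userCertificate;binary'))
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

    foreach ($entry in $resp.Entries) {
        $attr = $entry.Attributes['userCertificate;binary']
        if (-not $attr) { continue }
        foreach ($raw in $attr.GetValues([byte[]])) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
            # A user entry may hold several certificates (old, signing-only, encryption).
            # Keep current ones bound to this address whose key usage allows key
            # encipherment; a signing-only certificate must not be used to encrypt.
            $sanText    = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ' '
            $ku         = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
            $canEncrypt = $ku -and ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
            $bound      = ($cert.GetNameInfo('EmailName', $false) -ieq $Email) -or ($sanText -imatch [regex]::Escape($Email))
            if ($cert.NotAfter -gt (Get-Date) -and $bound -and $canEncrypt) { $cert }
        }
    }
    $conn.Dispose()
}

Get-RecipientSmimeCertificate -Server 'ldap.example.com' -BaseDn 'ou=people,dc=example,dc=com' -Email 'bob@example.com' |
    Select-Object Subject, Thumbprint, NotAfter
```

The filter and address binding are the important part: anything returned by the directory still has to chain to a trusted root with revocation checked before it is used to encrypt, otherwise an attacker who can write to the directory can substitute their own certificate for the recipient’s.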