Note the following:
- Recipients of all emails sent with S/MIME signing and encryption must have a certificate.
- A user sending an encrypted or signed email must have the recipient’s certificate so that its public key can be used to encrypt the message. This means that both the sender and recipient must be in the same organization, or if they are in different organizations, the sender and recipient must arrange to obtain their respective certificates prior to sending the first encrypted or signed email.
- Both the sender and recipient must maintain historical archives of expired private keys, such that past emails encrypted by any expired certificates are still readable.
The main steps for enabling S/MIME encryption and signing for iOS devices are as follows:
- Upload a trusted root certificate to Ivanti EPMM from an in-house or public certificate authority (Uploading a trusted root certificate to Ivanti EPMM).
- Create a user-provided certificate enrollment setting (Creating a user-provided certificate enrollment setting for S/MIME certificates).
- Upload the user-provided P12 certificates with the Ivanti EPMM user portal or the Web Services API (Uploading user signing and encryption certificates with the User Portal and Uploading user certificates with the Web Services API).
- Create an Email or Exchange setting that references the user-provided certificate enrollment setting you created (Configuring S/MIME encryption and signing for iOS devices).
- Push your settings to the relevant devices (Pushing per-message S/MIME changes to devices).
iOS devices will not use SSL with an untrusted certificate.
You can configure S/MIME encryption and/or signing settings for your ActiveSync server. The S/MIME settings you configure allow managed iOS devices to use S/MIME encryption and signing features, depending on how you have configured them.
For example, you can enable S/MIME encryption only, without signing, or you can enable both S/MIME encryption and signing, while also allowing device users to decide whether they want to use these features. You can also specify separate certificates for signing and encryption. If you do not specify a certificate,
If an Exchange profile already exists on managed devices, then attempts to distribute new ActiveSync settings using Ivanti Endpoint Manager Mobile will fail.
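A pre-upload check for the user-provided P12 files and the separate signing and encryption certificates described above, added here as an example and not taken from Ivanti's documentation or code. It assumes the OpenSSL command-line tool is installed; the function names `check_smime_p12` and `make_demo_p12` and the `P12_PASS` environment variable are hypothetical.

```shell
#!/bin/sh
# Added example (not Ivanti code): check a user's S/MIME P12 before upload.
# Assumes the OpenSSL CLI; P12_PASS must be exported so the password never
# appears in the process list. ROLE is "sign" or "encrypt".
check_smime_p12() {
    p12=$1 role=$2
    case $role in
        sign)    label='S/MIME signing' ;;
        encrypt) label='S/MIME encryption' ;;
        *) echo "role must be sign or encrypt" >&2; return 2 ;;
    esac
    # Pull out only the user's certificate; the private key stays in the file.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) ||
        { echo "FAIL: cannot open $p12 (wrong password or not PKCS#12)"; return 1; }
    # -checkend 0 exits non-zero when notAfter is already in the past.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate in $p12 is expired or unreadable"; return 1; }
    # -purpose applies OpenSSL's keyUsage / extendedKeyUsage rules per role.
    printf '%s\n' "$cert" | openssl x509 -noout -purpose | grep -qx "$label : Yes" ||
        { echo "FAIL: certificate in $p12 is not valid for $label"; return 1; }
    echo "OK: $p12 usable for $label"
}

# Constructed throwaway P12 for trying the check. KU is the keyUsage value,
# for example digitalSignature (signing) or keyEncipherment (encryption).
make_demo_p12() {
    out=$1 ku=$2
    d=$(mktemp -d) || return 1
    cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed demo user
[ext]
keyUsage = critical,$ku
extendedKeyUsage = emailProtection
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -out "$out" -passout env:P12_PASS
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Export `P12_PASS`, then run `check_smime_p12 FILE sign` or `check_smime_p12 FILE encrypt` against each file before uploading it; a certificate issued for signing only fails the `encrypt` check, and the reverse.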
Before you begin
You need to complete the following tasks before configuring S/MIME for iOS devices:
- Uploading a trusted root certificate to Ivanti EPMM
- Creating a user-provided certificate enrollment setting for S/MIME certificates
- In the Admin Portal, go to Policies & Configs > Configurations.
- If using an Exchange setting:
  - Select the Exchange setting you want to modify, and select Edit. Alternatively, create a new Exchange setting by selecting Add New > Exchange.
  - Continue configuring the Exchange settings as needed. For more information, see Exchange settings.
- If using an Email setting:
  - Select the Email setting you want to modify, and select Edit. Alternatively, create a new Email setting by selecting Add New > Email.
  - Enter the information required to configure your mail server, as described in Configuring POP and IMAP email settings (for iOS and macOS).
- Configure your S/MIME Settings using the table below.
- Select Save.
- Push your settings to devices, as described in Pushing per-message S/MIME changes to devices.
Table 1. S/MIME Settings

| Setting | Description |
|---|---|
| Enable for iOS 9.3.3 (or earlier) | Select to enable S/MIME signing and encryption on devices running iOS 9.3.3 or earlier. |
| Encryption by Default | Disabled by default. |
| Encryption Identity: User Overrideable | Select to allow the user to set the S/MIME encryption identity and enable encryption. |
| Per-Message Encryption Switch | Per-message S/MIME for iOS allows device users to enable or disable S/MIME encryption for each email they send. |

S/MIME encryption is incompatible with Sentry attachment encryption.