Enabling S/MIME encryption and signing on iOS devices

Note the following:

  • Recipients of all emails sent with S/MIME signing and encryption must have a certificate.
  • A user sending an encrypted or signed email must have the recipient’s certificate, because its public key is what encrypts the message. This means that the sender and recipient must either be in the same organization or, if they are in different organizations, must exchange their certificates before the first encrypted or signed email is sent.
  • Both the sender and recipient must maintain historical archives of expired private keys, so that past emails encrypted to a certificate that has since expired remain readable.

Main steps

The main steps for enabling S/MIME encryption and signing for iOS devices are as follows:

  1. Upload a trusted root certificate to Ivanti EPMM from an in-house or public certificate authority (Uploading a trusted root certificate to Ivanti EPMM).
  2. Create a user-provided certificate enrollment setting (Creating a user-provided certificate enrollment setting for S/MIME certificates).
  3. Upload the user-provided P12 certificates with the Ivanti EPMM user portal or the Web Services API (Uploading user signing and encryption certificates with the User Portal and Uploading user certificates with the Web Services API).
  4. Create an Email or Exchange setting that references the user-provided certificate enrollment setting you created (Configuring S/MIME encryption and signing for iOS devices).
  5. Push your settings to the relevant devices (Pushing per-message S/MIME changes to devices).
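As an added example (not part of the Ivanti documentation), the following POSIX shell script uses the openssl CLI to build the kind of user P12 bundle that step 3 uploads and then runs the sign, encrypt, decrypt and verify round trip that the notes above describe. All names, addresses and the password are constructed, and the certificates are self-signed for the demo only.

```shell
#!/bin/sh
# Added example, not from the Ivanti documentation: builds demo S/MIME
# identities as P12 bundles (the form uploaded in step 3) and runs a
# sign -> encrypt -> decrypt -> verify round trip with the openssl CLI.
# Every name, address and password here is constructed for the demo.
WORK=$(mktemp -d)

# make_identity NAME EMAIL: self-signed key pair and certificate, exported
# as NAME.p12. In production the certificate comes from the CA whose root
# was uploaded to Ivanti EPMM; self-signed is for this offline demo only.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -name "$1" -passout pass:demo-p12 -out "$WORK/$1.p12"
}

# send_message SENDER RECIPIENT: sign with the sender's private key, then
# encrypt to the recipient's certificate. Without RECIPIENT.crt there is
# no public key to encrypt to, which is the first note above.
send_message() {
  printf 'Subject: demo\n\nconstructed body\n' > "$WORK/plain.txt"
  openssl smime -sign -in "$WORK/plain.txt" -signer "$WORK/$1.crt" \
    -inkey "$WORK/$1.key" -out "$WORK/signed.eml" || return 1
  openssl smime -encrypt -aes256 -in "$WORK/signed.eml" \
    -out "$WORK/encrypted.eml" "$WORK/$2.crt"
}

# read_message READER SENDER: succeeds only if READER's private key opens
# the envelope and the inner signature chains to SENDER.crt, used here as
# the trust anchor the way the uploaded root CA would be. A reader with a
# different (or rotated) key fails at the decrypt step, which is why the
# notes require archiving expired private keys.
read_message() {
  openssl smime -decrypt -in "$WORK/encrypted.eml" -inkey "$WORK/$1.key" \
    -recip "$WORK/$1.crt" -out "$WORK/decrypted.eml" 2>/dev/null || return 1
  openssl smime -verify -in "$WORK/decrypted.eml" -CAfile "$WORK/$2.crt" \
    -out "$WORK/body.txt" 2>/dev/null || return 1
  grep -q 'constructed body' "$WORK/body.txt"
}

# Demo run: alice writes to bob; bob can read it, carol cannot.
make_identity alice alice@example.com
make_identity bob bob@example.com
make_identity carol carol@example.com
send_message alice bob
read_message bob alice && echo "bob: decrypted and signature verified"
read_message carol alice || echo "carol: cannot decrypt with her key"
```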

iOS devices will not use SSL with an untrusted certificate.

Configuring S/MIME encryption and signing for iOS devices

You can configure S/MIME encryption and/or signing settings for your ActiveSync server. The S/MIME settings you configure allow managed iOS devices to use S/MIME encryption and signing features, depending on how you have configured them.

For example, you can enable S/MIME encryption only, without signing, or you can enable both S/MIME encryption and signing, while also allowing device users to decide whether they want to use these features. You can also specify separate certificates for signing and encryption. If you do not specify a certificate, then the device user will be prompted to select from the certificates that are already installed on the device.

If an Exchange profile already exists on managed devices, then attempts to distribute new ActiveSync settings using Ivanti Endpoint Manager Mobile will fail.

Before you begin

You need to complete the following tasks before configuring S/MIME for iOS devices:

  1. Uploading a trusted root certificate to Ivanti EPMM
  2. Creating a user-provided certificate enrollment setting for S/MIME certificates
  3. Uploading user signing and encryption certificates with the User Portal

    or

    Enabling per-message S/MIME for iOS

Procedure

  1. In the Admin Portal, go to Policies & Configs > Configurations.
  2. If using an Exchange setting:
    1. Select the Exchange setting you want to modify, and select Edit.

      Alternatively, create a new Exchange setting by selecting Add New > Exchange.

    2. Continue configuring the Exchange settings as needed. For more information, see Exchange settings.
  3. If using an Email setting:
    1. Select the Email setting you want to modify, and select Edit.

      Alternatively, create a new Email setting by selecting Add New > Email.

    2. Enter the information required to configure your mail server, as described in Configuring POP and IMAP email settings (for iOS and macOS).
  4. Configure your S/MIME Settings using the table below.
  5. Select Save.
  6. Push your settings to devices, as described in Pushing per-message S/MIME changes to devices.

Table 1. S/MIME Settings

Section: S/MIME

  Field: Enable for iOS 9.3.3 (or earlier)
    Select to enable S/MIME signing and encryption on devices running iOS 9.3.3 or earlier.
    You must select this option for the fields in the S/MIME Signing and S/MIME Encryption sections to apply to devices running iOS 9.3.3 or earlier.

Section: S/MIME Encryption

  Field: Encryption by Default
    Disabled by default. Select to enable S/MIME encryption.

  Field: Encryption Identity
    Select a certificate enrollment setting as an encryption identity. If you do not make a selection, then the device user will be prompted to select from the certificates that are already installed on the device. If the device has no certificate, then S/MIME encryption will not be functional on the device.
    For more information, see Certificate Enrollment settings.

  Field: Encryption Identity: User Overrideable
    iOS 12.0 or supported newer versions.
    Select to allow the user to set the S/MIME encryption identity and enable encryption.

  Field: Per-Message Encryption Switch
    Per-message S/MIME for iOS allows device users to enable or disable S/MIME encryption for each email they send.
    S/MIME encryption is incompatible with Sentry attachment encryption.