S/MIME support in Email+ for iOS
Email+ for iOS includes support for Secure/Multipurpose Internet Mail Extensions (S/MIME). This functionality provides the following features:
- The device user sending the email can digitally sign the email.
On the receiving side, Email+ for iOS validates the sender’s identity and determines whether the email has been tampered with.
- The device user sending the email can encrypt the email.
On the receiving side, Email+ for iOS decrypts the email.
- Email+ for iOS automatically encrypts emails when replying to or forwarding an encrypted email thread.
Using S/MIME requires a user certificate on the device running Email+ for iOS. You can get certificates onto the device in one of two ways: push them from Ivanti EPMM or Ivanti Neurons for MDM, or have device users import them through email.
Before you set up S/MIME for Email+ for iOS
Before you set up S/MIME, do the following:
- Make users’ public encryption keys accessible to all users.
To send an encrypted email, a user needs the recipient’s public key. If you provide users’ public keys in the Active Directory, Email+ for iOS uses global address lookup to retrieve a public key as needed.
Another way for one user to obtain another user’s public key is to receive an email from that user signed with a certificate that is used for both signing and encryption. When a signed email arrives and the signing certificate is the same as the encryption certificate, Email+ for iOS then holds the sender’s public key, and the recipient can send an encrypted email back to the sender of the signed email.
- Make sure users’ encryption certificates are the same on all devices.
Users need their private keys and certificates to read encrypted emails. A user’s encryption key and certificate must be the same on all the user’s email apps that use S/MIME, including desktop email apps.
- When an encryption key/certificate is renewed, the existing email on a device cannot be decrypted unless the original key and certificate are still available. Keep a backup copy of the encryption key and certificate, or consider using a third-party escrow service.
- To restore an encryption key and certificate from backup, users can send themselves the key/certificate as an email attachment, as described in Importing S/MIME certificates to the device through email.
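The renewal caveat above, walked through with the openssl CLI as an added example (not Ivanti’s code): mail encrypted to the old identity is unreadable with the renewed key, so the old identity is exported to a password-protected PFX, the same file form the email-import procedure accepts, and restored from that backup. The user name, file names and backup password are constructed for the demo; it assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example, not Ivanti's code: shows why an S/MIME encryption key must be
# kept (backed up as a PFX) after renewal. Assumes the openssl CLI, 1.1.1+.
set -e

# Create a self-signed S/MIME identity for a constructed user; $1 tags the files.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1 S-MIME identity" \
    -addext "subjectAltName=email:user@example.com" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Decrypt $1 with key $2 / cert $3; prints plaintext, fails if no recipient matches.
decrypt_with() {
  openssl cms -decrypt -binary -in "$1" -inkey "$2" -recip "$3" 2>/dev/null
}

# Walks the renewal scenario and prints the plaintext recovered via the backup.
renewal_demo() {
  work=$(mktemp -d); cd "$work"
  make_identity old                      # identity in use when the mail arrived
  printf 'hello' > msg.txt
  openssl cms -encrypt -binary -aes256 -in msg.txt -out msg.p7m old.crt

  make_identity new                      # renewed identity replaces the old one
  if decrypt_with msg.p7m new.key new.crt >/dev/null; then
    echo "renewed key unexpectedly decrypted old mail" >&2; return 1
  fi

  # Back up the old identity as a PFX (constructed password), the form the
  # email-import path described in this guide accepts.
  openssl pkcs12 -export -inkey old.key -in old.crt -name "old S/MIME identity" \
    -passout pass:constructed-backup-pw -out old-backup.pfx 2>/dev/null
  rm -f old.key old.crt                  # pretend the originals are gone

  # Restore from the PFX and decrypt the archived message with it.
  openssl pkcs12 -in old-backup.pfx -passin pass:constructed-backup-pw -nodes \
    -out restored.pem 2>/dev/null
  decrypt_with msg.p7m restored.pem restored.pem
  cd /; rm -rf "$work"
}

renewal_demo
```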
Pushing S/MIME certificates from Ivanti EPMM
Pushing S/MIME certificates from Ivanti EPMM is a two-step process:
Enabling per-message S/MIME for iOS
See the “Enabling per-message S/MIME for iOS” section in the Ivanti EPMM Device Management Guide for iOS and macOS Devices for instructions on setting up the encryption and signing certificates for S/MIME on iOS devices.
Configuring key-value pairs
The key-value pairs define the encryption and signing certificates to be used in Email+. The value for each key is the certificate enrollment setting you created. You enter the key-value pairs in the AppConnect app configuration you created for Email+ for iOS.
- In the Ivanti EPMM Admin Portal, go to Policy & Configs > Configurations.
- Select the app configuration you created in Creating an AppConnect app configuration for Email+.
- Click Edit.
- Add the following key-value pairs in the App-specific Configurations section:
- email_encryption_certificate: This key specifies the certificate to use for encrypting S/MIME emails. Select the SCEP setting you want to use from the dropdown list.
- email_signing_certificate: This key specifies the certificate to use for signing S/MIME emails. Select the SCEP setting you want to use from the dropdown list.
Use of expired or revoked certificates for signing and encryption is not supported. Expired certificates are also not displayed in the signing or encryption selection lists.
Pushing S/MIME certificates from Ivanti Neurons for MDM
To enable S/MIME encryption, set up the certificates you will use for S/MIME in Ivanti Neurons for MDM. You will reference the certificates in the Email+ configuration to distribute the certificates to devices. Certificates are sent to the devices to which the configuration is distributed. Email+ imports the certificates into the keychain and selects the certificates as the encryption and signing certificates, respectively. Device users can then use the certificates in Email+ for iOS.
- Set up certificates: Create a Certificate or Identity Certificate setting from Configurations > +Add. Before creating an Identity Certificate, you must have also added a certificate authority in Admin > Certificate Authority. See Ivanti Neurons for MDM Help for information about setting up certificates in Ivanti Neurons for MDM.
- Configure the S/MIME key-value pairs in the Email+ configuration: The key-value pairs define the encryption and signing certificates to be used in Email+ for iOS. The value for each key is the certificate setting you created in the Set up certificates step above.
See the key-value pairs for customization for the S/MIME key-value pairs that specify the encryption and signing certificates.
Importing S/MIME certificates to the device through email
Device users can import the signing and encryption certificates to their device from email.
- Device users email themselves the certificate they use for S/MIME as an attachment. The certificate must be sent as a PFX file.
- Open the email using Email+ for iOS on the device.
- Tap to open the attachment. Email+ for iOS prompts the user for the certificate password.
- Enter the certificate password. Email+ for iOS imports the certificate into its keychain.
- Enable S/MIME signing and encryption in the mail settings in Email+ for iOS.
- In Email+ for iOS, tap Settings > Mail.
- Tap Security.
- Tap Sign. The user’s signing certificate is automatically selected. Users may optionally tap Always Sign to sign every email they send with their certificate, and Sign As Clear Text.
- Tap Encrypt. The user’s signing certificate is automatically selected. Users may optionally tap Always Encrypt to encrypt every email they send through Email+ for iOS.