S/MIME support in Email+ for Android for identity and encryption

Email+ for Android supports S/MIME (Secure/Multipurpose Internet Mail Extensions). S/MIME allows device users to do the following:

  • Digitally sign emails so that the email can be verified by the recipient.
  • Verify digitally signed emails.
  • Send encrypted emails using the recipient's S/MIME encryption certificate.
  • Decrypt S/MIME encrypted emails using a configured S/MIME encryption certificate.

Using these S/MIME features requires that device users import an S/MIME certificate into Email+. The certificates can be imported either through app-specific configuration or through email attachments; both methods are described in the sections below, followed by a description of S/MIME behavior in Email+.

Importing certificates to Email+ for Android using app-specific configuration

For the best user experience, use app-specific configuration to make Email+ automatically import a signing certificate and encryption certificate. This method does not require user action.

Configuring S/MIME certificates for Android AppConnect (Core)

The following describes the configuration in Core.

Procedure 

  1. In the Core Admin Portal, go to Policy & Configs > Configurations.
  2. Select the AppConnect app configuration for Email+ for Android, and click Edit.
  3. In App-specific Configurations, add the following key-value pairs:
    • email_signing_certificate: From the dropdown list, select the certificate enrollment setting you want to use to sign the email.
    • email_encryption_certificate: From the dropdown list, select the identity certificate setting you want to use to encrypt the email.
  4. Click Save.

The key-value pairs are described in Key-value pairs for configuring Email+ for Android AppConnect app behavior.

Configuring S/MIME certificates for Android AppConnect (Cloud)

The following describes the configuration in Cloud.

Procedure 

  1. In Cloud, go to Apps > App Catalog and click on Email+ for Android (AppConnect).
  2. Go to App Configurations > Email+ Configuration.
  3. Click on the Email+ configuration you want to edit, and click Edit.
  4. In AppConnect Certificate Configuration, add the following key-value pairs:
    • email_signing_certificate: From the dropdown list, select the identity certificate setting you want to use to sign the email.
    • email_encryption_certificate: From the dropdown list, select the identity certificate setting you want to use to encrypt the email.
  5. Click Update to save the settings.

The key-value pairs are described in Key-value pairs for configuring Email+ for Android AppConnect app behavior.

Configuring S/MIME certificates for Email+ for Android Enterprise (Core and Cloud)

The following describes the configuration for Android Enterprise. The procedure is applicable in Core and Cloud.

Procedure

  1. Edit the Email+ for Android for Work configuration.
  2. Configure the Email signing certificate and Email encryption certificate restrictions.
  3. Save the settings.

Importing certificates using email attachments

Using app-specific configuration you can set up Email+ to automatically import a signing certificate and encryption certificate. Alternatively, users can send themselves the certificate in an email. This section describes how users can email the certificates and import the certificate into the keystore.

Procedure 

  1. From a computer, users email themselves, as an attachment, the certificate that they use for S/MIME on their computers. This certificate must be a PFX file.
  2. Users open the email using Email+ on the device, and tap to open the attachment.
  3. Email+ prompts users for the certificate’s password.
  4. Users enter the certificate’s password.
  5. Email+ imports the certificate into its keystore.


S/MIME behavior in Email+

Email+ does the following with the S/MIME encryption key it receives:

  • Imports the key into the keystore.
  • Selects the certificate as the encryption certificate.

If you change the certificate, Email+ imports the new certificate into the keystore and selects the new certificate as the encryption certificate. It leaves the previous certificate in the keystore.

If you remove the restriction, Email+ leaves the certificate in the keystore. It changes its settings to specify that no certificate is selected as the encryption certificate.

Using the Email+ user interface, the device user can:

  • change the encryption certificate by manually importing one and selecting it for use.
  • encrypt all emails with the certificate or encrypt a specific email with the certificate. Note that Email+ automatically encrypts emails if the emails in the thread are encrypted.

Note the following about encryption keys and certificates:

  • To send an encrypted email, a user needs the recipient’s public key. If you publish users’ public keys in Active Directory, Email+ uses global address lookup to retrieve a public key as needed. A user can also obtain another user’s public key from a signed email, although this is more limited: if the sender’s signing certificate is the same as the encryption certificate, Email+ now has the sender’s public key, and the user can send an encrypted email to that sender.
  • Make sure users’ encryption certificates are the same on all devices. A user needs his private key and certificate to read encrypted emails. The encryption key and certificate must be the same on all email clients using S/MIME, including desktop email clients.
  • When an encryption key/certificate is renewed, the existing email on a device cannot be decrypted unless the original key and certificate are available. Keep a backup copy of the encryption key and certificate or consider using a third-party escrow service.
  • To restore an encryption key and certificate from a backup, the user can send himself the key/certificate as an email attachment, as described in Importing certificates using email attachments.
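The attachment-import procedure requires a password-protected PFX file, and the behavior notes above explain why a single certificate carrying both the signing and the encryption usage, issued for the user's address, gives the best results. The following added example (not part of the Email+ documentation) builds a constructed PFX with OpenSSL and checks it before it is emailed to a device; the password and address are assumed values.

```shell
#!/bin/sh
# Added example: create a constructed S/MIME key and certificate, package it as a
# PFX (PKCS#12) the way a user would attach it, then verify the PFX is usable.
# A real deployment gets the certificate from the enterprise CA instead.
set -eu

WORK=$(mktemp -d)
PASS='constructed-pfx-password'   # assumed; the real password is user-chosen
EMAIL='user@example.com'          # constructed address

# 1. Constructed key + certificate with the attributes an S/MIME client expects:
#    the user's address in the SAN, both key usages, and the emailProtection EKU.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/CN=Constructed S-MIME user" \
  -addext "subjectAltName=email:$EMAIL" \
  -addext "keyUsage=digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=emailProtection" >/dev/null 2>&1

# 2. Bundle key and certificate as a PFX, the format Email+ accepts as an attachment.
openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
  -out "$WORK/smime.pfx" -passout "pass:$PASS"

# check_pfx <file> <password> <email>: returns 0 when the PFX opens with the
# password and its certificate can both sign and encrypt mail for <email>;
# a distinct non-zero code identifies which check failed.
check_pfx() {
  pem=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null) || return 1
  text=$(printf '%s\n' "$pem" | openssl x509 -noout -text)
  printf '%s\n' "$text" | grep -q "email:$3"          || return 2  # wrong address
  printf '%s\n' "$text" | grep -q 'Digital Signature' || return 3  # cannot sign
  printf '%s\n' "$text" | grep -q 'Key Encipherment'  || return 4  # cannot encrypt
  printf '%s\n' "$text" | grep -q 'E-mail Protection' || return 5  # not for email
  return 0
}
```

Running the check on a user's backup PFX before it is re-imported after a key renewal tells a wrong password apart from a certificate that was issued without the encryption usage.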