Enabling per-message S/MIME for iOS

Per-message S/MIME for iOS lets iOS device users decide, for each email they send, whether to apply S/MIME encryption. Allowing users to forgo encryption for emails that do not need it can save company resources such as bandwidth.

WARNING: S/MIME encryption is incompatible with Sentry attachment encryption. It is recommended that you enable either S/MIME encryption or Sentry attachment encryption, but not both. If you would like to enable attachment security along with S/MIME for email, you can use the Docs@Work attachment control feature, in which all attachments can only be opened with a predefined set of device apps.

Organizations with varying security needs may wish to configure two Microsoft Exchange servers to handle default and optional use of S/MIME. An example might be an organization with one set of email users defined on one Exchange server that rarely need to encrypt their emails with S/MIME, and another set of email users defined on another Exchange server who use S/MIME encryption for most of their email.

In this scenario, Exchange profile 1 might be configured to enable S/MIME encryption on all email by default, and point to one particular Exchange server. Exchange profile 2 might be configured to enable S/MIME per-message encryption and point to a second Exchange server.

Note the following:

  • Every recipient of an S/MIME-encrypted email must have an S/MIME certificate.
  • A user sending an encrypted email must already hold the recipient’s certificate, because the message is encrypted to the public key in that certificate. In practice this means the sender and recipient are in the same organization, or, if they are in different organizations, they must exchange certificates before the first encrypted email is sent (for example by exchanging signed messages first, since a signed message carries the signer’s certificate).
  • Each user must retain the private keys of expired or replaced encryption certificates. Mail encrypted to an old certificate can only be decrypted with that certificate’s private key; renewing a certificate does not re-encrypt existing mail.

Procedure 

The main steps for enabling per-message S/MIME encryption for iOS devices are as follows:

  1. Upload a trusted root certificate to Core from an in-house or public certificate authority (Uploading a trusted root certificate to Core).
  2. Create a user-provided certificate enrollment setting (Creating a user-provided certificate enrollment setting for S/MIME certificates).
  3. Upload the user-provided P12 certificates with the Core user portal or the Web Services API (Uploading user signing and encryption certificates with the User Portal and Uploading user certificates with the Web Services API).
  4. Create an Email or Exchange setting that references the user-provided certificate enrollment setting you created (Creating an Email setting for per message S/MIME encryption or Creating an Exchange setting for per message S/MIME encryption).
  5. Push your settings to the relevant devices (Pushing per-message S/MIME changes to devices).

iOS devices will not use SSL/TLS with a server certificate they do not trust.

For information about using per-message S/MIME encryption on an iOS device, see the following Apple article: http://support.apple.com/en-us/HT4979

Uploading a trusted root certificate to Core

Upload a trusted root certificate to Core, and then push the root certificate to iOS devices. The device uses the root certificate to validate the certificate chain of the certificate attached to a signed email, and of the recipient certificates it encrypts to.

  1. In the Admin Portal, go to Policies & Configs > Configurations.
  2. Select Add New > Certificates.
  3. In the New Certificate Setting dialog box, fill in the following fields for the certificate setting:
    • Name: Enter a name for the certificate setting.
    • Description: Enter a meaningful description for the certificate setting.
    • File Name: Browse for the certificate file.
  4. Click Save.

Creating a user-provided certificate enrollment setting for S/MIME certificates

Create a user-provided certificate enrollment setting that specifies the use of S/MIME certificates, and push the user-provided certificate enrollment setting to the relevant devices.

If users are uploading both a signing certificate and an encryption certificate you must create two separate user-provided certificate enrollment settings.

  1. In the Admin Portal, go to Policies & Configs > Configurations.
  2. Click Add New > Certificate Enrollment > User-Provided. The New User-Provided Certificate Enrollment Setting dialog box opens.
  3. Fill in or select the following fields:
    • Name: Enter brief text that identifies this setting.
    • Description: Enter additional text that clarifies the purpose of the setting.
    • Display Name: Enter a name describing the purpose of a user-provided certificate. For example, enter "S/MIME Encryption". On the user portal, when the user uploads a certificate, the user selects a display name (called “Configuration” on the user portal). The user’s selection associates the uploaded certificate with a user-provided certificate enrollment setting. The user can upload the same certificate, or different certificates, for each display name.
    • Require Password: This is selected by default and is required for the certificate enrollment option.
    • Delete Private Keys After Days: Select None, or a number of days (up to 15) after which Core deletes the private key it stores for the uploaded certificate.
  4. Click Save. The Configurations page refreshes with the new certificate enrollment setting.
  5. (Optional) If users are uploading both a signing certificate and an encryption certificate, repeat these steps to create a second user-provided certificate enrollment setting.


Uploading user signing and encryption certificates with the User Portal

Allowing users to control their own S/MIME encryption per message requires users to upload their personal PKCS #12 (.p12) files, which contain their certificates and private keys. Users can upload these files through the user portal.

Alternatively, the certificates can be uploaded using the Web Services API, as described in Uploading user certificates with the Web Services API.

To upload an S/MIME certificate through the user portal:

  1. Go to https://<Core_Server_FQDN>/user.
  2. Click on the device user’s name in the top right corner.
  3. Click on Settings in the drop down menu.

    The page including User-Provided Certificate Management appears.

  4. Click Upload New Certificate.

    The Upload User-Provided Certificate page appears.

  5. In the Configuration field, select the configuration for which you want the certificate to be used.
  6. Click Browse to navigate to the location of the certificate and select the certificate.
  7. Enter the Password associated with the certificate.
  8. Click Upload Certificate to upload the certificate.

    The User-Provided Certificate Management page appears.

    Device users can view, replace, or delete the S/MIME certificate.

Uploading user certificates with the Web Services API

Instead of having users upload their certificates to the Core user portal, you can upload the user certificates using a Web Services API. For more information about using the API, see the Core V2 API Guide.

If you used the V1 API (no longer available) to upload user certificates to Core, the API associated each user certificate with a certificate type: All, WIFI, VPN, SMIMESIGNING, SMIMEENCRYPTION, EMAIL or EXCHANGE. Core still supports those certificates and their associated types. However, you should migrate to the V2 API, which associates each uploaded certificate with a user-provided certificate enrollment setting.
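Whether a user uploads the P12 through the user portal (previous section) or an administrator submits it through the Web Services API, the bundle is accepted as a file: nothing in either path tells you up front whether it holds a private key, whether the certificate is a signing or an encryption identity (and so which Configuration, that is, which user-provided certificate enrollment setting, it belongs under), or whether it has already expired. The following pre-upload check is an added example, not MobileIron/Ivanti Core code, and does not call the Core API. It uses the Python `cryptography` package, builds its own constructed self-signed test bundles in place of CA-issued ones, and assumes the two enrollment settings were given the Display Names "S/MIME Signing" and "S/MIME Encryption" (the guide only suggests the second).

```python
"""Pre-upload check for an S/MIME PKCS#12 (.p12) bundle.

Added example, not MobileIron/Ivanti Core code. Run it on a user's .p12 before
the user uploads it through the user portal or an admin submits it through the
Web Services API. It confirms the bundle opens with the given password, holds a
private key that matches its certificate, classifies the certificate as a
signing or encryption identity from its keyUsage extension (so it goes under
the right user-provided certificate enrollment setting), and flags expiry.
Requires the `cryptography` package; the sample bundles are constructed here.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# Display Names of the user-provided certificate enrollment settings the admin
# created (assumed names; the guide itself only suggests "S/MIME Encryption").
CONFIGURATION_FOR_ROLE = {
    "signing": "S/MIME Signing",
    "encryption": "S/MIME Encryption",
    "dual-use": "S/MIME Signing, S/MIME Encryption",  # upload once under each
}


def _spki(public_key):
    """DER SubjectPublicKeyInfo, used to compare a private key against a certificate."""
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def inspect_p12(p12_bytes, password):
    """Return a report dict; report["ok"] is False when the bundle must not be uploaded."""
    report = {"ok": False, "role": None, "subject": None, "emails": [],
              "expires": None, "portal_configuration": None, "problems": []}
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    except ValueError:
        report["problems"].append("cannot open bundle: wrong password or corrupt PKCS#12")
        return report
    if cert is None:
        report["problems"].append("bundle has no end-entity certificate")
        return report
    if key is None:
        # A certificate-only bundle lets the device encrypt to others but never decrypt.
        report["problems"].append("bundle has no private key")
    elif _spki(key.public_key()) != _spki(cert.public_key()):
        report["problems"].append("private key does not match certificate")

    # Mail matches an S/MIME identity to an account by email address, so the
    # certificate needs one in the SAN (rfc822Name) or the subject (emailAddress).
    report["subject"] = cert.subject.rfc4514_string()
    emails = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)]
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails = san.get_values_for_type(x509.RFC822Name) + emails
    except x509.ExtensionNotFound:
        pass
    report["emails"] = emails
    if not emails:
        report["problems"].append("no email address in SAN or subject")

    # keyUsage decides which identity this is: signing (digitalSignature or
    # nonRepudiation) or encryption (keyEncipherment for RSA, keyAgreement for EC).
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        signs = ku.digital_signature or ku.content_commitment
        encrypts = ku.key_encipherment or ku.key_agreement
        report["role"] = {(True, True): "dual-use", (True, False): "signing",
                          (False, True): "encryption"}.get((signs, encrypts), "unusable")
    except x509.ExtensionNotFound:
        report["role"] = "unspecified"  # no keyUsage: clients accept it for either purpose
    if report["role"] == "unusable":
        report["problems"].append("keyUsage permits neither signing nor encryption")
    report["portal_configuration"] = CONFIGURATION_FOR_ROLE.get(report["role"])

    not_after = getattr(cert, "not_valid_after_utc", None)  # cryptography >= 42
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    report["expires"] = not_after
    if not_after < datetime.now(timezone.utc):
        # An expired encryption key is still needed to read old mail, but it is
        # not the identity to publish for new mail.
        report["problems"].append(f"certificate expired on {not_after:%Y-%m-%d}: archive its "
                                  "key for old mail, do not upload it as the current identity")
    report["ok"] = not report["problems"]
    return report


def make_sample_p12(email, role, password, days_valid=365):
    """Constructed self-signed test bundle standing in for a CA-issued one."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, email)])
    now = datetime.now(timezone.utc)
    ku = x509.KeyUsage(
        digital_signature=role in ("signing", "dual-use"), content_commitment=False,
        key_encipherment=role in ("encryption", "dual-use"), data_encipherment=False,
        key_agreement=False, key_cert_sign=False, crl_sign=False,
        encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=400))  # far enough back that a
            .not_valid_after(now + timedelta(days=days_valid))  # negative days_valid is valid
            .add_extension(ku, critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
            .sign(key, hashes.SHA256()))
    return pkcs12.serialize_key_and_certificates(
        email.encode(), key, cert, None, serialization.BestAvailableEncryption(password))


if __name__ == "__main__":
    pw = b"changeit"
    for role in ("signing", "encryption", "dual-use"):
        print(role, inspect_p12(make_sample_p12("alice@example.com", role, pw), pw))
    print("expired", inspect_p12(make_sample_p12("alice@example.com", "encryption", pw, -10), pw))
```

To check a real file, read it with `open(path, "rb").read()` and pass the user's P12 password as bytes; the `portal_configuration` value is the Configuration the user should pick on the upload page, and a dual-use certificate is uploaded once under each of the two settings.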

Creating an Email setting for per message S/MIME encryption

Create an email setting so that device users can access their email with the ability to toggle S/MIME encryption per message.

If your email is managed by an Exchange Server, or you are using ActiveSync, you can create an Exchange setting instead, as described in Exchange settings.

  1. In the Admin Portal go to Policies & Configs > Configurations.
  2. Click Add New > Email. The New Email Setting dialog box opens.
  3. Enter the information requested, as described in the table of settings in Configuring POP and IMAP email settings (for iOS and macOS).
  4. Configure the following to enable per-message S/MIME encryption:

    S/MIME Settings > S/MIME
      • Enable for iOS 9.3.3 (or earlier): Select to enable S/MIME signing and encryption on Android devices and devices running iOS 9.3.3 or earlier. You must select this option for the fields in the S/MIME Signing and S/MIME Encryption sections to apply to devices running iOS 9.3.3 or earlier.

    S/MIME Settings > S/MIME Encryption
      • Encryption by Default: Disabled by default. Select to enable S/MIME encryption.
      • Encryption Identity: Select a certificate enrollment setting as the encryption identity (see Certificate Enrollment settings). If you make no selection, the device user is prompted to select from the certificates already installed on the device. If the device has no certificate, S/MIME encryption will not function on the device.
      • Encryption Identity: User Overrideable (iOS 12.0 or supported newer versions): Select to allow the user to set the S/MIME encryption identity and enable encryption.
      • Per-Message Encryption Switch: Select to allow device users to enable or disable S/MIME encryption for each email they send. S/MIME encryption is incompatible with Sentry attachment encryption.

  5. Click Save.

Creating an Exchange setting for per message S/MIME encryption

If your organization uses Microsoft Exchange Server or ActiveSync to manage email, create an Exchange setting to enable devices to access email.

If an Exchange profile already exists on managed devices, then attempts to distribute new ActiveSync settings using Core will fail.

  1. In the Admin Portal go to Policies & Configs > Configurations.
  2. Click Add New > Exchange. The New Exchange Setting dialog box opens.
  3. Enter the following ActiveSync information:
    • ActiveSync User Name: Enter a variable such as $USERID$. This field supports custom device and user attribute variable names. $MANAGED_APPLE_ID$ can be used for Shared iPad devices and User Enrolled devices only.
    • ActiveSync User Email: Enter a variable such as $USERID$. This field supports custom device and user attribute variable names. $MANAGED_APPLE_ID$ can be used for Shared iPad devices and User Enrolled devices only.

  4. Configure the following to enable per-message S/MIME encryption:

    S/MIME Settings > S/MIME
      • Enable for Android and iOS 9.3.3 (or earlier): Select to enable S/MIME signing and encryption on Android devices and devices running iOS 9.3.3 or earlier. You must select this option for the fields in the S/MIME Signing and S/MIME Encryption sections to apply to devices running iOS 9.3.3 or earlier.

    S/MIME Settings > S/MIME Encryption
      • Encryption by Default: Disabled by default. Select to enable S/MIME encryption.
      • Encryption Identity: Select a certificate enrollment setting as the encryption identity (see Certificate Enrollment settings). If you make no selection, the device user is prompted to select from the certificates already installed on the device. If the device has no certificate, S/MIME encryption will not function on the device.
      • Encryption Identity: User Overrideable (iOS 12.0 or supported newer versions): Select to allow the user to set the S/MIME encryption identity and enable encryption.
      • Per-Message Encryption Switch: Select to allow device users to enable or disable S/MIME encryption for each email they send. S/MIME encryption is incompatible with Sentry attachment encryption.
  5. Configure the following iOS settings:

    iOS 5 or later Settings
      • Email access to Third-Party apps: Block: Select to prevent third-party apps from using the account for email access.
      • Allow Recent Address syncing (iOS 6 and later): Selected by default, so recent addresses from this account are synced. If this check box is cleared, this email account is excluded from recent address syncing.
      • Use OAuth for Authentication: Enable (iOS 12.0 and later): If selected, the account authenticates with OAuth and no password is required in this setting.
      • Communication Service Rules (iOS 10 and later): Select to choose a default app to be used when calling contacts from this account.
  6. Continue configuring the Exchange settings as needed.

    For more information about configuring an Exchange setting, see Exchange settings.

  7. Click Save.

Pushing per-message S/MIME changes to devices

To push changes to devices:

  1. In the Admin Portal go to Policies & Configs > Configurations.
  2. From the list of settings, select the Certificate and Email or Exchange settings you created in previous sections, then click Actions > Apply to Label.

    The Apply to Label dialog box opens.

    Do not apply the user-provided certificate enrollment setting to any labels.

  3. Select the labels to which you want to apply the Certificate setting, Email setting or Exchange setting.
  4. Click Apply.

    The settings will be pushed to the devices you specified per the Sync Interval defined in your sync policy, or at the next forced device check-in.

  5. Instruct users to enable S/MIME on their devices as follows:
    1. Go to Settings > Mail, Contacts, Calendars.
    2. Select the email account associated with your client certificate.
    3. Tap the Account button with your email address.
    4. On the Account window, tap S/MIME.
    5. Enable signing by tapping Sign and selecting your certificate.
    6. Enable encryption by tapping Encrypt, and then select your certificate.
  6. Email users the following link for more information on signing and encrypting email on an iOS device:

    http://support.apple.com/en-us/HT4979