Configuring Email+ to use derived credentials

Applicable derived credential providers and device platforms

Derived credential providers: any provider for iOS; Entrust and Intercede for Android.
Device platforms: iOS and Android.

Email+ for iOS and Email+ for Android can use derived credentials for:

S/MIME signing
S/MIME encryption
S/MIME decryption of older emails (supported in Email+ 3.8 for iOS through the most recently released version as supported by MobileIron).
Identifying and authenticating the email user to the email server

The tasks for configuring derived credentials use in Email+ are:

1. Providing special key-value pairs in the AppConnect app configuration
2. Uploading the root and issuer chain certificates
3. Referring to the root and issuer chain certificates in the AppConnect app configuration
4. Setting up MobileIron Tunnel if the Exchange server is behind your firewall (iOS only)

For details about Email+ configuration, see the MobileIron Email+ for iOS Guide for Administrators for MobileIron Core and MobileIron Cloud and the MobileIron Email+ for Android Guide for Administrators for Android AppConnect and Android enterprise for MobileIron Core and MobileIron Cloud.

Before you begin

Set up the Microsoft Exchange server to accept certificate authentication.
Have available for upload to MobileIron Core the certificate authority (CA) root certificate and the issuer chain certificates that match your device users’ smart card certificates.

These certificates are necessary if your device users use derived credentials to sign, encrypt, or decrypt S/MIME emails. They allow Email+ on the devices that handle the signed or encrypted email to trust the issuer chain of the derived credentials.

Providing special key-value pairs in the AppConnect app configuration

Special key-value pairs are necessary in the AppConnect app configuration for Email+ if it is using derived credentials. Specifically:

If device users will authenticate to the Exchange server with a derived credential’s certificate:
- Set the value of the key email_exchange_host to the Exchange server, not the Standalone Sentry. Therefore, you do not configure a Standalone Sentry for ActiveSync.
- Set the value of the key email_login_certificate to a client-provided certificate enrollment setting from the drop-down list. The setting must have the purpose Authentication.
If device users will sign S/MIME emails with a derived credential’s certificate:
- Set the value of the key email_signing_certificate to a client-provided certificate enrollment setting from the drop-down list. The setting must have the purpose Signing.
If device users will encrypt S/MIME emails with a derived credential’s certificate:
- Set the value of the key email_encryption_certificate to a client-provided certificate enrollment setting from the drop-down list. The setting must have the purpose Encryption.
If iOS device users will decrypt older S/MIME emails, for which the original encryption certificate has expired, with a derived credential’s certificate:
- Set the value of the key email_decryption_certificates to a client-provided certificate enrollment setting from the drop-down list. The setting must have the purpose Decryption.
NOTE: The names of keys are case-sensitive.

Procedure 

1. On the Admin Portal, go to Policies & Configs > Configurations.
2. Select Add New > AppConnect > App Configuration.
NOTE: Alternatively, edit the existing AppConnect app configuration for Email+ for iOS or Email+ for Android if you have one already.
3. Enter a name for the AppConnect app configuration, such as Email+ for iOS or Email+ for Android.
4. Enter a description for the AppConnect app configuration.
5. In the Application field:
- For Email+ for iOS, enter com.mobileiron.ios.emailplus.
- For Email+ for Android, select Email+ from the dropdown. It is listed because you added Email+ for Android to the MobileIron Core App Catalog.
6. In the App-specific Configurations section, add the key-value pairs listed above, plus other Email+ key-value pairs you require.
7. Click Save.
8. Select the AppConnect app configuration that you just created.
9. Click More Actions > Apply to Label.
10. Select the labels to which you want to apply this policy.
11. Click Apply.

For the procedure to add Email+ for Android to the App Catalog, see Adding AppConnect apps to the App Catalog.

Uploading the root and issuer chain certificates

Provide a Certificates setting for the CA root certificate and for each issuer chain certificate if device users are using derived credentials for any of the following:

S/MIME encryption
S/MIME decryption of older emails for which the original encryption certificate has expired
S/MIME signing

Procedure 

1. In the Admin Portal, go to Policies & Configs > Configurations > Add New > Certificates.
2. Enter a Name and Description for the certificate.
3. Click Browse to select the certificate.
4. Click Save.
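Two things can go wrong silently here: the root and issuer chain you upload may not actually be the chain that issued the users’ derived-credential certificates, and a certificate enrollment setting may be given a purpose (Authentication, Signing, Encryption) that the underlying certificate’s key usage does not permit. The POSIX shell script below is an added example, not MobileIron code, that checks both before you upload anything. It assumes the openssl command-line tool is installed, and it assumes the mapping of Email+ purposes to X.509 key usage and extended key usage shown in its header comment (standard S/MIME practice; the MobileIron documentation does not state it). The test PKI it builds is constructed for the example only.

```shell
#!/bin/sh
# Added example (not MobileIron code): check a derived-credential certificate
# against the CA root and issuer chain you are about to upload to MobileIron
# Core, and against the purpose you will assign to it in the AppConnect app
# configuration. Requires the openssl command-line tool.
#
# Assumed mapping of Email+ purposes to X.509 extensions (standard S/MIME
# practice; not stated by the MobileIron documentation):
#   Authentication -> extendedKeyUsage clientAuth,      keyUsage digitalSignature
#   Signing        -> extendedKeyUsage emailProtection, keyUsage digitalSignature
#   Encryption     -> extendedKeyUsage emailProtection, keyUsage keyEncipherment
set -u

# check_cert ROOT_PEM ISSUER_PEM LEAF_PEM ROLE
# Returns 0 if LEAF chains to ROOT through ISSUER and carries the key usages
# required for ROLE (auth | signing | encryption); returns 1 otherwise.
check_cert() {
  root=$1; issuer=$2; leaf=$3; role=$4
  # Chain check: the uploaded root and issuer certificates must satisfy this.
  openssl verify -CAfile "$root" -untrusted "$issuer" "$leaf" >/dev/null 2>&1 || return 1
  # Usage check: the certificate must be allowed to do what the purpose says.
  ext=$(openssl x509 -in "$leaf" -noout -ext keyUsage,extendedKeyUsage 2>/dev/null)
  case $role in
    auth)       echo "$ext" | grep -q 'TLS Web Client Authentication' &&
                echo "$ext" | grep -q 'Digital Signature' ;;
    signing)    echo "$ext" | grep -q 'E-mail Protection' &&
                echo "$ext" | grep -q 'Digital Signature' ;;
    encryption) echo "$ext" | grep -q 'E-mail Protection' &&
                echo "$ext" | grep -q 'Key Encipherment' ;;
    *)          return 1 ;;
  esac
}

# --- Throwaway test PKI (constructed for this example; never reuse these keys) ---

# make_ca DIR NAME [PARENT_PEM PARENT_KEY]: self-signed root, or issuing CA under PARENT.
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  if [ $# -eq 2 ]; then
    openssl x509 -req -days 30 -in "$1/$2.csr" -signkey "$1/$2.key" \
      -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
  else
    openssl x509 -req -days 30 -in "$1/$2.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
      -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
  fi
}

# issue_leaf DIR NAME KEY_USAGE EXT_KEY_USAGE CA_PEM CA_KEY: end-entity certificate.
issue_leaf() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,%s\nextendedKeyUsage=%s\n' "$3" "$4" >"$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$1/$2.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_test_pki DIR: root -> issuer -> one leaf per Email+ purpose, plus a leaf
# from an unrelated root ("rogue") that the chain check must reject.
make_test_pki() {
  mkdir -p "$1"
  make_ca "$1" root
  make_ca "$1" issuer "$1/root.pem" "$1/root.key"
  issue_leaf "$1" auth       digitalSignature                clientAuth      "$1/issuer.pem" "$1/issuer.key"
  issue_leaf "$1" signing    digitalSignature,nonRepudiation emailProtection "$1/issuer.pem" "$1/issuer.key"
  issue_leaf "$1" encryption keyEncipherment                 emailProtection "$1/issuer.pem" "$1/issuer.key"
  make_ca "$1" otherroot
  issue_leaf "$1" rogue      digitalSignature                clientAuth      "$1/otherroot.pem" "$1/otherroot.key"
}

main() {
  dir=$(mktemp -d)
  make_test_pki "$dir"
  # name:role pairs; the last two are expected to FAIL (wrong issuer, wrong key usage).
  for pair in auth:auth signing:signing encryption:encryption rogue:auth encryption:signing; do
    name=${pair%%:*}; role=${pair#*:}
    if check_cert "$dir/root.pem" "$dir/issuer.pem" "$dir/$name.pem" "$role"; then
      echo "PASS  $name.pem as $role"
    else
      echo "FAIL  $name.pem as $role"
    fi
  done
  rm -rf "$dir"
}

main "$@"
```

To use this against real material, replace the generated files with the root and issuer certificates you plan to upload and a certificate exported from a user’s derived credential, and run check_cert once per purpose you intend to assign. A FAIL on the chain step means the Certificates settings you upload will not let Email+ trust that user’s certificates; a FAIL on the usage step means the enrollment setting’s purpose does not match what the certificate can do.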

Referring to the root and issuer chain certificates in the AppConnect app configuration

Procedure 

1. On the Admin Portal, go to Policies & Configs > Configurations.
2. Select the AppConnect app configuration you created for Email+.
3. Click Edit.
4. In the App-specific Configurations section, add a key-value pair for the root certificate and each issuer chain certificate as follows:
- Key: email_certificate_X, where X is 1 through 10
- Value: Select the Certificates setting name from the drop-down list
5. Click Save.

Setting up MobileIron Tunnel if the Exchange server is behind your firewall (iOS only)

If the Exchange server is behind your firewall, use MobileIron Tunnel to tunnel to the Exchange server from mobile devices running Email+. Detailed information about setting up MobileIron Tunnel is available in the MobileIron Tunnel for iOS Guide for Administrators for MobileIron Core and MobileIron Cloud.