Setting up Email+ to use derived credentials
Applicable derived credential providers and device platforms
Derived credential providers | Any for iOS; Entrust for Android
Device platforms | iOS, Android AppConnect
Email+ for iOS and Email+ for Android can use derived credentials for:
• S/MIME signing
• S/MIME encryption
• Identifying and authenticating the email user to the email server
The tasks for configuring Email+ to use derived credentials are:
1. Uploading the root and issuer chain certificates
2. Adding Email+ for iOS to the App Catalog
3. Adding Email+ for Android to the App Catalog
4. Setting up MobileIron Tunnel for iOS if the Exchange server is behind your firewall
Before you begin
• Set up the Microsoft Exchange server to accept certificate authentication.
  See Configuring Certificate-Based Authentication for Microsoft Exchange.
• Have available for upload to MobileIron Cloud the certificate authority (CA) root certificate and certificate chain certificates that match your device users’ smart card certificates.
  These certificates are necessary if your device users are using derived credentials to sign or encrypt S/MIME emails. They allow Email+ on the devices receiving the signed or encrypted email to trust the issuer chain certificates of the derived credentials.
• MobileIron Email+ for iOS Guide for Administrators
• MobileIron Email+ for Android Guide for Administrators
Uploading the root and issuer chain certificates
If device users are using derived credentials for S/MIME encryption or signing, you provide a certificate configuration for the CA root certificate and each issuer chain certificate.
Procedure
For the CA root certificate and each issuer chain certificate:
1. In the Admin Portal, go to Configurations.
2. Click +Add.
3. Select Certificate.
4. Enter a name for the certificate configuration.
5. Drag and drop the certificate to the screen.
6. Click Next.
7. Select the devices to distribute the certificate to.
8. Click Done.
Adding Email+ for iOS to the App Catalog
Add Email+ for iOS to the App Catalog on the MobileIron Cloud Admin Portal.
Procedure
1. In the Admin Portal, go to Apps > App Catalog.
2. Click +Add.
3. In the Business Apps section, select Email+ (iOS).
4. Click Next.
5. Click Next.
6. Select the users and user groups that you want to distribute the app to.
7. Click Next.
8. Scroll down to Email+ Configuration.
9. Select + to add a new Email+ configuration.
10. Enter a name for the Email+ configuration.
11. Enter field values according to the following table:
Item | Description
Email address | Enter the email address, typically ${userEmailAddress}.
Email Password | Do not enter a value.
Exchange Host | Enter the fully qualified domain name of the Exchange server, not the Standalone Sentry. You do not configure a Standalone Sentry for ActiveSync.
Exchange Username | Enter the user name appropriate for your Exchange environment. For example, typically this value is ${userUID}. Another possibility is ${userUIDLocalPart}.
SSL required | Select this option to secure communication to the Exchange server using HTTPS.
Minimum Characters for GAL search | Enter the minimum number of characters for Email+ for iOS to use for automatic Global Address List (GAL) lookup in Mail and Contacts.
Identity Certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Authentication. Email+ will use this certificate to identify the device user to the Exchange server.
Trust All Certificates | Do not select.
Prompt for Password Before Connecting to Server | Do not select.
Lotus Notes Traveler | Do not select.
All remaining selections | Select according to your requirements. For more information, see MobileIron Email+ for iOS Guide for Administrators.
12. In the AppConnect Certificate Configuration section, add the case-sensitive key-value pairs necessary for Email+ to use derived credentials. Specifically:
Use case | Key | Value
Signing S/MIME emails | email_signing_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Signing.
Encrypting | email_encryption_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Encryption.
Signing or encrypting | email_certificate_X where X is 1 through 10 | Select the CA root certificate or certificate chain certificate from the drop-down list.
13. Select the users and user groups that you want to distribute the Email+ configuration to.
14. Click Next.
15. Click Done.
• MobileIron Email+ for iOS Guide for Administrators
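The field and key rules from the iOS procedure above can be checked on a planned configuration before it is entered in the Admin Portal. This is an added example, not MobileIron code; the `plan` dictionary layout, the function name and the sample values are assumptions made for the illustration.

```python
import re

# Purpose the iOS table above requires for each derived-credential key.
REQUIRED_PURPOSE = {"email_signing_certificate": "Signing",
                    "email_encryption_certificate": "Encryption"}
CHAIN_OK = re.compile(r"email_certificate_([1-9]|10)")  # X is 1 through 10
MUST_BE_OFF = ("Trust All Certificates",  # options the table says not to select
               "Prompt for Password Before Connecting to Server",
               "Lotus Notes Traveler")

def lint_ios_plan(plan):
    """Return findings for a planned Email+ (iOS) configuration.
    `plan` is a hypothetical layout for this example: `fields` (portal field
    name -> value), `identity_purpose`, and `cert_kv` (AppConnect key ->
    purpose of the certificate configuration selected for it)."""
    findings = []
    fields = plan.get("fields", {})
    if fields.get("Email Password"):
        findings.append("Email Password: do not enter a value")
    findings += [f"{n}: do not select" for n in MUST_BE_OFF if fields.get(n)]
    if plan.get("identity_purpose") != "Authentication":
        findings.append("Identity Certificate: purpose must be Authentication")
    for key, purpose in plan.get("cert_kv", {}).items():
        low = key.lower()
        if key in REQUIRED_PURPOSE:
            if purpose != REQUIRED_PURPOSE[key]:
                findings.append(f"{key}: purpose must be {REQUIRED_PURPOSE[key]}")
        elif CHAIN_OK.fullmatch(key):
            continue  # CA root or chain certificate, no purpose to check
        elif low in REQUIRED_PURPOSE or CHAIN_OK.fullmatch(low):
            findings.append(f"{key}: keys are case-sensitive, expected {low}")
        elif low.startswith("email_certificate_"):
            findings.append(f"{key}: X must be 1 through 10")
        else:
            findings.append(f"{key}: not a key listed for derived credentials")
    return findings

# Constructed sample plans (not taken from a real deployment).
SAMPLE_BAD = {"fields": {"Trust All Certificates": True},
              "identity_purpose": "Signing",
              "cert_kv": {"Email_Signing_Certificate": "Signing",
                          "email_encryption_certificate": "Signing",
                          "email_certificate_11": "CA chain"}}
SAMPLE_GOOD = {"fields": {"Email Password": "", "SSL required": True},
               "identity_purpose": "Authentication",
               "cert_kv": {"email_signing_certificate": "Signing",
                           "email_encryption_certificate": "Encryption",
                           "email_certificate_1": "CA root"}}
print(*lint_ios_plan(SAMPLE_BAD), sep="\n")
```

An empty list from `lint_ios_plan` means the plan follows the table values for the checked fields and keys; it does not validate the certificates themselves.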
Adding Email+ for Android to the App Catalog
Add Email+ for Android to the App Catalog on the MobileIron Cloud Admin Portal.
Procedure
1. Go to https://help.mobileiron.com and select the Software tab.
2. Download the Email+ for Android APK file.
3. In the Admin Portal, go to Apps > App Catalog.
4. Click +Add.
5. Select In-House to upload the app.
6. Drag and drop the Email+ for Android APK file to the designated area.
7. Click Next.
8. In Category, enter a category.
9. Click Next.
10. Click Next.
11. Click Next.
12. Select the users and user groups that you want to distribute the app to.
13. Click Next.
14. Next to Email+ Configuration, click the + sign.
15. Enter a name for the Email+ configuration.
16. In the AppConnect Custom Configuration section, add the case-sensitive key-value pair:
Key | Value
email_exchange_host | Enter the fully qualified domain name of the Exchange server, not the Standalone Sentry. You do not configure a Standalone Sentry for ActiveSync.
17. Confirm or change default values for the other key-value pairs in the AppConnect Custom Configuration section.
18. In the AppConnect Certificate Configuration section, add the case-sensitive key-value pairs necessary for Email+ to use derived credentials. Specifically:
Use case | Key | Value
Login certificate | email_login_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Authentication. Email+ will use this certificate to identify the device user to the Exchange server.
Signing S/MIME emails | email_signing_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Encryption.
Encrypting | email_encryption_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Encryption.
Signing or encrypting | email_certificate_X where X is 1 through 10 | Select the CA root certificate or certificate chain certificate from the drop-down list.
19. Select the users and user groups that you want to distribute the AppConnect custom configuration to.
20. Click Next.
21. Click Done.
• MobileIron Email+ for Android Guide for Administrators
Setting up MobileIron Tunnel for iOS if the Exchange server is behind your firewall
Detailed information about setting up MobileIron Tunnel for iOS is available in the MobileIron Tunnel for iOS Guide for Administrators.