Setting up Email+ to use derived credentials

Applicable derived credential providers and device platforms

  • Derived credential providers: Any for iOS, Entrust for Android

  • Device platforms: iOS, Android AppConnect

Email+ for iOS and Email+ for Android can use derived credentials for:

  • S/MIME signing

  • S/MIME encryption

  • Identifying and authenticating the email user to the email server

The tasks for configuring Email+ to use derived credentials are:

  1. Uploading the root and issuer chain certificates

  2. Adding Email+ for iOS to the App Catalog

  3. Adding Email+ for Android to the App Catalog

  4. Setting up Tunnel for iOS if the Exchange server is behind your firewall

Before you begin 

  • Set up the Microsoft Exchange server to accept certificate authentication.

    See Setting up Microsoft Exchange for certificate authentication.

  • Have available for upload to Ivanti Neurons for MDM the certificate authority (CA) root certificate and certificate chain certificates that match your device users’ smart card certificates.

These certificates are necessary if your device users are using derived credentials to sign or encrypt S/MIME emails. They allow Email+ on the devices receiving the signed or encrypted email to trust the issuer chain certificates of the derived credentials.

Email+ for Android Guide

Email+ for iOS Guide

Uploading the root and issuer chain certificates

If device users are using derived credentials for S/MIME encryption or signing, you provide a certificate configuration for the CA root certificate and each issuer chain certificate.

Procedure 

For the CA root certificate and each issuer chain certificate:

  1. In the Admin Portal, go to Configurations.

  2. Click +Add.

  3. Select Certificate.

  4. Enter a name for the certificate configuration.

  5. Drag and drop the certificate to the screen.

  6. Click Next.

  7. Select the devices to distribute the certificate to.

  8. Click Done.

Adding Email+ for iOS to the App Catalog

Add Email+ for iOS to the App Catalog on the Ivanti Neurons for MDM Admin Portal.

Procedure 

  1. In the Admin Portal, go to Apps > App Catalog.

  2. Click +Add.

  3. In the Business Apps section, select Email+ (iOS).

  4. Click Next.

  5. Click Next.

  6. Select the users and user groups that you want to distribute the app to.

  7. Click Next.

  8. Scroll down to Email+ Configuration.

  9. Select + to add a new Email+ configuration.

  10. Enter a name for the Email+ configuration.

  11. Enter field values according to the following table:

    | Item | Description |
    |------|-------------|
    | Email address | Enter the email address, typically ${userEmailAddress}. |
    | Email Password | Do not enter a value. |
    | Exchange Host | Enter the fully qualified domain name of the Exchange server, not the Standalone Sentry. You do not configure a Standalone Sentry for ActiveSync. |
    | Exchange Username | Enter the user name appropriate for your Exchange environment. For example, typically this value is ${userUID}. Another possibility is ${userUIDLocalPart}. |
    | SSL required | Select this option to secure communication to the Exchange server using HTTPS. |
    | Minimum Characters for GAL search | Enter the minimum number of characters for Email+ for iOS to use for automatic Global Address List (GAL) lookup in Mail and Contacts. |
    | Identity Certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Authentication. Email+ will use this certificate to identify the device user to the Exchange server. |
    | Trust All Certificates | Do not select. |
    | Prompt for Password Before Connecting to Server | Do not select. |
    | Lotus Notes Traveler | Do not select. |
    | All remaining selections | Select according to your requirements. For more information, see Email+ for iOS Guide. |

  12. In the AppConnect Certificate Configuration section, add the case-sensitive key-value pairs necessary for Email+ to use derived credentials. Specifically:

    | Use case | Key | Value |
    |----------|-----|-------|
    | Signing S/MIME emails | email_signing_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Signing. |
    | Encrypting S/MIME emails | email_encryption_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Encryption. |
    | Signing or encrypting S/MIME emails | email_certificate_X, where X is 1 through 10 | Select the CA root certificate or certificate chain certificate from the drop-down list. |

  13. Select the users and user groups that you want to distribute the Email+ configuration to.

  14. Click Next.

  15. Click Done.

Email+ for iOS Guide

Adding Email+ for Android to the App Catalog

Add Email+ for Android to the App Catalog on the Ivanti Neurons for MDM Admin Portal.

Procedure 

  1. Go to https://support.mobileiron.com/mi/android-appstation-emailplus/current/ and download the Email+ for Android Appstation APK file.

  2. In the Admin Portal, go to Apps > App Catalog.

  3. Click +Add.

  4. Select In-House to upload the app.

  5. Drag and drop the Email+ for Android APK file to the designated area.

  6. Click Next.

  7. In Category, enter a category.

  8. Click Next.

  9. Click Next.

  10. Click Next.

  11. Select the users and user groups that you want to distribute the app to.

  12. Click Next.

  13. Next to Email+ Configuration, click the + sign.

  14. Enter a name for the Email+ configuration.

  15. In the AppConnect Custom Configuration section, add the case-sensitive key-value pair:

    | Key | Value |
    |-----|-------|
    | email_exchange_host | Enter the fully qualified domain name of the Exchange server, not the Standalone Sentry. You do not configure a Standalone Sentry for ActiveSync. |

  16. Confirm or change default values for the other key-value pairs in the AppConnect Custom Configuration section.

  17. In the AppConnect Certificate Configuration section, add the case-sensitive key-value pairs necessary for Email+ to use derived credentials. Specifically:

    | Use case | Key | Value |
    |----------|-----|-------|
    | Login certificate | email_login_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Authentication. Email+ will use this certificate to identify the device user to the Exchange server. |
    | Signing S/MIME emails | email_signing_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Encryption. |
    | Encrypting S/MIME emails | email_encryption_certificate | Select an identity certificate configuration for derived credentials from the drop-down list. The identity certificate configuration must have the purpose Encryption. |
    | Signing or encrypting S/MIME emails | email_certificate_X, where X is 1 through 10 | Select the CA root certificate or certificate chain certificate from the drop-down list. |

  18. Select the users and user groups that you want to distribute the AppConnect custom configuration to.

  19. Click Next.

  20. Click Done.

Email+ for Android Guide
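
A pre-flight check for the case-sensitive key-value pairs entered in the AppConnect Certificate Configuration section for iOS and for Android, added here as an example; it is not Ivanti code and does not call the Admin Portal. The function name, the dictionary that stands in for the form, and the sample configuration names are assumptions, and it treats a zero-padded index such as email_certificate_01 as invalid.

```python
import re

# Keys this page lists for the AppConnect Certificate Configuration section.
FIXED_KEYS = {
    "ios": {"email_signing_certificate", "email_encryption_certificate"},
    "android": {"email_login_certificate", "email_signing_certificate",
                "email_encryption_certificate"},
}
SMIME_KEYS = {"email_signing_certificate", "email_encryption_certificate"}
CHAIN_KEY = re.compile(r"email_certificate_(\d+)")
VALID_INDEXES = {str(i) for i in range(1, 11)}  # "where X is 1 through 10"


def lint_certificate_keys(platform, pairs):
    """Return findings for a {key: selected configuration name} mapping."""
    fixed = FIXED_KEYS[platform]
    findings = []
    for key, value in pairs.items():
        match = CHAIN_KEY.fullmatch(key)
        if key in fixed or match:
            # Assumption: "01", "0" and "11" are all rejected (strict reading).
            if match and match.group(1) not in VALID_INDEXES:
                findings.append(f"{key}: X must be 1 through 10")
            if not value.strip():
                findings.append(f"{key}: no certificate configuration selected")
            continue
        folded = key.strip().lower()
        if folded in fixed or CHAIN_KEY.fullmatch(folded):
            findings.append(f"{key!r}: keys are case-sensitive, expected {folded!r}")
        else:
            findings.append(f"{key!r}: not a key this page lists for {platform}")
    # Signing or encrypting needs the CA root and issuer chain for recipients to trust it.
    if pairs.keys() & SMIME_KEYS and not any(CHAIN_KEY.fullmatch(k) for k in pairs):
        findings.append("S/MIME key present but no email_certificate_X entry")
    return findings


# Constructed sample: configuration names are made up for illustration.
SAMPLE_ANDROID = {
    "email_login_certificate": "DC-Auth",
    "Email_Signing_Certificate": "DC-Sign",      # wrong case
    "email_encryption_certificate": "DC-Encrypt",
    "email_certificate_1": "Example-Root-CA",
    "email_certificate_11": "Example-Issuing-CA",  # out of range
}

if __name__ == "__main__":
    for finding in lint_certificate_keys("android", SAMPLE_ANDROID):
        print(finding)
```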

Setting up Tunnel for iOS if the Exchange server is behind your firewall

Detailed information about setting up Tunnel for iOS is available in the Tunnel for iOS Guide.