Solved

S/MIME with Office 365 and AD CS on Apple iOS(iPhone/iPad) and Android

Posted on 2014-12-31
1
651 Views
Last Modified: 2015-02-18
I'm searching for answer to the following topic:

We need to deploy S/MIME to our mobile users to allow them to send and receive S/MIME signed/encrypted mails inside our organisation.

Problem: Microsoft shows the S/MIME solution for Outlook on Windows, OWA (implemented not so long ago) and Windows Phone, but situation for devices/mail clients on Apple and Android devices regarding using S/MIME certificates is unclear.

In our scenario we must decide to purchase Office 365 (at least Exchange Online Plan1 and Azure Rights Management) for every user to accomplish basic requirements for such setup (now we using third party hosted mail) so this rather expensive decision.

We know that we need to setup:
- AD Certificate Services in our on-premise system
- Dirsync AD Certs with Azure Active Directory (then with Exchange Online tenant)
- rules for mail encryption on Office 365
so that is clear.

What is unclear - are the Office 365 via EAS distribute:
1. all internal users public certificates to Apple/Android devices Address Books to use when device user try to send S/MIME encrypted message inside organistation ?

2. private certificate of device user to use when user receiving S/MIME encrypted mail (this is less problematic as we can distribute this via other methods)?

thx in advance for any help
0
Comment
Question by:RMPL
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40526381
indeed for Windows Mobile, it is as per shared and detailed setup  found in MS blog.
(detailed steps)
http://blogs.technet.com/b/exchange/archive/2014/12/15/how-to-configure-s-mime-in-office-365.aspx
(summary)
http://blogs.office.com/2014/02/26/smime-encryption-now-in-office-365/

Also some key pt from blog are some basis for any S/MIME client to work with Exchange online and Azure AD are
- Requires SST (Microsoft serialized certificate store) to be used for S/MIME certificate validation for Exchange online
- Requires to publish user’s certificate to the Exchange GAL to exchange S/MIME encrypted messages. The user must first have the certificate installed on their local machine before publish. Note certificate in Exchange online GAL (Contact) currently not supported.
- Requires two key attributes in a user object where certificate information stored to have are UserCertificate (default for on premise exchanges) and UserSMimeCertificate (available for GAL lookup). Of course include the trusted CA and its  intermediate CA cert in the store
- Requires the certificate usage specified for signing and/or encryption (enterprise should go for smartcard user to use different user cert in each usage case)

Hence for other mobile OS such as
a) iOS
- Native Email client does support S/MIME. It search the GAL for the recipient whom is Exchange user and for non Exchange users, we need their public cert in the iOS device. As per http://support.apple.com/en-sg/HT202345
- No OWA support for S/MIME in its current Apps for O365. E.g. User can read digitally signed mail but cannot verify signatures, cannot read encrypted mail and cannot create/send digitally signed or encrypted mail. As per http://community.office365.com/en-us/w/mobile/owa-for-iphone-and-owa-for-ipad.aspx

Note also from the blog, it stated the app uses Exchange Web Services (EWS) protocol, not Exchange ActiveSync (EAS) protocol. The EAS policy on S/MIME related only support iOS 7 and 8 above.

b) Android - No S/MIME support as far as I know.

May want to see this link on the comparison btw Mobile OS and it include S/MIME and EAS policy
(free registration) http://www.infoworld.com/article/2604692/mobile-device-management/mobile-security-ios-vs-android-vs-blackberry-vs-windows-phone.html
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now