Solved

S/MIME with Office 365 and AD CS on Apple iOS(iPhone/iPad) and Android

Posted on 2014-12-31
1
632 Views
Last Modified: 2015-02-18
I'm searching for answer to the following topic:

We need to deploy S/MIME to our mobile users to allow them to send and receive S/MIME signed/encrypted mails inside our organisation.

Problem: Microsoft shows the S/MIME solution for Outlook on Windows, OWA (implemented not so long ago) and Windows Phone, but situation for devices/mail clients on Apple and Android devices regarding using S/MIME certificates is unclear.

In our scenario we must decide to purchase Office 365 (at least Exchange Online Plan1 and Azure Rights Management) for every user to accomplish basic requirements for such setup (now we using third party hosted mail) so this rather expensive decision.

We know that we need to setup:
- AD Certificate Services in our on-premise system
- Dirsync AD Certs with Azure Active Directory (then with Exchange Online tenant)
- rules for mail encryption on Office 365
so that is clear.

What is unclear - are the Office 365 via EAS distribute:
1. all internal users public certificates to Apple/Android devices Address Books to use when device user try to send S/MIME encrypted message inside organistation ?

2. private certificate of device user to use when user receiving S/MIME encrypted mail (this is less problematic as we can distribute this via other methods)?

thx in advance for any help
0
Comment
Question by:RMPL
1 Comment
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40526381
indeed for Windows Mobile, it is as per shared and detailed setup  found in MS blog.
(detailed steps)
http://blogs.technet.com/b/exchange/archive/2014/12/15/how-to-configure-s-mime-in-office-365.aspx
(summary)
http://blogs.office.com/2014/02/26/smime-encryption-now-in-office-365/

Also some key pt from blog are some basis for any S/MIME client to work with Exchange online and Azure AD are
- Requires SST (Microsoft serialized certificate store) to be used for S/MIME certificate validation for Exchange online
- Requires to publish user’s certificate to the Exchange GAL to exchange S/MIME encrypted messages. The user must first have the certificate installed on their local machine before publish. Note certificate in Exchange online GAL (Contact) currently not supported.
- Requires two key attributes in a user object where certificate information stored to have are UserCertificate (default for on premise exchanges) and UserSMimeCertificate (available for GAL lookup). Of course include the trusted CA and its  intermediate CA cert in the store
- Requires the certificate usage specified for signing and/or encryption (enterprise should go for smartcard user to use different user cert in each usage case)

Hence for other mobile OS such as
a) iOS
- Native Email client does support S/MIME. It search the GAL for the recipient whom is Exchange user and for non Exchange users, we need their public cert in the iOS device. As per http://support.apple.com/en-sg/HT202345
- No OWA support for S/MIME in its current Apps for O365. E.g. User can read digitally signed mail but cannot verify signatures, cannot read encrypted mail and cannot create/send digitally signed or encrypted mail. As per http://community.office365.com/en-us/w/mobile/owa-for-iphone-and-owa-for-ipad.aspx

Note also from the blog, it stated the app uses Exchange Web Services (EWS) protocol, not Exchange ActiveSync (EAS) protocol. The EAS policy on S/MIME related only support iOS 7 and 8 above.

b) Android - No S/MIME support as far as I know.

May want to see this link on the comparison btw Mobile OS and it include S/MIME and EAS policy
(free registration) http://www.infoworld.com/article/2604692/mobile-device-management/mobile-security-ios-vs-android-vs-blackberry-vs-windows-phone.html
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
This lesson covers basic error handling code in Microsoft Excel using VBA. This is the first lesson in a 3-part series that uses code to loop through an Excel spreadsheet in VBA and then fix errors, taking advantage of error handling code. This l…
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now