Solved

S/MIME with Office 365 and AD CS on Apple iOS(iPhone/iPad) and Android

Posted on 2014-12-31
Medium Priority
868 Views
Last Modified: 2015-02-18
I'm searching for an answer to the following topic:

We need to deploy S/MIME to our mobile users to allow them to send and receive S/MIME signed/encrypted mails inside our organisation.

Problem: Microsoft shows the S/MIME solution for Outlook on Windows, OWA (implemented not so long ago) and Windows Phone, but situation for devices/mail clients on Apple and Android devices regarding using S/MIME certificates is unclear.

In our scenario we must decide to purchase Office 365 (at least Exchange Online Plan 1 and Azure Rights Management) for every user to accomplish the basic requirements for such a setup (now we are using third-party hosted mail), so this is a rather expensive decision.

We know that we need to setup:
- AD Certificate Services in our on-premise system
- Dirsync AD Certs with Azure Active Directory (then with Exchange Online tenant)
- rules for mail encryption on Office 365
so that is clear.

What is unclear is whether Office 365 via EAS distributes:
1. all internal users' public certificates to the Apple/Android devices' address books, to be used when a device user tries to send an S/MIME encrypted message inside the organisation?

2. the private certificate of the device user, to be used when the user receives S/MIME encrypted mail (this is less problematic as we can distribute this via other methods)?

thx in advance for any help
Question by:RMPL
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 40526381
Indeed, for Windows Mobile it is as per the shared and detailed setup found in the MS blog.
(detailed steps)
http://blogs.technet.com/b/exchange/archive/2014/12/15/how-to-configure-s-mime-in-office-365.aspx
(summary)
http://blogs.office.com/2014/02/26/smime-encryption-now-in-office-365/

Also, some key points from the blog that are the basis for any S/MIME client to work with Exchange Online and Azure AD are:
- Requires an SST (Microsoft serialized certificate store) to be used for S/MIME certificate validation in Exchange Online
- Requires publishing the user's certificate to the Exchange GAL to exchange S/MIME encrypted messages. The user must first have the certificate installed on their local machine before publishing. Note that certificates in the Exchange Online GAL (Contact) are currently not supported.
- Requires two key attributes in the user object where the certificate information is stored: UserCertificate (default for on-premise Exchange) and UserSMimeCertificate (available for GAL lookup). Of course, include the trusted CA and its intermediate CA cert in the store
- Requires the certificate usage to be specified for signing and/or encryption (enterprises should go for smartcard users to use a different user cert in each usage case)

Hence, for other mobile OSes such as:
a) iOS
- The native email client does support S/MIME. It searches the GAL for recipients who are Exchange users; for non-Exchange users, we need their public cert on the iOS device. As per http://support.apple.com/en-sg/HT202345
- No OWA support for S/MIME in its current apps for O365. E.g. the user can read digitally signed mail but cannot verify signatures, cannot read encrypted mail and cannot create/send digitally signed or encrypted mail. As per http://community.office365.com/en-us/w/mobile/owa-for-iphone-and-owa-for-ipad.aspx

Note also that the blog states the app uses the Exchange Web Services (EWS) protocol, not the Exchange ActiveSync (EAS) protocol. The EAS policies related to S/MIME only support iOS 7 and 8 and above.

b) Android - No S/MIME support as far as I know.

You may want to see this link on the comparison between mobile OSes; it includes S/MIME and EAS policy
(free registration) http://www.infoworld.com/article/2604692/mobile-device-management/mobile-security-ios-vs-android-vs-blackberry-vs-windows-phone.html
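The accepted answer lists what a published user certificate must satisfy before mobile clients can rely on GAL lookup: a Secure Email usage, a chain to a CA in the trusted store, and the UserCertificate / UserSMimeCertificate attributes populated. The following PowerShell is an added audit script, not code from the post or from Microsoft; it assumes the RSAT ActiveDirectory module and read access to the user object, and the parameter and variable names are my own.

```powershell
# Audit an AD user's published S/MIME certificate material (added example).
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read the user.
param([Parameter(Mandatory)][string]$SamAccountName)

Import-Module ActiveDirectory

$secureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection
$user = Get-ADUser -Identity $SamAccountName -Properties userCertificate, userSMIMECertificate, mail

if (-not $user.userCertificate) {
    Write-Warning "$SamAccountName has no userCertificate values; clients cannot find a cert for this user."
}

foreach ($der in $user.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)

    # EKU must include Secure Email or clients will not offer this cert for S/MIME.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasSecureEmail = if ($eku) { $eku.EnhancedKeyUsages.Value -contains $secureEmailEku } else { $false }

    # Key Usage shows whether the cert serves signing, encryption, or both.
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $kuText = if ($ku) { $ku.KeyUsages.ToString() } else { '(none)' }

    # The RFC 822 name in the SAN should match the mailbox address clients look up in the GAL.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $mailMatches = if ($user.mail) { $sanText -match [regex]::Escape($user.mail) } else { $false }

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        Expired        = $cert.NotAfter -lt (Get-Date)
        SecureEmailEKU = $hasSecureEmail
        KeyUsage       = $kuText
        MailInSAN      = $mailMatches
        ChainValid     = $cert.Verify()   # root and intermediates must be trusted on this host
        Thumbprint     = $cert.Thumbprint
    }
}

# userSMIMECertificate is the attribute GAL lookup uses. Outlook publishes a PKCS#7 blob there
# rather than a bare X.509 cert, so this check only reports whether it is populated.
if ($user.userSMIMECertificate) {
    "userSMIMECertificate populated ($($user.userSMIMECertificate.Count) value(s))"
} else {
    Write-Warning "userSMIMECertificate is empty; publish the certificate to the GAL from Outlook."
}
```

Run it against a pilot user before rolling out to mobile devices: a row with SecureEmailEKU false, ChainValid false or MailInSAN false explains most "recipient has no certificate" errors on iOS.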
