Solved

S/MIME with Office 365 and AD CS on Apple iOS(iPhone/iPad) and Android

Posted on 2014-12-31
1
683 Views
Last Modified: 2015-02-18
I'm searching for answer to the following topic:

We need to deploy S/MIME to our mobile users to allow them to send and receive S/MIME signed/encrypted mails inside our organisation.

Problem: Microsoft shows the S/MIME solution for Outlook on Windows, OWA (implemented not so long ago) and Windows Phone, but situation for devices/mail clients on Apple and Android devices regarding using S/MIME certificates is unclear.

In our scenario we must decide to purchase Office 365 (at least Exchange Online Plan1 and Azure Rights Management) for every user to accomplish basic requirements for such setup (now we using third party hosted mail) so this rather expensive decision.

We know that we need to setup:
- AD Certificate Services in our on-premise system
- Dirsync AD Certs with Azure Active Directory (then with Exchange Online tenant)
- rules for mail encryption on Office 365
so that is clear.

What is unclear - are the Office 365 via EAS distribute:
1. all internal users public certificates to Apple/Android devices Address Books to use when device user try to send S/MIME encrypted message inside organistation ?

2. private certificate of device user to use when user receiving S/MIME encrypted mail (this is less problematic as we can distribute this via other methods)?

thx in advance for any help
0
Comment
Question by:RMPL
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40526381
indeed for Windows Mobile, it is as per shared and detailed setup  found in MS blog.
(detailed steps)
http://blogs.technet.com/b/exchange/archive/2014/12/15/how-to-configure-s-mime-in-office-365.aspx
(summary)
http://blogs.office.com/2014/02/26/smime-encryption-now-in-office-365/

Also some key pt from blog are some basis for any S/MIME client to work with Exchange online and Azure AD are
- Requires SST (Microsoft serialized certificate store) to be used for S/MIME certificate validation for Exchange online
- Requires to publish user’s certificate to the Exchange GAL to exchange S/MIME encrypted messages. The user must first have the certificate installed on their local machine before publish. Note certificate in Exchange online GAL (Contact) currently not supported.
- Requires two key attributes in a user object where certificate information stored to have are UserCertificate (default for on premise exchanges) and UserSMimeCertificate (available for GAL lookup). Of course include the trusted CA and its  intermediate CA cert in the store
- Requires the certificate usage specified for signing and/or encryption (enterprise should go for smartcard user to use different user cert in each usage case)

Hence for other mobile OS such as
a) iOS
- Native Email client does support S/MIME. It search the GAL for the recipient whom is Exchange user and for non Exchange users, we need their public cert in the iOS device. As per http://support.apple.com/en-sg/HT202345
- No OWA support for S/MIME in its current Apps for O365. E.g. User can read digitally signed mail but cannot verify signatures, cannot read encrypted mail and cannot create/send digitally signed or encrypted mail. As per http://community.office365.com/en-us/w/mobile/owa-for-iphone-and-owa-for-ipad.aspx

Note also from the blog, it stated the app uses Exchange Web Services (EWS) protocol, not Exchange ActiveSync (EAS) protocol. The EAS policy on S/MIME related only support iOS 7 and 8 above.

b) Android - No S/MIME support as far as I know.

May want to see this link on the comparison btw Mobile OS and it include S/MIME and EAS policy
(free registration) http://www.infoworld.com/article/2604692/mobile-device-management/mobile-security-ios-vs-android-vs-blackberry-vs-windows-phone.html
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
Adoption of Microsoft’s Enterprise Mobility and Security solution and Office 365 will re-order the File Sync and Share market Microsoft has stated that its Enterprise Mobility + Security (EMS) is the fastest growing product in the history of the …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question