S/MIME with Office 365 and AD CS on Apple iOS (iPhone/iPad) and Android

I'm searching for an answer to the following topic:

We need to deploy S/MIME to our mobile users to allow them to send and receive S/MIME signed/encrypted mails inside our organisation.

Problem: Microsoft shows the S/MIME solution for Outlook on Windows, OWA (implemented not so long ago) and Windows Phone, but the situation for devices/mail clients on Apple and Android devices regarding the use of S/MIME certificates is unclear.

In our scenario we must decide to purchase Office 365 (at least Exchange Online Plan 1 and Azure Rights Management) for every user to accomplish the basic requirements for such a setup (now we are using third-party hosted mail), so this is a rather expensive decision.

We know that we need to set up:
- AD Certificate Services in our on-premise system
- DirSync of AD certs with Azure Active Directory (then with the Exchange Online tenant)
- rules for mail encryption on Office 365
so that is clear.

What is unclear is whether Office 365 via EAS distributes:
1. all internal users' public certificates to Apple/Android devices' address books, to be used when the device user tries to send an S/MIME encrypted message inside the organisation?

2. the private certificate of the device user, to be used when the user receives S/MIME encrypted mail (this is less problematic as we can distribute this via other methods)?

Thanks in advance for any help.
btan (Exec Consultant) commented:
Indeed, for Windows Mobile it is as per the shared and detailed setup found in the MS blog.
(detailed steps)

Also, some key points from the blog that are the basis for any S/MIME client to work with Exchange Online and Azure AD:
- Requires an SST (Microsoft serialized certificate store) to be used for S/MIME certificate validation in Exchange Online
- Requires publishing the user's certificate to the Exchange GAL to exchange S/MIME encrypted messages. The user must first have the certificate installed on their local machine before publishing. Note that a certificate in an Exchange Online GAL contact is currently not supported.
- Requires two key attributes in the user object where the certificate information is stored: UserCertificate (default for on-premise Exchange) and UserSMimeCertificate (available for GAL lookup). Of course, include the trusted CA and its intermediate CA cert in the store.
- Requires the certificate usage to be specified for signing and/or encryption (an enterprise should go for the smartcard user template to use a different user cert for each usage case)

Hence, for other mobile OSes:
a) iOS
- The native email client does support S/MIME. It searches the GAL for the recipient who is an Exchange user; for non-Exchange users we need their public cert on the iOS device. As per http://support.apple.com/en-sg/HT202345
- No OWA support for S/MIME in its current apps for O365. E.g. the user can read digitally signed mail but cannot verify signatures, cannot read encrypted mail and cannot create/send digitally signed or encrypted mail. As per http://community.office365.com/en-us/w/mobile/owa-for-iphone-and-owa-for-ipad.aspx

Note also that the blog states the app uses the Exchange Web Services (EWS) protocol, not the Exchange ActiveSync (EAS) protocol. The S/MIME-related EAS policy is only supported on iOS 7 and 8 and above.

b) Android - No S/MIME support as far as I know.

You may want to see this link on the comparison between mobile OSes, which includes S/MIME and EAS policy
(free registration) http://www.infoworld.com/article/2604692/mobile-device-management/mobile-security-ios-vs-android-vs-blackberry-vs-windows-phone.html
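The answer above lists the server-side prerequisites (certificate usage set for signing/encryption, the UserCertificate and UserSMimeCertificate attributes populated, and an SST of the issuing CAs uploaded to Exchange Online). The following PowerShell is an added example, not code from the question, from btan's answer or from Microsoft: it validates a user's public certificate before anything is published, then writes the two AD attributes and builds the SST. The user name, mail address, file paths and the CA subject filter are hypothetical; it assumes the RSAT ActiveDirectory module on an on-premise host, an already-open Exchange Online PowerShell session for Set-SmimeConfig, and Windows PowerShell 5.1 (for `-Encoding Byte`). Writing the raw DER certificate into userSMIMECertificate is an assumption of this example; Outlook's "Publish to GAL" remains the reference way to populate that attribute.

```powershell
# Added example (not from the page): pre-publish checks for a user's S/MIME
# certificate, then populating the AD attributes named in the answer and building
# the SST that Exchange Online uses for S/MIME certificate validation.
# Hypothetical names/paths throughout; RSAT AD module and an EXO session assumed.
using namespace System.Security.Cryptography.X509Certificates

$SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection

function Test-SmimeCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,         # .cer with the user's PUBLIC certificate
        [Parameter(Mandatory)][string]$ExpectedMail  # the user's primary SMTP address
    )
    $cert = [X509Certificate2]::new($Path)
    $problems = @()

    # 1. Must be issued for secure e-mail, or clients will not treat it as S/MIME.
    $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $SecureEmailEku) {
        $problems += "EKU lacks Secure Email ($SecureEmailEku)"
    }

    # 2. Key usage must allow signing and/or encryption (the answer's usage point).
    $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if (-not $ku) {
        $problems += 'no KeyUsage extension'
    } elseif (-not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature) -and
              -not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment)) {
        $problems += 'KeyUsage allows neither signing nor encryption'
    }

    # 3. The address bound in the cert (SAN rfc822Name or subject E=) must match the
    #    mailbox, otherwise recipients see a signature for a different identity.
    $certMail = $cert.GetNameInfo([X509NameType]::EmailName, $false)
    if ($certMail -ne $ExpectedMail) {
        $problems += "certificate address '$certMail' does not match '$ExpectedMail'"
    }

    # 4. Chain must build to a CA trusted on this host (the same CAs go into the SST).
    if (-not $cert.Verify()) { $problems += 'chain does not build to a trusted CA' }

    # 5. Never publish an expired certificate to the GAL.
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }

    [pscustomobject]@{ Certificate = $cert; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# --- Publish one (hypothetical) user ------------------------------------------------
$result = Test-SmimeCertificate -Path 'C:\smime\alice.cer' -ExpectedMail 'alice@example.com'
if (-not $result.Ok) { throw "refusing to publish: $($result.Problems -join '; ')" }

# userCertificate (default for on-premise Exchange) via the typed -Certificates parameter;
# userSMIMECertificate (GAL lookup) written as raw DER bytes (assumption, see lead-in).
# DirSync / AAD Connect then carries both attributes to Azure AD and Exchange Online.
Set-ADUser -Identity 'alice' -Certificates @{ Add = $result.Certificate }
Set-ADUser -Identity 'alice' -Replace @{ userSMIMECertificate = $result.Certificate.RawData }

# --- One-off: SST of the issuing and intermediate CAs for Exchange Online -------------
# Only the organisation's own S/MIME CAs belong in the store; the filter is hypothetical.
$cas = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
       Where-Object { $_.Subject -like '*Contoso S/MIME*' }
$cas | Export-Certificate -FilePath 'C:\smime\smime-ca.sst' -Type SST | Out-Null

# Upload the SST in the open Exchange Online session (Windows PowerShell 5.1 syntax).
Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content 'C:\smime\smime-ca.sst' -Encoding Byte)
```

The check runs before any attribute is written so that a certificate with the wrong address, a missing Secure Email EKU or a broken chain never reaches the GAL, where it would fail silently on every recipient's device; the SST step corresponds to the answer's first bullet and only needs to be repeated when the CA hierarchy changes.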