
🚀 Overview
Secure/Multipurpose Internet Mail Extensions (S/MIME) serves as the industry-standard protocol for enhancing email security through digital signatures and encryption. For IT Administrators managing Exchange Online environments, implementing S/MIME for Outlook on iOS and Android ensures that mobile communication maintains the same level of integrity and confidentiality as desktop clients. This guide outlines the technical framework required to support S/MIME, focusing on the infrastructure prerequisites in Exchange Online and the two primary delivery models for digital certificates: manual end-user installation and automated deployment via Microsoft Endpoint Manager (Intune).
🛡️ Key Technical Details
Infrastructure Prerequisites
- Exchange Online Configuration: Before mobile deployment, S/MIME must be fully operational within the tenant. This involves establishing a virtual certificate collection and ensuring the Certificate Revocation List (CRL) is published and accessible via the public internet.
- Trust Verification: Exchange Online performs a rigorous validation of the certificate chain. It traverses the path from the user’s certificate through intermediate authorities until it reaches a trusted root. This process relies on the Authority Information Access (AIA) attribute and successful CRL queries. If the root is undiscoverable or the CRL is unreachable, the certificate is flagged as untrusted.
- Identity Matching: Outlook for iOS and Android strictly validates the user’s primary SMTP address against the certificate’s Subject or Subject Alternative Name (SAN). A mismatch here will prevent the application from utilizing the certificate for signing or encryption.
⚙️ Certificate Delivery Methods
1. Manual Delivery
In this scenario, users export their digital certificates (typically as a .pfx file) and send them to their own mobile devices via email. Upon opening the attachment in Outlook, the app initiates the installation.
⚠️ Important: Administrators must enforce the use of complex passwords during the export process to protect the private key during transit.
2. Automated Delivery (Microsoft Endpoint Manager)
This is the recommended enterprise approach; it requires that Microsoft Endpoint Manager (Intune) act as the enrollment provider.
- iOS Architecture: Due to Apple’s security model, third-party apps cannot access the system keychain. Certificates must be placed in the Microsoft publisher keychain. Only Microsoft-signed apps, such as the Company Portal, have the permissions to inject certificates into this specific vault for Outlook to consume.
- Android Architecture: Outlook for Android utilizes Endpoint Manager for certificate delivery and approval across various enrollment types, including Device Administrator, Android Enterprise Work Profile, and Fully Managed modes.
📋 Configuration Steps for Intune Policies
Admins must create App Configuration Policies for “Managed devices” targeting Microsoft Outlook. Key settings include:
- Enable S/MIME: Activates the feature within the app. Admins can lock this setting or allow users to toggle it.
- Certificate Profile Types:
  - SCEP: Generates unique keys directly on the device, ideal for non-repudiation.
  - PKCS Imported Certificates: Useful for users with existing certificates that need to be synchronized across multiple devices.
  - Derived Credentials: Supports NIST 800-157 standards for high-security environments.
- Automation Requirements: Requires the deployment of Trusted Root profiles, the installation of the PFX Certificate Connector for Microsoft Intune, and device enrollment.
🌐 LDAP Support for Recipient Lookup
Outlook for mobile can query secure LDAP endpoints to retrieve public keys for recipients not found in the local cache or Microsoft Entra ID.
Requirements: The LDAP endpoint must be unauthenticated. The configuration is pushed via Intune using formats such as:
ldaps://contoso.com
ldap://contoso.com:389
contoso.com:636
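One way to normalise and sanity-check those endpoint strings before pushing them through Intune, as an added example in Python (not code from the original page or from Microsoft): it accepts the three spellings above, fills in the default port for each scheme, and rejects values that would violate the unauthenticated-endpoint requirement (credentials embedded in the URL) or that are not plain LDAP/LDAPS host references. Treating a bare host:636 as LDAPS and a bare host with no port as plain LDAP on 389 is an assumption of this example, not something the source states.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Standard default ports for the two supported schemes.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapEndpoint:
    scheme: str
    host: str
    port: int

    @property
    def uri(self) -> str:
        """Canonical form with the port always spelled out."""
        return f"{self.scheme}://{self.host}:{self.port}"


def parse_ldap_endpoint(value: str) -> LdapEndpoint:
    """Normalise 'ldaps://host', 'ldap://host:389' or 'host:636' into scheme/host/port.

    Raises ValueError for an unknown scheme, a missing host, an out-of-range
    port, a path/query component, or embedded credentials (the endpoint must
    be unauthenticated, so user:pass@host is a misconfiguration, not a feature).
    """
    text = value.strip()
    if "://" not in text:
        # Bare "host" or "host:port". Assumption: port 636 means LDAPS,
        # anything else means plain LDAP (the source does not spell this out).
        port_part = text.rpartition(":")[2] if ":" in text else ""
        text = f"{'ldaps' if port_part == '636' else 'ldap'}://{text}"
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; expected ldap or ldaps")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not allowed; endpoint must be unauthenticated")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("only a host and optional port are supported")
    host = parts.hostname  # lower-cased by urlsplit
    if not host:
        raise ValueError("missing host name")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]  # .port raises on bad values
    return LdapEndpoint(scheme, host, port)


def is_valid_endpoint(value: str) -> bool:
    """Convenience wrapper for policy validation: True if the value normalises cleanly."""
    try:
        parse_ldap_endpoint(value)
        return True
    except ValueError:
        return False
```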
⚠️ Impact
On Administrators
Admins gain centralized control over security posture. By leveraging App Configuration Policies, they can enforce “Sign All” or “Encrypt All” mandates. However, they must also manage the lifecycle of the PFX Connector and ensure that Certificate Revocation Lists remain reachable to avoid service interruptions.
On End Users
Manual Setup: Users must manually toggle S/MIME in the Settings > Account > Security menu.
Notification Flow: In automated scenarios, users receive push notifications or emails directing them to the Company Portal to “collect” their certificates.
Operational Experience:
- Users see a visual status bar indicating the S/MIME health of an email.
- Recipients’ public keys can be installed directly from the status bar into the publisher keychain (iOS) or System KeyStore (Android).
- Outlook provides a 30-day proactive warning before a certificate expires to prevent loss of encrypted communication capabilities.
Official Source: Read the full article on Microsoft.com
