Important: S/MIME in Outlook for iOS is now available. The below article has been replaced by product content found at http://aka.ms/omsmime
Secure/Multipurpose Internet Mail Extension (S/MIME) functionality in Outlook for iOS and Android has been a top request for several of our enterprise customers. As some of you may have heard, late last week we released support for S/MIME in Outlook for iOS in Office Insiders via TestFlight (v3.30.0 and later). For those not familiar with TestFlight, it is Apple’s platform for distributing pre-release builds. This allows us to get features in the hands of early adopters to gather feedback before releasing to all customers.
S/MIME provides encryption, which protects the content of e-mail messages, and digital signatures, which verify the identity of the sender of an e-mail message. In order to use S/MIME with Outlook for iOS, the user’s mailbox must be in Exchange Online.
Deploying S/MIME certificates
Outlook for iOS supports manual certificate delivery. Manual certificate delivery is when the certificate is emailed to the user and the user taps on the certificate attachment within Outlook for iOS to initiate the certificate’s installation.
Note: Outlook for iOS and Android will support automated certificate delivery in future releases.
Figure 1: Outlook for iOS manual certificate delivery installation
Users can export their own certificate and mail it to themselves using Outlook desktop:
1. Open Outlook 2013, 2016 or 2019 that has already been configured for S/MIME.
2. Click File -> Options -> Trust Center -> Trust Center Settings.
3. Click Email Security.
4. Under Digital IDs, click Import/Export.
5. Click Export Your Digital ID to a file.
6. Click Select and select the correct certificate.
7. Click Browse and select a location to save the file.
8. Complete your password and then click OK.
9. Create a new e-mail and attach the exported PFX file. Send the e-mail to yourself.
Important: When exporting the certificate, ensure the exported certificate is password protected with a strong password.
Enabling S/MIME in the app
S/MIME must be enabled for Outlook for iOS and Android to view or create S/MIME-related content.
End users will need to enable S/MIME functionality manually by accessing their account settings, tapping Security, and tapping the S/MIME control, which is off by default.
Figure 2: Outlook for iOS S/MIME security setting
When the S/MIME setting is enabled, Outlook for iOS and Android will automatically disable the Organize By Thread setting. This is because S/MIME encryption becomes more complex as a conversation thread grows. By removing the threaded conversation view, Outlook for iOS and Android reduces the opportunity for issues with certificates across recipients during signing and encryption. As this is an app-level setting, this change affects all accounts added to the app.
Note: Outlook for iOS and Android will support the ability for IT administrators to manage the S/MIME setting via general app configuration for enrolled devices in future releases.
Consuming and Creating S/MIME messages
After the certificates have been installed and S/MIME has been enabled in the app, users can read S/MIME-related content and compose messages using S/MIME certificates.
In the message view, users can view messages that are S/MIME signed or encrypted. In addition, users can tap the S/MIME status bar to view more information about the message’s S/MIME status.
Figure 3: Consuming S/MIME messages in Outlook for iOS
Users can install a sender’s public certificate key by tapping the S/MIME status bar. The certificate will be installed on the user’s device, specifically in the Microsoft publisher keychain in iOS.
Figure 4: Outlook for iOS sender public certificate key installation
When composing an email in Outlook for iOS and Android, the sender can choose to encrypt and/or sign the message (signed messages are sent clear-signed). Tapping the ellipsis and then tapping Sign and Encrypt presents the various S/MIME options. Selecting an S/MIME option enables the respective action on the email when it is sent (drafts are not signed or encrypted), assuming the sender has a valid certificate.
Important: In order to compose an encrypted message, the target recipient’s public certificate key must be available either in the Global Address List or stored on the local device. In order to compose a signed message, the sender’s private certificate key must be available on the device.
Figure 5: Outlook for iOS options for applying S/MIME to a message
Outlook for iOS will evaluate all recipients prior to sending an encrypted message and confirm that a valid public certificate key exists for each recipient. The Global Address List (GAL) is checked first; if a certificate for the recipient does not exist in the GAL, Outlook queries the Microsoft publisher keychain in iOS to locate the recipient’s public certificate key. For recipients without a public certificate key (or with an invalid key), Outlook will prompt for their removal. The message will not be sent unencrypted to any recipient unless the encryption option is disabled by the sender during composition.
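The recipient evaluation described above can be modelled in a few lines. This is an added illustration, not Outlook's own code: the function names, addresses and dates are hypothetical, and certificate validity is reduced to a date-window check as a simplifying assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class PublicCert:
    not_before: datetime
    not_after: datetime

    def is_valid(self, now):
        # Simplification: real validation also covers chain trust and revocation.
        return self.not_before <= now <= self.not_after

def find_cert(recipient, gal, keychain):
    """GAL is checked first; the keychain only when the GAL has no entry."""
    key = recipient.lower()
    if key in gal:
        return gal[key], "GAL"
    if key in keychain:
        return keychain[key], "keychain"
    return None, None

def evaluate_recipients(recipients, gal, keychain, now):
    """Split recipients into those ready for encryption and those to remove."""
    ready, to_remove = {}, {}
    for rcpt in recipients:
        cert, source = find_cert(rcpt, gal, keychain)
        if cert is None:
            to_remove[rcpt] = "no public certificate"
        elif not cert.is_valid(now):
            to_remove[rcpt] = f"invalid certificate from {source}"
        else:
            ready[rcpt] = source
    return ready, to_remove

def can_send(recipients, gal, keychain, now, encrypt=True):
    """Fail closed: an encrypted send needs a valid certificate for everyone."""
    if not encrypt:  # sender turned encryption off during composition
        return True
    return not evaluate_recipients(recipients, gal, keychain, now)[1]

# Constructed sample data (hypothetical addresses and dates).
UTC = timezone.utc
NOW = datetime(2019, 6, 1, tzinfo=UTC)
GOOD = PublicCert(datetime(2019, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC))
EXPIRED = PublicCert(datetime(2017, 1, 1, tzinfo=UTC), datetime(2018, 1, 1, tzinfo=UTC))
GAL = {"alice@contoso.example": GOOD}
KEYCHAIN = {"bob@fabrikam.example": GOOD, "carol@fabrikam.example": EXPIRED}
TO = ["alice@contoso.example", "bob@fabrikam.example",
      "carol@fabrikam.example", "dave@fabrikam.example"]
```

With the sample data, evaluate_recipients(TO, GAL, KEYCHAIN, NOW) flags carol (expired certificate) and dave (no certificate) for removal, and can_send stays False until both are removed or encryption is turned off.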
If you are interested in testing S/MIME in Outlook for iOS, sign up for TestFlight access at http://aka.ms/outlookinsiders. Apple imposes a limit on the number of available testers per app. If the TestFlight link indicates the program is full, check back in a few weeks, as we routinely scrub inactive accounts.
We hope access to S/MIME in TestFlight will enable you to validate S/MIME functionality in your environments. For any issues, please file an in-app support ticket with clear instructions/details on the issue. S/MIME support in Outlook for iOS and Android will begin rolling out for general availability later this summer.
We recognize that not all customers need S/MIME functionality; in fact, many of our customers are adopting Microsoft Information Protection to classify and protect content. We’re busy putting the final touches on sensitive labeling support in Outlook for iOS and Android. Stay tuned!
If you have any questions, please let us know.
Ross Smith IV
Principal Program Manager
Customer Experience Engineering