S/MIME functionality available in Outlook for iOS TestFlight
Published Jul 02 2019 10:23 AM 53.9K Views
Microsoft

Important: S/MIME in Outlook for iOS is now available. The below article has been replaced by product content found at http://aka.ms/omsmime

 

Secure/Multipurpose Internet Mail Extension (S/MIME) functionality in Outlook for iOS and Android has been a top request for several of our enterprise customers. As some of you may have heard, late last week we released support for S/MIME in Outlook for iOS in Office Insiders via TestFlight (v3.30.0 and later). For those not familiar with TestFlight, it is Apple’s platform for distributing pre-release builds. This allows us to get features in the hands of early adopters to gather feedback before releasing to all customers.

 

S/MIME provides encryption, which protects the content of e-mail messages, and digital signatures, which verify the identity of the sender of an e-mail message. In order to use S/MIME with Outlook for iOS, the user’s mailbox must be in Exchange Online.

 

Deploying S/MIME certificates

Outlook for iOS supports manual certificate delivery. Manual certificate delivery is when the certificate is emailed to the user and the user taps on the certificate attachment within Outlook for iOS to initiate the certificate’s installation.

 

Note: Outlook for iOS and Android will support automated certificate delivery in future releases.

Figure 1: Outlook for iOS manual certificate delivery installation

 

Users can export their own certificate and mail it to themselves using Outlook desktop:

  1. Open Outlook 2013, 2016 or 2019 that has already been configured for S/MIME
  2. Click File -> Options -> Trust Center -> Trust Center Settings
  3. Click Email Security
  4. Under Digital IDs, click Import/Export
  5. Click Export Your Digital ID to a file
  6. Click Select and select the correct certificate
  7. Click Browse and select a location to save the file
  8. Complete your password and then click OK
  9. Create a new E-mail and attach the exported PFX file. Send the E-mail to yourself.

Important: When exporting the certificate, ensure the exported certificate is password protected with a strong password.

Enabling S/MIME in the app

S/MIME must be enabled for Outlook for iOS and Android to view or create S/MIME-related content.

 

End users will need to enable S/MIME functionality manually by accessing their account settings, tapping Security, and tapping the S/MIME control, which is off by default.

Figure 2: Outlook for iOS S/MIME security setting

 

When the S/MIME setting is enabled, Outlook for iOS and Android will automatically disable the Organize By Thread setting. This is because S/MIME encryption becomes more complex as a conversation thread grows. By removing the threaded conversation view, Outlook for iOS and Android reduces the opportunity for issues with certificates across recipients during signing and encryption. As this is an app-level setting, this change affects all accounts added to the app.

 

Note: Outlook for iOS and Android will support the ability for IT administrators to manage the S/MIME setting via general app configuration for enrolled devices in future releases.

Consuming and Creating S/MIME messages

After the certificates have been installed and S/MIME has been enabled in the app, users can read S/MIME related content and compose using S/MIME certificates.

 

In the message view, users can view messages that are S/MIME signed or encrypted. In addition, users can tap the S/MIME status bar to view more information about the message’s S/MIME status.

Figure 3: Consuming S/MIME messages in Outlook for iOS

 

Users can install a sender’s public certificate key by tapping the S/MIME status bar. The certificate will be installed on the user’s device, specifically in the Microsoft publisher keychain in iOS.

Figure 4: Outlook for iOS sender public certificate key installation

 

When composing an email in Outlook for iOS and Android, the sender can choose to encrypt and/or sign the message (signed messages are sent clear-signed). By tapping on the ellipse and tapping Sign and Encrypt, the various S/MIME options are presented. Selecting an S/MIME option enables the respective action on the email when it is sent (drafts are not signed or encrypted), assuming the sender has a valid certificate.
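As an added example (not Outlook's own code), here is the check a client makes to label a message in its S/MIME status bar, using only Python's standard library: a clear-signed message is multipart/signed with a detached signature part, whereas opaque-signed and encrypted messages arrive as a single application/pkcs7-mime object (the smime.p7m attachment). The sample messages are constructed, and `QUJD` stands in for the CMS blob.

```python
"""S/MIME status of an incoming message, as a client's status bar would show it.
Added example (not Outlook code); the sample messages below are constructed."""
from email import message_from_bytes
from email.message import Message

PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def smime_status(raw: bytes) -> str:
    """Return 'clear-signed', 'opaque-signed', 'encrypted' or 'none'."""
    msg: Message = message_from_bytes(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Clear-signed: a readable body part plus a detached smime.p7s signature.
        if msg.get_param("protocol") == "application/pkcs7-signature":
            return "clear-signed"
        return "none"
    if ctype in PKCS7_MIME:
        # Opaque CMS object, normally delivered as an smime.p7m attachment.
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return "encrypted"
        if smime_type == "signed-data":
            return "opaque-signed"
    return "none"


def readable_body(raw: bytes):
    """Text a client can render before any S/MIME processing: the first part of
    a clear-signed message, the body of a plain one, None for opaque forms."""
    msg = message_from_bytes(raw)
    status = smime_status(raw)
    if status == "clear-signed":
        return msg.get_payload(0).get_payload(decode=True).decode()
    if status == "none" and not msg.is_multipart():
        return msg.get_payload(decode=True).decode()
    return None


def _sample(type_headers: str, body: str) -> bytes:
    """Constructed test message; addresses are placeholders, not real traffic."""
    return ("From: alice@example.com\nTo: bob@example.com\nSubject: test\n"
            f"MIME-Version: 1.0\nContent-Type: {type_headers}\n\n{body}").encode()


# "QUJD" stands in for the base64 CMS blob; it is not a real signature or ciphertext.
CLEAR_SIGNED = _sample(
    'multipart/signed; protocol="application/pkcs7-signature"; '
    'micalg=sha-256; boundary="b1"',
    "--b1\nContent-Type: text/plain\n\nHello Bob\n"
    '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n\nQUJD\n--b1--\n",
)
OPAQUE_SIGNED = _sample(
    'application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="smime.p7m"',
    "QUJD\n",
)
ENCRYPTED = _sample(
    'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64",
    "QUJD\n",
)
PLAIN = _sample("text/plain", "Hello Bob\n")
```

The clear-signed case is why a signed body still renders when S/MIME is switched off in the app: the text part is ordinary MIME and only the signature needs CMS processing.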

 

Important: In order to compose an encrypted message, the target recipient’s public certificate key must be available either in the Global Address List or stored on the local device. In order to compose a signed message, the sender’s private certificate key must be available on the device.

Figure 5: Outlook for iOS options for applying S/MIME to a message

 

Outlook for iOS will evaluate all recipients prior to sending an encrypted message and confirm that a valid public certificate key exists for each recipient. The Global Address List (GAL) is checked first; if a certificate for the recipient does not exist in the GAL, Outlook queries the Microsoft publisher keychain in iOS to locate the recipient’s public certificate key. For recipients without a public certificate key (or with an invalid key), Outlook will prompt for their removal. The message will not be sent unencrypted to any recipient unless the encryption option is disabled by the sender during composition.
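The recipient evaluation described above, as an added Python example that is not Outlook's code: the GAL is consulted first, the local keychain only when the GAL has no entry, recipients lacking a usable key are collected for the removal prompt, and there is no cleartext fallback. The validity criteria (S/MIME EKU, key encipherment, time window) and the directory contents are assumptions.

```python
"""Pre-send recipient check for an encrypted message, following the lookup
order described above: GAL first, then the local keychain. Added example,
not Outlook code; the validity criteria and all records are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection EKU OID


@dataclass
class PublicCert:
    """Minimal view of a recipient's public certificate (constructed)."""
    email: str
    not_before: datetime
    not_after: datetime
    eku: set = field(default_factory=set)
    key_usage: set = field(default_factory=set)


def usable_for_encryption(cert: PublicCert, address: str, now: datetime) -> bool:
    """Assumed criteria: address matches, inside the validity window, S/MIME EKU
    present and key encipherment allowed (needed to wrap the content key)."""
    return (cert.email.lower() == address.lower()
            and cert.not_before <= now <= cert.not_after
            and EMAIL_PROTECTION in cert.eku
            and "keyEncipherment" in cert.key_usage)


def find_cert(address: str, gal: dict, keychain: dict):
    """The GAL is consulted first; the keychain only when the GAL has no entry."""
    key = address.lower()
    if key in gal:
        return gal[key], "gal"
    if key in keychain:
        return keychain[key], "keychain"
    return None, None


def evaluate_recipients(recipients, gal, keychain, now):
    """Return (encrypt_to, prompt_removal): recipients with a usable cert, and
    those the sender must remove unless encryption is switched off."""
    encrypt_to, prompt_removal = {}, []
    for addr in recipients:
        cert, source = find_cert(addr, gal, keychain)
        if cert is not None and usable_for_encryption(cert, addr, now):
            encrypt_to[addr] = source
        else:
            prompt_removal.append(addr)  # missing or invalid key
    return encrypt_to, prompt_removal


def can_send_encrypted(recipients, gal, keychain, now) -> bool:
    """Never downgrade to cleartext: send only if every recipient resolved."""
    return not evaluate_recipients(recipients, gal, keychain, now)[1]


# Constructed directory and keychain contents for a demonstration run.
NOW = datetime(2019, 7, 2, tzinfo=timezone.utc)


def _cert(email: str, not_after_year: int) -> PublicCert:
    return PublicCert(email, datetime(2018, 7, 2, tzinfo=timezone.utc),
                      datetime(not_after_year, 7, 2, tzinfo=timezone.utc),
                      {EMAIL_PROTECTION}, {"digitalSignature", "keyEncipherment"})


GAL = {"bob@example.com": _cert("bob@example.com", 2021),
       "erin@example.com": _cert("erin@example.com", 2018)}  # expired entry
KEYCHAIN = {"carol@example.com": _cert("carol@example.com", 2021)}
RECIPIENTS = ["bob@example.com", "carol@example.com",
              "dave@example.com", "erin@example.com"]


def demo():
    """bob resolves via the GAL, carol via the keychain; dave (no key) and
    erin (expired key) end up in the removal prompt."""
    return evaluate_recipients(RECIPIENTS, GAL, KEYCHAIN, NOW)
```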

 

Summary

If you are interested in testing S/MIME in Outlook for iOS, sign up for TestFlight access at http://aka.ms/outlookinsiders. Apple imposes a limit on the number of testers per app. If the TestFlight link indicates the program is full, check back in a few weeks, as we routinely scrub inactive accounts.

 

We hope access to S/MIME in TestFlight will enable you to validate S/MIME functionality in your environments. For any issues, please file an in-app support ticket with clear instructions/details on the issue. S/MIME support in Outlook for iOS and Android will begin rolling out for general availability later this summer.

 

We recognize that not all customers need S/MIME functionality; in fact, many of our customers are adopting Microsoft Information Protection to classify and protect content. We’re busy putting the final touches on sensitive labeling support in Outlook for iOS and Android. Stay tuned!

 

If you have any questions, please let us know.

 

Ross Smith IV
Principal Program Manager
Customer Experience Engineering

90 Comments
Copper Contributor

Great progress! However, not everyone has the knowledge to use S/MIME or PGP, and also both standards are not compatible with each other. We build a product (based on Microsoft Azure) which works for everyone and is simple, even if it cannot be compared 1:1. Check out MAILINJA - Encrypt & Legitimate E-Mails. But Simple. (https://mailinja.com). Greetings from Germany, Volkan

Brass Contributor

@Ross Smith IV 

I'm eagerly awaiting the S/MIME functionality in iOS, thanks for your very informative post.

 

Three questions I really hope you can answer:

1) Will Outlook for iOS support fetching public S/MIME details from AD/AAD from the UserCertificate and/or UserSmimeCertificate attribute?

 

2) Will Outlook for iOS support fetching public S/MIME details from a connected LDAP Address book, just like Outlook for Windows?

 

3) Will Outlook for iOS support a way for third party solutions such as MDM or other Certificate Life Cycle Management solutions, to configure a present Outlook for iOS with relevant S/MIME and address book settings?

 

The reasons why I'm asking are all related to end-user experience.

A techie person will understand how to manually configure an S/MIME and manually configure an address book, and will likely be annoyed but understand why a recipient's certificate will first need to be saved and installed onto iOS before being able to send a message.

But most users have no clue and need to be able to simply use the Outlook for iOS app with S/MIME support for encryption and/or signing.

 

 

Also, you state that not everybody needs S/MIME and likely will have sufficient use with Microsoft's proprietary encryption solution. However, many countries are adopting a requirement, for example, for S/MIME based email signing when privacy sensitive information is shared such as medical data. So expect hundreds of thousands if not millions worldwide of non-techie people who professionally are being forced into S/MIME simply due to (GDPR) regulations.

Microsoft

@Mike22April thanks for the questions.

 

In order to compose an encrypted message, the target recipient’s public certificate key must be available either in the Global Address List or stored on the local device (in the Microsoft publisher keychain). The cert gets populated in the GAL using the UserCertificate / UserSmimeCertificate attributes.

 

Outlook for iOS and Android does not support use of an LDAP directory for obtaining certificates (or connecting to an LDAP directory for address book functionality).

 

For automated certificate delivery, Outlook for iOS will only support Intune for enrollment. iOS has two keychains – system and publisher.  Any MDM can push certs to the system keychain.  However, only first party Apple apps can use that keychain. Outlook only has access to Microsoft publisher keychain. Intune is building a cert delivery channel (outside of the MDM channel), to securely deliver certs into the Microsoft publisher keychain. Third-party MDMs won’t have access to the Microsoft publisher keychain because they are not a Microsoft signed application and thus, can’t deliver certs there for Outlook to use.

Brass Contributor

@Ross Smith IV 

Again thanks for your time answering my questions, really helpful.

 

I'm looking forward to seeing / reading more information once available on the separate channel via Intune to deliver certificates into the Microsoft publisher keychain, especially those that normally would reside in an LDAP key server related to email addresses outside the corporate domain.

 

 

Copper Contributor

This is really an enterprise grade feature we are long waiting for and already opened dozens of tickets for it. :smile: 

 

Questions:

- Are S/MIME signed mails always verified - even when there is no local S/MIME certificate installed on the device? I'm asking that because a lot of companies use central S/MIME gateways for e-mail signing and do not deploy the S/MIME certs directly on the device.

- When is the Global Go Live expected?

 

 

 

Microsoft

@M_LE_ - In order to validate that the signature is valid, S/MIME must be enabled in the app and the user's certificate must be installed. Clear-signed messages will always have their message bodies rendered, even if the S/MIME functionality is disabled in the app. Regarding when this functionality will ship, please follow http://aka.ms/m365roadmap to keep up to date.

Copper Contributor

Hi Ross - thanks for quick answer.

Does that mean if S/MIME is enabled and no local S/MIME certificate is installed, then an S/MIME signed mail still does not show up as signed with a seal/mark/banner and just the attachment smime.p7m is added, as in current iOS Outlook mobile versions?

Native iOS mail validates every signature even when no local S/MIME cert is installed - it would be great if outlook also offers that functionality. Verifying identities is crucial sometimes...

 

Copper Contributor
When testing this functionality my SMIME certificate installed fine, however when I go to compose a message it says "We couldn't find your S/MIME certificate. Install a certificate or contact your IT help desk." Any idea why it's not picking up my certificate? If I try to install it again it states that it is already installed.
Microsoft

@Michael Nickels - it's possible that Exchange Online isn't properly configured. Ensure S/MIME has been properly configured in Exchange Online by following the steps outlined in S/MIME for message signing and encryption in Exchange Online. This includes setting up the virtual certificate collection and publishing the certificate revocation list to the Internet.

 

If those items have been configured, the best thing to do is open an in-app support ticket so we can analyze the issue.

Copper Contributor
Hello, is any ETA available for Outlook for Android S/MIME support, even beta testing?
Microsoft

@techcommunity965 - See http://aka.ms/m365roadmap for up to date information on release plans. We have nothing to announce at the moment regarding an early access program for Outlook for Android, but the feedback is noted.

Copper Contributor
Hi, I installed the Outlook from TestFlight, emailed a pfx (I tried p12 as well) with my cert to myself, and installed the cert, but I still can’t sign or encrypt messages as Outlook doesn’t see any cert. When I tried to install it again, I just got an error saying the cert’s already installed. Does anyone see this issue too? Also, I can activate S/MIME only for my O365 account, but not for my G-Suite account. Will there be support for non-365 accounts added in any future release?
Copper Contributor

@Ross Smith IV 

After RTW answering my own question above for outlook on iOS:

For S/MIME verification (certifying the sender identity) it is enough to just have the S/MIME setting activated. There is no need to install your own S/MIME certificate on the device. The certificate is just needed for E-Mail encryption.

 

@mgilan 

What I can also confirm after my tests is that S/MIME verification just works for O365 accounts in Outlook iOS mobile. Free hotmail/outlook or any other e-mail accounts don't do the S/MIME verification and just attach the digital signature as an smime.p7m attachment - which you cannot open.

 

I agree that at least S/MIME verification for all kind of e-mail accounts would be a great security boost for the fight against phishing and fraud mails...

Copper Contributor
@M_LE_ That’s odd. I still can’t sign or encrypt messages—the error is “We couldn’t find your S/MIME certificate. Install a certificate or contact your IT help desk.”. I’m just thinking if this could be because my certs are installed via an MDM profile.
Copper Contributor
You won't be able to deploy S/MIME certs through the MDM (at least on iOS). Those certs go to the system keychain which can only be accessed by Apple apps. iOS Outlook would not have any visibility into that keychain.
Microsoft

@Michael Nickels - Later this calendar year, we plan to support automatic certificate delivery on iOS devices when the MDM provider is Intune. This is because Intune can publish certificates into the publisher keychain, to which Outlook has access.

Copper Contributor

Hi,

 

I got this error: “We couldn’t find your S/MIME certificate. Install a certificate or contact your IT help desk.” I installed it without MDM!

 

Any ideas?

Brass Contributor

@xtoasty 

 

Quote:

"For automated certificate delivery, Outlook for iOS will only support Intune for enrollment. iOS has two keychains – system and publisher.  Any MDM can push certs to the system keychain.  However, only first party Apple apps can use that keychain. Outlook only has access to Microsoft publisher keychain. Intune is building a cert delivery channel (outside of the MDM channel), to securely deliver certs into the Microsoft publisher keychain. Third-party MDMs won’t have access to the Microsoft publisher keychain because they are not a Microsoft signed application and thus, can’t deliver certs there for Outlook to use."

 

 

Apparently you MUST use Intune, or it won't work for automated deployment.

 

 

You can still send the certificate and key as a PFX/P12 attachment by email, and have the user open it in Outlook to install it, after which it should work.

Copper Contributor

Has anyone experienced any issues after the PFX is installed on iOS? 

 

I have some users that are receiving the following error message when they attempt to reply/send a new signed or signed and encrypted email message on iOS 13.

 

"Can't Save Draft  Please copy and paste your draft content into a new message to continue"

 
Copper Contributor

I'm also receiving this error message after installing my S/MIME certs via email:

 

“We couldn’t find your S/MIME certificate. Install a certificate or contact your IT help desk.”

 

I opened a ticket with Microsoft, and so far they have been unable to determine the cause.

Copper Contributor
Referring to original exchange between Mike22April and Ross Smith IV re request for LDAP support in addition to GAL for "userCertificate:binary" LDAP type. First, wonderful to see a full fledged Outlook rolling out to mobile devices. Thank you. But too bad certificate lookup will still be limited to relatively static (GAL, cert/key stores, ..etc) databases given the movement toward ubiquitous end-2-end encryption. The LDAP servers we use (w/ Outlook desktop) are dynamic and pull s/mime certs on demand from global sources, across organizational, departmental, boundaries, i.e., from the 'Net. Still this is a great step in the right direction. Guess the beta is full but I will eagerly try again.
Microsoft

@Nate_2020 - This is a known issue that will be resolved in 4.11.0 in Outlook for iOS.

 

@schwantje1 - Make sure your IT admin has configured the Exchange Online virtual certificate collection and published the CRL to the Internet. For more information, see http://aka.ms/omsmime

 

@naticklamb - Thanks for the feedback regarding LDAP providers, but that isn't something we currently support. S/MIME is supported in both Outlook for iOS and Android production apps. 

Copper Contributor

Is there a way to automatically sign the emails on iOS, or are you required to tap on the ellipse and tap Sign every time?

Microsoft

@WhiteRabbit86 - not today - we only support manually signing/encrypting messages. We're working on bringing support for enabling auto-sign/encrypt.

Copper Contributor

@Ross Smith IV I'm still getting this error whenever I try to reply to or forward signed messages:

 

"Can't Save Draft  Please copy and paste your draft content into a new message to continue"

 

... and I'm on Outlook 4.11.0 on iOS.  S/MIME is turned off, but was previously enabled for testing.  This is in a GCC environment.  Resetting the account, adding/removing the account, and reinstalling Outlook did not fix the problem.

Microsoft

@mruss - given that you are GCC, can you please open a Premier ticket and provide the diagnostic logs (within the app - settings - help & feedback - share diagnostic logs). Thanks!

Copper Contributor

@Ross Smith IV - I have updated my users to Outlook 4.11.0 on iOS and they are still receiving the same error as before, "Can't Save Draft  Please copy and paste your draft content into a new message to continue".  Do we have any other options available to us that might fix this issue?  Thank you for all your help.  

Microsoft
@Nate_2020 - we're aiming to have a fix in next week's build.
Brass Contributor

We are currently struggling to create new encrypted emails. Decrypting emails and replying to encrypted emails is working; however, when we try to create a new email from scratch, Outlook Mobile states that I don't have a certificate: "We couldn't find your S/MIME certificate".

What is "special" about our certificates is that we have a dedicated certificate for signing and a dedicated for encryption. In the Outlook Mobile App, we installed only the encryption certificate which does not contain any key usage for signing. Might this be an issue?

Microsoft

@sebastianheil While you can have two separate certificates (one for encryption and one for signing), Outlook mobile requires both signing and encryption be available in order to use the S/MIME functionality. If I interpreted your statement incorrectly, then it may be best to open a support case with Premier.

Brass Contributor

@Ross Smith IV thanks for your reply.

Are there any plans to support S/MIME (there is an option for "encrypt" only) without having a signing certificate installed?

Microsoft

@sebastianheil - This will be addressed in a future release.

Copper Contributor
Hello, S/MIME-encrypted mails can be opened and read on the iOS device. However, I cannot encrypt a new email myself. An error message appears saying that no certificate is installed ... is there a solution for this?
Microsoft

@torjubel - While you can have two separate certificates (one for encryption and one for signing), Outlook mobile requires both signing and encryption be available in order to use the S/MIME functionality. This will be addressed in a future release.

Brass Contributor

@Ross Smith IV is there any high level estimate when this feature will be released?

Copper Contributor

@Ross Smith IV  : Will Outlook for iOS ever support S/MIME for on-premises Exchange 2019?  This is the only thing that prevents us from using the application.  It is artificially hobbled in S/MIME support to just 365 accounts.  iOS Mail, while in many ways inferior to what Microsoft has created with Outlook for iOS, at least supports S/MIME for on-prem.

Microsoft

@SiobhanTX It's possible we'll be able to support S/MIME for on-premises accounts leveraging hybrid modern authentication (http://aka.ms/hmaom) once those accounts are migrated to the native Microsoft sync technology. We require an Exchange Online tenant because we're leveraging the S/MIME virtual cert collection for certificate validation (see http://aka.ms/omsmime for more information).

Copper Contributor

We are troubleshooting an issue with a user who cannot send or read encrypted email. We attempted to, and wanted to know if we could, remove and reinstall an imported S/MIME certificate. Even though we removed Outlook and other MS apps and attempted to reimport their certificate, we continue to see errors indicating a duplicate certificate.

 

Can you explain the persistence of the Microsoft publisher keychain when all MS apps have been removed from the device? Should it remain on the device indefinitely? 

Thanks

 

Microsoft

@IWMITRE a future update (later this quarter) will support the removal of certs.

Copper Contributor

Hi,

 

When the S/MIME version for iOS was released, it was possible to send S/MIME emails (independent of MDM). With any newer release it didn't work anymore. Intentional or accidental?

 

BR,

xtoasty

Microsoft

@xtoasty - We support manual and automated certificate delivery in Outlook for iOS. Manual certificate delivery can be used regardless of enrollment state. Automated certificate delivery requires Intune as the enrollment provider. See http://aka.ms/omsmime for more information.

Copper Contributor

@Ross Smith IV 

 

Thanks for the info, but I installed the certificate manually (like this: http://aka.ms/omsmime), enabled S/MIME in Outlook and sent myself an e-mail without any effect. The e-mail wasn't signed....

 

 

Microsoft

@xtoasty - The app doesn't, by default, sign or encrypt messages once the cert is installed. During message composition, you need to select the ellipse, tap Sign and Encrypt, and then select the signing option.

Copper Contributor

@Ross Smith IV and then I got the message: "we could not find all the information necessary to verify this certificate."

Microsoft

@xtoasty - Sounds like all the prereqs listed in the article haven't been implemented within the environment - the Exchange Online virtual certificate collection and publishing the CRL to the Internet.

Deleted
Not applicable

@Ross Smith IV @ross

 

I am using an Email Signing Certificate from Sectigo and I do get the same error "we could not find all the information necessary to verify this certificate".

 

I see the instructions on setting up Exchange Online for this. But curious, I can sign the emails from Outlook on a computer (Outlook for Mac) with just the cert and don't need any changes on the Exchange Online side. Why does Outlook for mobile need this? Again, I am only trying to sign emails being sent.

 

Also, we are a small with no AD Sync, we have Office 365 separately, so is there some instruction on how to link the certificates, as we are not using a local certifying authority?

Microsoft

@Deleted - we're leveraging Exchange Online to handle certificate validation (similar to what OWA utilizes). This is covered in http://aka.ms/omsmime.

Copper Contributor

Hi @Ross Smith IV There is a new update for Outlook (v4.22.0). Right now, I have got another "error" in the S/MIME control panel.

 

Right now there is an info: "certificate invalid", but the Sectigo certificate is valid till 11.2022... When I take a look at the certificate details in the Outlook App, there is an info "check: error in chain assembly". What does it mean?

Microsoft

@xtoasty this is probably better supported for a support case. Can you open one, please?

Copper Contributor

@Ross Smith IV Where can I open it?

Last update: Dec 19 2023 01:26 PM