S/MIME Certificate Behavior on iOS Devices

Overview

When creating the profile using the Kerio Connect feature to integrate with the device (EAS, IMAP/CalDAV/CardDAV), the S/MIME settings are automatically pulled from the Kerio Connect server using a profile on the iOS.

This article provides additional clarifications about S/MIME encryption with iOS mobile devices.

Information

Note: On iOS 15, you cannot download a profile from the server that has a personal certificate added. Similarly, in the later updates of iOS 14, the automatic profile config tool downloads the profile; however, the personal certificate contained in that profile does not get configured and cannot be added manually either.
ℹ️ The most recent versions of iOS no longer have this limitation, and as tested on iOS 18.4, Integrating EAS Accounts with Kerio Connect on iOS Devices will bundle the SMIME certificates

Automatic profile configuration

For a Kerio Connect user, if you have message encryption enabled in the Webmail when you integrate the account on an iOS device by using the automatic creation of the account, the setting in the devices cannot be changed, as they are hardcoded and handled within the Kerio profile that is installed.

If a user has enabled the secured messages, the auto-config tool will automatically install the personal cert and enable S/MIME. The S/MIME Sign and Encrypt by Default options will be set to Yes.

If the users then disable the secure messages, they will have to re-configure the account on their iPhone.

However, this does not mean that the user will not be able to send unencrypted messages. When composing an email and sending it to a user that does not have an encryption setup, a prompt that the email cannot be encrypted appears in the iOS new mail window. This is because, for encryption to be successful, both parties need to have the feature enabled and to have the proper certificates installed so that the recipient can decrypt the received message.

Manual profile configuration

When you Set up Exchange ActiveSync on your iPhone, iPad, or Apple Vision Pro - Apple Support using the manual method, the SMIME certificates are not imported automatically, since there is no profile that tells the iOS device what certificate to obtain.

Therefore, if you are using this method, you will need to manually import your SMIME certificate by downloading it on your iOS device, and then installing the profile that gets generated by the SMIME certificate.

Once the SMIME certificate is installed, you will be able to enable the S/MIME Sign and Encrypt by Default options and select the SMIME certificate you just downloaded.

Use S/MIME to send encrypted messages in an Exchange environment in iOS

Install SSL certificate on iOS

Choose files or drag and drop files

Tags:

Was this article helpful?

Yes

Priyanka Bhotika
Posted
Updated

Comments

Please sign in to comment