When creating the profile using the Kerio Connect feature to integrate with the device (EAS, IMAP/CalDAV/CardDAV), the S/MIME settings are automatically pulled from the Kerio Connect server using a profile on the iOS.
This article provides additional clarifications about S/MIME encryption with iOS mobile devices.
For a Kerio Connect user, if you have message encryption enabled in the Webmail when you integrate the account on an iOS device by using the automatic creation of the account, the setting in the devices cannot be changed, as they are hardcoded and handled within the Kerio profile that is installed.
If a user has enabled the secured messages, the auto-config tool will automatically install the personal cert and enable S/MIME. The S/MIME Sign and Encrypt by Default options will be set to Yes.
However, this does not mean that the user will not be able to send unencrypted messages. When composing an email and sending it to a user that does not have an encryption setup, a prompt that the email cannot be encrypted appears in the iOS new mail window. This is because, for encryption to be successful, both parties need to have the feature enabled and to have the proper certificates installed so that the recipient can decrypt the received message.