S/MIME with the Outlook app for Apple IOS and Android only possible with devices managed via Intune

If you want to make S/MIME certificates available to your users on the smartphone as well, you may be surprised to discover that this is not possible with the Outlook app unless you also use Microsoft Intune as a management solution for the devices.

Microsoft has published in an article "Sensitivity labeling and protection in Outlook for iOS and Android" now clarified that this is due to the respective system architecture.

For Outlook for iOS, this is due to the iOS keychain architecture. iOS offers a system keychain and publisher keychains. iOS prevents third-party apps from accessing the system keychain (only first-party apps and the Safari webview controller can access the system keychain). In order to deliver certificates that can be accessed by Outlook for iOS, the certificates must reside in the Microsoft publisher keychain to which Outlook for iOS has access. Only Microsoft published apps, like the Company Portal, can place certificates into the Microsoft publisher keychain.

For iOS, this means that apps (in this case, Mobile Device Management and the Outlook app) can only use a shared keystore if they come from the same publisher. So this is not a restriction invented by Microsoft, but one of the iOS operating system or its security model.

Outlook for Android relies on Endpoint Manager to deliver and approve the S/MIME certificates. Automatic certificate delivery is supported with Android enrollment scenarios: device administrator, Android Enterprise work profile, and Android Enterprise fully managed.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.