iOS IV: Use S/MIME Signing and Encryption

Prerequisites

• Supported Server Operating Systems
  • Certificate Authority is installed on Windows Server 2008 R2
  • Certificate Authority is installed on Windows Server 2012
  • Certificate Authority is installed on Windows Server 2016 
  • Certificate Authority is installed on Windows Server 2019
• Certification Authority Server needs the following configured roles
  • Certification Authority
  • Certification Authority Web Enrollment 
• Configured HTTPS Authentication for Certification Authority Web site (IIS Binding for Default Web Site) 
• Certification Authority and Silverback Server are joined to the same Active Directory Domain
  • When using a Cloud Connector to connect to a Cloud Based Environment, then it is the Cloud Connector Object that needs to be Domain Joined
• Service Account for publishing certificates  into Active Directory User Object 
• Silverback or Cloud Connector Computer Object is added to the Silverback Mobile Device Manager group
• An enrolled iOS device

Certificate Authority

• Log into your Certification Authority server

Create Enrollment Agent Certificate Request

• Login to your Silverback or Cloud Connector server as a Local Administrator (not Active Directory Domain Account)
• Open Internet Explorer
• Enter URL for the Certification Authority Web Enrollment web site 
  • https://ca01.imagoverum.com/certsrv 
• Click Continue to this website
• Login with your Service Account 

• Click Request a certificate
• Click advanced certificate request
• Click Create and submit a request to this CA
  • When Certificate Authority is running on Windows Server 2008 R2 you may not see this action
    • You will be redirected directly Submit a Certificate Request or Renewal Request Action
    • Open Compatibility View Settings on Internet Explorer
    • Click Add to add your domain (e.g. imagoverum.com) and Close the Window
    • Navigate back to Request a certificate step and try again (maybe refresh your browser)
• After a click Create and submit a request to this CA you should receive a pop-up with Web Access Confirm 
  • If you don't see this and your CSP keeps loading,  open Internet options
  • Navigate to Security
  • Select Trusted Sites
  • Click Sites
  • Click Add (your Certification Authority should be filled automatically - e.g ca.imagoverum.com)
  • Click Close
  • Click OK
  • Refresh this page, you should see now the pop-op
• Click Yes
• Change Certificate Template to Silverback Enrollment Agent
• Click Submit
• Click Yes

Add Certification Authority

• Open your Silverback Management Console
• Login as an Settings Administrator
• Navigate to Certificates
• Under Certificate Deployment enable Individual Client
• Enter your Certificate Authority in the following format:
  • ca.imagoverum.com\domain-server-CA

Add Templates and Subject Names 

• Under Templates add your previously issued User Certificate Template
  • e.g. SilverbackUser
• Under S/MIME Settings add the following:
  • Encryption Template Name: SilverbackSMIMEEncryption
  • Encryption Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Encrypt
  • Ensure that Publish encryption certificate to AD is enabled
  • Signing Template Name: SilverbackSMIMESigning
  • Signing Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Signing
  • Ensure that Publish signing certificate to AD is enabled
  • Agent Certificate: Select from the drop down list the previously created Enrollment Agent Certificate
    • Or if you are running with a Cloud Connector, paste the thumbprint manually: e.g. ‎d17843663fbaa87f49c4e97cd860867efc2c20b6
• Click Save
• Confirm with OK 

Additional Tasks with Cloud Connector

If you are running Silverback with the Cloud Connector, please perform the additional tasks:

• Navigate to Cloud Connector
• Ensure to have enabled Send LDAP requests through Tunnel 
• Ensure to have enabled Request Client Certificates through Tunnel
• Press Save
• Restart your Cloud Connector Services on your Cloud Connector Server

Additional Tasks for On-Premise Installations without Cloud Connector

• Run PowerShell with elevated privileges on your Silverback Server
• Run the following command:
  • restart-service w3svc,silv*,epic*,mat*

Change User

• Logout as Settings Administrator
• Login as Administrator

Create a new Certificate Trust Tag

• Navigate to Tags
• Click New Tag
  • Name it e.g. iOS Certificate Trusts
  • Enter as description e.g. Certificate Trusts for S/MIME (optional)
  • Enable Profile under Enabled Features
  • Enable your desired devices, e.g. iPhone or iPad
  • Click Save

Create Certificate Trust Profile

• Navigate to Profile
  • Navigate to Exchange Certificate Trusts
  • Add all your required Root and Intermediate Certificates
• Navigate to Definition
  • Click Associated Devices
  • Click Attach More Devices
  • Select your enrolled devices
  • Click Attach Selected Devices
  • Click OK
  • Click Close
  • Click Push to devices
  • Click OK

Check Device

• On your device open Settings
  • Navigate to General
  • Navigate to Profiles & Device Management
  • Select Silverback MDM Profile
  • Select More Details
  • Check under Certificates if your Certificate Trust certificates are listed

Create a new Exchange ActiveSync Tag

• Navigate to Tags
• Click New Tag
  • Name it e.g. iOS Exchange ActiveSync 
  • Enter as description e.g. Exchange with certificate based authentication and S/MIME (optional)
  • Enable Profile under Enabled Features
  • Enable your desired device, e.g. iPhone or iPad
  • Click Save

Create Exchange ActiveSync Profile

• Navigate to Profile
  • Navigate to Exchange ActiveSync
  • Click New Profile
  • Enter a Label Name: e.g. Imagoverum Exchange
  • Enter a Server Name: e.g. mail.imagoverum.com
  • Enable Certificate Distribution for signing certificates with the following settings: 
    • Enable S/MIME Signing and/or
    • Allow user to enable or disable S/MIME signing
  • Enable Certificate Distribution for encryption certificates with the following settings: 
    • Enable Enable S/MIME encryption by default and/or
    • Allow user to enable or disable S/MIME encryption
  • Configure Additional S/MIME Settings
  • Configure Additional Settings
  • Click Save
  • Click OK
• Navigate to Definition
  • Click Associated Devices
  • Click Attach More Devices
  • Select your enrolled devices
  • Click Attach Selected Devices
  • Click OK
  • Click Close
  • Click Push to devices
  • Click OK

Check Device

• On your device open Settings
  • Navigate to General
  • Navigate to Profiles & Device Management
  • Select Silverback MDM Profile
  • Select More Details
    • You should now see two new certificates
      • e.g. u_Tim.Tober_Encrypt
      • e.g. u_Tim.Tober_Sign
  • Tab on the top Profile
  • Navigate to Accounts
  • Your previously created Exchange Account should be listed
  • Tab on the Account
  • Check your configured S/MIME Settings
• Open Mail 
  • You should be logged in automatically
  • You should receive now emails

Check Certification Authority

• Go back to your Certification Authority
  • Navigate to Issued Certificates
  • Right click and click refresh
  • First, you should see now a newly issued certificate with the requester name Domain\Silverback$  with the SilverbackUser Template
  • Second, you should see now a newly issued certificate with the requester name (e.g. tim.tober)  with the Silverback SMIME Encryption Template
  • Third, you should see now a newly issued certificate with the requester name (e.g. tim.tober)  with the Silverback SMIME Signing Template

Check Active Directory

• Open Active Directory User and Computers
• Open your corresponding User Object
• Navigate to Published Certificates
  • Here you should see 2 new certificates
• As an alternative navigate to Attribute Editor
  • Scroll down to userCertificate
  • Click Edit
  • Here you should see new certificates in an encrypted format