iOS IV: Use S/MIME Signing and Encryption

Prerequisites

Supported Server Operating Systems
- Certificate Authority is installed on Windows Server 2008 R2
- Certificate Authority is installed on Windows Server 2012
- Certificate Authority is installed on Windows Server 2016
Certification Authority Server needs the following configured roles
- Certification Authority
- Certification Authority Web Enrollment
Configured HTTPS Authentication for Certification Authority Web site (IIS Binding for Default Web Site)
Certification Authority and Silverback Server are joined to the same Active Directory Domain
- When using a Cloud Connector to connect to a Cloud Based Environment, then it is the Cloud Connector Object that needs to be Domain Joined
Service Account for publishing certificates into Active Directory User Object
Silverback or Cloud Connector Computer Object is added to the Silverback Mobile Device Manager group
An enrolled iOS device

Certificate Authority

Log into your Certification Authority server

Create Enrollment Agent Certificate Template

You might created the Enrollment Agent Certificate Template already during the previous Guide.

Open the Certification Authority MMC snap-in.
- Choose from Server Manager > Tools > Certification Authority
- Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
Expand the Configuration Tree on the Right until the Certificate Templates section is visible
Right Click Certificate Templates
Click Manage
Right Click Enrollment Agent in the middle pane
Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
- Select Windows Server 2003 Enterprise
- Click OK

General

Navigate to General
Enter as Template Display Name: Silverback Enrollment Agent
Enter as Template name: SilverbackEnrollmentAgent (will be filled automatically)

Request Handling

Now navigate to Request Handling
Make sure that the configuration will be the following:
- Purpose: Signature and encryption
- Proceed with Yes at prompt for wish to change the certificate purpose
- Include symmetric algorithms allowed by the subject: Enabled
- Allow private key to be exported: Enabled
- Select Enroll subject without requiring any user input

Subject Name

Navigate to Subject Name
Ensure the following values are configured:
- Built from this Active Directory information: Enabled
- Subject Name is set to Fully distinguished name
- User principal name (UPN): Enabled

Security

Navigate to Security
Click Add
Enter in the "Enter the object names to select " the service account you want to use
Click Check Names
Select the service account that you want to use
Click OK
Allow Read and Enroll Permissions
Click OK to finish Template Configuration

Create User Certificate Template

Right Click User in the middle pane
Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be promptet to select the Template version
- Select Windows Server 2003 Enterprise
- Click OK

General

Navigate to General
Enter as Template Display Name: Silverback User
Enter as Template name: SilverbackUser (will be filled automatically)
Uncheck Publish certificate in Active Directory

Request Handling

Navigate to Request Handling
Make sure that the configuration will be the following:
- Purpose: Signature and encryption
- Enabled Include symmetric algorithms allowed by the subject
- Enabled Allow private key to be exported
- Selected Enroll subject without requiring any user input

Subject Name

Navigate to Subject Name
Enable Supply in the request
Click OK to confirm

Issuance Requirements

Navigate to Issuance Requirements
Ensure that CA certificate manager approval is unchecked

Extensions

Navigate to Extensions
Select Application Policies
Click Edit
Select Encrypting File System
Click Remove
Click OK

Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should be included

Security

Navigate to Security
Select Authenticated Users
Ensure that Read Permissions are enabled
Click Add
Enter in the "Enter the object names to select": Silverback
Click Check Names
Select Silverback Enterprise Device Management
Click Ok
Enable Read and Enroll Permissions
Select Domain Users
Click Remove

Review other present users or groups and take into account to decrease the permission for these users or groups as well. At least one administrative account should have Read and Write permissions to adjust Template settings in the future.

Click OK to finish Template Configuration
Close Certificate Templates Console window

Create Signing Certificate Template

Right Click Exchange Signature Only in the middle pane
Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
- Select Windows Server 2003 Enterprise
- Click OK

General

Navigate to General
Enter as Template Display Name: Silverback SMIME Signing
Enter as Template name: SilverbackSMIMESigning (will be filled automatically)
Enabled Publish certificate in Active Directory

Request Handling

Navigate to Request Handling
Make sure that the configuration will be the following:
- Purpose: Signature
- Enabled Allow private key to be exported
- Selected Enroll subject without requiring any user input

Subject Name

Navigate to Subject Name
Enable Supply in the request
Click OK to confirm

Issuance Requirements

Navigate to Issuance Requirements
Enable This number of authorized signatures and keep default value 1
Change Application policy to Certificate Request Agent

Security

Navigate to Security
Select Authenticated Users
Ensure that Read Permissions are enabled
Click Add
Enter in the "Enter the object names to select": Silverback
Click Check Names
Select Silverback Enterprise Device Management
Click Ok
Enable Read and Enroll Permissions
Select Domain Users
Click Remove

Review other present users or groups and take into account to decrease the permission for these users or groups as well. At least one administrative account should have Read and Write permissions to adjust Template settings in the future.

Click OK to finish Template Configuration
Close Certificate Templates Console window

Create Encryption Certificate Template

Right Click Exchange User in the middle pane
Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be promptet to select the Template version
- Select Windows Server 2003 Enterprise
- Click OK

General

Navigate to General
Enter as Template Display Name: Silverback SMIME Encryption
Enter as Template name: SilverbackSMIMEEncryption (will be filled automatically)
Enabled Publish certificate in Active Directory

Request Handling

Navigate to Request Handling
Make sure that the configuration will be the following:
- Purpose: Encryption
- Enabled Include symmetric algorithms allowed by the subject
- Enabled Allow private key to be exported
- Selected Enroll subject without requiring any user input

Subject Name

Navigate to Subject Name
Enable Supply in the request
Click OK to confirm

Issuance Requirements

Navigate to Issuance Requirements
Enable This number of authorized signatures and keep default value 1
Change Application policy to Certificate Request Agent

Security

Navigate to Security
Select Authenticated Users
Ensure that Read Permissions are enabled
Click Add
Enter in the "Enter the object names to select": Silverback
Click Check Names
Select Silverback Enterprise Device Management
Click Ok
Enable Read and Enroll Permissions
Select Domain Users
Click Remove

Review other present users or groups and take into account to decrease the permission for these users or groups as well. At least one administrative account should have Read and Write permissions to adjust Template settings in the future.

Click OK to finish Template Configuration
Close Certificate Templates Console window

Issue Certificate Templates

Navigate to Certification Authority window
Right Click Certificate Templates
Select New
Click Certificate Template to Issue
Select Silverback Enrollment Agent
Click OK
Right Click Certificate Templates
Select New
Click Certificate Template to Issue
Select Silverback User
Click OK
Right Click Certificate Templates
Select New
Click Certificate Template to Issue
Select Silverback SMIME Signing
Click OK
Right Click Certificate Templates
Select New
Click Certificate Template to Issue
Select Silverback SMIME Encryption
Click OK

Create Enrollment Agent Certificate Request

Login to your Silverback or Cloud Connector server as a Local Administrator (not Active Directory Domain Account)
Open Internet Explorer
Enter URL for the Certification Authority Web Enrollment web site
- https://ca01.imagoverum.com/certsrv
Click Continue to this website
Login with your Service Account

If you will not see a Login prompt you are probably logged in with a Active Directory Domain Account

Click Request a certificate
Click advanced certificate request
Click Create and submit a request to this CA
- When Certificate Authority is running on Windows Server 2008 R2 you may not see this action
  - You will be redirected directly Submit a Certificate Request or Renewal Request Action
  - Open Compatibility View Settings on Internet Explorer
  - Click Add to add your domain (e.g. imagoverum.com) and Close the Window
  - Navigate back to Request a certificate step and try again (maybe refresh your browser)
After a click Create and submit a request to this CA you should receive a pop-up with Web Access Confirm
- If you don't see this and your CSP keeps loading, open Internet options
- Navigate to Security
- Select Trusted Sites
- Click Sites
- Click Add (your Certification Authority should be filled automatically - e.g ca.imagoverum.com)
- Click Close
- Click OK
- Refresh this page, you should see now the pop-op
Click Yes
Change Certificate Template to Silverback Enrollment Agent
Click Submit
Click Yes

Install Certificate

Click Install this certificate
Your new certificate should be successfully installed

Export Certificate from Current User

Right click Windows Icon in taskbar
Click Run
Enter certmgr.msc
Click OK or press enter
Expand Personal
Expand Certificates
- Right Click the installed certificate
- Click All Tasks
- Click Export
- Click Next
- Click Yes, export the private key
- Click Next
- Uncheck Include all certificates in the certification path if possible
- Click Next
- Enable Password
  - Enter a Password
  - Confirm Password
- Click Next
- Click Browse
- Choose your location and save it as a *.pfx file
- Click Next
- Click Finish
- Click OK

Import Certificate to Local Computer

Login to your Silverback or Cloud Connector server as a Domain Administrator
Right click Windows Icon in taskbar
Click Run
Enter certlm.msc
Click OK or press enter
Expand Personal
Expand Certificates
Perform a right click in the right pane
Select All Tasks
Select Import
Click Next
Click Browse
Select your *.pfx file

Change Search to All Files (*.*)

Click Open
Click Next
Enter your created password
Enable Mark this key as exportable
Click Next
Ensure that Personal is selected
Click Next
Click Finish
Click OK

Add Permission

Right click the new imported enrollment agent certificate
Select All Tasks
Select Manage Private Keys
Click Add
Enter network
Click Check Names
Select Network Service
Click OK
Click OK
Ensure that only Read is allowed
- Uncheck Full control
Click Apply
Click OK

Silverback

Add Certification Authority

Open your Silverback Management Console
Login as an Settings Administrator
Navigate to Certificates
Under Certificate Deployment enable Individual Client
Enter your Certificate Authority in the following format:
- ca.imagoverum.com\domain-server-CA

Add Templates and Subject Names

Under Templates add your previously issued User Certificate Template
- e.g. SilverbackUser
Under S/MIME Settings add the following:
- Encryption Template Name: SilverbackSMIMEEncryption
- Encryption Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Encrypt
- Signing Template Name: SilverbackSMIMESigning
- Signing Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Signing
- Agent Certificate: Select from the drop down list the previously created Enrollment Agent Certificate
  - Or if you are running with a Cloud Connector, paste the thumbprint manually: e.g. ‎d17843663fbaa87f49c4e97cd860867efc2c20b6
Click Save
Confirm with OK

From now on for every assigned Exchange ActiveSync Profile Silverback will generate a certificate

Restart IIS

Run PowerShell with elevated priviledges
Run the following command:
- restart-service w3svc,silv*,epic*,mat*

Change User

Logout as Settings Administrator
Login as Administrator

Certificate Trusts

Create a new Certificate Trust Tag

Navigate to Tags
Click New Tag
- Name it e.g. iOS Certificate Trusts
- Enter as description e.g. Certificate Trusts for S/MIME (optional)
- Enable Profile under Enabled Features
- Enable your desired devices, e.g. iPhone or iPad
- Click Save

Create Certificate Trust Profile

Navigate to Profile
- Navigate to Exchange Certificate Trusts
- Add all your required Root and Intermediate Certificates
Navigate to Definition
- Click Associated Devices
- Click Attach More Devices
- Select your enrolled devices
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK

Check Device

On your device open Settings
- Navigate to General
- Navigate to Profiles & Device Management
- Select Silverback MDM Profile
- Select More Details
- Check under Certificates if your Certificate Trust certificates are listed

Exchange Active Sync

Create a new Exchange ActiveSync Tag

Navigate to Tags
Click New Tag
- Name it e.g. iOS Exchange ActiveSync
- Enter as description e.g. Exchange with certificate based authentication and S/MIME (optional)
- Enable Profile under Enabled Features
- Enable your desired device, e.g. iPhone or iPad
- Click Save

Create Exchange ActiveSync Profile

Navigate to Profile
- Navigate to Exchange ActiveSync
- Click New Profile
- Enter a Label Name: e.g. Imagoverum Exchange
- Enter a Server Name: e.g. mail.imagoverum.com
- Enable Certificate Distribution for signing certificates with the following settings:
  - Enable S/MIME Signing and/or
  - Allow user to enable or disable S/MIME signing
- Enable Certificate Distribution for encryption certificates with the following settings:
  - Enable Enable S/MIME encryption by default and/or
  - Allow user to enable or disable S/MIME encryption
- Configure Additional S/MIME Settings
- Configure Additional Settings
- Click Save
- Click OK
Navigate to Definition
- Click Associated Devices
- Click Attach More Devices
- Select your enrolled devices
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK

Check Device

On your device open Settings
- Navigate to General
- Navigate to Profiles & Device Management
- Select Silverback MDM Profile
- Select More Details
  - You should now see two new certificates
    - e.g. u_Tim.Tober_Encrypt
    - e.g. u_Tim.Tober_Sign
- Tab on the top Profile
- Navigate to Accounts
- Your previously created Exchange Account should be listed
- Tab on the Account
- Check your configured S/MIME Settings
Open Mail
- You should be logged in automatically
- You should receive now emails

Check Certification Authority

Go back to your Certification Authority
- Navigate to Issued Certificates
- Right click and click refresh
- First, you should see now a newly issued certificate with the requester name Domain\Silverback$ with the SilverbackUser Template
- Second, you should see now a newly issued certificate with the requester name (e.g. tim.tober) with the Silverback SMIME Encryption Template
- Third, you should see now a newly issued certificate with the requester name (e.g. tim.tober) with the Silverback SMIME Signing Template

Check Active Directory

Open Active Directory User and Computers
Open your corresponding User Object
Navigate to Published Certificates
- Here you should see 2 new certificates
As an alternative navigate to Attribute Editor
- Scroll down to userCertificate
- Click Edit
- Here you should see new certificates in an encrypted format

Swap Certificates and send mails

On your first device open Mail
- Create a new Message
- Enter the Email address of your S/MIME partner
- Ensure that the Mail will be unencrypted (Lock Symbol)
- Enter as Subject e.g. Signing Certificate Exchange
- Enter something as a Text
- Send the email to your S/MIME Partner
On your S/MIME Partner Device
- Open the sent mail
- Tab on the Senders Name
- Select View Encryption Certificate
  - Click Install
  - Click Done
- Write a new mail to your S/MIME partner
  - Enter the Email address of your S/MIME partner
  - Ensure that the Mail will be unencrypted (Lock Symbol)
  - Enter as Subject e.g. Signing Certificate Exchange
  - Enter something as a Text
  - Send the email to your S/MIME Partner
On first S/MIME Partner Device
- Open the sent mail
- Tab on the Senders Name
- Select View Encryption Certificate
  - Click Install
  - Click Done
- Write a new mail to your S/MIME partner
  - Enter the Email address of your S/MIME partner
  - Ensure that the Mail will be encrypted this time (Lock Symbol)
  - Enter as Subject e.g. Encrypted Message
  - Enter as Text e.g. This is an encrypted message
  - Send the email to your S/MIME Partner
On your S/MIME Partner Device
- Open the new message
- You should be able to read the encrypted message
- Crosscheck on any other available device, there you should not be able to read the message.