Skip to main content
Matrix42 Self-Service Help Center

iOS IV: Use S/MIME Signing and Encryption

Prerequisites

  • Supported Server Operating Systems
    • Certificate Authority is installed on Windows Server 2008 R2
    • Certificate Authority is installed on Windows Server 2012
    • Certificate Authority is installed on Windows Server 2016 
  • Certification Authority Server needs the following configured roles
    • Certification Authority
    • Certification Authority Web Enrollment 
  • Configured HTTPS Authentication for Certification Authority Web site (IIS Binding for Default Web Site) 
  • Certification Authority and Silverback Server are joined to the same Active Directory Domain
    • When using a Cloud Connector to connect to a Cloud Based Environment, then it is the Cloud Connector Object that needs to be Domain Joined
  • Service Account for publishing certificates  into Active Directory User Object 
  • Silverback or Cloud Connector Computer Object is added to the Silverback Mobile Device Manager group
  • An enrolled iOS device

Certificate Authority

  • Log into your Certification Authority server

Create Enrollment Agent Certificate Template 

You might created the Enrollment Agent Certificate Template already during the previous Guide

  • Open the Certification Authority MMC snap-in.
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the Configuration Tree on the Right until the Certificate Templates section is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click Enrollment Agent in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback Enrollment Agent
  • Enter as Template name: SilverbackEnrollmentAgent (will be filled automatically)
Request Handling
  • Now navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature and encryption
    • Proceed with Yes at prompt for wish to change the certificate purpose
    • Include symmetric algorithms allowed by the subject: Enabled
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Ensure the following values are configured:
    • Built from this Active Directory information: Enabled
    • Subject Name is set to Fully distinguished name
    • User principal name (UPN): Enabled
Security
  • Navigate to Security
  • Click Add
  • Enter in the "Enter the object names to select " the service account you want to use
  • Click Check Names
  • Select the service account that you want to use 
  • Click OK
  • Allow Read and Enroll Permissions
  • Click OK to finish Template Configuration

Create User Certificate Template

  • Right Click User in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be promptet to select the Template version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback User
  • Enter as Template name: SilverbackUser (will be filled automatically)
  • Uncheck Publish certificate in Active Directory
Request Handling
  • Navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature and encryption
    • Enabled Include symmetric algorithms allowed by the subject
    • Enabled Allow private key to be exported
    • Selected Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm
Issuance Requirements
  • Navigate to Issuance Requirements
  • Ensure that CA certificate manager approval is unchecked
Extensions
  • Navigate to Extensions
  • Select Application Policies
  • Click Edit
  • Select Encrypting File System
  • Click Remove
  • Click OK

Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should be included

Security
  • Navigate to Security
  • Select Authenticated Users
  • Ensure that Read Permissions are enabled
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click Ok
  • Enable Read and Enroll Permissions
  • Select Domain Users
  • Click Remove

Review other present users or groups and take into account to decrease the permission for these users or groups as well. At least one administrative account should have Read and Write permissions to adjust Template settings in the future. 

  • Click OK to finish Template Configuration
  • Close Certificate Templates Console window

Create Signing Certificate Template

  • Right Click Exchange Signature Only in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback SMIME Signing
  • Enter as Template name: SilverbackSMIMESigning (will be filled automatically)
  • Enabled Publish certificate in Active Directory
Request Handling
  • Navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature
    • Enabled Allow private key to be exported
    • Selected Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm
Issuance Requirements
  • Navigate to Issuance Requirements
  • Enable This number of authorized signatures and keep default value 1
  • Change Application policy to Certificate Request Agent
Security
  • Navigate to Security
  • Select Authenticated Users
  • Ensure that Read Permissions are enabled
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click Ok
  • Enable Read and Enroll Permissions
  • Select Domain Users
  • Click Remove

Review other present users or groups and take into account to decrease the permission for these users or groups as well. At least one administrative account should have Read and Write permissions to adjust Template settings in the future. 

  • Click OK to finish Template Configuration
  • Close Certificate Templates Console window

Create Encryption Certificate Template

  • Right Click Exchange User in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be promptet to select the Template version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback SMIME Encryption
  • Enter as Template name: SilverbackSMIMEEncryption (will be filled automatically)
  • Enabled Publish certificate in Active Directory
Request Handling
  • Navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Encryption
    • Enabled Include symmetric algorithms allowed by the subject
    • Enabled Allow private key to be exported
    • Selected Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm
Issuance Requirements
  • Navigate to Issuance Requirements
  • Enable This number of authorized signatures and keep default value 1
  • Change Application policy to Certificate Request Agent
Security
  • Navigate to Security
  • Select Authenticated Users
  • Ensure that Read Permissions are enabled
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click Ok
  • Enable Read and Enroll Permissions
  • Select Domain Users
  • Click Remove

Review other present users or groups and take into account to decrease the permission for these users or groups as well. At least one administrative account should have Read and Write permissions to adjust Template settings in the future. 

  • Click OK to finish Template Configuration
  • Close Certificate Templates Console window

Issue Certificate Templates 

  • Navigate to Certification Authority window
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback Enrollment Agent
  • Click OK
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback User
  • Click OK
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback SMIME Signing
  • Click OK
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback SMIME Encryption
  • Click OK

Create Enrollment Agent Certificate Request

  • Login to your Silverback or Cloud Connector server as a Local Administrator (not Active Directory Domain Account)
  • Open Internet Explorer
  • Enter URL for the Certification Authority Web Enrollment web site 
  • Click Continue to this website
  • Login with your Service Account 

If you will not see a Login prompt you are probably logged in with a Active Directory Domain Account

  • Click Request a certificate
  • Click advanced certificate request
  • Click Create and submit a request to this CA
    • When Certificate Authority is running on Windows Server 2008 R2 you may not see this action
      • You will be redirected directly Submit a Certificate Request or Renewal Request Action
      • Open Compatibility View Settings on Internet Explorer
      • Click Add to add your domain (e.g. imagoverum.com) and Close the Window
      • Navigate back to Request a certificate step and try again (maybe refresh your browser)
  • After a click Create and submit a request to this CA you should receive a pop-up with Web Access Confirm 
    • If you don't see this and your CSP keeps loading,  open Internet options
    • Navigate to Security
    • Select Trusted Sites
    • Click Sites
    • Click Add (your Certification Authority should be filled automatically - e.g ca.imagoverum.com)
    • Click Close
    • Click OK
    • Refresh this page, you should see now the pop-op
  • Click Yes
  • Change Certificate Template to Silverback Enrollment Agent
  • Click Submit
  • Click Yes

Install Certificate

  • Click Install this certificate
  • Your new certificate should be successfully installed

Export Certificate from Current User

  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certmgr.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
    • Right Click the installed certificate
    • Click All Tasks
    • Click Export
    • Click Next
    • Click Yes, export the private key
    • Click Next
    • Uncheck Include all certificates in the certification path if possible
    • Click Next
    • Enable Password
      • Enter a Password
      • Confirm Password
    • Click Next
    • Click Browse
    • Choose your location and save it as a *.pfx file
    • Click Next
    • Click Finish
    • Click OK

Import Certificate to Local Computer

  • Login to your Silverback or Cloud Connector server as a Domain Administrator
  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certlm.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
  • Perform a right click in the right pane
  • Select All Tasks
  • Select Import
  • Click Next
  • Click Browse
  • Select your *.pfx file

Change Search to All Files (*.*)

  • Click Open
  • Click Next
  • Enter your created password
  • Enable Mark this key as exportable
  • Click Next
  • Ensure that Personal is selected
  • Click Next
  • Click Finish
  • Click OK

Add Permission

  • Right click the new imported enrollment agent certificate
  • Select All Tasks
  • Select Manage Private Keys
  • Click Add
  • Enter network
  • Click Check Names
  • Select Network Service
  • Click OK
  • Click OK
  • Ensure that only Read is allowed
    • Uncheck Full control
  • Click Apply
  • Click OK

Silverback

Add Certification Authority

  • Open your Silverback Management Console
  • Login as an Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Certificate Authority in the following format:
    • ca.imagoverum.com\domain-server-CA

Add Templates and Subject Names 

  • Under Templates add your previously issued User Certificate Template
    • e.g. SilverbackUser
  • Under S/MIME Settings add the following:
    • Encryption Template Name: SilverbackSMIMEEncryption
    • Encryption Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Encrypt
    • Signing Template Name: SilverbackSMIMESigning
    • Signing Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Signing
    • Agent Certificate: Select from the drop down list the previously created Enrollment Agent Certificate
  • Click Save
  • Confirm with OK 

From now on for every assigned Exchange ActiveSync Profile Silverback will generate a certificate

Restart IIS

  • Run PowerShell with elevated priviledges
  • Run the following command:
    • restart-service w3svc,silv*,epic*,mat*

Change User

  • Logout as Settings Administrator
  • Login as Administrator

Certificate Trusts

Create a new Certificate Trust Tag

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. iOS Certificate Trusts
    • Enter as description e.g. Certificate Trusts for S/MIME (optional)
    • Enable Profile under Enabled Features
    • Enable your desired devices, e.g. iPhone or iPad
    • Click Save

Create Certificate Trust Profile

  • Navigate to Profile
    • Navigate to Exchange Certificate Trusts
    • Add all your required Root and Intermediate Certificates
  • Navigate to Definition
    • Click Associated Devices
    • Click Attach More Devices
    • Select your enrolled devices
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • On your device open Settings
    • Navigate to General
    • Navigate to Profiles & Device Management
    • Select Silverback MDM Profile
    • Select More Details
    • Check under Certificates if your Certificate Trust certificates are listed

Exchange Active Sync

Create a new Exchange ActiveSync Tag

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. iOS Exchange ActiveSync 
    • Enter as description e.g. Exchange with certificate based authentication and S/MIME (optional)
    • Enable Profile under Enabled Features
    • Enable your desired device, e.g. iPhone or iPad
    • Click Save

Create Exchange ActiveSync Profile

  • Navigate to Profile
    • Navigate to Exchange ActiveSync
    • Click New Profile
    • Enter a Label Name: e.g. Imagoverum Exchange
    • Enter a Server Name: e.g. mail.imagoverum.com
    • Enable Certificate Distribution for signing certificates with the following settings: 
      • Enable S/MIME Signing and/or
      • Allow user to enable or disable S/MIME signing
    • Enable Certificate Distribution for encryption certificates with the following settings: 
      • Enable Enable S/MIME encryption by default and/or
      • Allow user to enable or disable S/MIME encryption
    • Configure Additional S/MIME Settings
    • Configure Additional Settings
    • Click Save
    • Click OK
  • Navigate to Definition
    • Click Associated Devices
    • Click Attach More Devices
    • Select your enrolled devices
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • On your device open Settings
    • Navigate to General
    • Navigate to Profiles & Device Management
    • Select Silverback MDM Profile
    • Select More Details
      • You should now see two new certificates
        • e.g. u_Tim.Tober_Encrypt
        • e.g. u_Tim.Tober_Sign
    • Tab on the top Profile
    • Navigate to Accounts
    • Your previously created Exchange Account should be listed
    • Tab on the Account
    • Check your configured S/MIME Settings
  • Open Mail 
    • You should be logged in automatically
    • You should receive now emails

Check Certification Authority

  • Go back to your Certification Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • First, you should see now a newly issued certificate with the requester name Domain\Silverback$  with the SilverbackUser Template
    • Second, you should see now a newly issued certificate with the requester name (e.g. tim.tober)  with the Silverback SMIME Encryption Template
    • Third, you should see now a newly issued certificate with the requester name (e.g. tim.tober)  with the Silverback SMIME Signing Template

Check Active Directory

  • Open Active Directory User and Computers
  • Open your corresponding User Object
  • Navigate to Published Certificates
    • Here you should see 2 new certificates
  • As an alternative navigate to Attribute Editor
    • Scroll down to userCertificate
    • Click Edit
    • Here you should see new certificates in an encrypted format

Swap Certificates and send mails

  • On your first device open Mail
    • Create a new Message
    • Enter the Email address of your S/MIME partner
    • Ensure that the Mail will be unencrypted (Lock Symbol)
    • Enter as Subject e.g. Signing Certificate Exchange
    • Enter something as a Text
    • Send the email to your S/MIME Partner
  • On your S/MIME Partner Device 
    • Open the sent mail
    • Tab on the Senders Name 
    • Select View Encryption Certificate
      • Click Install
      • Click Done 
    • Write a new mail to your S/MIME partner
      • Enter the Email address of your S/MIME partner
      • Ensure that the Mail will be unencrypted (Lock Symbol)
      • Enter as Subject e.g. Signing Certificate Exchange
      • Enter something as a Text
      • Send the email to your S/MIME Partner
  • On first S/MIME Partner Device 
    • Open the sent mail
    • Tab on the Senders Name 
    • Select View Encryption Certificate
      • Click Install
      • Click Done 
    • Write a new mail to your S/MIME partner
      • Enter the Email address of your S/MIME partner
      • Ensure that the Mail will be encrypted this time (Lock Symbol)
      • Enter as Subject e.g. Encrypted Message
      • Enter as Text e.g. This is an encrypted message
      • Send the email to your S/MIME Partner
  • On your S/MIME Partner Device 
    • Open the new message
    • You should be able to read the encrypted message
    • Crosscheck on any other available device, there you should not be able to read the message.
  • Was this article helpful?