markfrancis

Q: S/MIME certificates in mobileconfig file iOS 8

We use S/MIME encryption in our company, with certificates generated by our own Root CA.

Up until now, I was able to create a mobileconfig file with iPhone Configuration Utility and install the public certificates for the CA and individual users as Credentials payloads. I would then do the same for the private key for the owner of the device.

The certificates were automatically used in the Mail app when mail was addressed to a matching address. This made email encryption relatively painless for the user.

Now, with iOS 8, Mail doesn't seem to pay any attention to certificates installed in a mobileconfig file. The only way I have been able to get encryption to work is by receiving a signed message from another user, clicking on their name and then viewing and installing their certificate. I can certainly manage this, but when we have 70 users with varying technical skills, there are going to be a lot of unencrypted messages sent that shouldn't be.

I am hoping that I am just missing a setting. I am going to have to recommend that users avoid upgrading to iOS 8 until a solution is found.

iPhone 5c, iOS 8

Posted on Oct 10, 2014 9:40 AM
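The profile structure the question describes (the CA certificate, each correspondent's public certificate, and the device owner's own key pair as separate credential payloads) can be generated without the iPhone Configuration Utility. The script below is an added example, not code from the thread or from Apple; the payload type identifiers com.apple.security.root, com.apple.security.pkcs1 and com.apple.security.pkcs12 are Apple's documented configuration-profile payload types, while the organisation identifier, addresses and certificate bytes are constructed placeholders. As the thread reports, Mail on iOS 8 and later does not use certificates delivered this way for encryption, so the profile installs but does not by itself restore the iOS 7 behaviour.

```python
"""Build an S/MIME certificate-distribution profile (.mobileconfig) with only the
Python standard library.

Payload types (Apple configuration profile payload identifiers):
  com.apple.security.root   - a root CA certificate to trust (DER)
  com.apple.security.pkcs1  - a public certificate (DER), e.g. a correspondent's S/MIME cert
  com.apple.security.pkcs12 - an identity (certificate + private key), password-protected PKCS#12
"""
import base64
import plistlib
import re
import uuid

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_CERT.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def _payload(ptype: str, identifier: str, display_name: str, **fields) -> dict:
    """Common envelope every payload needs: type, version, identifier, UUID, name."""
    payload = {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(fields)
    return payload


def build_smime_profile(org_id, org_name, ca_pem, user_certs,
                        identity_p12=None, identity_password=None):
    """Assemble the profile dictionary.

    org_id       reverse-DNS prefix for PayloadIdentifier values (hypothetical)
    user_certs   {email: PEM} of correspondents' public certificates
    identity_p12 / identity_password  the device owner's own certificate + private key
    """
    payloads = [
        _payload("com.apple.security.root", f"{org_id}.ca", f"{org_name} Root CA",
                 PayloadContent=pem_to_der(ca_pem), PayloadCertificateFileName="ca.cer"),
    ]
    for email, pem in sorted(user_certs.items()):
        slug = re.sub(r"[^a-z0-9]+", "-", email.lower())
        payloads.append(_payload(
            "com.apple.security.pkcs1", f"{org_id}.cert.{slug}", f"S/MIME cert: {email}",
            PayloadContent=pem_to_der(pem), PayloadCertificateFileName=f"{slug}.cer"))
    if identity_p12 is not None:
        # This payload carries a private key and its password in clear text inside the
        # profile, so it must be generated per user and delivered only to that user's
        # device over a trusted channel, never pushed to the whole fleet.
        payloads.append(_payload(
            "com.apple.security.pkcs12", f"{org_id}.identity", "My S/MIME identity",
            PayloadContent=identity_p12, Password=identity_password,
            PayloadCertificateFileName="identity.p12"))
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org_name} S/MIME certificates",
        "PayloadOrganization": org_name,
        "PayloadContent": payloads,
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialise as an XML plist, which is what a .mobileconfig file is."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def payload_summary(mobileconfig: bytes) -> list:
    """Parse a .mobileconfig back and list (PayloadType, PayloadDisplayName) pairs."""
    profile = plistlib.loads(mobileconfig)
    return [(p["PayloadType"], p["PayloadDisplayName"]) for p in profile["PayloadContent"]]


# ---- constructed sample input: NOT real certificates, just placeholder DER bytes ----
def _fake_pem(tag: str) -> str:
    body = base64.b64encode(f"placeholder DER for {tag}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_CA_PEM = _fake_pem("root CA")
SAMPLE_USER_CERTS = {
    "alice@example.com": _fake_pem("alice"),
    "bob@example.com": _fake_pem("bob"),
}

if __name__ == "__main__":
    profile = build_smime_profile("com.example.smime", "Example Corp", SAMPLE_CA_PEM,
                                  SAMPLE_USER_CERTS,
                                  identity_p12=b"placeholder PKCS#12 bytes",
                                  identity_password="change-me")
    data = to_mobileconfig(profile)
    for ptype, name in payload_summary(data):
        print(ptype, "->", name)
```

Swap the placeholder PEM strings for real exported certificates and the placeholder PKCS#12 bytes for the owner's exported identity, then sign the resulting file before distribution; unsigned profiles install with an "Unverified" warning, and nothing in the profile format itself authenticates who produced the certificate bundle.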


  • by Fred Hyden, Level 1 (4 points), Oct 29, 2014 11:36 AM, in response to markfrancis

    I spoke with Apple this morning and was able to email my description of the problem to a technical person. She will get back to me in a few days. I will post a summary of what I learn. Here is the text I sent to her...

    I’m having trouble installing public keys for S/MIME on my new iPad Air 2 running iOS 8.1. In the past I was able to install public keys by emailing a .cer file or by using Apple Configurator. These methods still work except that Mail ignores the certificate and won’t allow email encryption to the corresponding recipient. As a work-around, I have asked my email correspondents to send me a signed email which I use to install the public key. This works just fine but is, of course, inconvenient. Please restore the other methods to install public keys. See https://discussions.apple.com/message/26806237?tstart=0#26806237 for a description of the problem from another user. Thanks.

  • by Fred Hyden, Level 1 (4 points), Dec 9, 2014 10:01 AM, in response to Fred Hyden

    Bad news. Apple has decided that this is a feature, not a bug. I was working with Senior Technical Advisor Ashley Beaty who told me…

    “My engineers just got back to me saying that adding the signature is how we use S/MIME in iOS 8. They suggested that you can go to apple.com/feedback and suggest that this be changed but in iOS 8 this is expected behavior.”

    I did my best to make it clear that the behavior was a regression: something that worked in iOS 7 doesn’t work in iOS 8. Unfortunately, the senior technical advisor was not familiar with the technology involved. I think this factor was key to my failure.

    So, I’m giving up on this. Perhaps someone else can pursue the issue with Apple.

    The case number was 701195170.

  • by cyborgsam, Level 1 (24 points), Servers Enterprise, May 14, 2015 4:07 PM, in response to Fred Hyden

    Fred & Mark->

    I just wasted a couple of days trying to figure out why my iPhone with iOS 8.3 reported "Unable to encrypt" for a handful of my 50 users. I installed profiles using both Apple Configurator in Yosemite and iPhone Configuration Utility in Snow Leopard, same results. I also tried my iPad running iOS 8.3, same results.

    After finding this thread I tried emailing a couple of problematic certificates via signed messages to my iPhone. Sure enough, both started encrypting. Same for my iPad.

    Since I use Apple Mail, I do all my certificate acquiring and account testing in Thunderbird.

    I installed the exact same certificates on my iPhone as I installed in Thunderbird.

    Flaky: After installing two certificates from signed messages on my iPad, several others that had not worked started working. But some still failed.

    Even flakier: after trying a few more, some of the ones that had just worked went back to "Unable to encrypt." The ones whose certs I installed from signed emails continued to work.

    Great. Now I have to tell about 40 people who are among the least tech savvy how to get this to work.

  • by Fred Hyden, Level 1 (4 points), Oct 7, 2015 8:49 AM, in response to markfrancis

    I did some testing with iOS 9.0.2 and it appears that the bug introduced in iOS 8 is still with us.

  • by cyborgsam, Level 1 (24 points), Servers Enterprise, Nov 5, 2015 2:38 PM, in response to Fred Hyden

    The problem is still in the latest 9.2 beta. Email public certificates installed via Apple Configurator still fail to encrypt. These are commercial Comodo certificates with the user's name and email encoded.

    I installed profiles using Apple Configurator 2.1 in El Capitan (10.11.1 and 10.11.2 beta). I even tried iPhone Configuration Utility 3.5 in Snow Leopard.

    Making the situation worse, installing email public certificates from within the body of an email doesn't work either. They're installed into individual profiles, but emails are still "Unable to Encrypt."

    The only method that works is installing from a signed received message. It's logistically infeasible for 60 people to each email the other 59, then for 60 people to read 59 emails and install certificates from each.

    Fred: can you please contact me? I'm going to contact Apple and would like more details about your case. sherschbein is my Apple moniker.

  • by cyborgsam, Level 1 (24 points), Servers Enterprise, Jan 14, 2016 2:44 PM, in response to cyborgsam

    The problem still exists in the latest iOS 9.3 beta using the latest Apple Configurator 2 beta running in the latest El Capitan 10.11.4 beta.

  • by Fred Hyden, Level 1 (4 points), Jun 16, 2016 3:24 PM, in response to markfrancis

    Does anyone know if this bug has been fixed?

  • by Fred Hyden, Level 1 (4 points), Sep 10, 2016 1:39 PM, in response to markfrancis

    The problem still exists in iOS 10.0.1 (14A403). I emailed a public key in a .cer file and installed it. The profile was properly created. However, it was not possible to send an encrypted email. Processing a signed email from the person worked as always.