S/MIME certificate through MDM from CA with "Email Protection" EKU

I want to generate certificates from our CA using SCEP for our users to use to digitally sign their emails. For this to work the certificates need to have the "Email Protection 1.3.6.1.5.5.7.3.4" EKU. Without this EKU the certificate:
  1. Will not show up as an available certificate in Outlook.
  2. Will not be used by the Mail app automatically when composing an email.
I have access to Apple-based MDM Mosyle, Microsoft's Intune, and the SCEPman CA. Below are the things I have observed and want to know if there is a shortcoming in Apple's implementation of SCEP, if I'm simply doing something wrong, and if anyone has a solution for this that works.


Scenario One

I generated a free S/MIME certificate and manually installed it on my Mac. When I open Mail and compose a new mail the checkmark appears and it is being used automatically to sign my personal emails from the matching email address that is on the certificate. The certificate has the correct EKU.


Scenario Two

There is tangential evidence that requesting such a certificate from SCEPman through an MDM works. I have a configuration profile in Intune that requests such a certificate for our Windows users. In the Intune configuration profile you manually enter which EKUs the certificate should have. The certificates generate with the correct EKU and can be used for digital signatures in Outlook.


Scenario Three

In Mosyle SCEP configurations they have the array of choices shown in the Apple Developer documentation for SCEP. One of the options is a checkbox that says "Use for signing". I am under the assumption, but cannot confirm, that this would be similar to the Intune method of declaring that you want the EKU I am trying to get. The certificate will not generate with the Email Protection EKU and cannot be used for S/MIME.


Scenario Four

As evidence that it isn't just a problem with Mosyle, we have some Macs that have not yet moved from Intune to Mosyle. I created a test configuration profile for one of our Macs and manually specified the Email Protection EKU. The certificate generated fine, but the EKU I asked for was not on the certificate.


As I understand the SCEP process, the MDM sends the payload to the Apple device and it is the SCEP implementation on the Apple device that reaches out to the CA to request the certificate. Knowing that, my questions are:


  1. Am I doing something wrong?
  2. Is this an oversight that needs to be patched by Apple?
  3. Is this something that is specifically by design from Apple?


Edit: From the Dev docs for the signing option..

Posted on Jul 20, 2023 5:40 PM
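One way to verify what the SCEP flow actually produced, rather than inferring it from whether Mail or Outlook offers the certificate: decode the Extended Key Usage extension directly. The following is an added example, not code from the original post, Mosyle, Intune or SCEPman. It is a small pure-Python DER walker that returns the EKU OIDs of a DER-encoded certificate and checks for id-kp-emailProtection (1.3.6.1.5.5.7.3.4). The `sample_certificate` helper and everything under the "constructed sample data" banner are assumptions built only so the example runs offline; they produce a skeletal, unsigned certificate-shaped blob, not a real certificate.

```python
# Added example (not from the original post): report the Extended Key Usage OIDs
# of a DER-encoded X.509 certificate and check for the S/MIME one.

EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection (what S/MIME needs)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # id-kp-clientAuth (a common default EKU)
EKU_EXTENSION = "2.5.29.37"              # id-ce-extKeyUsage
KEY_USAGE_EXTENSION = "2.5.29.15"        # id-ce-keyUsage (decoy in the constructed sample)

TAG_OID, TAG_OCTET_STRING, TAG_SEQUENCE = 0x06, 0x04, 0x30


def _read_tlv(data, pos):
    """Decode one DER TLV at pos -> (tag, content, position after it).
    Single-byte tags only, which is all X.509 certificates use."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(content):
    """Yield (tag, content) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        yield tag, inner


def _decode_oid(content):
    """OID content bytes -> dotted-decimal string."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def extended_key_usages(cert_der):
    """Return the EKU OIDs of a DER-encoded certificate ([] if the extension is absent)."""
    def walk(content):
        items = list(_children(content))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if items and items[0][0] == TAG_OID and _decode_oid(items[0][1]) == EKU_EXTENSION:
            # extnValue wraps ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (OIDs)
            _, seq, _ = _read_tlv(items[-1][1], 0)
            return [_decode_oid(v) for t, v in _children(seq) if t == TAG_OID]
        for tag, inner in items:
            if tag & 0x20:                  # constructed element: descend into it
                found = walk(inner)
                if found is not None:
                    return found
        return None

    _, body, _ = _read_tlv(cert_der, 0)     # outer Certificate SEQUENCE
    return walk(body) or []


def has_email_protection(cert_der):
    """True when the EKU allows S/MIME use (the check Mail and Outlook effectively apply)."""
    return EMAIL_PROTECTION in extended_key_usages(cert_der)


# --- Constructed sample data (assumed, so the example runs offline; not a real cert) ---

def _der(tag, content):
    """Encode one TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Dotted-decimal string -> full OID TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _der(TAG_OID, body)


def sample_certificate(eku_oids):
    """Skeletal certificate-shaped DER: version, serial and an extensions block holding a
    keyUsage decoy plus, when eku_oids is non-empty, an extKeyUsage extension."""
    key_usage = _der(TAG_OCTET_STRING, bytes.fromhex("030205a0"))  # digitalSignature, keyEncipherment
    extensions = [_der(TAG_SEQUENCE, _encode_oid(KEY_USAGE_EXTENSION) + key_usage)]
    if eku_oids:
        eku_value = _der(TAG_SEQUENCE, b"".join(_encode_oid(o) for o in eku_oids))
        extensions.append(_der(TAG_SEQUENCE, _encode_oid(EKU_EXTENSION)
                               + _der(TAG_OCTET_STRING, eku_value)))
    tbs = _der(TAG_SEQUENCE,
               _der(0xA0, _der(0x02, b"\x02"))                          # [0] version v3
               + _der(0x02, b"\x01")                                    # serialNumber 1
               + _der(0xA3, _der(TAG_SEQUENCE, b"".join(extensions))))  # [3] extensions
    return _der(TAG_SEQUENCE, tbs)


if __name__ == "__main__":
    for label, ekus in (("clientAuth only", [CLIENT_AUTH]),
                        ("S/MIME-capable", [EMAIL_PROTECTION, CLIENT_AUTH])):
        cert = sample_certificate(ekus)
        print(f"{label}: EKU={extended_key_usages(cert)} emailProtection={has_email_protection(cert)}")
```

To run it against a certificate the MDM actually delivered, export it in DER form (for example `openssl x509 -in cert.pem -outform DER -out cert.der`) and pass the file's bytes to `extended_key_usages`; an empty list, or a list without 1.3.6.1.5.5.7.3.4, is the condition described in Scenarios Three and Four. The same information is visible under "X509v3 Extended Key Usage" in `openssl x509 -in cert.pem -noout -text`, so the walker is mainly useful when many device certificates need checking at once.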
