How to Configure SSL.com S/MIME Certificates for Microsoft Outlook on iOS and Android

Configure SSL.com S/MIME certificates for Microsoft Outlook on iOS and Android using Microsoft Intune to secure mobile email with digital signatures and end-to-end encryption.

Secure email is essential for protecting sensitive business communications. S/MIME (Secure/Multipurpose Internet Mail Extensions) enables users to digitally sign messages to verify sender identity and encrypt email to prevent unauthorized access.

Organizations using Microsoft Exchange Online and Microsoft Outlook for iOS or Android can deploy SSL.com S/MIME certificates to provide end-to-end email security across mobile devices. Depending on your environment, certificates can be distributed manually or automatically using Microsoft Intune.

This guide explains the prerequisites, deployment options, and configuration steps required to use SSL.com S/MIME certificates with Microsoft Outlook for iOS and Android.

Before You Begin

Before deploying S/MIME certificates to mobile devices, ensure the following requirements are met:

  • An SSL.com S/MIME certificate has been issued for each user.
  • Microsoft Exchange Online has been configured to support S/MIME.
  • Exchange Online is configured with a virtual certificate collection.
  • Certificate Revocation Lists (CRLs) are publicly accessible.
  • Trusted root and intermediate CA certificates are available in Exchange Online’s virtual certificate collection.
  • Mobile devices are enrolled in Microsoft Intune if using automated deployment.

For Exchange Online configuration requirements, refer to Microsoft’s documentation for configuring S/MIME in Exchange Online.

How Outlook Validates S/MIME Certificates

Before Outlook enables signing or encryption, Exchange Online validates the certificate chain by:

  • Verifying each certificate in the chain
  • Confirming the presence of a trusted root certificate
  • Checking the certificate’s revocation status

Additionally, Outlook for iOS and Android compares the user’s primary SMTP email address with the email address contained in the certificate’s Subject or Subject Alternative Name (SAN).

If these values do not match exactly, Outlook will not make the certificate available for signing or encrypting email.

Choose a Certificate Distribution Method

Microsoft Outlook supports two methods for deploying S/MIME certificates.

Manual Certificate Distribution

Manual installation is appropriate for small organizations or individual users.

The user exports their personal certificate as a password-protected PFX file and sends it to themselves using Outlook. Opening the attachment from Outlook on iOS or Android automatically begins certificate installation.

For instructions on exporting a certificate, see this Microsoft guide

Although simple, manual distribution requires each user to install and manage their own certificate.

Automated Certificate Distribution with Microsoft Intune

For larger organizations, Microsoft recommends automated certificate deployment through Microsoft Intune.

Automated deployment simplifies certificate lifecycle management, reduces administrative overhead, and ensures users always receive the correct signing and encryption certificates.

iOS Architecture Considerations

On iOS, certificates used by Outlook must reside in Microsoft’s publisher keychain rather than the system keychain.

Because Apple restricts third-party applications from accessing certificates stored in the system keychain, Outlook for iOS can only use certificates delivered through Microsoft-managed applications such as Company Portal.

Android Architecture

Outlook for Android supports automated certificate delivery through Microsoft Intune across multiple enrollment models, including:

  • Android Enterprise Work Profile
  • Fully Managed Android Enterprise
  • Device Administrator (where supported)

Prerequisites for Automated Deployment

Before deploying certificates through Intune, complete the following tasks.

Deploy Trusted Root Certificates

Deploy all required trusted root and intermediate certificates. For more details, refer to this guide: Trusted root certificate profiles for Microsoft Intune

This allows Outlook to establish a complete chain of trust when validating user certificates.

Import User Encryption Certificates

Import users’ encryption certificates into Microsoft Intune using PKCS imported certificates. For more details, refer to this guide: Configure and use imported PKCS certificates with Intune

These certificates will be distributed automatically to enrolled devices.

Install the Microsoft Intune PFX Certificate Connector

Install and configure the Microsoft Intune PFX Certificate Connector. For more details, refer to this guide: Download, install, and configure the PFX Certificate Connector for Microsoft Intune

The connector securely delivers user certificates from your PKI environment to managed devices.

Enroll User Devices

Ensure all target iOS and Android devices are enrolled in Microsoft Intune before assigning certificate profiles or Outlook configuration policies.

Configure Outlook for Android

To configure Outlook on Android:

  1. Sign in to Microsoft Intune Admin Center.
  2. Create and assign either a SCEP or PKCS certificate profile.
  3. Navigate to Apps > App configuration policies.
  4. Select Add > Managed devices.
  5. Choose:
    • Platform: Android Enterprise
    • Profile Type: All Profile Types
  6. Select Microsoft Outlook as the targeted application.
  7. Under Configuration settings, choose Use configuration designer.
  8. Expand the S/MIME section.
  9. Configure:
    • Enable S/MIME
    • Encrypt all email
    • Sign all email
    • User modification permissions
  10. Assign the policy to the appropriate Microsoft Entra ID user groups.

After policy deployment, Intune automatically provisions certificates to enrolled Android devices.

Configure Outlook for iOS

Follow these steps to configure Outlook for iOS to use SSL.com S/MIME certificates.

  1. Sign in to Microsoft Intune Admin Center.
  2. Navigate to Apps > App configuration policies.
  3. Select Add > Managed devices.
  4. Enter a policy name and optional description.
  5. Select iOS/iPadOS as the platform.
  6. Choose Microsoft Outlook as the targeted application.
  7. Open Configuration settings.
  8. Expand the S/MIME section.

Configure the following options as appropriate:

  • Enable S/MIME
  • Encrypt all email
  • Sign all email
  • Allow or prevent users from changing these settings
  • Configure an LDAP URL if recipient certificate lookup is required
  • Enable Deploy S/MIME certificates from Intune

Configure Signing Certificates

Choose one of the following certificate profile types:

SCEP

Creates a unique certificate for each user and device. For more details, refer to this guide: Create and assign SCEP certificate profiles in Intune

PKCS Imported Certificates

Uses administrator-imported user certificates that can be distributed across multiple enrolled devices. For more details, refer to this guide: Configure and use PKCS certificates with Intune

Derived Credentials

Uses an existing credential retrieved through Intune’s derived credential workflow.

Configure Encryption Certificates

Choose one of the following options:

PKCS Imported Certificates

Distributes imported encryption certificates automatically to enrolled devices.

Derived Credentials

Uses an existing device certificate obtained through the Intune derived credential workflow.

Configure User Notifications

When certificates become available, Intune can notify users using one of two methods.

Company Portal

Users receive a push notification directing them to the Company Portal application, where certificate retrieval begins.

Email

Users receive an email instructing them to open the Company Portal and retrieve their S/MIME certificate.

On iOS, users must complete certificate retrieval through the Company Portal before Outlook can use the certificate for signing or encryption.

Enable S/MIME in Outlook

After certificates have been installed, users must manually enable S/MIME within the Outlook mobile application.

To enable S/MIME:

  1. Open Microsoft Outlook.
  2. Open Settings.
  3. Select the appropriate email account.
  4. Navigate to Security.
  5. Turn on S/MIME.

Once enabled, users can digitally sign or encrypt email messages directly from Outlook.

Optional: Configure LDAP for Certificate Lookup

Organizations may configure LDAP (Lightweight Directory Access Protocol) to simplify certificate discovery.

LDAP enables Outlook and other applications to locate recipient certificates automatically, allowing users to encrypt email without manually importing recipient certificates.

Benefits of LDAP integration include:

  • Centralized certificate management
  • Simplified recipient certificate discovery
  • Improved certificate validation
  • Easier enterprise-wide S/MIME deployment

For instructions, see the SSL.com guide:

LDAP Integration with SSL.com S/MIME Certificates

Conclusion

Deploying SSL.com S/MIME certificates with Microsoft Outlook on iOS and Android helps organizations protect sensitive communications through digital signatures and end-to-end email encryption.

Whether certificates are distributed manually for small deployments or automatically through Microsoft Intune for enterprise environments, proper configuration ensures users can securely send authenticated and encrypted email while maintaining compliance with organizational security policies. Automated deployment also reduces administrative effort, simplifies certificate lifecycle management, and provides a consistent user experience across managed mobile devices.

Twitter
Facebook
LinkedIn
Reddit
Email

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

SSL.com

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.

Privacy Overview
SSL.com

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognizing you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

For more information read our Cookie and privacy statement.

3rd Party Cookies

This website uses Google Analytics & Statcounter to collect anonymous information such as the number of visitors to the site, and the most popular pages.

Keeping these cookies enabled helps us to improve our website.

Show details