Secure email is essential for protecting sensitive business communications. S/MIME (Secure/Multipurpose Internet Mail Extensions) enables users to digitally sign messages to verify sender identity and encrypt email to prevent unauthorized access.
Organizations using Microsoft Exchange Online and Microsoft Outlook for iOS or Android can deploy SSL.com S/MIME certificates to provide end-to-end email security across mobile devices. Depending on your environment, certificates can be distributed manually or automatically using Microsoft Intune.
This guide explains the prerequisites, deployment options, and configuration steps required to use SSL.com S/MIME certificates with Microsoft Outlook for iOS and Android.
Before You Begin
Before deploying S/MIME certificates to mobile devices, ensure the following requirements are met:
- An SSL.com S/MIME certificate has been issued for each user.
- Microsoft Exchange Online has been configured to support S/MIME.
- Exchange Online is configured with a virtual certificate collection.
- Certificate Revocation Lists (CRLs) are publicly accessible.
- Trusted root and intermediate CA certificates are available in Exchange Online’s virtual certificate collection.
- Mobile devices are enrolled in Microsoft Intune if using automated deployment.
For Exchange Online configuration requirements, refer to Microsoft’s documentation for configuring S/MIME in Exchange Online.
How Outlook Validates S/MIME Certificates
Before Outlook enables signing or encryption, Exchange Online validates the certificate chain by:
- Verifying each certificate in the chain
- Confirming the presence of a trusted root certificate
- Checking the certificate’s revocation status
Additionally, Outlook for iOS and Android compares the user’s primary SMTP email address with the email address contained in the certificate’s Subject or Subject Alternative Name (SAN).
If these values do not match exactly, Outlook will not make the certificate available for signing or encrypting email.
Choose a Certificate Distribution Method
Microsoft Outlook supports two methods for deploying S/MIME certificates.
Manual Certificate Distribution
Manual installation is appropriate for small organizations or individual users.
The user exports their personal certificate as a password-protected PFX file and sends it to themselves using Outlook. Opening the attachment from Outlook on iOS or Android automatically begins certificate installation.
For instructions on exporting a certificate, see this Microsoft guide.
Although simple, manual distribution requires each user to install and manage their own certificate.
Automated Certificate Distribution with Microsoft Intune
For larger organizations, Microsoft recommends automated certificate deployment through Microsoft Intune.
Automated deployment simplifies certificate lifecycle management, reduces administrative overhead, and ensures users always receive the correct signing and encryption certificates.
iOS Architecture Considerations
On iOS, certificates used by Outlook must reside in Microsoft’s publisher keychain rather than the system keychain.
Because Apple restricts third-party applications from accessing certificates stored in the system keychain, Outlook for iOS can only use certificates delivered through Microsoft-managed applications such as Company Portal.
Android Architecture
Outlook for Android supports automated certificate delivery through Microsoft Intune across multiple enrollment models, including:
- Android Enterprise Work Profile
- Fully Managed Android Enterprise
- Device Administrator (where supported)
Prerequisites for Automated Deployment
Before deploying certificates through Intune, complete the following tasks.
Deploy Trusted Root Certificates
Deploy all required trusted root and intermediate certificates. For more details, refer to this guide: Trusted root certificate profiles for Microsoft Intune
This allows Outlook to establish a complete chain of trust when validating user certificates.
Import User Encryption Certificates
Import users’ encryption certificates into Microsoft Intune using PKCS imported certificates. For more details, refer to this guide: Configure and use imported PKCS certificates with Intune
These certificates will be distributed automatically to enrolled devices.
Install the Microsoft Intune PFX Certificate Connector
Install and configure the Microsoft Intune PFX Certificate Connector. For more details, refer to this guide: Download, install, and configure the PFX Certificate Connector for Microsoft Intune
The connector securely delivers user certificates from your PKI environment to managed devices.
Enroll User Devices
Ensure all target iOS and Android devices are enrolled in Microsoft Intune before assigning certificate profiles or Outlook configuration policies.
Configure Outlook for Android
To configure Outlook on Android:
- Sign in to Microsoft Intune Admin Center.
- Create and assign either a SCEP or PKCS certificate profile.
- Navigate to Apps > App configuration policies.
- Select Add > Managed devices.
- Choose:
- Platform: Android Enterprise
- Profile Type: All Profile Types
- Select Microsoft Outlook as the targeted application.
- Under Configuration settings, choose Use configuration designer.
- Expand the S/MIME section.
- Configure:
- Enable S/MIME
- Encrypt all email
- Sign all email
- User modification permissions
- Assign the policy to the appropriate Microsoft Entra ID user groups.
After policy deployment, Intune automatically provisions certificates to enrolled Android devices.
Configure Outlook for iOS
Follow these steps to configure Outlook for iOS to use SSL.com S/MIME certificates.
- Sign in to Microsoft Intune Admin Center.
- Navigate to Apps > App configuration policies.
- Select Add > Managed devices.
- Enter a policy name and optional description.
- Select iOS/iPadOS as the platform.
- Choose Microsoft Outlook as the targeted application.
- Open Configuration settings.
- Expand the S/MIME section.
Configure the following options as appropriate:
- Enable S/MIME
- Encrypt all email
- Sign all email
- Allow or prevent users from changing these settings
- Configure an LDAP URL if recipient certificate lookup is required
- Enable Deploy S/MIME certificates from Intune
Configure Signing Certificates
Choose one of the following certificate profile types:
SCEP
Creates a unique certificate for each user and device. For more details, refer to this guide: Create and assign SCEP certificate profiles in Intune
PKCS Imported Certificates
Uses administrator-imported user certificates that can be distributed across multiple enrolled devices. For more details, refer to this guide: Configure and use PKCS certificates with Intune
Derived Credentials
Uses an existing credential retrieved through Intune’s derived credential workflow.
Configure Encryption Certificates
Choose one of the following options:
PKCS Imported Certificates
Distributes imported encryption certificates automatically to enrolled devices.
Derived Credentials
Uses an existing device certificate obtained through the Intune derived credential workflow.
Configure User Notifications
When certificates become available, Intune can notify users using one of two methods.
Company Portal
Users receive a push notification directing them to the Company Portal application, where certificate retrieval begins.
Users receive an email instructing them to open the Company Portal and retrieve their S/MIME certificate.
On iOS, users must complete certificate retrieval through the Company Portal before Outlook can use the certificate for signing or encryption.
Enable S/MIME in Outlook
After certificates have been installed, users must manually enable S/MIME within the Outlook mobile application.
To enable S/MIME:
- Open Microsoft Outlook.
- Open Settings.
- Select the appropriate email account.
- Navigate to Security.
- Turn on S/MIME.
Once enabled, users can digitally sign or encrypt email messages directly from Outlook.
Optional: Configure LDAP for Certificate Lookup
Organizations may configure LDAP (Lightweight Directory Access Protocol) to simplify certificate discovery.
LDAP enables Outlook and other applications to locate recipient certificates automatically, allowing users to encrypt email without manually importing recipient certificates.
Benefits of LDAP integration include:
- Centralized certificate management
- Simplified recipient certificate discovery
- Improved certificate validation
- Easier enterprise-wide S/MIME deployment
For instructions, see the SSL.com guide:
LDAP Integration with SSL.com S/MIME Certificates
Conclusion
Deploying SSL.com S/MIME certificates with Microsoft Outlook on iOS and Android helps organizations protect sensitive communications through digital signatures and end-to-end email encryption.
Whether certificates are distributed manually for small deployments or automatically through Microsoft Intune for enterprise environments, proper configuration ensures users can securely send authenticated and encrypted email while maintaining compliance with organizational security policies. Automated deployment also reduces administrative effort, simplifies certificate lifecycle management, and provides a consistent user experience across managed mobile devices.