Use S/MIME to send encrypted messages in an Exchange environment in iOS

iOS offers support for S/MIME so that you can send encrypted email messages. 

To send encrypted messages, you need the recipient's certificate (public key). Mail accesses this certificate using one of two methods, depending on whether the recipient is in your Exchange environment. This article explains both methods.

Message encryption

When configuring S/MIME for your account, you can choose to "Encrypt by Default" when composing new messages.

In iOS 13.4 and later, when you reply or forward a message, the encryption state of your message will match the state of the incoming message rather than your system default setting. You can also change the encryption state of an outgoing message using the blue lock icon:



Send encrypted messages to people in your Exchange environment

If your recipient is a user in the same Exchange environment, iOS can find the necessary certificate for message encryption.

Follow these steps to send encrypted messages to contacts in your Exchange environment:

  1. Compose a new message in Mail. Notice the unlocked lock icon, indicating that message encryption is enabled for your Exchange account.
  2. Begin addressing the message to a recipient in your Exchange organization.
  3. Mail consults the GAL to discover the recipient's S/MIME certificate.
  4. When Mail finds a certificate, a lock icon appears to the right of the recipient's contact name, and the address is highlighted in blue. Notice the larger blue lock icon—it can be used to toggle encryption for the message allowing you to easily compose both encrypted and an unencrypted messages.
  5. If you add a recipient and Mail can’t find the certificate, that address is highlighted in red and an unlocked icon appears to the right of the recipient's address. The message designation will now show unlocked and Unable to Encrypt.

Send an encrypted message to someone outside your Exchange environment

If the intended recipient is outside the sender's Exchange environment or if the sender isn't using an Exchange account, the recipient's certificate must be installed on the device. Use these steps.

  1. In a signed message from your intended recipient, tap the sender's address. Invalid signatures have a red question mark   to the right of the sender's address. Mail indicates valid signatures with a blue check mark   to the right of the sender's address.
  2. If the sender's certificate was issued by an unknown certificate authority, you can manually install the certificate for this email address. Tap View Certificate.

  3. To install and trust the sender's signing certificate, tap Install.
  4. The Install button changes color to red and reads Remove. Tap Done in the upper-right to complete the certificate-installation process.
  5. iOS associates this digital certificate with the recipient's email address, allowing for message encryption.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: