
Digital signing and encryption
Access control lists
Keychain data is partitioned and protected with access control lists (ACLs). As a result, credentials stored by third-party apps can’t be accessed by apps with different identities unless the user explicitly approves them. This protection provides a mechanism for securing authentication credentials in Apple devices across a range of apps and services within the organization.
In the Mail app, users can send messages that are digitally signed and encrypted. Mail automatically discovers appropriate RFC 5322 case-sensitive email address subject or subject alternative names on digital signing and encryption certificates on attached Personal Identification Verification (PIV) tokens in compatible smart cards. If a configured email account matches an email address on a digital signing or encryption certificate on an attached PIV token, Mail automatically displays the signing button in the toolbar of a new message window. If Mail has the recipient’s email encryption certificate or can discover it in the Microsoft Exchange global address list (GAL), an unlocked icon appears in the new message toolbar. A locked lock icon indicates the message will be sent encrypted with the recipient’s public key.
Users can also create a list of specific email domains. Mail messages that are addressed to domains not in the approved list are marked in red. For example, a user can have example.com and group.example.com in a list of known domains. If this user addresses a mail message to anyone@acme.com, that address is marked in red. The user then knows that the domain acme.com isn’t in the approved list.
Per-message S/MIME
iOS, iPadOS, and macOS support per-message S/MIME. This means that S/MIME users can choose to always sign and encrypt messages by default or to selectively sign and encrypt individual messages.
Identities used with S/MIME can be delivered to Apple devices using a configuration profile, a mobile device management (MDM) solution, the Simple Certificate Enrollment Protocol (SCEP), or Microsoft Active Directory Certificate Authority.