Last week, Microsoft announced MC182605 in their admin Message Center. It describes a long-awaited and much-needed email security feature: the Microsoft Outlook mobile apps will soon have built-in support for S/MIME (Secure/Multipurpose Internet Mail Extensions). The feature is currently in development and is now expected to start rolling out after mid-July 2019.
History of Secure Email with Outlook
The desktop Microsoft Outlook client has fully supported S/MIME signatures and encryption for well over a decade now. It allows enterprises using their own keys/PKI, or certificates issued by a third party, to send and receive signed and encrypted S/MIME emails end-to-end. However, a major problem existed for users of S/MIME: you HAD to use your desktop client to view your encrypted emails and validate any signed emails. Users could not view their S/MIME emails in a browser via Outlook Web App (OWA), and they couldn’t view their S/MIME emails on their smartphones via the Outlook mobile app either. Other mobile email apps DO exist that support S/MIME on your phone, such as the Samsung Galaxy built-in email app, Ciphermail, etc.
Caveats for S/MIME in OWA
OWA has limited support for S/MIME. There are many hurdles to navigate to use S/MIME with OWA.
- Internet Explorer 9+ or Edge browser is required; no Chrome support.
- An ‘S/MIME control’ must be installed within the browser to view S/MIME emails, even signed emails.
- You can’t view the email contents or validate signatures in the normal reading pane; you must ‘double-click’ each secured email to open it in a new popup window for the S/MIME control to work. Otherwise you cannot view the email content.
- Only internal S/MIME is supported: The recipients must be in your address book and have a discoverable public certificate.
- When sending to multiple recipients where only some have usable certificates, OWA will still send the S/MIME email to all recipients, rendering the message unreadable to those without a certificate!
Caveats with Outlook Mobile
- S/MIME will only be available for Office 365 customers using the Microsoft sync technology for Outlook mobile. There is no support for on-premises Exchange users.
- At launch, each user will need to manually deliver their certificates to their phone/tablet by sending them to themselves as an email attachment. This is cumbersome and a potential security risk, since the private key travels through the mailbox.
- Only internal S/MIME is supported: Users can only use S/MIME to those in their address book. “If you send an encrypted message to someone outside your organization, they will not be able to decrypt and read the message.”
- You must use Microsoft Intune or your existing MDM solution to set up automatic delivery of the certificates to your Android devices, once it’s available. See how to set up your certificate profile here.
- It will not support derived credentials at launch.
Despite all these limitations, it is still a great functional enhancement. At the very least, mobile users will now be able to read/verify most digitally signed emails sent to them.
End-to-End Vs. Gateway S/MIME
Even with the addition of S/MIME support to Outlook mobile apps, you can see the caveats and limitations are almost crippling. It’s still a major headache to manage and implement end-to-end S/MIME for even a single person across all their devices, much less across an entire organization.
Gateway-level S/MIME can simplify the entire process by drastically reducing both end-user frustration and administrative overhead. With a solution like the Securemail Gateway™, you can centrally manage ALL your users’ S/MIME signing and encryption certificates. This is true whether you’re using GlobalCerts’ default issued certificates or 3rd-party certificates issued by a commercial CA.
Best of all, SecureTier™ automatically connects ALL GlobalCerts users so there’s no need to search through LDAP certificate repositories or manually send signed emails back and forth to share certificates. You can also import and manage partner organizations’ S/MIME certificates. This enables ALL your users, across ALL devices to send signed and encrypted emails to external parties.
It is certainly promising that the Outlook mobile apps will soon support S/MIME for Office 365 customers. This is great news for both end-to-end S/MIME users as well as gateway S/MIME organizations. In both cases their digital signatures will now be viewable when recipients are viewing their emails via their mobile app.
The availability of this feature within Outlook mobile gives organizations even more reason to digitally sign all outgoing emails as standard practice. Signing with an S/MIME certificate issued by a commercial CA like GlobalSign gives the recipient automatic and irrefutable proof that the message hasn’t been tampered with and that it originated from the stated sender. This type of assurance is absolutely vital to preserve your brand and reputation, and to combat phishing attacks via email spoofing.
https://portal.office.com/adminportal/home#/MessageCenter?id=MC182605&MCLinkSource=DigestMail (Requires Microsoft Login)