Before starting the technical part, which contains a unique and full solution to deploy S/MIME certificates with MEM Intune to clients, I will highlight why it is important to implement S/MIME within your environment.
I started the work on this topic as we had the internal discussion at baseVISION if and how we could achieve S/MIME. Especially, the how was problematic as there is no end to end solution available and the certificate provider like SwissSign, DigiCert, Comodo are not really specialized on automatic deployment of such certificates. Their core business is still SSL certificates and therefore all documentations on their side and as well on Microsoft side is only partly available.
Available Gateway solutions are not an end-to-end solution and would still allow modifications before signature is applied and if an attacker was able to breach the credentials of a user he is able to send signed messages too.
You just want to implement, then go directly to Github.
Table of Contents
In short: S/MIME is a standard based on private/public key cryptography to sign and/or encrypt messages.
To use encryption the sender and receiver need to trust the certificate authority of the counterpart. So, using an internal Certificate Authority is suboptimal for external communication. Additionally, encryption is challenging because the email is encrypted with a specific certificate and internal deployment methods like SCEP/PKCS is always delivering a different certificate on each request.
- You must have the private key of the certificate that encrypted the email on the device where you’re reading the email so it can be decrypted.
- Before a certificate on a device expires, you should import a new certificate so devices can continue to decrypt new email. Renewal of these certificates isn’t supported.
- Encryption certificates are renewed regularly, which means that you might want to keep past certificate on your devices, to ensure that older email can continue to be decrypted
The signature is helping to ensure that nobody modified the message (non-repudiation) by using Digital Signature. Each recipient can verify this by using the public key which is sent with the message. If the receiver does not trust the certificate, then he will see a warning which can happen when an internal certificate authority is used. Therefore, we recommend using a public CA. Also with the signature it’s helpful to use the same certificate on all devices as then the receiver has just to trust one certificate and also the costs are lower.
Because of that certificate deployment methods like SCEP or PKCS can or should not be used and the “Imported PKCS” of MEM should be followed.
Trust is the key
In today’s word it’s important to provide trust to partners, customers and suppliers that a specific mail was sent from the expected person and not by an malicious. The S/MIME signature is the perfect solution for that. It guarantees non-reputation!