S/MIME Support

A friend of mine has a BlackBerry Bold and he needs S/MIME support for reading and sending e-mails. The problem is he's telling me that it won't work for him because he is running on BIS and that you need BES for this to actually work, can anyone shed any more light on this?

If you do require BES then I think he is a bit screwed because there's no way he could get one set up at work. I've been trying to Google around for other mobile OSes and applications to see what support is like but I'm not getting very clear results. This is what I believe support for S/MIME looks like:

Android: Yes, via 3rd party applications
BlackBerry OS: Yes, via BES only
iOS: Yes
Windows Phone 7: No

Is all that correct? I've got zero knowledge about this so appreciate answers from people who do :D
 
S/MIME is basically encrypted mail but let's leave that alone for now as it doesn't matter, I expect that's just his mail server's forced flag.

BIS - BIS is a consumer service - BlackBerry Internet Service - good for the general public, setting up mails from the likes of Google and co. Phones connect to a BIS server (hosted by the telco) and this sends webpages, mails, BBM to the phones over BlackBerry's secure protocol. Note that this is a handset to internet setup as BES is a longer chain...

BES - BlackBerry Enterprise Services - is a commercial (and expensive) solution where you couple a BES server to your mail server in your internal network, mails get sent from your mail server to the BES server to RIM's network then down to the handset (so sorta BIS-extended to home). Traffic from a handset goes to the BES server within your network encrypted with a secure key (that your BES server generated).

Put it this way, you don't use BlackBerrys in business without a BES server as it's missing the whole point, it's sold as a service (encrypted E2E mail/traffic that's virtually* uncrackable). If he's got no BES server this is going 100% nowhere.
 
Thanks for the info Myshra, so basically without BES he's going nowhere with his BlackBerry.

Okay so if we forget about BlackBerrys for now, does anyone know if e-mail clients for Android, iOS and Windows Phone 7 support S/MIME? If so which? He basically needs to be able to send mail signed by his S/MIME certificate and receive mail signed by others' S/MIME certificates. He's all good to go on the PC front because Outlook can handle all this, he just needs mobile access.
 
Right, I just checked my 2.3 handset and it allows S/MIME (anyone who wants to check - go to the mailbox to check > menu > account settings > Security Policy List) but I warn you - this is set up in a different method to the above and requires a different setup.

In order to make company mail work on Androids your company needs a public facing Exchange server. You'll know if you have one because it looks like this: http://en.wikipedia.org/wiki/Outlook_Web_App (seriously, renamed it to "App"... come on MS) and you can access your work mail from home probably. It's possible to have a public facing Exchange server without this (e.g. a hidden method of access) but rarer from the companies I have dealt with.

Assuming you have this you connect to the mail server by setting up an "Exchange mailbox" in Android - either through the mail client or through the account sync system. Slap in the credentials, everything should work (you'll probably need to tick "allow all SSL certs"). The whole setup can be described as "Exchange via ActiveSync" if you need to talk to someone technical in your company, this is the real name of the protocol in use here.

EDIT: You may need to provide a cert, I honestly am not sure if it's downloaded or not on first connect (probably not thinking about it). Android allows you to import / enable use of certs in a different menu - settings > location and security > credential storage. Everything else I got no clue about sorry, my mail setup isn't as secure as this.

Edit2: It's probably worth noting if your work policy requires cryptographically signed E-mails then you shouldn't try and do this on your phone as you're probably circumventing a security policy. If this is at a bank/aerospace/clearing house/secure government building or other such secure industry you should probably stop right now as when they see the cert export from your PC to the phone you will be in some extremely serious territory. Cert export is grounds for immediate termination in many companies in these industries.
 
Brilliant thanks Myshra :).

I'll let him know all of this and also tell him that he seriously needs to speak with someone who knows the ins and outs of this sort of thing in detail.
 