Configuring S/MIME through the Self-Service Portal



Set up S/MIME encryption and signing for emails, with each user manually uploading their certificates on the Self-Service Portal. This allows all of a user's devices to sign, encrypt, and decrypt emails.


  • AirWatch 6.2+
  • iOS 5+ and native email client
  • Android SAFE 2+ and native email client
  • ActiveSync server
  • Encryption certificates provided to users


S/MIME is used on Exchange ActiveSync servers to sign and encrypt emails to increase security. Emails are encrypted using the public key of the recipient's certificate; hence they can be decrypted only using a unique certificate held by the recipient. (For more information about S/MIME, see This causes maintenance headaches when a user has multiple devices and has to securely install this unique certificate on all of them. AirWatch has developed a solution that enables each user to upload their unique certificates to the Self-Service Portal to be pushed securely and used on all of their devices.


Configuration in AirWatch Profile


First, test the S/MIME functionality by uploading the signing/encryption certificate in the payload before asking the users to upload their certificates.

AirWatch Admin Console Setup

  1. In the console, navigate to Menu > Profiles.
  2. Edit the profile that contains the Exchange ActiveSync information.
  3. Select the Credentials payload.
    1. Add a credential payload.
    2. In the Certificate Source drop-down, select User Certificate.
    3. Select the usage that the certificate will be used for: S/MIME Signing Certificate or S/MIME Encryption Certificate.
    4. Repeat steps 2 and 3 if a second certificate is used.
Note: If only one certificate will perform signing and encryption, use S/MIME Signing Certificate. 


  4. Select the Exchange ActiveSync payload.
  5. Select Use S/MIME.
    1. Select the S/MIME Certificate (will be used for signing).
    2. Select the S/MIME Encryption Certificate.

Note: The same certificate can be used for both usages.

Note: The profile will not be pushed onto the devices until certificates are uploaded manually by each user in the Self-Service Portal.





Configuration in the Self-Service Portal



The user needs a signing and/or encryption certificate and may have to extract it manually from their PC using the instructions at this link:


Self-Service Portal steps

  1. Log in to the Self-Service Portal (SSP).
  2. Click on the User Name to edit the user preferences.



  3. Select Use S/MIME.
  4. Upload the certificate that will be used for signing and possibly encryption.
  5. If a different certificate is used for Encryption, select Separate Encryption Certificate.
    1. Upload the certificate that will be used for encryption.

Note: The same certificates will be pushed to all the user’s devices.
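Before a certificate is uploaded, it helps to confirm which of the two usages it can actually serve. The script below is an added example, not part of the AirWatch documentation: it uses the OpenSSL command line to report whether a certificate is acceptable for S/MIME signing, encryption, or both. It assumes the certificate is available as a PEM file and that OpenSSL 1.1.1 or later is installed; the function names and the sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which S/MIME usages OpenSSL accepts for a certificate.
# Prints one of: signing | encryption | signing+encryption | none | error
smime_usage() {  # $1 = PEM certificate file (assumed input format)
    purposes=$(openssl x509 -in "$1" -noout -purpose 2>/dev/null) || {
        echo "error"; return 2
    }
    sign=no; enc=no
    # End-entity lines read "S/MIME signing : Yes"; the separate
    # "S/MIME signing CA" lines do not match these patterns.
    echo "$purposes" | grep -q '^S/MIME signing : Yes' && sign=yes
    echo "$purposes" | grep -q '^S/MIME encryption : Yes' && enc=yes
    case "$sign,$enc" in
        yes,yes) echo "signing+encryption" ;;  # one certificate covers both usages
        yes,no)  echo "signing" ;;             # a separate encryption certificate is needed
        no,yes)  echo "encryption" ;;          # a separate signing certificate is needed
        *)       echo "none" ;;                # e.g. a TLS-only certificate
    esac
}

# Constructed sample input: a throwaway self-signed certificate.
make_sample_cert() {  # $1 = output file, $2 = keyUsage, $3 = extendedKeyUsage
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed.example" -keyout "$1.key" -out "$1" \
        -addext "keyUsage=critical,$2" \
        -addext "extendedKeyUsage=${3:-emailProtection}" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/sign.pem" digitalSignature
    make_sample_cert "$tmp/enc.pem"  keyEncipherment
    make_sample_cert "$tmp/dual.pem" digitalSignature,keyEncipherment
    make_sample_cert "$tmp/tls.pem"  digitalSignature serverAuth
    for name in sign enc dual tls; do
        printf '%s.pem: %s\n' "$name" "$(smime_usage "$tmp/$name.pem")"
    done
    rm -rf "$tmp"
}
demo
```

A result of "signing+encryption" corresponds to the single-certificate case in the notes above; "signing" or "encryption" alone means a second certificate has to be uploaded for the other usage.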


