SMIME certificates add complexity to certificate distribution because distribution involves recovering a certificate that may already have been issued and installed on other devices, so that users can decrypt and view emails on multiple devices.
To distribute an SMIME certificate via MDM protocols, Workspace ONE UEM requires the private key and password to be stored in the database, at least temporarily. This limitation stems from operating systems such as Apple iOS, which cannot prompt the user for the certificate password through the native OS. The certificate password is encrypted to prevent unauthorized access. As an additional mitigation, Workspace ONE UEM supports configuring an SMIME certificate retention period after which certificates are marked for deletion; a scheduled task then removes the marked certificates from the database.
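The retention lifecycle described above (temporary storage, marking after the retention period, removal by a scheduled task), modelled as an added example; this is not Workspace ONE UEM code, and the class, method names and the rule that a marked entry is no longer delivered to further devices are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class StoredSmimeCert:
    user: str
    sealed_p12: bytes        # PKCS#12 with private key, encrypted at rest (opaque placeholder here)
    sealed_password: bytes   # certificate password, encrypted at rest (opaque placeholder here)
    stored_at: datetime
    marked_for_deletion: bool = False


class SmimeCertStore:
    """Hypothetical model of a temporary certificate store with a retention period."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._records: dict[str, StoredSmimeCert] = {}

    def store(self, user: str, sealed_p12: bytes, sealed_password: bytes, now: datetime) -> None:
        self._records[user] = StoredSmimeCert(user, sealed_p12, sealed_password, now)

    def fetch_for_device(self, user: str) -> Optional[StoredSmimeCert]:
        """Material for delivery to another device; None if absent or already marked (assumption)."""
        rec = self._records.get(user)
        return None if rec is None or rec.marked_for_deletion else rec

    def mark_expired(self, now: datetime) -> list[str]:
        """Mark every entry older than the retention period; returns the affected users."""
        marked = []
        for rec in self._records.values():
            if not rec.marked_for_deletion and now - rec.stored_at >= self.retention:
                rec.marked_for_deletion = True
                marked.append(rec.user)
        return marked

    def purge(self) -> int:
        """Scheduled task: drop marked entries, overwriting the key material first."""
        doomed = [u for u, r in self._records.items() if r.marked_for_deletion]
        for user in doomed:
            rec = self._records.pop(user)
            rec.sealed_p12 = bytes(len(rec.sealed_p12))
            rec.sealed_password = bytes(len(rec.sealed_password))
        return len(doomed)

    def count(self) -> int:
        return len(self._records)


def demo() -> tuple:
    """Constructed scenario: a 7-day retention window, one entry aged out, one still inside it."""
    t0 = datetime(2024, 1, 1)
    store = SmimeCertStore(retention=timedelta(days=7))
    store.store("alice", b"<p12 placeholder>", b"<pw placeholder>", t0)
    store.store("bob", b"<p12 placeholder>", b"<pw placeholder>", t0 + timedelta(days=5))
    marked = store.mark_expired(t0 + timedelta(days=8))
    purged = store.purge()
    return (marked, purged, store.count(),
            store.fetch_for_device("alice") is not None,
            store.fetch_for_device("bob") is not None)
```

The window between `store` and `purge` is exactly the exposure the retention setting bounds: a shorter retention period limits how long key material sits in the database, at the cost of fewer days in which additional devices can receive it.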
Customers that opt out of temporarily storing the certificate with its private key and password have the following alternatives:
- Distribute the SMIME certificate independently of Workspace ONE UEM
  - SMIME certificates can be distributed outside of Workspace ONE by letting users download the certificate from a web portal, or by emailing the certificate (without its password) to the end user and having them import it into Workspace ONE Boxer, which prompts the user to enter the certificate password
- Use a derived credential PKI vendor
- Store the certificate private key and password locally on the device using Workspace ONE PIV-D Manager
Note: The alternatives above have a significant impact on the end-user experience and require users to complete the email configuration manually in order to use SMIME.