Retrieving S/MIME certificates

You can use certificate retrieval profiles to allow Android and iOS devices to search for and retrieve recipients' S/MIME certificates from LDAP certificate servers. If a required S/MIME certificate is not already in a device's certificate store, the device retrieves it from the server and imports it into the certificate store automatically.
Android and iOS devices search each LDAP certificate server that you specify in the profile and retrieve the S/MIME certificate. If there is more than one S/MIME certificate and a device is unable to determine the preferred one, the device displays all the S/MIME certificates so that the user can choose which one to use.
You can require that devices use either simple authentication or Kerberos authentication to authenticate with LDAP certificate servers. If you require that devices use simple authentication, you can include the required authentication credentials in certificate retrieval profiles so that devices can automatically authenticate with LDAP certificate servers. If you require that devices use Kerberos authentication, you can include the required authentication credentials in certificate retrieval profiles so that Android and iOS devices can automatically authenticate with LDAP certificate servers. Otherwise, the device prompts the user for the required authentication credentials the first time that the device attempts to authenticate with an LDAP certificate server.
If you implement Kerberos authentication for S/MIME certificate retrieval, you must assign a single sign-on profile to the applicable users or user groups. For more information about creating and assigning a single sign-on profile, see Setting up single sign-on authentication for devices.
If you do not create a certificate retrieval profile and assign it to user accounts, user groups, or device groups, users must manually import S/MIME certificates from a work email attachment or a computer.