Retrieving S/MIME certificates
You can use certificate retrieval profiles to allow
Android
and iOS
devices to search for and retrieve recipients' S/MIME certificates from LDAP certificate servers. If a required S/MIME certificate is not already in a device's certificate store, the device retrieves it from the server and imports it into the certificate store automatically.Android
and iOS
devices search each LDAP certificate server that you specify in the profile and retrieve the S/MIME certificate. If there is more than one S/MIME certificate and a device is unable to determine the preferred one, the device displays all the S/MIME certificates so that the user can choose which one to use.You can require that devices use either simple authentication or
Kerberos
authentication to authenticate with LDAP certificate servers. If you require that devices use simple authentication, you can include the required authentication credentials in certificate retrieval profiles so that devices can automatically authenticate with LDAP certificate servers. If you require that devices use Kerberos
authentication, you can include the required authentication credentials in certificate retrieval profiles so that Android
and iOS
devices can automatically authenticate with LDAP certificate servers. Otherwise, the device prompts the user for the required authentication credentials the first time that the device attempts to authenticate with an LDAP certificate server.If you implement
Kerberos
authentication for S/MIME certificate retrieval, you must assign a single sign-on profile to the applicable users or user groups. For more information about creating and assigning a single sign-on profile, see Setting up single sign-on authentication for devices.If you do not create a certificate retrieval profile and assign it to user accounts, user groups, or device groups, users must manually import S/MIME certificates from a work email attachment or a computer.