Many organizations require signed and encrypted emails to protect sensitive data. On Android devices, Outlook Mobile can use S/MIME certificates for this purpose, but the certificate must be installed on the device first. Microsoft Intune can deploy the certificate automatically, but the installation process is not always obvious. This article explains how to trigger the certificate installation on an Android device managed by Intune so that Outlook Mobile can use S/MIME.
Key Takeaways: Installing S/MIME Certificate on Android via Intune
- Company Portal app > Devices > Check Access: Triggers Intune policy sync and certificate delivery to the device.
- Settings > Security > Encryption & credentials > Install from storage: Manual fallback method if Intune deployment fails.
- Outlook Mobile > Settings > S/MIME: Location where the installed certificate is selected for signing and encryption.
How Intune Delivers S/MIME Certificates to Android Devices
Microsoft Intune uses a certificate profile to push S/MIME certificates to enrolled Android devices. The profile is assigned to a user or device group in the Intune admin center. When the device checks in with Intune, it downloads the certificate and installs it into the device certificate store. This process requires that the device is enrolled in Intune management, usually through the Company Portal app. The certificate must be in PKCS12 format with a .pfx or .p12 extension and include the private key. Intune can also use a trusted certificate profile to install the root CA certificate if needed.
The certificate delivery depends on the device checking in with Intune. Android devices check in every 8 hours by default. You can force a check-in from the Company Portal app to speed up the process. After the certificate is installed, Outlook Mobile can access it from the device certificate store.
Steps to Install the S/MIME Certificate on Android via Intune
- Open the Company Portal app on your Android device
Tap the Company Portal icon on your home screen or app drawer. Sign in with your work or school account if prompted. - Tap the Devices tab at the bottom
This shows a list of devices enrolled in Intune. Select the device you are currently using. - Tap Check Access or Sync
The exact button text depends on the Company Portal version. Look for a button that says Check Access, Sync, or Sync device. Tapping it forces the device to check in with Intune immediately. - Wait for the sync to complete
You will see a status message. The sync usually takes 30 seconds to 2 minutes. Do not close the app during this time. - Open Outlook Mobile on your Android device
Launch the Outlook app. Go to Settings by tapping your profile picture or the gear icon in the top left corner. - Tap S/MIME under the Mail section
If you do not see S/MIME, your organization may not have enabled it. Contact your IT administrator. - Select the certificate under Signing Certificate or Encryption Certificate
Outlook displays a list of certificates available on the device. Tap the one that matches your email address. If no certificates appear, the Intune deployment may not have completed yet.
If the Certificate Does Not Appear in Outlook
If the certificate is not listed in Outlook after the sync, the Intune policy may not have assigned the certificate to your device. Open the Company Portal app again and check the device compliance status. If the device is noncompliant, resolve the compliance issues first. Then repeat the sync steps. You can also ask your IT administrator to verify that the certificate profile is assigned to your user or device group.
Manual Certificate Installation as a Fallback
- Obtain the certificate file from your IT administrator
The certificate must be in .pfx or .p12 format with the private key. Save the file to your device Downloads folder or cloud storage. - Open Settings on your Android device
Scroll to Security and then Encryption & credentials. - Tap Install from storage
Browse to the certificate file and tap it. You will be prompted to enter the certificate password. - Enter the certificate password and tap OK
The certificate is installed into the user certificate store. You can now select it in Outlook Mobile under S/MIME settings.
Common Issues After Certificate Installation
Outlook Mobile Shows S/MIME but No Certificates
This happens when the certificate is not in the Android user certificate store. The Intune deployment may have failed silently. Force a sync in Company Portal and check the device certificate store by going to Settings > Security > Encryption & credentials > User credentials. If the certificate is listed there, restart Outlook. If it is not listed, reinstall the certificate manually using the fallback method above.
Certificate Installed but Outlook Cannot Sign or Encrypt
The certificate may lack the extended key usage for secure email. Check the certificate details by tapping it in the user credentials list. Look for the field Enhanced Key Usage. It must include Secure Email. If it does not, request a new certificate from your IT administrator with the correct key usage.
Company Portal Sync Fails or Times Out
A poor network connection can prevent the sync from completing. Switch to a stable Wi-Fi network and try again. If the sync still fails, uninstall and reinstall the Company Portal app. After reinstalling, enroll the device again and repeat the sync steps.
Intune Certificate Profile vs Manual Installation: Key Differences
| Item | Intune Certificate Profile | Manual Installation |
|---|---|---|
| Deployment method | Pushed automatically by Intune policy | User installs the certificate file manually |
| User action required | Sync device in Company Portal | Download file and install through Settings |
| Certificate format | PKCS12 (.pfx or .p12) with private key | PKCS12 (.pfx or .p12) with private key |
| Root CA certificate handling | Can be deployed via trusted certificate profile | Must be installed separately if not already trusted |
| Best for | Large organizations with many devices | Small teams or troubleshooting scenarios |
After the certificate is installed and selected in Outlook Mobile, you can compose signed or encrypted messages. Tap the three dots in the compose window and select Sign or Encrypt. Outlook shows a lock icon or a signed ribbon icon to confirm the action. To verify that encryption works, send a test email to another S/MIME user in your organization and ask them to confirm they can decrypt it.