I have a 10.11 system natively joined to AD. I have a PIV card. AD has the mappings between PIV cards and AD users. I enabled smartcard authentication via the command line "sudo -s security authorizationdb smartcard enable". When I plug in my PIV card at the login screen, OS X knows immediately who I am and asks for my PIN.
For several releases of OS X I have been able to receive and read encrypted emails using my PIV card with Apple Mail, and I have been able to send digitally signed emails using my PIV card with Apple Mail. I have NEVER been able to send encrypted emails to recipients whose encipher keys were NOT stored in my local keychain. Apple Mail would NOT locate encipher keys in the userCertificate field of AD user records. If I received a prior email from a user that was encrypted, their encipher key would get stored in my local keychain. Once I had their encipher key stored in my local keychain, I could send them encrypted email.
I and many others filed bug reports complaining about Apple Mail not being able to find encipher keys in AD. OS X 10.11 appears to have addressed this.
Shortly after 10.11 beta and iOS 9 beta were released, I received a notice from Apple to test iOS 9 beta to see if it addressed the bug. That didn't make sense to me since I had opened a case against OS X. It did make me curious since Apple seems to be keeping iOS and OS X applications in sync. So today I tested this in OS X 10.11 and it appears to finally work as expected.
A few users here have encipher keys published in the userCertificate attribute of their AD user records. To test this I removed ALL recipient encipher keys from my local Keychain and enabled "Search Directory Services" in Keychain Preferences. Apple Mail 10.11 found the recipient encipher keys in the AD records, and those recipients confirmed they received my encrypted emails by replying with encrypted emails. I am continuing to test with more sample users.
Can anyone else test this and confirm it?
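For anyone repeating this test, the one thing that is easy to get wrong is what is actually published in userCertificate: Mail needs a certificate with the Key Encipherment usage (the PIV key management certificate), and a signing-only certificate in that attribute will not let it encrypt to the user. The script below is an added example, not the poster's commands or anything Apple ships; it pulls a user's userCertificate values from AD with OpenLDAP's ldapsearch and reports which ones carry Key Encipherment. The directory host, base DN and bind account are placeholders, and it assumes ldapsearch (with `-o ldif-wrap=no`) and openssl are on the path. The `make_test_cert` helper only builds a throwaway self-signed certificate so the usage check can be exercised offline.

```shell
#!/bin/sh
# Added example (not the poster's code): check whether the certificates an AD user
# publishes in userCertificate are usable as S/MIME encipher keys.
# Assumptions: OpenLDAP ldapsearch and openssl installed; host/base DN/bind DN are placeholders.

# Return 0 when the PEM certificate on stdin carries the Key Encipherment key usage.
has_encipher_usage() {
  openssl x509 -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Key Usage' \
    | grep -q 'Key Encipherment'
}

# For one sAMAccountName, print each published certificate's subject and whether Mail
# could use it to encrypt to that user. Directory settings are placeholders.
check_ad_user() {
  ldapsearch -LLL -o ldif-wrap=no -H ldaps://dc01.example.local \
      -b 'DC=example,DC=local' -D 'reader@example.local' -W \
      "(sAMAccountName=$1)" userCertificate \
    | grep '^userCertificate:: ' | cut -d' ' -f2 \
    | while read -r b64; do
        # The attribute holds DER; ldapsearch base64-encodes it. Convert to PEM once.
        pem=$(printf '%s\n' "$b64" | base64 --decode | openssl x509 -inform DER)
        subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
        if printf '%s\n' "$pem" | has_encipher_usage; then
          echo "OK   encipher key: $subj"
        else
          echo "SKIP no Key Encipherment (signing-only cert?): $subj"
        fi
      done
}

# Build a throwaway self-signed certificate with the given keyUsage list, for testing
# has_encipher_usage offline (constructed test input, not a real user's certificate).
make_test_cert() {
  d=$(mktemp -d)
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = constructed-test\n[v3]\nkeyUsage = critical, %s\n' "$1" > "$d/cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/key.pem" \
    -config "$d/cfg" -extensions v3 -out "$d/cert.pem" 2>/dev/null
  cat "$d/cert.pem"
  rm -rf "$d"
}

# Usage: sh check_encipher.sh <sAMAccountName>
if [ "$#" -gt 0 ]; then
  check_ad_user "$1"
fi
```

Run it against a user who has replied with encrypted mail and against one who has not; a user whose only published certificate reports SKIP will fail this test regardless of whether "Search Directory Services" is enabled, because the problem is the attribute content rather than Mail's lookup.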