The features that AirWatch supports and the recommended deployment sizes are listed in this section. Use the decision matrix to choose the deployment that best suits your need.

Attachment Encryption

With enforced attachment encryption on your mobile devices, AirWatch can help keep your email attachments secure without hindering the end users' experience.

  Native AirWatch Inbox Touchdown Traveler VMware Boxer
Windows Phone*        

*If your deployment includes Windows Phone 8/8.1/RT devices, AirWatch recommends using attachment encryption.

SEG supports attachment encryption and hyperlink transformation on Boxer, only if these features are enabled for the Boxer app configuration on the AirWatch Console.

SEG supports attachment encryption with Exchange 2010/2013/2016 and Office 365.

Email Management

Follow the configuration recommendations in the table below to get maximum security.

  Gmail PowerShell Secure Email Gateway (SEG)
Cloud Mail Infrastructure
Office 365   **
On-premises Email Infrastructure
Exchange 2010   ^
Exchange 2013   ^
Exchange 2016   ^
Lotus Notes    
Novel GroupWise    

^AirWatch recommends using the Secure Email Gateway (SEG) for all on-premises email infrastructures with deployments of more than 100,000 devices. For deployments of less than 100,000 devices, using PowerShell is another option for your email management. Please refer to the Secure Email Gateway vs. PowerShell Decision Matrix.

**The recommended threshold for PowerShell implementations is based on the most recent set of completed performance tests, and may change on a release by release basis. Deployments up to 50,000 devices can expect reasonably quick sync and run compliance time frames (less than three hours). As the deployment size expands closer to 100,000 devices, then administrators can expect the sync and run compliance processes to continue to increase in the 3 – 7 hour time frame.

Secure Email Gateway vs PowerShell Decision Matrix

Use the following matrix to understand the deployment features of SEG and PowerShell, and choose a deployment that best suits your need.

  Pros Cons
  • Real Time Compliance

  • Attachment encryption
  • Hyperlink transformation
  • Additional server (s) required

  • ADFS must be configured to prevent end users from connecting directly to Office 365 (around SEG) +
  • No additional on-premises servers required for email management

  • Mail traffic is not routed to an on-premises server before being routed to Office 365, so ADFS is not required
  • No real time compliance sync
  • Not recommended for large deployments (more than 100000)
  • VMware Boxer must be used to containerize attachments and hyperlinks in VMware Content Locker and VMware Browser respectively
+ Microsoft recommends using Active Directory Federated Services (ADFS) for preventing direct access to Office 365 email accounts.

Connecting IBM Notes Traveler Server through AirWatch Inbox

If you are using an AirWatch Exchange ActiveSync profile to connect to an IBM Notes Traveler server through the Android AirWatch Inbox, you may receive 'HTTP 449' response when an Android device attempts to connect to the Traveler server. This 'HTTP 449' error occurs if the ActiveSync policy headers sent from the client (and enforced through AirWatch) do not match the policy headers supported by the Traveler server.

AirWatch recommends the following steps to resolve such issues:

  1. Add the following flag to the notes.ini file on the Traveler server.
                      NTS_AS_PROVISION_EXEMPT_USER_AGENT_REGEX =(AirWatch*) | (Apple*; AWInbox*) 

Adding this flag disables Traveler from enforcing any policies to the AirWatch Inbox. You should then use AirWatch to apply the required policies to the AirWatch Inbox.

Devices that use policies provisioned directly by Traveler (that is, not configured through AirWatch), are not affected.

  1. Restart the Traveler server.


If you are using IBM Notes Traveler with SEG 7.3+, then the IBM Notes Traveler requires the Microsoft-Server-Activesync website support.