Email policies enhance security by restricting email access for non-compliant, unencrypted, inactive, or unmanaged devices. These policies allow you to provide email access to only the required and approved devices. Email policies can also restrict email access based on the device model and operating system.

These policies are available from Email > Compliance Policies in the AirWatch Console. Activate or deactivate the policies using the colored buttons under the Active column. Use the edit policy icon under the Actions column to allow or block a policy.

Even when there are no compliance policies set to restrict access to unmanaged devices, AirWatch still issues allow and block commands upon device enrollment and unenrollment. If you want to prevent AirWatch from issuing these automatic commands, you can select Disable Compliance on the Email > Compliance Policies page of the AirWatch Console.

General Email Policies

| Email Policy | Description |
| --- | --- |
| Managed Device | Restrict email access only to managed devices. |
| Mail Client | Restrict email access to a set of mail clients. |
| User | Restrict email access to a set of users. |
| EAS Device Type | Allow or block devices based on the EAS Device Type attribute reported by the end-user device. |

Managed Device Policies

| Managed Device Policy | Description |
| --- | --- |
| Inactivity | Allows you to prevent inactive, managed devices from accessing email. You can specify the number of days a device shows up as inactive (i.e. does not check in to AirWatch) before email access is cut off. |
| Device Compromised | Allows you to prevent compromised devices from accessing email. Note that this policy does not block email access for devices that have not reported compromised status to AirWatch. |
| Encryption | Allows you to prevent email access for unencrypted devices. Note that this policy is applicable only to devices that have reported data protection status to AirWatch. |
| Model | Allows you to restrict email access based on the Platform and Model of the device. |
| Operating System | Allows you to restrict email access to a set of operating systems for specific platforms. |
| Require ActiveSync Profile | Allows you to restrict email access to devices whose email is managed through an Exchange ActiveSync profile. |

Mail Client, EAS Device Type, and Inactivity policies require a PowerShell sync before they can be used, because the data they rely on is obtained only from Exchange. The exceptions are AirWatch Inbox on iOS and Android and the native client on iOS devices, for which the EAS Device Type is populated without a sync; all other device-client combinations require a sync.

Testing Email Policies

Testing email policies before deploying them to devices is a good practice. AirWatch recommends the following method to test the capabilities of these policies before applying them to devices.

  • Disable the Compliance option available on the Email Policies page during the testing phase. Use a separate organization group to test policies against a subset of users, using the user group filter available in the configuration wizard.

Note that disabling the compliance option prevents AirWatch from running any automatic PowerShell cmdlets based on the compliance status in AirWatch. If the default access state for a mailbox is set to Blocked or Quarantined, that state does not change for devices when they enroll in AirWatch while compliance is disabled.
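
Before disabling compliance for a test, it helps to know which devices Exchange is already holding by default, since those stay held during the test. The read-only report below is an added example, not AirWatch tooling. It assumes an Exchange 2013 or later (or Exchange Online) PowerShell session, and that the default access state mentioned above corresponds to the organization's default ActiveSync access level.

```powershell
# Added example: read-only pre-test report. Changes nothing in Exchange.
# Assumption: the session exposes Get-ActiveSyncOrganizationSettings and
# Get-MobileDevice (Exchange 2013 or later, or Exchange Online).

# Organization-wide default applied to devices that match no rule or exemption.
$defaultLevel = "$((Get-ActiveSyncOrganizationSettings).DefaultAccessLevel)"
Write-Host "Default ActiveSync access level: $defaultLevel"

# Every ActiveSync partnership with its access state and the reason for it.
# DeviceType is the EAS Device Type attribute reported by the device.
$devices = Get-MobileDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceId, DeviceType, DeviceModel, DeviceOS,
                  DeviceAccessState, DeviceAccessStateReason

# Summary: how many devices are in each state, and why.
$devices |
    Group-Object DeviceAccessState, DeviceAccessStateReason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# With a Block or Quarantine default, devices held for the 'Global' reason are
# the ones that remain held while AirWatch compliance is disabled, because no
# automatic allow command is issued for them on enrollment.
if (@('Block', 'Quarantine') -contains $defaultLevel) {
    $held = @($devices | Where-Object {
        (@('Blocked', 'Quarantined') -contains "$($_.DeviceAccessState)") -and
        ("$($_.DeviceAccessStateReason)" -eq 'Global')
    })

    Write-Host "$($held.Count) device(s) held by the organization default:"
    $held |
        Sort-Object UserDisplayName |
        Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS,
                     DeviceAccessState -AutoSize
}
else {
    Write-Host "Default is '$defaultLevel': unmatched devices are not held by default."
}
```

Running the report again after the test shows whether any access states changed while compliance was disabled.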