Manage your devices with the email compliance policies applicable for SEG Proxy configuration. These compliance policies help you prevent non-compliant, unmanaged, or blocked devices from accessing corporate emails.

Apart from compliance policies, you can also use the Email dashboard and the list view page to effectively manage your corporate devices. You can view the status of the devices using the Email Dashboard and the user-specific or device-specific information using the List View page.

Note:

Workspace ONE will not provision passwords for new users, but SEG will continue to proxy the requests for devices that were previously enrolled successfully to Google.

Compliance Policies

The compliance policies mentioned in this section can be activated from the Email > Compliance Policies page. For information on how to activate the policies, see Activate an Email Compliance Policy.

General Email Policies

  • Sync Settings – Prevent the device from syncing with specific EAS folders. Note that Workspace ONE prevents devices from syncing with the selected folders irrespective of other compliance policies. For the policy to take effect, you must republish the EAS profile to the devices (this forces devices to resync with the email server).
  • Managed Device – Restrict email access only to managed devices.
  • Mail Client – Restrict email access to a set of mail clients.
  • User – Restrict email access to a set of users.
  • EAS Device Type – Allow or block devices based on the EAS Device Type attribute reported by the end-user device.

Managed Device Policies

  • Inactivity – Allows you to prevent inactive, managed devices from accessing email. You can specify the number of days a device shows up as inactive (that is, does not check in to Workspace ONE), before email access is cut off.
  • Device Compromised – Allows you to prevent compromised devices from accessing email. Note that this policy does not block email access for devices that have not reported compromised status to Workspace ONE.
  • Encryption – Allows you to prevent email access for unencrypted devices. Note that this policy is applicable only to devices that have reported data protection status to Workspace ONE.
  • Model – Allows you to restrict email access based on the Platform and Model of the device.
  • Operating System – Allows you to restrict email access to a set of operating systems for specific platforms.
  • Require ActiveSync Profile - Allows you to restrict email access to devices whose email is managed through an Exchange ActiveSync profile.

Email Security Policies

  • Email Security Classification – Define the action for the SEG to take on emails with and without security tags. You may either allow or block the emails on AirWatch Inbox or other email clients.
  • Attachments (managed devices) – Encrypt email attachments of the selected file types. These attachments are secured on the device and are only available for viewing on the VMware Content Locker. Currently, this feature is only available on managed iOS, Android, and Windows Phone devices with the VMware Content Locker application. For other managed devices, you can choose to either allow encrypted attachments, block attachments, or allow unencrypted attachments.
  • Attachments (unmanaged devices) – Allow encrypted attachments, block attachments, or allow unencrypted attachments for unmanaged devices.
  • Hyperlink – Allow device users to open hyperlinks contained within an email directly with VMware Browser present on the device. The Secure Email Gateway dynamically modifies the hyperlink to open in VMware Browser. You may choose one of the Modification Type:
    • All - Choose to open all the hyperlinks with VMware Browser.
    • Include - Choose if you want the device users to open only the hyperlinks through the VMware Browser. Mention the included domains in the Only modify hyperlinks for these domains field. You can bulk upload the domain names from a CSV file as well.
    • Exclude - Choose if you do not want the device users to open the mentioned domains through the VMware Browser. Mention the excluded domains in the Modify all hyperlinks except for these domains field. You can bulk upload the domain names from a CSV file as well.

Email Dashboard

Gain visibility into the email traffic and monitor the devices through the Workspace ONE Email Dashboard. This dashboard gives you a real-time summary of the status of the devices connected to the email traffic. You can access the Dashboard from Email > Dashboard . The email dashboard enables you to:

  • Whitelist or blacklist a device to allow or deny access of email
  • View the devices which are managed, unmanaged, compliant, non- compliant, blocked, or allowed
  • View the device details such as OS, Model, Platform, Phone Number, IMEI, IP address

MEM_EmailDashboard

From the Dashboard, you can also use the available Graphs to filter your search. For example, if you want to view all the managed devices of that organization group, select the Managed Devices graph. This displays the results in the List View screen.

List View

View all the real-time updates of your end user devices that you are managing with Workspace ONE MEM. You can access the List View from Email > List View. You can view the device or user-specific information by switching between the two tabs: Device and User. You can change the Layout to either view the summary or the detailed list of the information based on your requirement.

The List View screen provides detailed information that includes:

  • Last Request - In PowerShell integration, this column displays the last state change of the device either from Workspace ONE or from Exchange. In SEG integration, this column shows the last time a device synced mail.
  • User - The user account name.
  • Friendly Name - The friendly name of the device.
  • MEM Config - The configured MEM deployment that is managing the device.
  • Email Address - The email address of the user account.
  • Identifier - The unique alpha-numeric identification code associated with the device.
  • Mail Client - The email client syncing the emails on the device.
  • Last Command - The command triggers the last state change of the device and populates the Last Request column.
  • Last Gateway Server -The server to which the device connected.
  • Status - The real time status of the device and whether email is blocked or allowed on it as per the defined policy.
  • Reason - The reason code for allowing or blocking email on a device.
Note:

The reason code displays 'Global' when access state is defined by the default organization allow/block/quarantine policy. The reason code is 'Individual' when device ID is explicitly set for a given mailbox by Exchange admin or Workspace ONE. The reason code is 'Policy' when device is blocked by any EAS policy.

  • Platform, Model, OS, IMEI, EAS Device Type, IP Address - The device information displays in these fields.
  • Mailbox Identity - The location of the user mailbox in the Active Directory.

Filters for Quick Search

The Filter option is available on the List View page. Using this filter, you can narrow your device search based on:

  • Last Seen - All, less than 24 hours, 12 hours, 6 hours, 2 hours.
  • Managed - All, Managed, Unmanaged.
  • Allowed - All, Allowed, Blocked.
  • Policy Override: All, Blacklisted, Whitelisted, Default.
  • Policy Violation - Compromised, Device Inactive, Not data Protected/Enrolled/MDM Compliant, Unapproved EAS Device Type/Email Account/Mail Client/Model/OS.
  • MEM Config - Filter devices based on the configured MEM deployments.

Performing Actions

The Override, Actions and Administration drop-down menu provides a single location to perform multiple actions on the device.

Note:

Please note that these actions once performed cannot be undone.

Override

Select the check box corresponding to a device to perform actions on it.

  • Whitelist - Allows a device to receive emails.
  • Blacklist - Blocks a device from receiving emails.
  • Default - Allows or blocks a device based on whether the device is compliant or non-compliant.

Actions

  • Run Compliance - Triggers the compliance engine to run for the selected MEM configuration. For any device that has a state change (that is, compliant to non-compliant or conversely), Workspace ONE sends out an Allow/Block command accordingly.
  • Test Mode - Tests email policies without applying them on devices.

Administration

  • Dx Mode On - Runs the diagnostic for the selected user mailbox providing you the history of the device activity. After enabling this option, Workspace ONE starts recording the activity of the device. This feature is available for SEG only.
  • Dx Mode Off - Turns off the diagnostic for the selected user mailbox. This feature is available for SEG only.
  • Update Encryption Key - Resets the encryption and the resyncs the emails for the selected devices. This feature is available for SEG only.
  • Delete Unmanaged Devices - Deletes the selected unmanaged device record from the dashboard. Please note that this record may reappear after the next sync.
  • Migrate Devices - Migrates selected device to other chosen MEM configurations by deleting the installed EAS profile and pushing the EAS profile of the chosen configuration on the device.