The features that Workspace ONE UEM supports and the suitable deployment sizes are listed in this section. Use the decision matrix to choose the deployment that best suits your need.

Attachment Encryption

With enforced attachment encryption on your mobile devices, Workspace ONE UEM can help keep your email attachments secure without hindering the end users' experience.

  Native AirWatch Inbox Touchdown Traveler VMware Boxer
Windows Phone*        

*If your deployment includes Windows Phone 8/8.1/RT devices, use attachment encryption.

SEG supports attachment encryption and hyperlink transformation on Boxer, only if these features are enabled for the Boxer app configuration on the UEM console.

SEG supports attachment encryption with Exchange 2010/2013/2016 and Office 365.

Email Management

The list gives you the greatest level of security with the easiest deployment and management.

  G mail PowerShell Secure Email Gateway (SEG)
Cloud Mail Infrastructure
Office 365   ** ^
On-premises Email Infrastructure
Exchange 2010   ^
Exchange 2013   ^
Exchange 2016   ^
Lotus Notes    
Novel GroupWise    

^Use the Secure Email Gateway (SEG) for all on-premises email infrastructures with deployments of more than 100,000 devices. For deployments of less than 100,000 devices, using PowerShell is another option for your email management. Refer to the Secure Email Gateway vs. PowerShell Decision Matrix.

**The threshold for PowerShell implementations is based on the most recent set of completed performance tests, and can change on a release by release basis. Deployments up to 50,000 devices can expect reasonably quick sync and run compliance time frames (less than three hours). As the deployment size expands closer to 100,000 devices, then administrators can expect the sync and run compliance processes to continue to increase in the 3–7 hour time frame.

Secure Email Gateway vs PowerShell Decision Matrix

The matrix informs you about the deployment features of SEG and PowerShell to help you choose which deployment suits your need.

  Pros Cons
  • Real-Time Compliance

  • Attachment encryption
  • Hyperlink transformation
  • Additional server (s) required

  • ADFS must be configured to prevent end users from connecting directly to Office 365 (around SEG) +
  • No additional on-premises server required for email management

  • Mail traffic is not routed to an on-premises server before being routed to Office 365, so ADFS is not required
  • No real-time compliance sync
  • Not for large deployments (more than 100000)
  • AirWatch Inbox must be used to containerize attachments and hyperlinks in VMware Content Locker and VMware Browser respectively
+ Microsoft suggests using Active Directory Federated Services (ADFS) for preventing direct access to Office 365 email accounts.

Connecting IBM Notes Traveler Server through AirWatch Inbox

If you are using a Workspace ONE UEM Exchange ActiveSync profile to connect to an IBM Notes Traveler server through the Android AirWatch Inbox, you might receive an 'HTTP 449' response. This response is seen when an Android device attempts to connect to the Traveler server. This 'HTTP 449' error occurs if the ActiveSync policy headers sent from the client (and enforced through Workspace ONE UEM console) do not match the policy headers supported by the Traveler server.

To resolve such issues, follow these steps:

  1. Add the following flag to the notes.ini file on the Traveler server.
                      NTS_AS_PROVISION_EXEMPT_USER_AGENT_REGEX =(AirWatch*) | (Apple*; AWInbox*) 
  1. Next, restart the Traveler server.

Adding this flag disables Traveler from enforcing any policies to the AirWatch Inbox. You must use Workspace ONE UEM for applying the required policies to the app.

Devices that use policies provisioned directly by Traveler (that is, not configured through Workspace ONE UEM), are not affected.


If you are using IBM Notes Traveler with SEG 7.3+, then the IBM Notes Traveler requires the Microsoft-Server-ActiveSync website support.