Deploy Workspace ONE Boxer with the Workspace ONE UEM console.

Configuring the Workspace ONE Boxer application involves adding it as a public application and then assigning it to end users with the email configurations you set.

Smart Group Based Assignments

Create single or multiple smart group based assignments and deploy different Workspace ONE Boxer email settings specific to a set of users in your organization. An assignment group is a representation of single or multiple smart groups that are assigned the same email configuration.

The deployment of Workspace ONE Boxer to iOS and Android devices is configured in two parts. You must perform both procedures.

  1. Add Workspace ONE Boxer as a public application.
  2. Assign Workspace ONE Boxer to smart groups.

For in-depth instructions on deploying public applications, see the Workspace ONE UEM Online Help topic Public Application Overview.

Note: When you deploy Workspace ONE Boxer as a public app in a PowerShell deployment, you must configure a device access rule on Exchange to allow Workspace ONE Boxer users to access emails. For more information about configuring the device access rule, see the Workaround for Workspace ONE Boxer Flexible Deployment section of the Mobile Email Management (MEM) guide.

Add Workspace ONE Boxer to Public Applications

Add Workspace ONE Boxer as a public application to the UEM console.

Adding applications through an app store enables Workspace ONE UEM to manage applications according to your settings in the console.

  1. Navigate to Resources > Apps > Native > List View > Public.

  2. Select Add Application.

  3. Configure the text boxes that display and select Next.

    Option | Description
    Managed By | View the organization group where the application is uploaded.
    Platform | Choose the appropriate platform. Only iOS and Android devices are supported currently.
    Source | Select to search for the application in the app store or play store.
    Name | Enter "Workspace ONE Boxer".
  4. Locate and select the Workspace ONE Boxer app in the Search results screen.

  5. Review the information that automatically populates in the Details tab.

  6. Assign Terms of Use, which displays when users first access the application from the App Catalog.

  7. Select Save and Assign.

You can add an assignment now or you can come back and add assignments later.

Assign and Configure Workspace ONE Boxer Using the App Assignment Page

Configure Workspace ONE Boxer using App Policies and Application Configuration (custom KVPs) provided in the Assignment page.

Upload Boxer as a public or an internal application to the Workspace ONE UEM console.

Note: With console 2004 or higher, most of the application configuration values that you previously added manually can now be configured using the settings available in the Email Settings and App Policies assignment pages. You can use the following steps to assign Boxer 5.17 or later using the Workspace ONE UEM console version 2004 or higher. If you are using a console version less than 2004 to assign older versions of Boxer, see Application Configurations for Workspace ONE Boxer.

  1. Navigate to Resources > Apps > Native > List View > Public.

  2. Select Assign under the Install Status column for Boxer. Alternatively, you can also select the edit icon and then select Save & Assign.

  3. Select Add Assignment in the Assignment window.

    a. In the Distribution tab, enter the following information:

    Settings | Description
    Name | Enter the name of the assignment.
    Description | Enter the description for the assignment.
    Assignment Groups | Enter smart groups to receive the Workspace ONE Boxer flexible deployment assignment.
      As you enter the smart group name, options are displayed and you can select the appropriate smart group from the list.
      If necessary, you can add more assignment groups.
    App Delivery Method
      On Demand – Deploys Boxer to the deployment agent. The device user can decide if and when to install the application.
      Automatic – Deploys Boxer to a deployment Hub on a device upon enrollment. After the device enrolls, the system prompts users to install Boxer on their devices.

    b. In the Restrictions tab, enter the following information:

    Settings | Description
    EMM Managed Access | Enable adaptive management to set Workspace ONE UEM to manage the device so that the device can access the application. Only the devices that are enrolled in EMM can install the app and receive app policies when you enable this setting.
    Remove on Unenroll | When enabled, it removes the application from a device when the device unenrolls from Workspace ONE UEM. Workspace ONE UEM enables this setting by default.
      If you enable this setting, supervised devices are restricted from a silent app installation. This is because the device is locked and the provisioning profile installation is in the command queue, which requires the device to be unlocked to complete the installation.
      If you disable this setting, provisioning profiles are not pushed with the installed application. That is, if the provisioning profile is updated, the new provisioning profile is not automatically deployed to devices. In such cases, a new version of the application with the new provisioning profile is required.
    Prevent Removal | When enabled, the user is not allowed to uninstall the app. This requires iOS 14 and later.
    Prevent Application Backup | Enable this setting to prevent backing up the application data to iCloud.
    Make App MDM Managed if User Installed | Assume management of applications previously installed by users on their devices, whether applications are supervised or unsupervised.
      Enable this feature so that users do not have to delete the application version installed on the device. Workspace ONE UEM manages the application without having to install the AirWatch Catalog version on the device.
      This setting is not effective if the privacy settings of the console are set to prevent the collection of personal application data.

    c. In the Tunnel & Other Attributes tab, enter the following information:

    Settings | Description
    Per App VPN Profile | Select the Per-App VPN Profile to configure a VPN at the application level.
    Other Attributes | App attributes provide device-specific details for Boxer to use.
    Upload XML | You can upload an XML file that contains the key value pairs supported by the application for the app configuration.

    d. In the Application Configuration tab, enter the following information:

    Settings | Description
    Send Configuration | When enabled, it configures Boxer using the settings provided by the app developer.
    UPLOAD XML | You can upload an XML file that contains the key value pairs supported by Boxer.
    ADD | You can also manually add the configuration keys, value types, and the look up values.

    e. In the Email Settings, enter the following information:

    Settings | Description
    Account Name | Enter the Exchange account name.
    Exchange ActiveSync Host | Enter the EAS server URL. For SEG deployments, enter the SEG URL.
    EWS URL | Enter the address of the EWS or SEG endpoint.
    Email Management | If you want to associate a Mobile Email Management with the Boxer configuration, you must enter at least one MEM configuration.
    Domain, User, User Display Name, and Email Address | Enter the domain name, user name, user display name and email address. By default, the login information includes {EmailDomain}, {EmailUserName}, {FirstName}{LastName} and {EmailAddress} that are defined as lookup values in your directory service. To override these values, use custom lookup values.
    Password | Enter the password.
      Note: The Password field only supports lookup values, not the actual password value.
    Email Signature | Enter the email signature.
    Authentication
    Modern Authentication | Modern Authentication is an OAuth based token authentication method for Office 365. When enabled, you are redirected to the login page for authentication.
    Authentication Type | Select one of the following authentication types for end users to authenticate with Exchange Server using the credentials used to log in to Workspace ONE.
      Basic – Authenticates using a user name and a password.
      Certificate – Authenticates using a certificate. Select the desired Certificate Authority and Certificate Template.
      Both – Authenticates using a certificate to authenticate with a network appliance and a password to authenticate with Exchange.
      Certificate-Based Authentication with Modern Authentication (CBA with Modern Authentication) - Workspace ONE Boxer supports certificate-based authentication with Modern Authentication. Boxer supports SCEP. To view the supported certificates, see the Supported Certificate Authorities section.
      Note:
      iOS does not support Certificate-based authentication using Modern Authentication unless using PIV-D. Only Android supports this authentication mode.
      Consider a scenario where you have set the certificate as an authentication type without enabling the SSO passcode, and the user deletes and reinstalls the Boxer application. At the time of reinstallation, the user is authenticated automatically because you have configured CBA as an authentication type. Such a scenario can create an attack vector for intruders who have physical access to the device. Without an added authentication challenge, an intruder can gain access to email resources by deleting and reinstalling the Boxer application.
      To avoid such intruders, Boxer must authenticate users using the Workspace ONE credentials before allowing them to access emails. An alternative solution to requiring Workspace ONE credentials is to enable SSO workflows that restrict intruders to reset a standalone passcode.
    Specifies number of authentication retries | Specify the number of authentication retries upon failure.
    Sync | Configure Boxer to determine how to sync email and calendar.
    Notifications | Configure Email Notification Service (ENS) and its behaviour to provide real-time notification.
    Spam & Phishing Reporting | Configure the actions to be taken on email identified as spam or phishing attack.
    Mobile Flows | Configure mobile flows server information with which Boxer can integrate.
    S/MIME | Configure S/MIME status.
    Email Classification | Configure S/MIME status.
    Custom Account Configuration | Add the key value pairs to apply any account level configurations.

    f. In the App Policies, enable and configure Single Sign-On (SSO) to use the Multiple Managed Account (MMA) feature in Boxer. After you enable SSO, you cannot disable it. Enter the following information:

    Settings | Description
    App Passcode | Select the type of passcode for user authentication.
      Numeric - User is presented with a numeric keyboard.
      Alphanumeric - User is presented with an alphanumeric keyboard.
      None - Boxer applies the Exchange passcode policies if present.
    Data Loss Prevention
    Copy Paste | If restricted:
      End users cannot copy and paste content from Workspace ONE Boxer to other applications.
      If personal accounts are enabled, end users can copy and paste between personal and work accounts. Therefore, consider disabling personal accounts to restrict the copy and paste functionality completely.
      Share and define options are made unavailable in the application when selecting text.
    Local Calendars | Set to true to enable local calendars in Workspace ONE Boxer.
    Personal Contacts | If the option is restricted, end users can access contacts only from the email accounts in the app. If unrestricted, end users can access contacts from other apps on the device.
    [iOS] Allows printing | Enables or disables printing of emails and attachments.
    [iOS] Allow Custom Keyboards | Enables or disables the use of third-party keyboard.
    [iOS] Restrict unsecured HTTP connections | Restricts loading content from unsecured (HTTP) connection.
    Sharing | These settings determine whether users can open emails or their attachments in other applications. Based on your requirements, you can specify the allowed applications using the Allowlist option or allow sharing in any application.
    Control Open In | Enables or disables attaching of files from other apps using the open-in or share into Workspace ONE Boxer.
    Control Attachments from external providers | Enables or disables attachments from external providers (for example, iCloud, Dropbox, Google Drive) using Workspace ONE Boxer.
    Watermark Text | Defines the watermark text.
    Watermark Opacity | Defines the opacity of the text. You can set any number from 0 through 100.
    Watermark Color | Defines the color of the watermark text in hexadecimal format. The default color is blue.
    Personal Accounts | If restricted, end users can no longer add any additional accounts to the application.
      If end users already have Workspace ONE Boxer on their device with personal accounts configured, then they are prompted whether they want to remove their existing personal accounts now or later. End users do not receive work email through Workspace ONE Boxer until they remove all personal accounts.
    Internal Domains List | Define the domains that are internal or permitted.
    External Recipient Warning | Enables the warning when the user enters recipients from external domains. If the domains are configured and the External Recipient Warning is enabled, the 'Confirm before sending' setting is unavailable to the users. When the warning is displayed, the user can either accept and return to the Compose email menu or ignore and continue sending the email to external recipients.
    Browser Hyperlinks | When restricted, all hyperlinks open only in Workspace ONE Web.
    Browser Exceptions | If hyperlinks are restricted in the Console, you can add a list of exceptions for domains or sites to always open in the default browser.
    Usability
    Skip in app tutorial | Enable this option to skip the in-app tutorial that appears on the first launch of the application.
    Caller ID | Enable to provide Caller ID functionality for all Workspace ONE Boxer contacts.
      By enabling this feature, Workspace ONE Boxer exports names and phone numbers only to the native contacts app.
    Default Caller ID | Enable the exporting of contacts, names, and phone numbers by default. This option requires the Caller ID option to be set as unrestricted.
    Enable Avatars | Enable or disable Avatars.
    Archive Action | Allows or blocks the ability to archive emails.
    Conversation Grouping | Enables the conversation view to group emails by conversation.
    Enterprise Content | Configure Enterprise Content in Boxer.
    Show CallKit Option | An iOS setting that requires user interaction to enable CallKit caller ID.
    Left Short Swipe default, Left Long Swipe default, Right Short Swipe Default, and Right Long Swipe Default | Define the default swipe actions. Users can customize swipe actions using the options provided in the Workspace ONE Boxer app.
    Support
    Allows Logging | Allows users to send logs.
    Support Email Address | Enter the address to be specified when sending logs through the support menu.
    Allow Crash Reporting | By default, Boxer is allowed to report crashes anonymously.
    Advanced
    Forward/Add Attachments | Allows the users to add or forward attachments.
    Attachment Download | Enables or disables downloading and forwarding of attachments.
    Attach Photos | Enables or disables attaching of images and media files from the photo gallery and camera.
    Plain Text Mode | Enables or disables the plain text mode of Boxer. If enabled, Boxer retrieves only plain text from HTML mails when syncing. Workspace ONE Boxer sends only plain text regardless of the email message format. The formatting controls in the compose view are disabled and only text can be copied and pasted from rich or HTML content.
    Refetch Empty Links using Mime | For emails (fetched using HTML) that contain non-standard URL schemes, pointing to non-server domains, Exchange replaces the URL with two empty spaces. Enable or disable this option for Boxer to detect this occurrence and redownload the affected body using MIME, which is not subject to the URL replacement error.
    Disable Key Escrow (Forgot Passcode) | Disable escrowing of the key on to the server. Disabling this disables the forgot password feature.
    Anonymous Metrics | Enable this option to allow collection of anonymous usage data to improve the user's Workspace ONE Boxer experience. When enabled, a Data Sharing notice is displayed to the user when Workspace ONE Boxer is launched. The device user can enable or disable data sharing by navigating to Settings > Privacy > Data Sharing.
    QuickJoin custom URLs | This enables the QuickJoin button found in calendar invites.
    Application update source | Select the source to download Boxer.
    Swift SDK Key Wrapping Only Mode | Enable this option to take full advantage of key wrapping security features.
    FastSync Expiry | Set the expiration time in hours when Workspace ONE Boxer does not receive a FastSync key. FastSync settings are applied when Email Notification Service is enabled and configured.
    Enable FastSync | FastSync improves the background syncing and speed of subsequent syncs. FastSync settings are applied when Email Notification Service is enabled and configured.
  4. Select Create.

Flexible Deployment Assignments and Workspace ONE Boxer

Assignment by flexible deployment enables mapping of your email settings to smart groups.

An assignment can contain single or multiple smart groups belonging to an Organization Group. Assignments with the same email settings are grouped together. You can choose existing smart groups or create new smart groups from the Assigned Smart Groups field as per your requirement.

If you have multiple email settings that are assigned to different assignment groups, then the most recently created settings get priority. If a device exists in multiple assignment groups that have been configured with different email settings, the device receives the email settings from the assignment group with the highest priority.

Assign Workspace ONE Boxer with Email Settings

Assign Workspace ONE Boxer to devices with the assignment feature known as flexible deployment. Configure the security and email management features within the assignment procedure so that they meet your organization's needs.

Important:  If the passcode is set to None, then the Workspace ONE Boxer app is not encrypted. If you do not enforce an app-level passcode, then consider enforcing a device-level passcode using a device profile, which encrypts the iOS device.

  • All attachment security, Data Loss Prevention (DLP), and encryption are handled from within the Workspace ONE Boxer app itself.
  • Enabling DLP > Caller ID settings causes an error if end users have deleted their local address book. See Workaround for Third-Party Address Book – iOS in the Device Management topic for more information.
  • For information on optional application configurations, see [Application Configurations for Workspace ONE Boxer](ApplicationConfigurations.md).

  • Navigate with one of the following paths.

    • Select Add Assignment in the Assignment window.

      This navigation reflects adding an assignment immediately after adding the application to the public tab of the console.

    • Go to Resources > Apps > Native > List View > Public and select the Assign link under the Install Status column for the Boxer application.

      This navigation reflects adding an assignment later after adding the application to the public tab of the console.

  • Complete the settings on the Email Settings page.

    Settings | Description
    Assigned Smart Groups | Enter smart groups to receive the Workspace ONE Boxer flexible deployment assignment.
    Is App Restricted to Silent Install (Android) | Enable to assign the application to those devices that support the silent install or the silent uninstall capability only.
    Account Name | Enter a description of the mail account.
    Exchange ActiveSync Host | Enter your EAS server URL. For SEG deployments, enter the SEG URL instead.
    Domain, User, Email Address | Enter the login information, including Domain name, user name, and Email Address.
      By default, the login information includes {EmailDomain}, {EmailUserName} and {EmailAddress} that are defined as lookup values in your directory service. If you need to override these values, you can use custom lookup values.
    Password (Android Only) | Enter the password to the email account or input the lookup value for pulling the password from the user account.
    Email Sync Period | Set the number of past days of emails for Workspace ONE Boxer to sync.
    Calendar Sync Period | Set the number of past days of calendar events for Workspace ONE Boxer to sync.
    Email Signature | Specify an email signature to be used in emails that are sent using Workspace ONE Boxer.
    Authentication Type | Choose one of the following authentication types for end users to authenticate with Exchange using the AirWatch credentials:
      Basic – Authenticates using a user name and a password.
      Certificate – Authenticates using a certificate. Select the desired Certificate Authority and Certificate Template.
      Both – Authenticates using a certificate to authenticate with a network appliance and a password to authenticate with Exchange.
      Modern Authentication - OAuth based token authentication method for Office 365. To set up, see the Modern Authentication section.
      Certificate-Based Authentication with Modern Authentication (CBA with Modern Auth) - Workspace ONE Boxer supports certificate-based authentication with Modern Authentication. Boxer supports SCEP. To view the supported certificates, see the Supported Certificate Authorities section in the On-Premises Certificate Authority admin guide.
      Note: iOS does not support Certificate-based authentication using Modern Authentication. Only Android supports this authentication mode.
    Passcode | Setting an app-level passcode for Workspace ONE Boxer also encrypts the application. Device users set their passcode on the device at the application level when they first access the application.
    Type
      None – Does not require a passcode.
      Numeric – Prompts the user with a numeric keyboard to set a passcode.
        (iOS only) Biometric ID - Enable this option to use fingerprint to authenticate the application. The user is asked to enable Touch ID settings on the device the first time they are asked for their passcode and NOT when they create their passcode during first-time setup.
        Minimum Length - Set the minimum number of numeric characters a user's passcode must contain.
        Timeout Minutes - Set the time in minutes until the application locks when idle.
        Maximum Age - Set the maximum allowed days for the passcode, after which the passcode expires and has to be reset. When the set number of days is exceeded, the client asks the end user to create a passcode.
        History - Determine the history of passcodes used to prevent the user from reusing passcodes.
        Maximum Number of Failed Attempts - Determine the maximum number of failed passcode attempts before the email data in the app are erased.
      Alphanumeric – Prompts the user with an alphanumeric keyboard to set a passcode. The list explains only those options that are different from the Numeric setting.
        Minimum Number of Complex Characters - Set the minimum number of character sets required for the passcode.
        Character sets include uppercase letters, lowercase letters, numbers, and symbols.
        For example, if you select 2, then a passcode must contain at least two of the character sets above. This can be a number and symbol: 3!$#!$, uppercase and lowercase: RtGfH, lowercase and symbol: p!$@!, and so on.
    Data Loss Prevention | Determine how your end users can access emails, email attachments, and hyperlinks by configuring the following settings.
    Copy Paste | If restricted:
      End users cannot copy and paste content from Workspace ONE Boxer to other applications.
      If personal accounts are enabled, end users can copy and paste between personal and work accounts. Therefore, consider disabling personal accounts to restrict copy and paste functionality completely.
      Share and define options are made unavailable in the application when selecting text.
      Workspace ONE apps share the same clipboard if the SDK settings applied to these apps are similar, irrespective of it being applied as a default profile for one app and custom profile for the other.
    Screenshots (Android Only) | If restricted, Android end users cannot take screenshots of the Workspace ONE Boxer application.
    Allow Email Widget (Android Only) | If enabled, Android end users can add the Workspace ONE Boxer Email widget to their home screens.
    Allow Calendar Widget (Android Only) | If enabled, Android end users can add the Workspace ONE Boxer Calendar widget to their home screens.
    Hyperlinks | If restricted, end users can only open hyperlinks in Workspace ONE Web.
    Sharing | Choose one of the following restrictions based on whether the end user can open emails and their attachments in other applications:
      Preview Only - Set this restriction for end users to preview emails and attachments within Workspace ONE Boxer application only. End users cannot open attachments into any other applications.
      Allowlist - Set this restriction and specify bundle IDs of the applications for emails and their attachments to open in those specified applications. The bundle IDs for Content Locker and Evernote are prepopulated.
      Unrestricted - Set this restriction for end users to open emails and attachments in any applications.
    Caller ID | Enable to provide Caller ID functionality for all Workspace ONE Boxer contacts.
      By enabling this feature, Workspace ONE Boxer exports names and phone numbers only to the native contacts app.
    Personal and Work Separation | You can allow end users to add multiple personal accounts and use local contacts by configuring the following settings on the UEM console.
    Personal Accounts | If restricted, end users can no longer add any additional accounts to the application.
      If end users already have Workspace ONE Boxer on their device with personal accounts configured, then they are prompted whether they want to remove their existing personal accounts now or later. End users do not receive work email through Workspace ONE Boxer until they remove all personal accounts.
    Personal Contacts | If restricted, end users can access contacts only from the email accounts in the app. If unrestricted, end users can access contacts from other apps on the device.
    Application Configuration | You can configure settings for your Workspace ONE Boxer deployment using the Configuration Key and Configuration Value pairs provided by AirWatch.
      Application configurations are optional.
  • Select Save.

  • If you want to restrict copying and pasting of data from and to the Workspace ONE Boxer and other supported apps, configure these settings at Apps > Settings and Policies > Security Policies > Data Loss Prevention.

    Authentication Type and Single Sign-On must be enabled for these settings to be applied on the end user devices. These restrictions are applied across all supported VMware applications.

    Settings | Description
    Enable Copy and Paste Out (iOS only) | When disabled, end users cannot copy and paste content from Workspace ONE Boxer to other applications except Workspace ONE productivity apps.
    Enable Copy and Paste Into | When disabled, end users cannot copy and paste content from applications other than Workspace ONE productivity apps into Workspace ONE Boxer.

    End users can copy or paste content between the Workspace ONE applications which share the SDK settings. These SDK settings can be applied as a default profile for one application and custom profile for the other.

Note:

  • On iOS, the default signature links to the page Workspace ONE® User Zone that provides more information on Workspace ONE Boxer.
  • Boxer does not support SDK's Integrated Authentication functionality.
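
The priority rule and the security caveats in this topic interact: a device that belongs to several assignment groups receives only the most recently created email settings, so a newer, weaker assignment can replace a stricter one. The following is an added example, not VMware code, that resolves the effective assignment for a device and checks it against the warnings stated above. All field names and the two sample assignments are hypothetical and constructed for illustration.

```python
"""Added example: which Boxer assignment does a device get, and is it safe?

All field names and sample assignments are hypothetical and constructed; they
are not Workspace ONE UEM API fields or Boxer configuration keys.
"""
from dataclasses import dataclass

# Authentication types that sign the user in with a certificate alone.
# Treating both certificate modes alike is this example's assumption.
CERT_ONLY_AUTH = {"Certificate", "CBA with Modern Authentication"}


@dataclass(frozen=True)
class Assignment:
    name: str
    created_order: int              # higher = created more recently
    smart_groups: frozenset
    platform: str                   # "iOS" or "Android"
    auth_type: str
    passcode_type: str              # "None", "Numeric" or "Alphanumeric"
    sso_passcode: bool
    copy_paste_restricted: bool
    personal_accounts_restricted: bool
    device_passcode_profile: bool = False
    piv_d: bool = False


def effective_assignment(device_groups, assignments):
    """Apply the page's rule: among the assignments whose smart groups contain
    the device, the most recently created one wins. None if nothing matches."""
    matching = [a for a in assignments if a.smart_groups & set(device_groups)]
    return max(matching, key=lambda a: a.created_order, default=None)


def lint(a):
    """Return {finding_code: explanation} for the caveats stated in this topic."""
    findings = {}
    if a.passcode_type == "None":
        findings["passcode-none"] = "app passcode is None, so Boxer is not encrypted"
        if not a.device_passcode_profile:
            findings["no-device-passcode"] = (
                "no device-level passcode profile compensates for the missing "
                "app passcode")
    if a.auth_type in CERT_ONLY_AUTH and not a.sso_passcode:
        findings["cba-without-sso-passcode"] = (
            "certificate authentication without an SSO passcode: after a delete "
            "and reinstall, Boxer authenticates whoever holds the device")
    if a.copy_paste_restricted and not a.personal_accounts_restricted:
        findings["copy-paste-personal-accounts"] = (
            "copy/paste is restricted but personal accounts are allowed, so "
            "content can still move between work and personal accounts")
    if (a.platform == "iOS" and a.auth_type == "CBA with Modern Authentication"
            and not a.piv_d):
        findings["cba-modern-ios-without-pivd"] = (
            "iOS supports CBA with Modern Authentication only with PIV-D")
    return findings


def audit(device_groups, assignments):
    """Resolve the effective assignment for a device and lint it."""
    a = effective_assignment(device_groups, assignments)
    return (None, {}) if a is None else (a.name, lint(a))


# Constructed sample data: a strict baseline and a newer, weaker pilot.
ASSIGNMENTS = [
    Assignment("baseline", 1, frozenset({"All-Staff"}), "Android", "Certificate",
               "Alphanumeric", sso_passcode=True, copy_paste_restricted=True,
               personal_accounts_restricted=True),
    Assignment("sales-pilot", 2, frozenset({"Field-Sales"}), "Android",
               "Certificate", "None", sso_passcode=False,
               copy_paste_restricted=True, personal_accounts_restricted=False),
]

if __name__ == "__main__":
    for groups in ({"All-Staff"}, {"All-Staff", "Field-Sales"}):
        name, findings = audit(groups, ASSIGNMENTS)
        print(f"{sorted(groups)} -> {name}")
        for code, why in findings.items():
            print(f"  [{code}] {why}")
```

A device in both sample groups resolves to sales-pilot, so the stricter baseline settings never reach it even though it is still a member of All-Staff.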

Multiple Managed Accounts in Workspace ONE Boxer

Add and configure Multiple Managed Accounts (MMA) to your Workspace ONE Boxer.

A user can have multiple email accounts in different domains based on their business requirements. For example, an employee might have an email account in a parent company and an email account in a subsidiary. These accounts might have different policies and restrictions that are compatible with their respective organizations. Workspace ONE Boxer provides you the ability to manage two additional email accounts with different settings in the same UEM console.

Requirements for Multiple Managed Accounts

  • MMA is only available in Workspace ONE Boxer 5.21 or later versions.
  • To enable MMA in Boxer, you must use Workspace ONE UEM console 2008 or later versions.
  • You must enable and configure Single Sign-On (SSO) on your SDK profile and in Boxer’s App Policies. After you enable SSO, you cannot disable it. To learn how to set up SSO for the SDK profile, see the Enforcing Application-Level Single Sign On Passcodes topic in the Android (Legacy) Platform guide.

Multiple Managed Accounts supports the following features in Workspace ONE Boxer.

  • All the functions of Mails, Calendar, and Contacts.
  • S/MIME, Azure Information Protection (AIP), Certificate-based authentication (CBA), Spam, and Phishing reporting.
  • When ENS2 is configured, MMA supports secondary and tertiary account notifications.
  • Email signature and synchronization period.
  • Health Check shows the combined status of all accounts on iOS, whereas on Android it only shows the status of the primary account.
  • S/MIME certificates to sign and encrypt emails when the source is Escrow Gateway.

General Information

  • In addition to your primary email account, you can add two additional managed accounts.
  • Derived Credentials supports only the primary account. Workspace ONE Boxer does not support derived credentials as a source of certificates for the secondary and tertiary accounts.
  • Ensure that you add and configure the PolicyDerivedCredentials key to use PIV-D in Boxer versions older than 5.21.
  • If you have selected the Escrow Gateway for S/MIME certificates in UEM and also added the PolicyDerivedCredentialsSMIME key with a value of 1 or 2, the derived credentials appear after the migration of S/MIME certificate source.
  • VMware Workspace ONE mobile flows are not supported for your additional managed accounts.
  • Two CBA configured accounts belonging to the same domain cannot have the same or different templates that generate certificates with the same UPN (User Principal Name) details.
  • If you use the same S/MIME certificate for multiple accounts, those accounts must have the same revocation policy.
  • In iOS Boxer:
    • MMA support is not available for standalone enrollments.
    • If there are conflicts with account-specific keys, such as PolicySMIMETrustStore and PolicySMIMERevocationCheckUrl, Boxer uses the value of the primary email account.

Configure Multiple Managed Accounts in Workspace ONE Boxer Using Workspace ONE UEM

Configure Workspace ONE Boxer to support up to two additional managed accounts. With console 2004 or higher, the previously combined email and app settings have now been separated and placed into the Email Settings and App Policies pages, allowing you to easily configure settings specific to each account using the Email Settings page and settings specific to the entire app using the App Policies page.
Note: Before you begin configuring the managed accounts, you must upload Workspace ONE Boxer version 5.21 or later as a public application using Workspace ONE UEM console version 2008 or later.

  1. Navigate to Resources > Apps > Native > List View > Public.
  2. Select the Assign link under the Install Status column for the Boxer application. Alternatively, you can also select the edit icon and then select Save & Assign.
  3. On the Assignment screen, select Add Assignment and enter the required information.

    a. In the Distribution tab, enter the following information:

    Settings Description
    Name Enter the assignment name.
    Description Enter the description for the assignment.
    Assignment Groups Enter the smart group name to which you want to assign the application. As you enter the smart group name, options are displayed and you can select the appropriate smart group from the list.
    If necessary, you can add more assignment groups.
    App Delivery Method

    On Demand – Deploys application to the deployment agent. The device user can decide if and when to install the application.

    Auto – Deploys applications to a deployment Hub on a device upon enrollment. After the device enrolls, the system prompts users to install the Boxer application on their devices.

    b. In the Restrictions tab, enter the following information:

    Settings Description
    EMM Managed Access Enable this option to manage access. Only devices enrolled in EMM can install the app and receive policies set by the admin.

    c. In the Tunnel tab, enter the following information:

    Settings Description
    Android or iOS Legacy Select a VPN profile that you want to use for the application. Users access the application using a VPN, which helps ensure that application access and use is trusted and secure.

    d. In the Application Configuration tab, enter the following information:

    Settings Description
    ADD You can also manually add the configuration keys, value types, and the look up value.

    Note: These KVPs are app-level settings and apply across the entire application. To apply a configuration to a specific email account, add the keys to Custom Account Configuration in Email Settings to avoid any disruption.

    e. To add more configurations to your application, select Add.

    Note: Ensure that this KVP applies across the entire app. Any configurations that apply only to a specific email account must be moved to Custom Account Configuration in Email Settings to avoid any disruption.

    f. In the Email Settings, select + Add to add additional accounts. If you do not have the + Add option, make sure you are on Workspace ONE UEM console version 2008 or later.
    Boxer supports custom attributes in an enrolled user's Advanced tab and maps these custom attributes to the user's secondary account. Configure these attributes in Active Directory so that users do not have to enter the values manually.

    Enter the following information per account level:

    Settings Description
    Account Name Enter the Exchange account name.
    Exchange ActiveSync Host Enter your EAS server URL. For SEG deployments, enter the SEG URL.
    EWS URL Enter the address of the EWS or SEG endpoint.
    Email Management If you want to associate a Mobile Email Management with this Boxer configuration, enter at least one MEM configuration.
    Domain, User, and Email Address Enter the domain name, user name, and email address. By default, the login information includes {EmailDomain}, {EmailUserName} and {EmailAddress} that are defined as lookup values in your directory service. To override these values, use custom lookup values.
    Password Enter the password. Note: Password field only supports lookup values, not the actual password value.
    Email Signature Enter the email signature.
    Authentication Select one of the following authentication types for end users to authenticate with Exchange using the Workspace ONE credentials:

    Basic – Authenticates using a user name and a password.

    Certificate – Authenticates using a certificate. Select the desired Certificate Authority and Certificate Template.

    Both – Authenticates using a certificate with a network appliance and a password to authenticate with Exchange.

    Modern Authentication - OAuth based token authentication method for Office 365. To set up, see the Modern Authentication section.

    Certificate-Based Authentication with Modern Authentication (CBA with Modern Authentication) - Workspace ONE Boxer supports certificate-based authentication with Modern Authentication. Boxer supports SCEP. To view the supported certificates, see the section Supported Certificate Authorities.

    Note: Consider a scenario where you have set Certificate as the authentication type without enabling the SSO passcode, and the user deletes and reinstalls the Boxer application. On reinstallation, the user is authenticated automatically because CBA is configured as the authentication type. Such a scenario can create an attack vector for intruders who have physical access to the device. Without an added authentication challenge, an intruder can gain access to email resources by deleting and reinstalling the Boxer application.
    To keep such intruders out, Boxer must authenticate users using the Workspace ONE credentials before allowing them to access emails. An alternative to requiring Workspace ONE credentials is to enable SSO workflows, which restrict intruders to resetting a standalone passcode.

    Specifies number of authentication retries - specify the number of authentication retries upon failure.
    Sync Configure how to sync email and calendar.
    Notifications Enable and configure the Email Notification Service (ENS) to provide a real-time notification.

    ENS2 - Enable or disable ENS2.

    Notification Content - Configure what information is disclosed in each incoming email notification alert.
    Spam & Phishing Reporting Enables or disables the actions to be taken on email identified as spam or phishing attack.
    Mobile flows Enables or disables the mobile flows server information that Boxer can integrate with.
    Note: Workspace ONE mobile flows does not support multiple managed accounts in Boxer.
    S/MIME Enables or disables the S/MIME status.
    Email Classification Enables or disables the email classification option.

    AIP Sensitivity Labels - If enabled, users can interact with AIP labels.

    Email Classification - Enable or disable classification markings.

    g. To apply any account level configurations, add the key value pairs in Custom Account Configuration.

    h. In the App Policies, you must enable and configure Single Sign-On (SSO) to use the MMA feature in Boxer. After you enable SSO, you cannot disable it.

    i. Enable or disable the following App policies:

    Settings Description
    Data Loss Prevention  
    Copy Paste If restricted:

    End users cannot copy and paste content from Workspace ONE Boxer to other applications.

    If personal accounts are enabled, end users can copy and paste between personal and work accounts. Therefore, consider disabling personal accounts to restrict the copy and paste functionality completely.

    Share and define options are made unavailable in the application when selecting text.
    Screenshots (Android only) Prevent users from taking screenshots from the app.
    Local Calendars Set to true to enable local calendars in Workspace ONE Boxer.
    Personal Contacts If the option is restricted, end users can access contacts only from the email accounts in the app. If unrestricted, end users can access contacts from other apps on the device.
    Allow calendar and email widget Control whether users can add a Boxer calendar or email widget to their home screen.
    Sharing These settings determine whether users can open emails or their attachments in other applications. Based on your requirements, you can specify the allowed applications using the Allowlist option or allow sharing in any application.
    Control Open In Enables or disables attaching of files from other apps using open-in or share into Workspace ONE Boxer.
    Control Attachments from external providers Enables or disables attachments from external providers.
    Watermark Text, Opacity, color Defines the watermark text.
    Internal Domains List Defines the domain that is internal and permitted.
    External Recipient Warning Notifies the user while sending a message to an external user.
    Attachment Download Enables or disables users to download attachments.
    Personal Accounts If restricted, end users can no longer add any additional accounts to the application.
    If end users already have Workspace ONE Boxer on their device with personal accounts configured, then they are prompted whether they want to remove their existing personal accounts now or later. End users do not receive work email through Workspace ONE Boxer until they remove all personal accounts.
    Browser  
    Hyperlinks When restricted, all hyperlinks open in Workspace ONE Web.
    Usability  
    Skip in app tutorial Enable this option to skip the in-app tutorial that appears on the first launch of the application.
    Caller ID Enable to provide Caller ID functionality for all Workspace ONE Boxer contacts.
    By enabling this feature, Workspace ONE Boxer exports names and phone numbers only to the native contacts app.
    Default Caller ID Enable the exporting of contacts, names, and phone numbers by default. This option requires the Caller ID option to be set unrestricted.
    Avatars Enable or disable avatars for the Exchange contacts.
    Allow Archiving Emails Allows or blocks the ability to archive emails.
    Conversation Threading Enable or disable the conversation threading.
    Enterprise Content Enable or disable Enterprise Content.
    Allow End-user to Report Spam Allow users to enable the spam option.
    Support  
    Logging Allows users to send logs.
    Support Email Address Enter address to be specified when sending logs through the support menu.
    Crash Reporting Enables or disables reporting of crashes. By default, Boxer can report.
    Advanced  
    Forward/Add Attachments Allows the users to add or forward attachments.
    Attachment Download Enables or disables downloading and forwarding of attachments.
    Attach Photos Enables or disables attaching of images and media files from the photo gallery and camera.
    Plain Text Mode Enables or disables Workspace ONE Boxer plain text mode. When set, Workspace ONE Boxer retrieves only plain text from HTML mails when syncing. Workspace ONE Boxer sends only plain text regardless of the email message format. The formatting controls in the compose view are disabled and only text can be copied and pasted from rich or HTML content.
    Refetch Empty Links using Mime For emails (fetched using HTML) that contain non-standard URL schemes, pointing to non-server domains, Exchange replaces the URL with two empty spaces. Enable or disable this policy to detect the occurrence and redownload the affected body using MIME, which is not subject to the URL replacement error.
    Disable Key Escrow (Forgot Passcode) Disables escrowing of the key to the server. Disabling key escrow also disables the forgot password feature.
    Anonymous Metrics Enable this option to allow collection of anonymous usage data to improve user's Workspace ONE Boxer experience. When enabled, a Data Sharing notice is displayed to user when Workspace ONE Boxer is launched. The device user can enable or disable data sharing by navigating to Settings > Privacy > Data Sharing.
    QuickJoin custom URLs Enables or disables QuickJoin buttons found in calendar invites that have online meeting invites.
    Application update source Select the source to download Boxer.
    Swift SDK Key Wrapping Only Mode Enable this option to take full advantage of key wrapping security features.
    FastSync Expiry Set the expiration time in hours when Workspace ONE Boxer does not receive FastSync key. FastSync settings are applied when Email Notification Service is enabled and configured.
    Enable FastSync FastSync improves the background syncing and speed of subsequent syncs. FastSync settings are applied when Email Notification Service is enabled and configured.
  4. Select Create.

Configure Fingerprint Authentication

Workspace ONE Boxer for Android and iOS supports fingerprint authentication. Configure the authentication method as part of your normal deploy and assign process.

  • Workspace ONE Boxer v4.5 for Android and Workspace ONE Boxer 4.2 for iOS
  • Workspace ONE UEM console v9.0.5+

  • Navigate to Groups & Settings > All Settings > Apps > Settings & Policies > Security Policies.

  • Select Override to override any inherited settings.

  • Set the Authentication Type to Passcode or user name and Password.

    Passcode and Biometrics must be enabled for using the Fingerprint functionality with Workspace ONE Boxer.

  • Expand the Authentication Type settings.

  • Enter a value greater than 0 for Authentication timeout.

  • Set Biometric Mode to Fingerprint.

  • Select Save at the bottom of the screen.

  • Configure the Workspace ONE Boxer app to use the AirWatch SDK. Use AirWatch SDK to customize your deployment with maximum security and stability.

    • If you have not added Workspace ONE Boxer as a public app to your UEM console, navigate to Apps & Books > List View > Public > Add Application. Follow the steps to add the app. Enable Application uses AirWatch SDK. You can use the default profile.

      For more information, see Add VMware Boxer to Public Applications.

    • If you have already added Workspace ONE Boxer to your UEM console, navigate to Apps & Books > List View > Public and select the app. Select Edit. Select the Deployment tab and enable Application uses AirWatch SDK. You can use the default profile.

  • Navigate to Apps & Books > Public Application. Select the Workspace ONE Boxer app and select Assign. Select Add Assignment. Configure the Email Settings.

    For more information, see Assign VMware Boxer with Email Settings.

  • Configure the following settings for fingerprint authentication for both Android and iOS devices.

    Setting Description
    Configuration Key Enter the configuration key for the setting.
    For fingerprint authentication, enter AppForceActivateSSO.
    Value Type Select the type of value associated with the configuration key.
    For fingerprint authentication, select Boolean.
    Configuration Value Enter the configuration value.
    For fingerprint authentication, enter true.
  • Select Save.

  • Select View Device Assignment and select Save & Publish.

After the assigned devices receive the new settings, end users may enable fingerprint authentication in the device settings. Configuring fingerprint authentication includes adding a fingerprint on the device. If enabled, end users must enter a backup passcode or user name and password.

Configure Custom SDK Profiles

Configure the custom SDK profiles every time customers deploy their own Certificate Authority (CA) and use the Workspace ONE Boxer with Certificate-Based Authentication.

  1. Configure the custom SDK Profiles.

    a. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles and select Add Profiles.

    b. Select SDK Profile.

    c. Select the platform.

    d. Configure the General Settings.

    e. Configure the Credentials.

    f. Select a Certificate Authority.

    g. Save the profile.

  2. Assign Workspace ONE Boxer with Certificate Based Authentication.

    a. Navigate to Apps & Books > Public.

    b. On the List View page, select iOS Workspace ONE Boxer from the list of public apps.

    c. Select Edit.

    d. Navigate to the SDK tab.

    e. Select the custom SDK profile.

    f. Select Save and Assign.

Configure Workspace ONE Boxer with Derived Credentials (PIV-D)

Create and configure an SDK profile with Derived Credential and assign the profile to Boxer. The SDK profile enables Boxer to fetch the Derived Credential certificates from the VMware PIV-D Manager application so that the device can use the certificates to access resources securely.

A Derived Credential is a client certificate that is generated (or issued) on a mobile device after end users prove their identity using their existing smart card (CAC or PIV) during the enrollment process.

When you set the Credential Source as Derived Credential on the Credential payload, Boxer imports the authentication, signing, and encryption certificates from the PIV-D application. The PIV-D certificate is then used to authenticate users against the Exchange Server or to fetch the SMIME certificates for signing and encryption of emails. PIV-D allows certificate authentication even when modern authentication is configured.

  1. Configure the SDK Profile.

    a. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles and select Add Profiles.

    b. Select SDK Profile.

    c. Select the desired Platform.

    d. Configure the profile's General Settings.

    e. Select the Credentials payload and select Configure.

    f. Set the Credential Source to Derived Credentials.

    g. Select the Key Usage based on how the certificate is used. Select Authentication, Signing, or Encryption.
    To add additional certificates, use the plus sign at the bottom of the profile window.

    h. Select Save and Publish.

  2. Assign the SDK Profile to Boxer.

    a. Navigate to Apps & Books > Native > Public > Add Application and add Boxer.
    If the Boxer application has already been added, you can skip the preceding step.

    b. Select Edit.

    c. Navigate to the SDK tab and set the SDK profile to the one configured with the derived credential source and key usage.

    d. Select Save and Assign.

    e. Create a smart group if you do not have one and modify your assignment.

    f. Under More Email Settings, set the authentication type to Certificate or Both.
    If you are configuring iOS Boxer with modern authentication using the AccountUseOauth key, then you must ensure that the authentication type is set to Basic instead of Certificate or Both. You must also configure a device profile with a Credential payload where the Credential Source is set to Derived Credential and Key Usage type to Authentication. If you have not configured modern authentication on iOS, then you can skip to the next step.

    g. Add a dummy Certificate Authority.

    h. Under the Application Configuration, add the AppForceActivateSSO and the PolicyDerivedCredentials keys. For more information about these configuration keys, see Application Configurations for Workspace ONE Boxer.

    i. Select Add.

Configuring Privacy Settings for Workspace ONE Boxer

Use the configuration keys in the UEM console to configure additional privacy disclosure and data collection practices. When Workspace ONE Boxer is launched, a privacy notice is displayed to the end users who are upgrading to or using the latest Workspace ONE Boxer version.

The privacy dialog screen lets the user know the following information:

  • Data collected by the app – Provides a summary of data that is collected and processed by the application. Some of this data is visible to the administrators of the Workspace ONE UEM administration console.
  • Device Permissions – Provides a summary of device permissions requested for the app to enable product features and functionality, such as push notifications to the device.
  • Company's privacy policy – By default, a message is displayed to the user to contact the employer for more information. You can configure the privacy policy URL in the UEM console. Once configured, the user can access the employer’s privacy policy from Workspace ONE Boxer.

Configure Privacy Settings Using SDK Default Settings

Use the SDK default settings to configure privacy settings.

  1. Navigate to Groups & Settings > All Settings.

  2. From All Settings, navigate to Apps > Settings & Policies > Settings.

  3. Select Enable Custom Settings and paste the configuration keys as per your requirement.

    For example, to enable Crash reporting, {"PolicyAllowCrashReporting": true}.

  4. Select Save.

Configure Privacy Settings Using a Custom SDK Profile

Use a custom SDK profile to configure privacy settings.

  1. Navigate to Groups & Settings > All Settings.

  2. If you have an existing custom profile, navigate to Apps > Settings & Policies > Profiles > Custom Profile > Custom Settings.

  3. If you want to add a custom profile, navigate to Apps > Settings & Policies > Profiles > Add Profile > SDK Profile > iOS or Android > Custom Settings.

  4. From Custom Settings, select Configure and paste the following configuration keys as per your requirement.

    Configuration Key Value Type Supported Values Description
    { "DisplayPrivacyDialog" } Integer 0 = disabled
    1 = enabled (default)
    When set to '1' (enabled), Workspace ONE Boxer displays a privacy notice to the users about the data that is collected and the permissions that are required on the device for the optimal functioning of the app.
    { "PolicyAllowFeatureAnalytics" } Integer 0 = disabled
    1 = enabled (default)
    When set to '1' (enabled), Workspace ONE Boxer displays a notice to the users about the option to opt-in to anonymous feature usage analytics that help VMware improve product functionality and invent new product capabilities. When set to '0', the data sharing notice is not displayed and no data is collected from the device to optimize the app experience. The device user can enable or disable data sharing by navigating to Settings > Privacy > Data Sharing.
    { "PolicyAllowCrashReporting" } Boolean True = enabled
    False = disabled
    When set to True, app crashes are reported to VMware.
    { "PrivacyPolicyLink" } String https://www.acme.com Provide the Policy URL that you want your users to visit when Your company's privacy policy is selected from the Privacy notice.
    Sample SDK configuration: {"PolicyAllowFeatureAnalytics":1, "PrivacyPolicyLink":"https://www.acme.com/privacypolicy", "PolicyAllowCrashReporting":true}
  5. Select Save.
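The value types and supported values listed in the table above can be checked before the JSON is pasted into Custom Settings. The following Python linter is an added example, not VMware code; the function name, the messages, the constructed sample strings and the http(s) check on PrivacyPolicyLink are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Expected JSON type and permitted values per key, as listed in the table above.
SCHEMA = {
    "DisplayPrivacyDialog": (int, (0, 1)),
    "PolicyAllowFeatureAnalytics": (int, (0, 1)),
    "PolicyAllowCrashReporting": (bool, (True, False)),
    "PrivacyPolicyLink": (str, None),
}
_LOWER = {name.lower(): name for name in SCHEMA}


class _Pairs(list):
    """Marks a decoded JSON object while keeping duplicate keys visible."""


def lint_privacy_settings(text):
    """Return a list of problems in a custom-settings JSON string ([] if clean)."""
    try:
        settings = json.loads(text, object_pairs_hook=_Pairs)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON at column {exc.colno}: {exc.msg}"]
    if not isinstance(settings, _Pairs):
        return ["top level must be one JSON object of key/value pairs"]

    problems, seen = [], set()
    for key, value in settings:
        if key in seen:
            # json.loads would silently keep only the last duplicate.
            problems.append(f"{key}: key appears more than once")
        seen.add(key)
        if key not in SCHEMA:
            near = _LOWER.get(key.lower())
            if near:
                problems.append(f"{key}: spelled {near} in the documentation")
            continue  # keys outside the privacy table are not checked here
        expected, allowed = SCHEMA[key]
        # type() rather than isinstance(): bool is a subclass of int in Python,
        # so isinstance() would accept true where 0 or 1 is required.
        if type(value) is not expected:
            problems.append(
                f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        elif allowed is not None and value not in allowed:
            problems.append(f"{key}: value {value!r} not in {allowed}")
        elif key == "PrivacyPolicyLink":
            try:
                url = urlsplit(value)
                ok = url.scheme in ("http", "https") and bool(url.netloc)
            except ValueError:
                ok = False
            if not ok:
                problems.append(f"{key}: not an absolute http(s) URL")
    return problems


# Constructed samples. QUOTED is well formed; UNQUOTED_URL leaves the link
# value outside quotes; MISTYPED mixes wrong types, a wrong value, a
# differently cased key and a repeated key.
QUOTED = ('{"PolicyAllowFeatureAnalytics":1, '
          '"PrivacyPolicyLink":"https://www.acme.com/privacypolicy", '
          '"PolicyAllowCrashReporting":true}')
UNQUOTED_URL = ('{"PolicyAllowFeatureAnalytics":1, '
                '"PrivacyPolicyLink":https://www.acme.com/privacypolicy, '
                '"PolicyAllowCrashReporting":true}')
MISTYPED = ('{"DisplayPrivacyDialog": 2, "PolicyAllowFeatureAnalytics": true, '
            '"PolicyAllowCrashReporting": "true", '
            '"policyallowcrashreporting": false, "DisplayPrivacyDialog": 0}')

if __name__ == "__main__":
    for name in ("QUOTED", "UNQUOTED_URL", "MISTYPED"):
        print(name, lint_privacy_settings(globals()[name]))
```

A string value such as "true" for PolicyAllowCrashReporting, or true for an Integer key, is valid JSON, so only a check against the documented value types flags it.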
