Workspace ONE Boxer Deployment

Deploy Workspace ONE Boxer with the Workspace ONE UEM console.

Configuring the Workspace ONE Boxer application involves adding it as a public application and assigning it to end users with the email configurations you set.

Smart Group Based Assignments

Create single or multiple smart group based assignments and deploy different Workspace ONE Boxer email settings specific to a set of users in your organization. An assignment group is a representation of single or multiple smart groups that are assigned the same email configuration.

The deployment of Workspace ONE Boxer to iOS and Android devices is configured in two parts. You must perform both procedures.

  1. Add Workspace ONE Boxer as a public application.
  2. Assign Workspace ONE Boxer to smart groups.

For in-depth instructions on deploying public applications, see the Workspace ONE UEM Online Help topic Public Application Overview.

Note: When you deploy Workspace ONE Boxer as a public app in a PowerShell deployment, you must configure a device access rule on Exchange to allow Workspace ONE Boxer users to access emails. For more information about configuring the device access rule, see the Workaround for Workspace ONE Boxer Flexible Deployment section of the Mobile Email Management (MEM) guide.

Add Workspace ONE Boxer to Public Applications

Add Workspace ONE Boxer as a public application to the UEM console.

Adding applications through an app store enables Workspace ONE UEM to manage applications by your settings in the console.

  1. Navigate to Resources > Apps > Native > List View > Public.

  2. Select Add Application.

  3. Configure the text boxes that display and select Next.

    Option Description
    Managed By View the organization group where the application is uploaded.
    Platform Choose the appropriate platform. Only iOS and Android devices are supported currently.
    Source Select to search for the application in the app store or play store.
    Name Enter “Workspace ONE Boxer”.
  4. Locate and select the Workspace ONE Boxer app in the Search results screen.

  5. Review the information that automatically populates in the Details tab.

  6. Assign Terms of Use, which displays when users first access the application from the App Catalog.

  7. Select Save and Assign.

You can add an assignment now or you can come back and add assignments later.

Assign and Configure Workspace ONE Boxer Using the App Assignment Page

Configure Workspace ONE Boxer using App Policies and Application Configuration (custom KVPs) provided in the Assignment page.

Upload Boxer as a public or an internal application to the Workspace ONE UEM console.

Note: With console 2004 or higher, most of the application configuration values that you previously added manually can now be configured using the settings available in the Email Settings and App Policies assignment pages. You can use the following steps to assign Boxer 5.17 or later using the Workspace ONE UEM console version 2004 or higher. If you are using a console version less than 2004 to assign older versions of Boxer, see Application Configurations for Workspace ONE Boxer.

Screenshot of Workspace ONE Boxer Assignment page on Workspace ONE UEM Console. The Assignment page contains several tabs such as Distribution, Restrictions, Tunnel, and Other Attributes, Application Configuration, Email Settings, and App Policies. These tabs have various settings that are required for configuring Workspace ONE Boxer. Screenshot displays configurations of the Email Settings tab.

  1. Navigate to Resources > Apps > Native > List View > Public.

  2. Select Assign under the Install Status column for Boxer. Alternatively, you can also select the edit icon and then select Save & Assign.

  3. Select Add Assignment in the Assignment window.

    a. In the Distribution tab, enter the following information:

    Settings Description
    Name Enter the name of the assignment.
    Description Enter the description for the assignment.
    Assignment Groups Enter smart groups to receive the Workspace ONE Boxer flexible deployment assignment.
    As you enter the smart group name, options are displayed and you can select the appropriate smart group from the list.
    If necessary, you can add more assignment groups.
    App Delivery Method On Demand – Deploys Boxer to the deployment agent. The device user can decide if and when to install the application.
    Automatic – Deploys Boxer to a deployment Hub on a device upon enrollment. After the device enrolls, the system prompts users to install Boxer on their devices.

    b. In the Restrictions tab, enter the following information:

    Settings Description
    EMM Managed Access Enable adaptive management to set Workspace ONE UEM to manage the device so that the device can access the application. Only the devices that are enrolled in EMM can install the app and receive app policies when you enable this setting.
    Remove on Unenroll When enabled, it removes the application from a device when the device unenrolls using Workspace ONE UEM. Workspace ONE UEM enables this setting by default.
    If you enable this setting, supervised devices are restricted from a silent app installation. This is because the device is locked and the provisioning profile installation is in the command queue which requires a device to be unlocked to complete the installation.
    If you deactivate this setting, provisioning profiles are not pushed with the installed application. That is, if the provisioning profile is updated, the new provisioning profile is not automatically deployed to devices. In such cases, a new version of the application with the new provisioning profile is required.
    Prevent Removal When enabled, the user is not allowed to uninstall the app. This setting requires iOS 14 and later.
    Prevent Application Backup Enable this setting to prevent backing up the application data to iCloud.
    Make App MDM Managed if User Installed Assume management of applications previously installed by users on their devices, whether applications are supervised or unsupervised.
    Enable this feature so that users do not have to delete the application version installed on the device. Workspace ONE UEM manages the application without having to install the Workspace ONE Hub version on the device.
    This setting is not effective if the privacy settings of the console are set to prevent the collection of personal application data.

    c. In the Tunnel & Other Attributes tab, enter the following information:

    Settings Description
    Per App VPN Profile Select the Per-App VPN Profile to configure a VPN at the application level.
    Other Attributes App attributes provide device-specific details for Boxer to use.
    Upload XML You can upload an XML file that contains the key value pairs supported by the application for the app configuration.

    d. In the Application Configuration tab, enter the following information:

    Settings Description
    Send Configuration When enabled, it configures Boxer using the settings provided by the app developer.
    UPLOAD XML You can upload an XML file that contains the key value pairs supported by Boxer.
    ADD You can also manually add the configuration keys, value types, and the look up values.

    e. In the Email Settings, enter the following information:

    Note: To set up Multiple Managed Accounts (MMA), Single Sign-On (SSO) must be configured in the SDK settings.

    Settings Description
    Account Name Enter the Exchange account name.
    Note: If an end user has changed this setting in the Workspace ONE Boxer application, then this setting cannot be modified later by the administrator.
    Exchange ActiveSync Host Enter the EAS server URL. For SEG deployments, enter the SEG URL.
    EWS URL Enter the address of the EWS or SEG endpoint.
    Email Management If you want to associate a Mobile Email Management with the Boxer configuration, you must enter at least one MEM configuration.
    Domain, User, User Display Name, and Email Address Enter the domain name, user name, user display name and email address. By default, the login information includes {EmailDomain}, {EmailUserName}, {FirstName}{LastName} and {EmailAddress} that are defined as lookup values in your directory service. To override these values, use custom lookup values.
    Note: If an end user has changed the User Display Name in the Workspace ONE Boxer application, then this setting cannot be modified later by the administrator.
    Password Enter the password.
    Note: Password field only supports lookup values, not the actual password value.
    Email Signature Enter the email signature.
    Note: If an end user has changed this setting in the Workspace ONE Boxer application, then this setting cannot be modified later by the administrator.
    Authentication
    Modern Authentication Modern Authentication is an OAuth based token authentication method for Office 365. When enabled, you are redirected to the login page for authentication.
    Authentication Type Select one of the following authentication types for end users to authenticate with Exchange Server using the credentials used to log in to Workspace ONE.
    Basic – Authenticates using a user name and a password.
    Certificate – Authenticates using a certificate. Select the desired Certificate Authority and Certificate Template.
    Both – Authenticates using a certificate to authenticate with a network appliance and a password to authenticate with Exchange.
    Certificate-Based Authentication with Modern Authentication (CBA with Modern Authentication) - Workspace ONE Boxer supports certificate-based authentication with Modern Authentication. Boxer supports SCEP. To view the supported certificates, see the Supported Certificate Authorities section.

    Consider a scenario where you have set the certificate as an authentication type without enabling the SSO passcode, and the user deletes and reinstalls the Boxer application. At the time of reinstallation, the user is authenticated automatically because you have configured CBA as the authentication type. Such a scenario can create an attack vector for intruders who have physical access to the device. Without an added authentication challenge, an intruder can gain access to email resources by deleting and reinstalling the Boxer application.
    To avoid such intrusions, Boxer must authenticate users using the Workspace ONE credentials before allowing them to access emails. An alternative solution to requiring Workspace ONE credentials is to enable SSO workflows that restrict intruders from resetting a standalone passcode.

    Specifies number of authentication retries - Specify the number of authentication retries upon failure.
    Sync Maximum Allowed Email Sync Period and Maximum Allowed Calendar Sync Period settings allow administrators to configure how far back (frequency of time) end users can select to sync their email messages and calendar events.

    Default Email Sync Period and Default Calendar Sync Period settings allow administrators to configure the default sync periods when Workspace ONE Boxer is deployed on the end user devices.

    Note: Regardless of the sync period, the maximum number of emails that can be shown in the Inbox at a time is 1500.

    Maximum attachment size limits the file size end users can attach to outgoing emails.
    Note: If an end user has changed this setting in the Workspace ONE Boxer application, then this setting cannot be modified later by the administrator.
    Notifications Configure Email Notification Service (ENS) and its behaviour to provide real-time notification.
    Note: If an end user has changed this setting in the Workspace ONE Boxer application, then this setting cannot be modified later by the administrator.
    Spam & Phishing Reporting Configure the actions to be taken on email identified as spam or as a phishing attack.
    Mobile Flows Configure mobile flows server information with which Boxer can integrate.
    S/MIME Configure S/MIME status.
    Email Classification Activates or deactivates the email classification option.

    AIP Sensitivity Labels - If activated, users can interact with AIP labels.

    Email Classification - Activate or deactivate classification markings.
    Custom Account Configuration Add the key value pairs to apply any account level configurations.

    f. In the App Policies, enter the following information:

    Settings Description
    App Passcode You can set a passcode in the SDK passcode settings. For more information about configuring the SDK passcode, see the Security Policies Profiles for the SDK section in the SDK and Managing Applications documentation at VMware Docs.

    Select the type of passcode for user authentication.
    Numeric - User is presented with a numeric keyboard.
    Alphanumeric - User is presented with an alphanumeric keyboard.
    None - Boxer applies the Exchange passcode policies if present.
    Data Loss Prevention
    Copy Paste If restricted:

    End users cannot copy and paste content from Workspace ONE Boxer to other applications.

    If personal accounts are enabled, end users can copy and paste between personal and work accounts. Therefore, consider deactivating personal accounts to restrict the copy and paste functionality completely.

    Share and define options are made unavailable in the application when selecting text.

    Note: In Workspace ONE Boxer for iOS, the Copy Paste setting can be applied only through the Workspace ONE SDK setting. For more information about this Data Loss Prevention (DLP) SDK setting, see the Security Policies Profiles for the SDK section in the SDK and Managing Applications documentation at VMware Docs.
    Local Calendars Set to true to enable local calendars in Workspace ONE Boxer.
    Personal Contacts If the option is restricted, end users can access contacts only from the email accounts in the app. If unrestricted, end users can access contacts from other apps on the device.
    [iOS] Allows printing Activates or deactivates printing of emails and attachments.
    [iOS] Allow Custom Keyboards Activates or deactivates the use of third-party keyboard.
    [iOS] Restrict unsecured HTTP connections Restricts loading content from unsecured (HTTP) connection.
    Sharing These settings determine whether users can open emails or their attachments in other applications. Based on your requirements, you can specify the allowed applications using the Allow List option or allow sharing in any application.

    NOTE: A similar Allow List option is also available as an SDK Admin setting in the Workspace ONE UEM console. If the option is selected in both Workspace ONE Boxer for iOS and SDK Admin settings and applications are entered in both the lists, then the lists are merged together. For more information about the Allow List feature, see the Security Policies Profiles for the SDK section in the SDK and Managing Applications documentation at VMware Docs.
    Control Open In Activate or deactivate attaching of files from other apps using the open-in or share into Workspace ONE Boxer.
    Control Attachments from external providers Activates or deactivates attachments from external providers (Example- iCloud, Dropbox, Google Drive) using Workspace ONE Boxer.
    Watermark Text Defines the watermark text.
    Watermark Opacity Defines the opacity of the text. You can set any number from 0 through 100.
    Watermark Color Defines the color of the watermark text in hexadecimal format. The default color is blue.
    Personal Accounts If restricted, end users can no longer add any additional accounts to the application.
    If end users already have Workspace ONE Boxer on their device with personal accounts configured, then they are prompted whether they want to remove their existing personal accounts now or later. End users do not receive work email through Workspace ONE Boxer until they remove all personal accounts.
    Internal Domains List Define the domains that are internal or permitted.
    External Recipient Warning Enables the warning when the user enters recipients from external domains. If the domains are configured and the External Recipient Warning is enabled, the ‘Confirm before sending’ setting is unavailable to the users. When the warning is displayed, the user can either accept and return to the Compose email menu or ignore and continue sending the email to external recipients.
    Browser Hyperlinks When restricted, all hyperlinks open only in Workspace ONE Web.
    Browser Exceptions If hyperlinks are restricted in the Console, you can add a list of exceptions for domain or sites to open always in the default browser.
    Usability
    Skip in app tutorial Enable this option to skip the in-app tutorial that appears on the first launch of the application.
    Caller ID Enable to provide Caller ID functionality for all Workspace ONE Boxer contacts.
    By enabling this feature, Workspace ONE Boxer exports names and phone numbers only to the native contacts app.
    Default Caller ID Enable the exporting of contacts, names, and phone numbers by default. This option requires the Caller ID option to be set as unrestricted.
    Enable Avatars Activate or deactivate Avatars.
    Archive Action Allows or blocks the ability to archive emails.
    Conversation Grouping Enables the conversation view to group emails by conversation.
    Enterprise Content Configure Enterprise Content in Boxer.
    Show CallKit Option An iOS setting that requires user interaction to enable CallKit caller ID.
    Left Short Swipe default, Left Long Swipe default, Right Short Swipe Default, and Right Long Swipe Default Define the default swipe actions. Users can customize swipe actions using the options provided in the Workspace ONE Boxer app.
    Support
    Allows Logging Allows users to send logs.
    Support Email Address Enter address to be specified when sending logs through the support menu.
    Allow Crash Reporting By default, Boxer is allowed to report crashes anonymously.
    Advanced
    Forward/Add Attachments Allows the users to add or forward attachments.
    Attachment Download Activates or deactivates downloading and forwarding of attachments.
    Attach Photos Activates or deactivates attaching of images and media files from the photo gallery and camera.
    Plain Text Mode Activates or deactivates the plain text mode of Boxer. If activated, Boxer retrieves only plain text from HTML mails when syncing. Workspace ONE Boxer sends only plain text regardless of the email message format. The formatting controls in the compose view are deactivated and only text can be copied and pasted from rich or HTML content.
    Refetch Empty Links using Mime For emails (fetched using HTML) that contain non-standard URL schemes, pointing to non-server domains, Exchange replaces the URL with two empty spaces. Activate or deactivate this option for Boxer to detect this occurrence and redownload the affected body using MIME, which is not subject to the URL replacement error.
    Disable Key Escrow (Forgot Passcode) Deactivates escrowing of the key to the server. If this feature is deactivated, the forgot password feature is also deactivated.
    Anonymous Metrics Activate this option to allow collection of anonymous usage data to improve user’s Workspace ONE Boxer experience. When activated, a Data Sharing notice is displayed to user when Workspace ONE Boxer is launched. The device user can activate or deactivate data sharing by navigating to Settings > Privacy > Data Sharing.
    QuickJoin custom URLs This activates the QuickJoin button found in calendar invites.
    Application update source Select the source to download Boxer.
    Swift SDK Key Wrapping Only Mode Enable this option to take full advantage of key wrapping security features.
    FastSync Expiry Set the expiration time in hours when Workspace ONE Boxer does not receive FastSync key. FastSync settings are applied when Email Notification Service is enabled and configured.
    Enable FastSync FastSync improves the background syncing and speed of subsequent syncs. FastSync settings are applied when Email Notification Service is enabled and configured.
  4. Select Create.

Flexible Deployment Assignments and Workspace ONE Boxer

Assignment by flexible deployment enables mapping of your email settings to smart groups.

An assignment can contain single or multiple smart groups belonging to an Organization Group. Assignments with same email settings are grouped together. You can choose existing smart groups or create new smart groups from the Assigned Smart Groups field as per your requirement.

If you have multiple email settings that are assigned to different assignment groups, then the most recently created settings get priority. If a device exists in multiple assignment groups that have been configured with different email settings, the device will receive the email settings from the assignment group with the highest priority.

Assign Workspace ONE Boxer with Email Settings

Assign Workspace ONE Boxer to devices with the assignment feature known as flexible deployment. Configure the security and email management features within the assignment procedure so that they meet your organization’s needs.

Important:  If the passcode is set to None, then the Workspace ONE Boxer app is not encrypted. If you do not enforce an app-level passcode, then consider enforcing a device-level passcode using a device profile, which encrypts the iOS device.

  • All attachment security, Data Loss Prevention (DLP), and encryption are handled from within the Workspace ONE Boxer app itself.
  • Enabling DLP > Caller ID settings causes an error if end users have deleted their local address book. See Workaround for Third-Party Address Book – iOS in the Device Management topic for more information.
  • For information on optional application configurations, see Application Configurations for Workspace ONE Boxer.

  • Navigate with one of the following paths.

    • Select Add Assignment in the Assignment window.

      This navigation reflects adding an assignment immediately after adding the application to the public tab of the console.

    • Go to Resources > Apps > Native > List View > Public and select the Assign link under the Install Status column for the Boxer application.

      This navigation reflects adding an assignment later after adding the application to the public tab of the console.

  • Complete the settings on the Email Settings page.

    Settings Description
    Assigned Smart Groups Enter smart groups to receive the Workspace ONE Boxer flexible deployment assignment.
    Is App Restricted to Silent Install (Android) Enable to assign the application to those devices that support the silent install or the silent uninstall capability only.
    Account Name Enter a description of the mail account.
    Exchange ActiveSync Host Enter your EAS server URL. For SEG deployments, enter the SEG URL instead.
    Domain, User, Email Address Enter the login information, including Domain name, user name, and Email Address.
    By default, the login information includes {EmailDomain}, {EmailUserName} and {EmailAddress} that are defined as lookup values in your directory service. If you need to override these values, you can use custom lookup values.
    Password (Android Only) Enter the password to the email account or input the lookup value for pulling the password from the user account.
    Email Signature Specify an email signature to be used in emails that are sent using Workspace ONE Boxer.
    Authentication Type Choose one of the following authentication types for end users to authenticate with Exchange:
    Basic – Authenticates using a user name and a password.
    Certificate – Authenticates using a certificate. Select the desired Certificate Authority and Certificate Template.
    Both – Authenticates using a certificate to authenticate with a network appliance and a password to authenticate with Exchange.
    Modern Authentication - OAuth based token authentication method for Office 365. To set up, see the Modern Authentication section.
    Certificate-Based Authentication with Modern Authentication (CBA with Modern Auth) - Workspace ONE Boxer supports certificate-based authentication with Modern Authentication. Boxer supports SCEP. To view the supported certificates, see the Supported Certificate Authorities section in the On-Premises Certificate Authority admin guide.
    Sync Maximum Allowed Email Sync Period and Maximum Allowed Calendar Sync Period settings allow administrators to configure how far back (frequency of time) end users can select to sync their email messages and calendar events.

    Default Email Sync Period and Default Calendar Sync Period settings allow administrators to configure the default sync periods when Workspace ONE Boxer is deployed on the end user devices.

    Note: Regardless of the sync period, the maximum number of emails that can be shown in the Inbox at a time is 1500.

    Maximum attachment size limits the file size end users can attach to outgoing emails.
    Data Loss Prevention Determine how your end users can access emails, email attachments, and hyperlinks by configuring the following settings.
    Copy Paste If restricted:
    End users cannot copy and paste content from Workspace ONE Boxer to other applications.
    If personal accounts are enabled, end users can copy and paste between personal and work accounts. Therefore, consider deactivating personal accounts to restrict copy and paste functionality completely.

    Share and define options are made unavailable in the application when selecting text.

    Workspace ONE apps share the same clipboard if the SDK settings applied to these apps are similar, irrespective of whether the settings are applied as a default profile for one app and a custom profile for the other.

    Note: In Workspace ONE Boxer for iOS, the Copy Paste setting can be applied only through the Workspace ONE SDK setting. For more information about this Data Loss Prevention (DLP) SDK setting, see the Security Policies Profiles for the SDK section in the SDK and Managing Applications documentation at VMware Docs.
    Screenshots (Android Only) If restricted, Android end users cannot take screenshots of the Workspace ONE Boxer application.
    Screenshots (iOS only) If taking screenshots is deactivated and the user captures a screenshot, a blocker screen is presented to the user.
    Allow Email Widget (Android Only) If enabled, Android end users can add the Workspace ONE Boxer Email widget to their home screens.
    Allow Calendar Widget If enabled, Workspace ONE Boxer end users can add the Workspace ONE Boxer Calendar widget to their home screens.
    Hyperlinks If restricted, end users can only open hyperlinks in Workspace ONE Web.
    Sharing Choose one of the following restrictions based on whether the end user can open emails and their attachments in other applications:

    Preview Only - Set this restriction for end users to preview emails and attachments within Workspace ONE Boxer application only. End users cannot open attachments into any other applications.

    Allow List - Set this restriction and specify bundle IDs of the applications for emails and their attachments to open in those specified applications. The bundle IDs for Content Locker and Evernote are prepopulated.

    Unrestricted - Set this restriction for end users to open emails and attachments in any applications.

    NOTE: A similar Allow List option is also available as an SDK Admin setting in the Workspace ONE UEM console. If the option is selected in both Workspace ONE Boxer for iOS and SDK Admin settings and applications are entered in both the lists, then the lists are merged together. For more information about the Allow List feature, see the Security Policies Profiles for the SDK section in the SDK and Managing Applications documentation at VMware Docs.
    Caller ID Enable to provide Caller ID functionality for all Workspace ONE Boxer contacts.
    By enabling this feature, Workspace ONE Boxer exports names and phone numbers only to the native contacts app.
    Personal and Work Separation You can allow end users to add multiple personal accounts and use local contacts by configuring the following settings on the UEM console.
    Personal Accounts If restricted, end users can no longer add any additional accounts to the application.
    If end users already have Workspace ONE Boxer on their device with personal accounts configured, then they are prompted whether they want to remove their existing personal accounts now or later. End users do not receive work email through Workspace ONE Boxer until they remove all personal accounts.
    Personal Contacts If restricted, end users can access contacts only from the email accounts in the app. If unrestricted, end users can access contacts from other apps on the device.
    Application Configuration You can configure settings for your Workspace ONE Boxer deployment using the Configuration Key and Configuration Value pairs.
    Application configurations are optional.
  • Select Save.

  • If you want to restrict copying and pasting of data from and to the Workspace ONE Boxer and other supported apps, configure these settings at Apps > Settings and Policies > Security Policies > Data Loss Prevention.

    Authentication Type and Single Sign-On must be enabled for these settings to be applied on the end user devices. These restrictions are applied across all supported VMware applications.

    Settings Description
    Enable Copy and Paste Out (iOS only) When deactivated, end users cannot copy and paste content from Workspace ONE Boxer to other applications except Workspace ONE productivity apps.
    Enable Copy and Paste Into When deactivated, end users cannot copy and paste content from applications other than Workspace ONE productivity apps into Workspace ONE Boxer.

    End users can copy or paste content between the Workspace ONE applications which share the SDK settings. These SDK settings can be applied as a default profile for one application and custom profile for the other.

Note:

  • On iOS, the default signature links to the page Workspace ONE® User Zone that provides more information on Workspace ONE Boxer.
  • Boxer does not support SDK’s Integrated Authentication functionality.
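
The following check is an added example, not part of the original documentation or of Workspace ONE UEM. It applies the priority rule for overlapping assignment groups (the most recently created settings win) and then flags the three setting combinations this page warns about: certificate authentication without an SSO passcode, a passcode of None with no device-level passcode, and restricted Copy Paste while personal accounts are allowed. The record fields, finding names, and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# All field names below are hypothetical labels chosen for this example; they
# mirror the console settings described on this page, not a UEM API or export.
@dataclass(frozen=True)
class Assignment:
    name: str
    created: date                    # creation date decides priority
    smart_groups: frozenset          # smart groups in the assignment group
    auth_type: str                   # "Basic", "Certificate", "Both", ...
    sso_passcode: bool               # SSO passcode enabled in the SDK profile
    app_passcode: str                # "Numeric", "Alphanumeric" or "None"
    device_passcode_profile: bool    # device-level passcode profile enforced
    copy_paste_restricted: bool
    personal_accounts_allowed: bool


def effective_assignment(device_groups, assignments):
    """Return the assignment a device receives: among the assignments whose
    smart groups include the device, the most recently created one wins."""
    matching = [a for a in assignments if a.smart_groups & set(device_groups)]
    return max(matching, key=lambda a: a.created, default=None)


def audit(a):
    """Flag the setting combinations this page warns about."""
    findings = []
    # Certificate auth with no SSO passcode: delete-and-reinstall signs the
    # user back in automatically, with no added authentication challenge.
    if a.auth_type.startswith("Certificate") and not a.sso_passcode:
        findings.append("CBA_WITHOUT_SSO_PASSCODE")
    # Passcode "None" leaves the app unencrypted; the page suggests a
    # device-level passcode profile as the fallback.
    if a.app_passcode == "None" and not a.device_passcode_profile:
        findings.append("NO_APP_OR_DEVICE_PASSCODE")
    # Copy Paste restricted, but personal accounts still permit copy and
    # paste between personal and work accounts.
    if a.copy_paste_restricted and a.personal_accounts_allowed:
        findings.append("COPY_PASTE_OPEN_VIA_PERSONAL_ACCOUNTS")
    return findings


def audit_fleet(devices, assignments):
    """Map each device to its effective assignment, the assignments it
    shadows, and the findings on the effective one."""
    report = {}
    for device, groups in devices.items():
        eff = effective_assignment(groups, assignments)
        shadowed = [a.name for a in assignments
                    if a is not eff and a.smart_groups & set(groups)]
        report[device] = {
            "effective": eff.name if eff else None,
            "shadowed": shadowed,
            "findings": audit(eff) if eff else [],
        }
    return report


# Constructed sample data (not from a real console).
ASSIGNMENTS = [
    Assignment("Exec-Hardened", date(2023, 1, 10), frozenset({"Executives"}),
               "Certificate", True, "Alphanumeric", True, True, False),
    Assignment("All-Staff-Default", date(2023, 6, 1), frozenset({"All Employees"}),
               "Certificate", False, "None", False, True, True),
]
DEVICES = {
    "exec-iphone": ["Executives", "All Employees"],  # member of both groups
    "exec-ipad": ["Executives"],
    "lab-phone": ["Contractors"],                    # matches no assignment
}

if __name__ == "__main__":
    for device, row in audit_fleet(DEVICES, ASSIGNMENTS).items():
        print(device, row)
```

In the sample data, the device that belongs to both smart groups receives the newer, weaker assignment, so the hardened assignment created earlier is shadowed for that device.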

Multiple Managed Accounts in Workspace ONE Boxer

Add and configure Multiple Managed Accounts (MMA) to your Workspace ONE Boxer.

A user can have multiple email accounts in different domains based on their business requirements. For example, an employee might have an email account in a parent company and an email account in a subsidiary. These accounts might have different policies and restrictions that are compatible with their respective organizations. Workspace ONE Boxer provides you the ability to manage two additional email accounts with different settings in the same UEM console.

Requirements for Multiple Managed Accounts

  • MMA is only available in Workspace ONE Boxer 5.21 or later versions.
  • To enable MMA in Boxer, you must use Workspace ONE UEM console 2008 or later versions.
  • You must enable and configure Single Sign-On (SSO) on your SDK profile and in Boxer’s App Policies. After you have activated SSO, changing this setting might sometimes cause issues. For example, if the user is already enrolled in Workspace ONE Boxer, the SSO change is not taken into account. To know how to set up SSO for the SDK profile, see the Enforcing Application-Level Single Sign On Passcodes topic in the Android (Legacy) Platform guide.

Multiple Managed Accounts supports the following features in Workspace ONE Boxer.

  • All the functions of Mails, Calendar, and Contacts.
  • S/MIME, Azure Information Protection (AIP), Certificate-based authentication (CBA), Spam, and Phishing reporting.
  • When ENS2 is configured, MMA supports secondary and tertiary account notifications.
  • Email signature and synchronization period.
  • Health Check shows the combined status of all accounts on iOS, whereas on Android it only shows the status of the primary account.
  • S/MIME certificates to sign and encrypt emails when the source is Escrow Gateway.

General Information

  • In addition to your primary email account, you can add two additional managed accounts.
  • Derived Credentials supports only the primary account. Workspace ONE Boxer does not support derived credentials as a source of certificates for the secondary and tertiary accounts.
  • Ensure that you add and configure the PolicyDerivedCredentials key to use PIV-D in Boxer versions older than 5.21.
  • If you have selected the Escrow Gateway for S/MIME certificates in UEM and also added the PolicyDerivedCredentialsSMIME key with a value of 1 or 2, the derived credentials appear after the migration of S/MIME certificate source.
  • VMware Workspace ONE mobile flows are not supported for your additional managed accounts.
  • Two CBA configured accounts belonging to the same domain cannot have the same or different templates that generate certificates with the same UPN (User Principal Name) details.
  • If you use the same S/MIME certificate for multiple accounts, those accounts must have the same revocation policy.
  • In iOS Boxer:
    • MMA support is not available for standalone enrollments.
    • If there are conflicts with account-specific keys, such as PolicySMIMETrustStore and PolicySMIMERevocationCheckUrl, Boxer uses the value of the primary email account.

Configure Multiple Managed Accounts in Workspace ONE Boxer Using Workspace ONE UEM

Configure Workspace ONE Boxer to support up to two additional managed accounts. With console 2004 or higher, the previously combined email and app settings have now been separated and placed into the Email Settings and App Policies pages, allowing you to easily configure settings specific to each account using the Email Settings page and settings specific to the entire app using the App Policies page.
Note: Before you begin configuring the managed accounts, you must upload Workspace ONE Boxer version 5.21 or later as a public application using Workspace ONE UEM console version 2008 or later.

  1. Navigate to Resources > Apps > Native > List View > Public.
  2. Select the Assign link under the Install Status column for the Boxer application. Alternatively, you can also select the edit icon and then select Save & Assign.
  3. On the Assignment screen, select Add Assignment and enter the required information.

    a. In the Distribution tab, enter the following information:

    Settings Description
    Name Enter the assignment name.
    Description Enter the description for the assignment.
    Assignment Groups Enter the smart group name to which you want to assign the application. As you enter the smart group name, options are displayed and you can select the appropriate smart group from the list.
    If necessary, you can add more assignment groups.
    App Delivery Method

    On Demand – Deploys application to the deployment agent. The device user can decide if and when to install the application.

    Auto – Deploys applications to a deployment Hub on a device upon enrollment. After the device enrolls, the system prompts users to install the Boxer application on their devices.

    b. In the Restrictions tab, enter the following information:

    Settings Description
    EMM Managed Access Enable this option to manage access. Only devices enrolled in EMM can install the app and receive policies set by the admin.

    c. In the Tunnel tab, enter the following information:

    Settings Description
    Android or iOS Legacy Select a VPN profile that you want to use for the application. Users access the application using a VPN, which helps ensure that application access and use is trusted and secure.

    d. In the Application Configuration tab, enter the following information:

    Settings Description
    ADD You can also manually add the configuration keys, value types, and the look up value.

    Note: These KVPs are app-level settings and apply across the application. If you want to apply any configuration to a specific email account, you must add the keys to Custom Account Configuration in Email Settings to avoid any disruption.

    e. To add more configurations to your application, select Add.

    Note: Ensure that this KVP applies across the entire app. Any configurations that apply only to a specific email account must be moved to Custom Account Configuration in Email Settings to avoid any disruption.

    f. In the Email Settings, tap + Add, to add additional accounts. If you do not have the + Add option, make sure you are on the Workspace ONE UEM console 2008 or later versions.
    Boxer supports custom attributes in an enrolled user’s advanced tab. It maps these custom attributes for their secondary account. You must configure these attributes in Active Directory so that users do not have to enter the values manually.

    Enter the following information per account level:

    Settings Description
    Account Name Enter the Exchange account name.
    Exchange ActiveSync Host Enter your EAS server URL. For SEG deployments, enter the SEG URL.
    EWS URL Enter the address of the EWS or SEG endpoint.
    Email Management If you want to associate a Mobile Email Management with this Boxer configuration, enter at least one MEM configuration.
    Domain, User, and Email Address Enter the domain name, user name, and email address. By default, the login information includes {EmailDomain}, {EmailUserName} and {EmailAddress} that are defined as lookup values in your directory service. To override these values, use custom lookup values.
    Password Enter the password. Note: Password field only supports lookup values, not the actual password value.
    Email Signature Enter the email signature.
    Authentication Select one of the following authentication types for end users to authenticate with Exchange using the Workspace ONE credentials:

    Basic – Authenticates using a user name and a password.

    Certificate – Authenticates using a certificate. Select the desired Certificate Authority and Certificate Template.

    Both – Authenticates using a certificate with a network appliance and a password to authenticate with Exchange.

    Modern Authentication - OAuth based token authentication method for Office 365. To set up, see the Modern Authentication section.

    Certificate-Based Authentication with Modern Authentication (CBA with Modern Authentication) - Workspace ONE Boxer supports certificate-based authentication with Modern Authentication. Boxer supports SCEP. To view the supported certificates, see section Supported Certificate Authorities.

    Note: Consider a scenario where you have set the certificate as an authentication type without enabling the SSO passcode, and the user deletes and reinstalls the Boxer application. At the time of reinstallation, the user is authenticated automatically because you have configured CBA as the authentication type. Such a scenario can create an attack vector for intruders who have physical access to the device. Without an added authentication challenge, an intruder can gain access to email resources by deleting and reinstalling the Boxer application.
    To avoid such intrusions, Boxer must authenticate users using the Workspace ONE credentials before allowing them to access emails. An alternative to requiring Workspace ONE credentials is to enable SSO workflows that restrict intruders from resetting a standalone passcode.

    Specifies number of authentication retries - specify the number of authentication retries upon failure.
    Sync Maximum Allowed Email Sync Period and Maximum Allowed Calendar Sync Period settings allow administrators to configure how far back (frequency of time) end users can select to sync their email messages and calendar events.

    Default Email Sync Period and Default Calendar Sync Period settings allow administrators to configure the default sync periods when Workspace ONE Boxer is deployed on the end user devices.

    Note: Regardless of the sync period the maximum number of emails which can be shown in the Inbox at a time is 1500.

    Maximum attachment size limits the file size end users can attach to outgoing emails.
    Notifications Enable and configure the Email Notification Service (ENS) to provide a real-time notification.

    ENS2 - Activate or deactivate ENS2.

    Notification Content - Configure what information is disclosed in each incoming email notification alert.
    Spam & Phishing Reporting Activates or deactivates the actions to be taken on email identified as spam or phishing attack.
    Mobile flows Activates or deactivates the mobile flows server information that Boxer can integrate with.
    Note: Workspace ONE mobile flows does not support multiple managed accounts in Boxer.
    S/MIME Activates or deactivates the S/MIME status.
    Email Classification Activates or deactivates the email classification option.

    AIP Sensitivity Labels - If activated, users can interact with AIP labels.

    Email Classification - Activate or deactivate classification markings.

    g. To apply any account level configurations, add the key value pairs in Custom Account Configuration.

    h. Activate or deactivate the following App policies:

    Settings Description
    Data Loss Prevention  
    Copy Paste If restricted:

    End users cannot copy and paste content from Workspace ONE Boxer to other applications.

    If personal accounts are enabled, end users can copy and paste between personal and work accounts. Therefore, consider deactivating personal accounts to restrict the copy and paste functionality completely.

    Share and define options are made unavailable in the application when selecting text.

    Note: In Workspace ONE Boxer for iOS, the Copy Paste setting can be applied only through the Workspace ONE SDK setting. For more information about this Data Loss Prevention (DLP) SDK setting, see the Security Policies Profiles for the SDK section in the SDK and Managing Applications documentation at VMware Docs.
    Screenshots (Android only) Prevent users from taking screenshots from the app.
    Personal Contacts If the option is restricted, end users can access contacts only from the email accounts in the app. If unrestricted, end users can access contacts from other apps on the device.
    Allow calendar and email widget Control whether users can add a Boxer calendar or email widget to their home screen.
    Sharing These settings determine whether users can open emails or their attachments in other applications. Based on your requirements, you can specify the allowed applications using the Allow List option or allow sharing in any application.

    NOTE: A similar Allow List option is also available as an SDK Admin setting in the Workspace ONE UEM console. If the option is selected in both Workspace ONE Boxer for iOS and SDK Admin settings and applications are entered in both the lists, then the lists are merged together. For more information about the Allow List feature, see the Security Policies Profiles for the SDK section in the SDK and Managing Applications documentation at VMware Docs.
    Control Open In Activates or deactivates attaching of files from other apps using open-in or share into Workspace ONE Boxer.
    Control Attachments from external providers Activates or deactivates attachments from external providers.
    Watermark Text, Opacity, color Defines the watermark text.
    Internal Domains List Defines the domain that is internal and permitted.
    External Recipient Warning Notifies the user while sending a message to an external user.
    Attachment Download Activates or deactivates users to download attachments.
    Personal Accounts If restricted, end users can no longer add any additional accounts to the application.
    If end users already have Workspace ONE Boxer on their device with personal accounts configured, then they are prompted whether they want to remove their existing personal accounts now or later. End users do not receive work email through Workspace ONE Boxer until they remove all personal accounts.
    Browser  
    Hyperlinks When restricted, all hyperlinks open in Workspace ONE Web.
    Usability  
    Skip in app tutorial Enable this option to skip the in-app tutorial that appears on the first launch of the application.
    Caller ID Enable to provide Caller ID functionality for all Workspace ONE Boxer contacts.
    By enabling this feature, Workspace ONE Boxer exports names and phone numbers only to the native contacts app.
    Default Caller ID Enable the exporting of contacts, names, and phone numbers by default. This option requires the Caller ID option to be set unrestricted.
    Avatars Activate or deactivate avatars for the Exchange contacts.
    Allow Archiving Emails Allows or blocks the ability to archive emails.
    Conversation Threading Activate or deactivate the conversation threading.
    Enterprise Content Activate or deactivate Enterprise Content.
    Allow End-user to Report Spam Allow users to enable the spam option.
    Support  
    Logging Allows users to send logs.
    Support Email Address Enter address to be specified when sending logs through the support menu.
    Crash Reporting Activate or deactivate reporting of crashes. By default, Boxer can report.
    Advanced  
    Forward/Add Attachments Allows the users to add or forward attachments.
    Attachment Download Activate or deactivate downloading and forwarding of attachments.
    Attach Photos Activate or deactivate attaching of images and media files from the photo gallery and camera.
    Plain Text Mode Activate or deactivate Workspace ONE Boxer plain text mode. When set, Workspace ONE Boxer retrieves only plain text from HTML mails when syncing. Workspace ONE Boxer sends only plain text regardless of the email message format. The formatting controls in the compose view are deactivated and only text can be copied and pasted from rich or HTML content.
    Refetch Empty Links using Mime For emails (fetched using HTML) that contain non-standard URL schemes, pointing to non-server domains, Exchange replaces the URL with two empty spaces. Activate or deactivate this policy to detect the occurrence and redownload the affected body using MIME, which is not subject to the URL replacement error.
    Disable Key Escrow (Forgot Passcode) Deactivates escrowing of the key to the server. If this feature is deactivated, the forgot password feature is also deactivated.
    Anonymous Metrics Enable this option to allow collection of anonymous usage data to improve user’s Workspace ONE Boxer experience. When enabled, a Data Sharing notice is displayed to user when Workspace ONE Boxer is launched. The device user can activate or deactivate data sharing by navigating to Settings > Privacy > Data Sharing.
    QuickJoin custom URLs Activates or deactivates QuickJoin buttons found in calendar invites that have online meeting invites.
    Application update source Select the source to download Boxer.
    Swift SDK Key Wrapping Only Mode Enable this option to take full advantage of key wrapping security features.
    FastSync Expiry Set the expiration time in hours when Workspace ONE Boxer does not receive FastSync key. FastSync settings are applied when Email Notification Service is enabled and configured.
    Enable FastSync FastSync improves the background syncing and speed of subsequent syncs. FastSync settings are applied when Email Notification Service is enabled and configured.
  4. Select Create.
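The constraints stated in the Requirements, General Information, and authentication Note above can be checked before an assignment is created. The following is an added example, not VMware code: the dictionary layout (sso_enabled, accounts, auth, upn, smime_cert, revocation_policy, app_config) is a hypothetical inventory format, not a Workspace ONE UEM export or API schema, and the sample data is constructed.

```python
"""Audit a Boxer assignment description against constraints stated on this page.

All field names below are hypothetical and exist only for this example.
"""
from collections import defaultdict

MAX_ACCOUNTS = 3  # primary account plus two additional managed accounts
# Assumption: these authentication types count as "CBA configured" accounts.
CBA_TYPES = {"Certificate", "Both", "CBA with Modern Authentication"}
# Keys the page describes as account-level (Custom Account Configuration).
ACCOUNT_LEVEL_KEYS = {"ConditionalAccessEnabled"}


def audit_assignment(assignment):
    """Return a sorted list of (finding_id, detail) tuples; empty means clean."""
    findings = []
    accounts = assignment.get("accounts", [])
    sso = bool(assignment.get("sso_enabled"))

    if len(accounts) > MAX_ACCOUNTS:
        findings.append(("TOO_MANY_ACCOUNTS", f"{len(accounts)} accounts configured"))
    if len(accounts) > 1 and not sso:
        findings.append(("MMA_WITHOUT_SSO", "additional accounts require SSO"))

    by_upn = defaultdict(list)   # (domain, upn) -> account names
    by_cert = defaultdict(set)   # S/MIME certificate id -> revocation policies
    for acct in accounts:
        name = acct["name"]
        auth = acct.get("auth")
        # Certificate-only authentication with no SSO passcode: a reinstall
        # re-authenticates silently, which is the scenario in the Note.
        if auth == "Certificate" and not sso:
            findings.append(("CBA_WITHOUT_SSO_PASSCODE", name))
        if auth in CBA_TYPES and acct.get("upn"):
            key = (acct.get("domain", "").lower(), acct["upn"].lower())
            by_upn[key].append(name)
        if acct.get("smime_cert"):
            by_cert[acct["smime_cert"]].add(acct.get("revocation_policy"))

    for (domain, upn), names in by_upn.items():
        if len(names) > 1:
            findings.append(("DUPLICATE_CBA_UPN", f"{upn} in {domain}: {', '.join(names)}"))
    for cert, policies in by_cert.items():
        if len(policies) > 1:
            findings.append(("SMIME_REVOCATION_MISMATCH", cert))
    for key in assignment.get("app_config", {}):
        if key in ACCOUNT_LEVEL_KEYS:
            findings.append(("ACCOUNT_KEY_AT_APP_LEVEL", key))
    return sorted(findings)


# Constructed sample: every value here is invented for the example.
SAMPLE_ASSIGNMENT = {
    "name": "boxer-subsidiary",
    "sso_enabled": False,
    "app_config": {"ConditionalAccessEnabled": True},
    "accounts": [
        {"name": "primary", "auth": "Certificate", "domain": "corp.example",
         "upn": "alice@corp.example", "smime_cert": "CERT-A",
         "revocation_policy": "strict"},
        {"name": "secondary", "auth": "Both", "domain": "corp.example",
         "upn": "Alice@corp.example", "smime_cert": "CERT-A",
         "revocation_policy": "none"},
        {"name": "tertiary", "auth": "Basic", "domain": "sub.example"},
    ],
}

if __name__ == "__main__":
    for finding_id, detail in audit_assignment(SAMPLE_ASSIGNMENT):
        print(f"{finding_id}: {detail}")
```
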

Configure Fingerprint Authentication

Workspace ONE Boxer for Android and iOS supports fingerprint authentication. Configure the authentication method as part of your normal deploy and assign process.

  • Workspace ONE Boxer v4.5 for Android and Workspace ONE Boxer 4.2 for iOS
  • Workspace ONE UEM console v9.0.5+

  • Navigate to Groups & Settings > All Settings > Apps > Settings & Policies > Security Policies.

  • Select Override to override any inherited settings.

  • Set the Authentication Type to Passcode or user name and Password.

    Passcode and Biometrics must be enabled for using the Fingerprint functionality with Workspace ONE Boxer.

  • Expand the Authentication Type settings.

  • Enter a value greater than 0 for Authentication timeout.

  • Set Biometric Mode to Enabled.

  • Select Save at the bottom of the screen.

Configure Custom SDK Profiles

Configure the custom SDK profiles every time customers deploy their own Certificate Authority (CA) and use the Workspace ONE Boxer with Certificate-Based Authentication.

  1. Configure the custom SDK Profiles.

    a. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles and select Add Profiles.

    b. Select SDK Profile.

    c. Select the platform.

    d. Configure the General Settings.

    e. Configure the Credentials.

    f. Select a Certificate Authority.

    g. Save the profile.

  2. Assign Workspace ONE Boxer with Certificate Based Authentication.

    a. Navigate to Apps & Books > Public.

    b. On the List View page, select iOS Workspace ONE Boxer from the list of public apps.

    c. Select Edit.

    d. Navigate to the SDK tab.

    e. Select the custom SDK profile.

    f. Select Save and Assign.

Configure Workspace ONE Boxer with Derived Credentials (PIV-D)

Create and configure an SDK profile with Derived Credential and assign the profile to Boxer. The SDK profile enables Boxer to fetch the Derived Credential certificates from the VMware PIV-D Manager application so that the device can use the certificates to access resources securely.

A Derived Credential is a client certificate that is generated (or issued) on a mobile device after end users prove their identity using their existing smart card (CAC or PIV) during the enrollment process.

When you set the Credential Source as Derived Credential on the Credential payload, Boxer imports the authentication, signing, and encryption certificates from the PIV-D application. The PIV-D certificate is then used to authenticate users against the Exchange Server or to fetch the SMIME certificates for signing and encryption of emails. PIV-D allows certificate authentication even when modern authentication is configured.

  1. Configure the SDK Profile.

    a. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles and select Add Profiles.

    b. Select SDK Profile.

    c. Select the desired Platform.

    d. Configure the profile’s General Settings.

    e. Select the Credentials payload and select Configure.

    f. Set the Credential Source to Derived Credentials.

    g. Select the Key Usage based on how the certificate is used. Select Authentication, Signing, or Encryption.
    To add additional certificates, use the plus sign at the bottom of the profile window.

    h. Select Save and Publish.

  2. Assign the SDK Profile to Boxer.

    a. Navigate to Apps & Books > Native > Public > Add Application and add Boxer.
    If the Boxer application has already been added, you can skip the preceding step.

    b. Select Edit.

    c. Navigate to the SDK tab and set the SDK profile to the one configured with the derived credential source and key usage.

    d. Select Save and Assign.

    e. Create a smart group if you do not have one and modify your assignment.

    f. Under More Email Settings, set the authentication type to Certificate or Both.
    If you are configuring iOS Boxer with modern authentication using the AccountUseOauth key, then you must ensure that the authentication type is set to Basic instead of Certificate or Both. You must also configure a device profile with a Credential payload where the Credential Source is set to Derived Credential and Key Usage type to Authentication. If you have not configured modern authentication on iOS, then you can skip to the next step.

    g. Add a dummy Certificate Authority.

    h. Under the Application Configuration, add the AppForceActivateSSO and the PolicyDerivedCredentials keys.

    NOTE: AppForceActivateSSO is supported in Workspace ONE Boxer for Android only.

    For more information about these configuration keys, see Application Configurations for Workspace ONE Boxer.

    i. Select Add.

Configure Support for Azure Conditional Access Policies in Workspace ONE Boxer

To add support for Azure Conditional Access Policies in Workspace ONE Boxer, Microsoft Azure and Workspace ONE UEM console must be integrated. This integration allows Workspace ONE UEM and Workspace ONE Boxer to read and set the status of the device based on the policies (such as mark the device as compliant or not) and provide end user access to resources such as Office 365 Online Exchange Server.

Configure Microsoft Azure

Microsoft Azure must be configured to allow Workspace ONE UEM console to communicate with the Azure Active Directory services to read and write the end user’s device compliance status. Azure is also configured with the Conditional Access Policies which are applied to Workspace ONE Boxer.

Pre-requisites

Ensure that you have created an Azure tenant with the necessary licenses and applied these licenses to the relevant users of your organization.

Procedure

  1. In the Microsoft Endpoint Manager admin center, navigate to Tenant Administration>Connectors and tokens>Partner compliance management.

  2. Click Add Compliance Partner.

  3. On the Create Compliance Partner page, select VMware Workspace ONE mobile compliance as the compliance partner in the drop-down list.

    Note: If you have the requirement of both Android and iOS platforms, you must create a compliance partner connection for each of the platforms.

  4. Depending on your requirement, select the platform as Android or iOS.

  5. Click Next.

  6. On the Assignments tab, assign the required users to the VMware Workspace ONE mobile compliance partner.

  7. Complete the next set of steps as per the screen prompts.

  8. Navigate to Azure Active Directory>Mobility (MDM and MAM).

  9. Click Add Application.

  10. Select Airwatch by VMware.

  11. Review the Required Permissions for Microsoft Graph and Windows Azure Active Directory.

  12. To accept the permissions for the Airwatch by VMware application, click Add.

    This step ensures that the “Airwatch by VMware” application is added as a mobility MDM application to the Azure tenant.

  13. On the Azure home page, locate the Azure AD Conditional Access service and navigate to the Conditional Access page.

  14. Click Policies.

  15. Click New Policy.

  16. Enter the following on this page:

    a. Enter the name of the policy.

    b. Apply the policy to the required users or group.

    c. Select the Office 365 Exchange Online Server application and apply the policy to this application.

    d. Set up the following conditions:

    i) Depending on your requirement, select the device platform as Android or iOS.

    ii) For Client apps > Modern authentication clients, depending on the platform selected in the previous steps, select the following:

    Platform Modern authentication clients
    Android Mobile apps and desktop clients
    iOS Browser

    e. In Access controls, as per your requirement, select the desired Grant access.

Configure Workspace ONE UEM Console

To activate the Azure Conditional Access policies support in Workspace ONE Boxer, some specific settings are required on the Workspace ONE UEM console when performing the standard configurations. This procedure focuses only on those specific options necessary for this support.

Pre-requisites

  • If you want to activate any newly added application (to the Workspace ONE UEM console) in the Work Profile play store and activate the automatic installation (of the application) on the end user device after the device has successfully enrolled with Workspace ONE Hub, you must register Workspace ONE UEM as your Enterprise Mobility Management (EMM) provider with Google.

    To register, navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration.

  • Ensure that you have added the Workspace ONE Boxer application as a public application to Workspace ONE UEM console.

Procedure

  1. To configure the Azure AD connection on the UEM console, navigate to Groups and Settings>All Settings>System>Enterprise Integration>Directory services.

    a. Enable Azure AD Integration.

    b. Enable Use Azure AD for Identity Services.

    c. In the Azure Active Directory section, follow the instructions as displayed on the UEM console and configure the fields wherever required.

    Make note of the following:

    • Ensure that you paste the MDM discovery URL and MDM Terms of Use URL in the Azure portal (navigate to Azure Active Directory services -> Mobility (MDM and MAM)). You can find instructions on the Workspace ONE UEM console to perform this configuration.

    • Enable Use compliance data in Azure conditional access policies.

    • Enable Use compliance data in Azure conditional access policies for iOS, Android, and macOS.

      For more information about Azure Active Directory configuration options, see the Directory Services Integration documentation at VMware Docs.

  2. For Android, when creating the assignment for Workspace ONE Boxer application, add ConditionalAccessEnabled KVP in the Email Settings.

    This KVP is an account-level KVP.

    a. To enable the KVP, set the KVP value to true.

    By default, the value of this KVP is false.

    b. Complete the rest of the assignment based on your requirements.

    For more information about the KVP, see the Conditional Access Policies section in Application Configurations for Workspace ONE Boxer.

    For more information about assigning and configuring Workspace ONE Boxer using the App Assignment Page and Assign Workspace ONE Boxer with Email Settings, see Boxer Deployment section in the Workspace ONE Boxer Admin Guide.

  3. For Android, add the Microsoft Authenticator as a public application to the Workspace ONE UEM console.

    For more information about adding an application to the Workspace ONE UEM console, see Deploy Public Applications on your Devices section in the Application Lifecycle Management documentation.

  4. If you want the conditional access policies supported on the iOS platform, you must create an SSO extension.

    a. Navigate to Devices>Profiles and Resources>Profiles.

    b. Click Add>Add Profile

    c. Select Apple iOS>Device Profile

    d. Configure Profile General settings.

    e. Select SSO Extension payload.

    f. Configure the profile settings.

    Platform Modern authentication clients Recommended Settings
    Extension Type Select the type of SSO extension for the application.
    If Generic is selected, provide the Bundle ID of the application extension that performs SSO for the specified URLs in the Extension Identifier field.
    If Kerberos is selected, provide the Active Directory Realm and Domains.
    Generic SSO extension type settings.
    Extension Identifier Enter the Team Identifier of the application extension that performs SSO for the specified URLs. As a best practice, you can enter com.microsoft.azureauthenticator.ssoextension.
    Type Select either Credential or Redirect as extension type.
    Credentials extension is used for the challenge/response authentication.
    Redirect extension can use OpenID Connect, OAuth, and SAML authentication.
    It is a best practice to select Redirect as the extension type.
    URLs Enter one or more URL prefixes of identity providers where the application extension performs SSO. As a best practice, you can enter the following:
    https://login.microsoftonline.com
    https://login.windows.net
    https://sts.windows.net
    https://login.microsoft.com
    Additional Settings Enter one or more URL prefixes of identity providers where the application extension performs SSO. As a best practice, you can enter the following: TeamIdentifier SGGM6D27TK

    NOTE: SGGM6D27TK is the identifier for Office apps.

    g. Select Save and Publish.

    h. In the Microsoft Authenticator application, ensure that the sharedDeviceMode configuration key value is false.

    i) Navigate to APPS & BOOKS>Applications>Native>Public or Purchased and select the iOS Microsoft Authenticator application.

    ii) Navigate to the Application Configuration page of the application.

    iii) If the sharedDeviceMode configuration key value is true, set the value to false.

After configuring Microsoft Azure and Workspace ONE UEM console, Conditional Access Policies are now supported for Workspace ONE Boxer. For this feature to get activated for end users using Android, the users must authenticate with their Microsoft credentials in the Authenticator application.

Configuring Privacy Settings for Workspace ONE Boxer

Use the configuration keys in the UEM console to perform additional privacy disclosure and data collection practices. When Workspace ONE Boxer is launched, a privacy notice is displayed to the end users who are upgrading to or using the latest Workspace ONE Boxer version.

The privacy dialog screen lets the user know the following information:

  • Data collected by the app – Provides a summary of data that is collected and processed by the application. Some of this data is visible to the administrators of the Workspace ONE UEM administration console.
  • Device Permissions – Provides a summary of device permissions requested for the app to enable product features and functionality, such as push notifications to the device.
  • Company’s privacy policy – By default, a message is displayed to the user to contact the employer for more information. You can configure the privacy policy URL in the UEM console. Once configured, the user can access the employer’s privacy policy from Workspace ONE Boxer.

Configure Privacy Settings Using SDK Default Settings

Use the SDK default settings to configure privacy settings.

  1. Navigate to Group & Settings>All Settings.

  2. From All Settings, navigate to Apps>Settings & Policies>Settings.

  3. Select Enable Custom Settings and paste the configuration keys as per your requirement.

    For example, to enable Crash reporting, {"PolicyAllowCrashReporting": true}.

  4. Select Save.

Configure Privacy Settings Using a Custom SDK Profile

Use custom SDK profile to configure privacy settings.

  1. Navigate to Group & Settings > All Settings.

  2. If you have an existing custom profile, navigate to Apps > Settings & Policies > Profiles > Custom Profile > Custom Settings.

  3. If you want to add a custom profile, navigate to Apps > Settings & Policies > Profiles > Add Profile > SDK Profile > iOS or Android > Custom Settings.

  4. From Custom Settings, select Configure and paste the following configuration keys as per your requirement.

    Configuration Key Value Type Supported Values Description
    { "DisplayPrivacyDialog" } Integer 0 = deactivated
    1 = activated (default)
    When set to ‘1’ (activated), Workspace ONE Boxer displays a privacy notice to the users about the data that is collected and the permissions that are required on the device for the optimal functioning of the app.
    { "PolicyAllowFeatureAnalytics" } Integer 0 = deactivated
    1 = activated (default)
    When set to ‘1’ (activated), Workspace ONE Boxer displays a notice to the users about the option to opt-in to anonymous feature usage analytics that help VMware improve product functionality and invent new product capabilities. When set to ‘0’, the data sharing notice is not displayed and no data is collected from the device to optimize the app experience. The device user can activate or deactivate data sharing by navigating to Settings > Privacy > Data Sharing.
    { "PolicyAllowCrashReporting" } Boolean True = activated
    False = deactivated
    When set to True, app crashes are reported to VMware.
    { "PrivacyPolicyLink" } String https://www.acme.com Provide the Policy URL that you want your users to visit when Your company’s privacy policy is selected from the Privacy notice.
    Sample SDK configuration: {"PolicyAllowFeatureAnalytics": 1, "PrivacyPolicyLink": "https://www.acme.com/privacypolicy", "PolicyAllowCrashReporting": true}
  5. Select Save.
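Custom settings pasted from a rendered document can carry typographic quotes or an unquoted URL, and either one makes the payload invalid JSON. The following added example (not VMware code) checks a payload against the key types in the table above before it is pasted into the console; requiring an https privacy link is an assumption of this example, and the sample payloads are constructed.

```python
import json
from urllib.parse import urlparse

# Key -> (expected type, allowed values or None), as listed in the table above.
PRIVACY_KEYS = {
    "DisplayPrivacyDialog": (int, {0, 1}),
    "PolicyAllowFeatureAnalytics": (int, {0, 1}),
    "PolicyAllowCrashReporting": (bool, None),
    "PrivacyPolicyLink": (str, None),
}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def validate_custom_settings(text):
    """Return a list of problems; an empty list means the payload passed."""
    if any(ch in text for ch in SMART_QUOTES):
        return ["typographic quotes present; JSON requires straight double quotes"]
    try:
        settings = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(settings, dict):
        return ["top-level value must be a JSON object"]

    problems = []
    for key, value in settings.items():
        if key not in PRIVACY_KEYS:
            problems.append(f"{key}: not one of the privacy keys in the table")
            continue
        expected, allowed = PRIVACY_KEYS[key]
        # bool is a subclass of int in Python, so true/false must be rejected
        # explicitly for the Integer keys.
        wrong_type = (not isinstance(value, expected)
                      or (expected is int and isinstance(value, bool)))
        if wrong_type:
            problems.append(
                f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        elif allowed is not None and value not in allowed:
            problems.append(f"{key}: value {value!r} not in {sorted(allowed)}")
        elif key == "PrivacyPolicyLink":
            url = urlparse(value)
            # Assumption of this example: only absolute https links are accepted.
            if url.scheme != "https" or not url.netloc:
                problems.append("PrivacyPolicyLink: expected an absolute https URL")
    return problems


# Constructed sample payloads.
GOOD = ('{"DisplayPrivacyDialog": 1, "PolicyAllowFeatureAnalytics": 0, '
        '"PolicyAllowCrashReporting": true, '
        '"PrivacyPolicyLink": "https://www.acme.com/privacypolicy"}')
SMART_QUOTED = "{\u201cPolicyAllowCrashReporting\u201d: true}"
UNQUOTED_URL = ('{"PolicyAllowFeatureAnalytics": 1, '
                '"PrivacyPolicyLink": https://www.acme.com/privacypolicy}')
WRONG_TYPES = ('{"DisplayPrivacyDialog": true, "PolicyAllowCrashReporting": 1, '
               '"PolicyAllowFeatureAnalytics": 2}')

if __name__ == "__main__":
    for label, payload in [("good", GOOD), ("smart quotes", SMART_QUOTED),
                           ("unquoted URL", UNQUOTED_URL), ("wrong types", WRONG_TYPES)]:
        print(label, "->", validate_custom_settings(payload) or "OK")
```
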
