Email policies enhance security by restricting access based on the device status and general mail client characteristics. These policies allow for granular control over the devices that are approved for accessing email.

  • Mail client compliance is not supported on Windows Phone.
  • The Sync Settings policy is not applicable for SEG V2 architecture.

General Email Policies

The general email policies used to restrict email access to devices are listed in the following table.

| Email Policy | Description |
|---|---|
| Sync Settings | Prevents the device from syncing with specific EAS folders. Workspace ONE UEM prevents devices from syncing with the selected folders irrespective of other compliance policies. For the policy to take effect, you must republish the EAS profile to the devices as this forces devices to re-sync with the email server. |
| Managed Device | Restricts email access only to managed devices. |
| Mail Client | Restricts email access to a set of mail clients. |
| User | Restricts email access to a set of users based on the email user name. |
| EAS Device Type | Allow or block devices based on the EAS Device Type attribute reported by the end-user device. |

Managed Device Policies

The managed device policies that restrict email access to devices based on factors such as device status, model, and operating system are listed in the following table.

| Email Policy | Description |
|---|---|
| Inactivity | Prevents inactive and managed devices from accessing email. You can specify the number of days a device shows up as inactive before email access is disabled. The minimum accepted value is 1 and the maximum is 32767. |
| Device Compromised | Prevents compromised devices from accessing email. Note that this policy does not block email access for devices that have not reported compromised status to VMware AirWatch. |
| Encryption | Prevents email access for unencrypted devices. Note that this policy is applicable only to devices that have reported data protection status to VMware AirWatch. |
| Model | Restricts email access based on the platform and model of the device. |
| Operating System | Restricts email access to a set of operating systems for specific platforms. |
| Require ActiveSync Profile | Prevents email access for devices whose email is not managed through an Exchange ActiveSync profile. |
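
The reporting caveats in the Device Compromised and Encryption rows mean that a device which never reported a status is not blocked by that policy. The following added example (not Workspace ONE UEM code; the record fields, the sample fleet, and the "at or past the threshold" inactivity comparison are assumptions) models the three checks and lists devices that are allowed only because a status is missing.

```python
from dataclasses import dataclass
from typing import Optional

MIN_DAYS, MAX_DAYS = 1, 32767  # accepted Inactivity range from the table above

@dataclass
class Device:
    """Constructed device record; field names are hypothetical."""
    name: str
    managed: bool
    days_inactive: int
    compromised: Optional[bool]  # None: compromised status never reported
    encrypted: Optional[bool]    # None: data protection status never reported

def evaluate(dev, inactivity_days):
    """Return (decision, notes) for Inactivity, Device Compromised, Encryption."""
    if not MIN_DAYS <= inactivity_days <= MAX_DAYS:
        raise ValueError(f"inactivity_days must be {MIN_DAYS}..{MAX_DAYS}")
    reasons = []
    # Assumption: access is disabled once the threshold is reached.
    if dev.managed and dev.days_inactive >= inactivity_days:
        reasons.append("inactive")
    if dev.compromised is True:
        reasons.append("compromised")
    if dev.encrypted is False:
        reasons.append("unencrypted")
    if reasons:
        return "block", reasons
    # Allowed: note every policy that had no reported status to evaluate.
    gaps = []
    if dev.compromised is None:
        gaps.append("compromised status unreported")
    if dev.encrypted is None:
        gaps.append("data protection status unreported")
    return "allow", gaps

def unverified_allows(fleet, inactivity_days):
    """Map device name -> gaps for devices allowed without a full status report."""
    out = {}
    for dev in fleet:
        decision, notes = evaluate(dev, inactivity_days)
        if decision == "allow" and notes:
            out[dev.name] = notes
    return out

FLEET = [  # constructed sample data
    Device("ios-01", True, 2, False, True),
    Device("android-07", True, 45, False, True),
    Device("android-12", True, 1, None, True),
    Device("win-03", True, 0, False, None),
    Device("ios-09", True, 3, True, False),
]

if __name__ == "__main__":
    print(unverified_allows(FLEET, 30))
```

Devices returned by `unverified_allows` are the ones to follow up on, since their access rests on a missing report rather than a passed check.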

Email Security Policies

The email security policies that take actions against devices accessing attachments and hyperlinks are listed in the following table.

Email Policy Description
Email Security Classification

Define actions for SEG to take against emails with or without security tags. You can either use predefined tags or create your own tags. You can enable restricted access to VMware AirWatch Inbox and Workspace ONE Boxer based on these tags and define the default behavior for other email clients. You can either allow or block emails.

If you choose to block emails, you can replace the email contents with a helpful message using the templates configured at Message Template settings. Select a configured template from the Select Message Template drop-down menu. Lookup values are not supported for the Block Email message template.

Attachments (managed devices)

Encrypt email attachments of selected file types with an encryption key unique to the device-user combination.

These attachments are secured on the device and are only available for viewing in VMware AirWatch Content Locker. This is only possible on managed iOS, Android, and Windows Phone devices with the VMware AirWatch Content Locker application. For other managed devices, you can either allow encrypted attachments, block attachments, or allow unencrypted attachments.

Attachments (unmanaged devices)

Allow encrypted attachments, block attachments, or allow unencrypted attachments for unmanaged devices. Attachments are encrypted for unmanaged devices to prevent data loss and maintain email integrity. The attachments of unmanaged devices cannot be opened in VMware AirWatch Content Locker.

Allow device users to open hyperlinks contained within an email directly with the AirWatch Browser present on the device. The Secure Email Gateway dynamically modifies the hyperlink to open in AirWatch Browser.

The Modification Types are All, Include, and Exclude.

  • All - Allows device users to open all the hyperlinks with AirWatch Browser.
  • Include - Allows device users to open only the hyperlinks for the included domains through AirWatch Browser. Enter the included domains in the Only modify hyperlinks for these domains field. You can also bulk upload the domain names from a .csv file.
  • Exclude - Does not allow device users to open hyperlinks for the excluded domains through AirWatch Browser. Enter the excluded domains in the Modify all hyperlinks except for these domains field. You can also bulk upload the domain names from a .csv file.

Note: Enable the Test Mode option on the Email Dashboard to test the compliance capabilities of the email policies before applying the policies to the devices.