Email policies enhance security by restricting access based on the device status and general mail client characteristics. These policies allow for granular control over the devices that are approved for accessing email.

  • Mail client compliance is not supported on Windows Phone.
  • The Sync Settings policy is not applicable for SEG V2 architecture.

General Email Policies

The general email policies used to restrict email access to devices are:

  • Sync Settings - Prevents the device from syncing with specific EAS folders. Workspace ONE UEM prevents devices from syncing with the selected folders irrespective of other compliance policies.

    For the policy to take effect, you must republish the EAS profile to the devices, as this forces the devices to re-sync with the email server.

  • Managed Device - Restricts email access to managed devices only.
  • Mail Client - Restricts email access to a set of mail clients.
  • User - Restricts email access to a set of users based on the email user name.
  • EAS Device Type - Allows or blocks devices based on the EAS Device Type attribute reported by the end-user device.

Managed Device Policies

The managed device policies that restrict email access based on device status, model, and operating system are:

  • Inactivity - Prevents managed devices that have been inactive from accessing email. You specify the number of days a device must show as inactive before email access is deactivated. The minimum accepted value is 1 and the maximum is 32767.
  • Device Compromised - Prevents compromised devices from accessing email. A device that has not reported a compromised status to the VMware Workspace ONE UEM console is not blocked by this policy.
  • Encryption - Prevents unencrypted devices from accessing email. This policy applies only to devices that have reported their data protection status to the VMware Workspace ONE UEM console; a device that has not reported that status is not blocked by it.
  • Model - Restricts email access based on the platform and model of the device.
  • Operating System - Restricts email access to a set of operating systems for specific platforms.
  • Require ActiveSync Profile - Blocks email access for devices whose email account is not managed through an Exchange ActiveSync profile.
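The two tables above describe a decision rule rather than show it. The following evaluator is an added example written for this page, not Workspace ONE UEM or SEG code: it applies the general and managed-device policies to a device record and returns the reasons a device is allowed or blocked, including the two caveats the tables call out (a device that has never reported compromised or data-protection status is not blocked by those policies) and the 1..32767 range check on Inactivity. It also models the Allowlist/Denylist/Default override and Test Mode described under Perform Actions later on this page. The Device fields, the policy object layout, the rule that status-based policies are only evaluated for managed devices, and the rule that an Operating System list only constrains the platforms it names are assumptions made for the example; the violation names follow the Policy Violation filter values listed on this page except "No ActiveSync Profile", which is invented here.

```python
"""Added example: a small email-policy evaluator (not Workspace ONE UEM code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    identifier: str
    user: str
    managed: bool
    mail_client: str
    eas_device_type: str
    platform: str
    model: str
    os_version: str
    days_inactive: int = 0
    has_eas_profile: bool = False
    # None means the device has never reported this status to the console.
    compromised: Optional[bool] = None
    data_protected: Optional[bool] = None


@dataclass
class EmailPolicies:
    """A policy left at None/False is deactivated and does not affect the result."""
    managed_device: bool = False
    allowed_mail_clients: Optional[set] = None
    allowed_users: Optional[set] = None
    blocked_eas_device_types: set = field(default_factory=set)
    inactivity_days: Optional[int] = None      # accepted range is 1..32767
    device_compromised: bool = False
    encryption: bool = False
    allowed_models: Optional[dict] = None      # platform -> set of models
    allowed_os: Optional[dict] = None          # platform -> set of OS versions
    require_eas_profile: bool = False

    def __post_init__(self):
        if self.inactivity_days is not None and not 1 <= self.inactivity_days <= 32767:
            raise ValueError("Inactivity must be between 1 and 32767 days")


def violations(d: Device, p: EmailPolicies) -> list:
    """Return every policy the device violates; an empty list means compliant."""
    out = []
    # General policies apply to every device that syncs through the SEG.
    if p.managed_device and not d.managed:
        out.append("Not Enrolled")
    if p.allowed_mail_clients is not None and d.mail_client not in p.allowed_mail_clients:
        out.append("Unapproved Mail Client")
    if p.allowed_users is not None and d.user.lower() not in p.allowed_users:
        out.append("Unapproved Email Account")
    if d.eas_device_type in p.blocked_eas_device_types:
        out.append("Unapproved EAS Device Type")
    if p.allowed_models is not None and d.platform in p.allowed_models \
            and d.model not in p.allowed_models[d.platform]:
        out.append("Unapproved Model")
    if p.allowed_os is not None and d.platform in p.allowed_os \
            and d.os_version not in p.allowed_os[d.platform]:
        out.append("Unapproved OS")
    # Status-based policies need data that only an enrolled device reports,
    # so they are evaluated for managed devices only (assumption).
    if d.managed:
        if p.inactivity_days is not None and d.days_inactive >= p.inactivity_days:
            out.append("Device Inactive")
        # A device that never reported compromised status is NOT blocked.
        if p.device_compromised and d.compromised is True:
            out.append("Compromised")
        # Encryption only applies to devices that reported data protection status.
        if p.encryption and d.data_protected is False:
            out.append("Not Data Protected")
        if p.require_eas_profile and not d.has_eas_profile:
            out.append("No ActiveSync Profile")
    return out


def decide(d: Device, p: EmailPolicies, override: str = "Default",
           test_mode: bool = False) -> tuple:
    """Return (status, reasons). An Allowlist or Denylist override wins over the
    policies; Default follows the compliance result. In Test Mode the violations
    are still reported but email access is not blocked."""
    reasons = violations(d, p)
    if override == "Allowlist":
        return "Allowed", ["Override: Allowlist"]
    if override == "Denylist":
        return "Blocked", ["Override: Denylist"]
    if reasons and not test_mode:
        return "Blocked", reasons
    return "Allowed", reasons


# Constructed sample policy set and device records for the example.
POLICIES = EmailPolicies(
    managed_device=True,
    allowed_mail_clients={"Workspace ONE Boxer", "Native iOS Mail"},
    inactivity_days=30,
    device_compromised=True,
    encryption=True,
    allowed_os={"iOS": {"16", "17"}},
)
ENROLLED_OK = Device("A1B2C3", "alice@corp.example", True, "Workspace ONE Boxer",
                     "iPhone", "iOS", "iPhone 14", "17", days_inactive=3,
                     compromised=False, data_protected=True)
SILENT_UNMANAGED = Device("D4E5F6", "bob@corp.example", False, "Outlook",
                          "Outlook", "Android", "Pixel 7", "13")
STALE_JAILBROKEN = Device("G7H8I9", "carol@corp.example", True, "Native iOS Mail",
                          "iPhone", "iOS", "iPhone 12", "16", days_inactive=45,
                          compromised=True, data_protected=None)

if __name__ == "__main__":
    for dev in (ENROLLED_OK, SILENT_UNMANAGED, STALE_JAILBROKEN):
        print(dev.identifier, decide(dev, POLICIES))
```

Note that STALE_JAILBROKEN has data_protected=None: the Encryption policy is active, but because the device has not reported its data protection status that policy contributes no violation, exactly as the table states; it is blocked for inactivity and compromise only.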

Email Security Policies

The email security policies that act on attachments and hyperlinks in email are:

  • Email Security Classification - Defines the actions SEG takes on emails that carry, or lack, security tags. You can use the predefined tags or create your own. Based on these tags you can restrict access for VMware Workspace ONE UEM Inbox and Workspace ONE Boxer and define the default behavior for other email clients: either allow or block the email.

    If you choose to block emails, you can replace the email contents with a helpful message using the templates configured under Message Template settings; select one from the Select Message Template drop-down menu. Lookup values are not supported in the Block Email message template.

  • Attachments (managed devices) - Encrypts email attachments of the selected file types with an encryption key unique to the device-user combination.

    These attachments are secured on the device and can only be viewed in VMware AirWatch Content Locker. This is only possible on managed iOS, Android, and Windows Phone devices with the VMware AirWatch Content Locker application installed. For other managed devices, you can either allow encrypted attachments, block attachments, or allow unencrypted attachments.

  • Attachments (unmanaged devices) - Allows encrypted attachments, blocks attachments, or allows unencrypted attachments for unmanaged devices. Attachments are encrypted for unmanaged devices to prevent data loss and maintain email integrity; attachments delivered to unmanaged devices cannot be opened in VMware AirWatch Content Locker.

  • Hyperlinks - Allows device users to open hyperlinks contained within an email directly in the AirWatch Browser present on the device. The Secure Email Gateway dynamically modifies the hyperlink so that it opens in AirWatch Browser.

    The modification types are All, Include, and Exclude:

    • All - Modifies every hyperlink so that device users open it in AirWatch Browser.
    • Include - Modifies only hyperlinks for the listed domains so that they open in AirWatch Browser. Enter the domains in the Only modify hyperlinks for these domains field; you can also bulk upload the domain names from a .csv file.
    • Exclude - Modifies all hyperlinks except those for the listed domains; hyperlinks to the excluded domains are left unmodified and are not opened through AirWatch Browser. Enter the domains in the Modify all hyperlinks except for these domains field; you can also bulk upload the domain names from a .csv file.
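The attachment policies above rest on one property: the key that protects an attachment is unique to the device-user combination, so a ciphertext copied to another device, or belonging to another user, cannot be opened, and resetting the key (the Update Encryption Key action on the List View, described later on this page) invalidates everything sealed under the old key until the attachments re-sync. The block below is an added example that demonstrates that property, not SEG's own code: it derives per-device-user keys with HKDF-SHA256 (RFC 5869) from a master secret, seals only the file types selected in the policy, and refuses to open a blob under the wrong key. The derivation inputs, the generation counter, the file-type list, the master secret and the stdlib-only encrypt-then-MAC construction (HMAC-SHA256 in counter mode with a separate HMAC tag) are all choices made for this example; SEG's actual algorithms are not documented on this page, and a production implementation would use AES-GCM from a vetted library rather than a hand-assembled mode.

```python
"""Added example: per device-user attachment keys (not SEG code)."""
import hashlib
import hmac
import os

# File types selected in the Attachments policy (constructed for the example).
ENCRYPTED_TYPES = {".pdf", ".docx", ".xlsx"}
# Constructed master secret; in a real deployment this would live in the gateway's key store.
MASTER = b"constructed-master-secret-for-the-example"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def attachment_key(master: bytes, device_id: str, user: str, generation: int = 1) -> bytes:
    """Key unique to the device-user combination. Incrementing the generation
    models the Update Encryption Key action: ciphertexts sealed under the old
    generation no longer open."""
    info = f"seg-attachment|{device_id}|{user.lower()}|{generation}".encode()
    return hkdf_sha256(master, b"attachment-key-v1", info)


def should_encrypt(filename: str) -> bool:
    """Only the selected file types are encrypted; other attachments pass through."""
    return os.path.splitext(filename.lower())[1] in ENCRYPTED_TYPES


def _subkeys(key: bytes):
    # Separate keys for encryption and authentication, derived from the device-user key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC; layout is nonce(16) || ciphertext || tag(32)."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc, nonce, len(data))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key does not match (wrong device,
    wrong user, reset key) or the blob was tampered with."""
    if len(blob) < 48:
        return None
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


if __name__ == "__main__":
    k = attachment_key(MASTER, "dev-1", "alice@corp.example")
    blob = seal(k, b"Q3 report")
    print(open_sealed(k, blob))
    print(open_sealed(attachment_key(MASTER, "dev-2", "alice@corp.example"), blob))
```

The user part of the derivation input is lower-cased so that case differences in the reported address do not silently produce a second key for the same mailbox.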

Note: Activate the Test Mode option on the Email Dashboard to test how the email policies evaluate devices before enforcing the policies on them.
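The Include and Exclude modification types above are only as safe as the domain matching behind them: a list entry such as corp.example must not match corp.example.attacker.net or notcorp.example. The following block is an added example, not SEG code, that loads a bulk-upload .csv of domains, decides per hyperlink whether it is modified under All, Include or Exclude, and rewrites the href values in an HTML body. The rewritten link form (a hypothetical awb://open?url=... scheme), matching of subdomains against a listed domain, and the sample HTML and .csv content are assumptions made for the example; the scheme SEG actually uses to hand a link to AirWatch Browser is not on this page.

```python
"""Added example: hyperlink modification with All/Include/Exclude (not SEG code)."""
import csv
import io
import re
from urllib.parse import quote, urlparse

# Matches href="http(s)://..." and href='http(s)://...' in an HTML body.
HREF_RE = re.compile(r"""href=(["'])(https?://[^"']+)\1""", re.IGNORECASE)


def load_domains(csv_text: str) -> set:
    """Parse a bulk-upload .csv: one domain per row in the first column; blank
    rows, surrounding whitespace and a leading '*.' wildcard are tolerated."""
    domains = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if row and row[0].strip():
            domains.add(row[0].strip().lower().lstrip("*."))
    return domains


def host_matches(host: str, domains) -> bool:
    """True when host is a listed domain or a subdomain of one (assumption).
    Requiring the '.' boundary stops corp.example.attacker.net and
    notcorp.example from matching corp.example."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def should_modify(url: str, mode: str, domains) -> bool:
    host = urlparse(url).hostname or ""
    if mode == "All":
        return True
    if mode == "Include":
        return host_matches(host, domains)
    if mode == "Exclude":
        return not host_matches(host, domains)
    raise ValueError(f"unknown modification type: {mode}")


def to_secure_browser(url: str) -> str:
    """Hypothetical hand-off URL for the secure browser; the original URL is
    percent-encoded in full so it cannot smuggle extra parameters."""
    return "awb://open?url=" + quote(url, safe="")


def rewrite_hyperlinks(html: str, mode: str, domains=()) -> str:
    """Return the body with every href that should_modify selects rewritten;
    all other hyperlinks are left byte-for-byte unchanged."""
    def repl(m):
        q, url = m.group(1), m.group(2)
        if should_modify(url, mode, domains):
            return f"href={q}{to_secure_browser(url)}{q}"
        return m.group(0)
    return HREF_RE.sub(repl, html)


# Constructed sample inputs for the example.
DOMAIN_CSV = "corp.example\n\n  partner.example  \n*.cdn.example\n"
SAMPLE_HTML = (
    '<p><a href="https://intranet.corp.example/doc?id=5">doc</a> '
    '<a href="https://www.attacker.net/corp.example">bait</a> '
    '<a href="http://corp.example.attacker.net/">lookalike</a></p>'
)

if __name__ == "__main__":
    allowed = load_domains(DOMAIN_CSV)
    for mode in ("All", "Include", "Exclude"):
        print(mode, rewrite_hyperlinks(SAMPLE_HTML, mode, allowed))
```

With the sample list, Include rewrites only the intranet link, Exclude rewrites only the two attacker-controlled links, and the lookalike host is treated as foreign in both modes because the match requires a '.' boundary before the listed domain.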

Activate Email Compliance Policy

Email compliance policies help to restrict email access to unmanaged, non-compliant, unencrypted, or inactive devices.

  1. On the UEM console, navigate to Email > Compliance Policies. By default, the policies are deactivated and are denoted by red color under the Active column.

    [Screenshot: Email compliance policies]

  2. Select the gray button under the Active column to activate the compliance policy.

    Depending on the email policy that you want to activate, additional pages appear where you can specify your choices.

  3. Select Save.

    The policy is activated and is denoted by green color under the Active column.

Use the edit policy icon under the Actions column to change what a policy allows or blocks.

Email Dashboard

The Email Dashboard helps you to gain visibility into the email traffic and helps monitor the devices.

Email Dashboard gives you a real-time summary of the status of the devices connected to the email traffic. You can access the Dashboard from Email > Dashboard. From the Email Dashboard, you can access the List View page that helps you to:

  • Allowlist or denylist a device to allow or deny access to email respectively.
  • View the devices that are managed, unmanaged, compliant, non-compliant, blocked, or allowed.
  • View the device details such as OS, Model, Platform, Phone Number, IMEI, IP address.

From the Email Dashboard, you can also use the available graphs to filter your search. For example, if you want to view all the managed devices of that organization group, select the Managed Devices graph to display the results from the List View screen.

[Screenshot: Email dashboard]

List View

The List View page on the UEM console helps you to view all the real-time updates of your end user devices that you are managing with VMware Mobile Email Management (MEM).

The List View page allows you to:

  • View the device or user specific information by switching between the Device and User tabs.
  • Search and narrow down a device using the Filter option.
  • Change the layout to either view the summary or the detailed list of the device or user information based on your requirement.
  • Perform multiple actions on a device, such as running compliance and syncing mailboxes.

Device and User Details

Switch between the Device and User tabs on the List View page to view the information about device and user. The Layout drop-down menu provides the option to display the information as a summary or as a detailed list.

  • Last Request - In SEG integration this column shows the last time a device synced mail.
  • User - The user account name.
  • Friendly Name - The friendly name of the device.
  • MEM Config - The configured MEM deployment that is managing the device.
  • Email Address - The email address of the user account.
  • Identifier - The unique alpha-numeric identification code associated with the device.
  • Mail Client - The email client syncing the emails on the device.
  • Last Command - The command that triggered the last state change of the device; it also populates the Last Request column.
  • Last Gateway Server - The server to which the device connected.
  • Status - The real time status of the device and whether email is blocked or allowed on it as per the defined policy.
  • Reason - The reason code for allowing or blocking email on a device. The reason code displays Global or Individual only when the access state of the email was changed by an entity other than Workspace ONE UEM (for example, an external administrator).
  • Platform, Model, OS, IMEI, EAS Device Type, IP Address - The device information displays in these fields.
  • Mailbox Identity - The location of the user mailbox in the Active Directory.
Note: In the Email Dashboard, an iOS device shows a mailbox record if a native email client is already configured on the device at the time of enrollment, or when an EAS profile is pushed for other email clients. An Android device shows a mailbox record when the device enrolls or when an email client is installed on the enrolled device, with the exception of AirWatch Inbox.

Filters for Quick Search

From here, using the Filter option, you can narrow your device search based on:

  • Last Seen - All, less than 24 hours, 12 hours, 6 hours, 2 hours.
  • Managed - All, Managed, Unmanaged.
  • Allowed - All, Allowed, Blocked.
  • Policy Override - All, Blocked, Approved, Default.
  • Policy Violation - Compromised, Device Inactive, Not Data Protected/Enrolled/MDM Compliant, Unapproved EAS Device Type/Email Account/Mail Client/Model/OS.
  • MEM Config - Filter devices based on the configured MEM deployments.

Perform Actions

The Override, Actions, and Administration drop-down menus provide a single location to perform multiple actions on a device. Note that once performed, these actions cannot be undone.

  • Override

    Select the check box corresponding to a device to perform actions on it.

    • Allowlist - Allows a device to receive emails.
    • Denylist - Blocks a device from receiving emails.
    • Default - Allows or blocks a device based on whether the device is compliant or non compliant.
  • Actions
    • Run Compliance - Triggers the compliance engine to run for the selected MEM configuration.
    • Enable Test Mode - Tests the email policies without applying them to devices. Once activated, a message reading Test Mode Enabled appears on the List View screen. Activating or deactivating Test Mode does not require running the compliance engine.
  • Administration
    • Dx Mode On - Runs the diagnostic for the selected user mailbox.
    • Dx Mode Off - Turns off the diagnostic for the selected user mailbox.
    • Update Encryption Key - Resets the encryption key and re-syncs the emails for the selected devices.
    • Delete Unmanaged Devices - Deletes the selected unmanaged device record from the dashboard. This record may reappear after the next sync.

Configure and Deploy Email Profile

Exchange ActiveSync (EAS) is a communication protocol designed for email, calendar, and contacts synchronization between the email server and mobile devices. Configure the EAS profile on the UEM console so that devices fetch mail through the SEG server instead of connecting directly to the EAS server.

  1. Navigate to the Resources > Profiles & Baselines > Profiles on the UEM console, and then select Add to create a new profile.

    [Screenshot: Add profile screen]

  2. Select a device platform.

    If you are leveraging the SEG for multiple device operating systems, you must create a similar profile for each platform.

  3. Enter the information about the profile on the General tab and assign the profile to the applicable organization groups and smart groups. Keep the assignment type as Auto or Optional.
  4. Select Exchange ActiveSync and select Configure. Configure the following parameters to access corporate mail through the SEG.
    1. Select the Mail Client that your organization intends end users to use from the drop-down menu. For Android Hub 4.2 and above, end users must install the Lotus Notes client manually.
    2. Ensure the Exchange ActiveSync Host is the host name of the SEG server and not the Exchange server. A profile that points at the Exchange server lets devices bypass the SEG and every policy described above.
    3. Use lookup values in the user name and email address fields so that each user receives their own distinct account settings.

      Leave the Password field blank. This prompts the end user to enter a password after the profile is installed on the device.

  5. Click Save and Publish to begin using secure mobile email.

Create additional profiles for each device platform for which you want to provision mobile email.
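Because the profile is created once per platform and then published to every assigned device, a wrong value in step 4 is replicated fleet-wide: an Exchange host instead of the SEG host silently routes every device around the gateway, a filled-in password provisions one shared credential, and a literal user name instead of a lookup value gives every user the same mailbox. The following pre-publish check is an added example, not Workspace ONE UEM code, that validates the EAS payload values from the steps above before Save and Publish. The profile is modelled as a dict whose keys mirror the console labels; the SEG and Exchange host names, the key names, the assignment types, and the sample payloads are assumptions made for the example. It treats any {Name} placeholder as a lookup value, which is the form Workspace ONE UEM lookup values take.

```python
"""Added example: pre-publish check of an EAS profile payload (not Workspace ONE UEM code)."""
import re

# Constructed host names for the example.
SEG_HOST = "seg.corp.example"
EXCHANGE_HOSTS = {"mail.corp.example", "outlook.office365.com"}
# Workspace ONE UEM lookup values are written {Name}; any such placeholder counts.
LOOKUP_VALUE = re.compile(r"\{\w+\}")


def check_eas_payload(payload: dict) -> list:
    """Return the problems that would route devices around the SEG or provision
    one shared account to every user; an empty list means ready to publish."""
    problems = []
    host = payload.get("exchange_activesync_host", "").strip().lower()
    if not host:
        problems.append("Exchange ActiveSync Host is empty")
    elif "://" in host or "/" in host:
        problems.append("Exchange ActiveSync Host must be a bare host name, not a URL")
    elif host in EXCHANGE_HOSTS:
        problems.append("Exchange ActiveSync Host is the Exchange server: devices would bypass the SEG")
    elif host != SEG_HOST:
        problems.append(f"Exchange ActiveSync Host {host!r} is not the SEG server {SEG_HOST!r}")
    if payload.get("password"):
        problems.append("Password must be left blank so each user is prompted on the device")
    for key in ("user_name", "email_address"):
        if not LOOKUP_VALUE.search(payload.get(key, "")):
            problems.append(f"{key} contains no lookup value: every user would get the same value")
    if payload.get("assignment_type") not in ("Auto", "Optional"):
        problems.append("Assignment type must be Auto or Optional")
    return problems


# Constructed sample payloads: one correct, one with the typical mistakes.
GOOD_PROFILE = {
    "platform": "iOS",
    "exchange_activesync_host": "seg.corp.example",
    "user_name": "{EmailUserName}",
    "email_address": "{EmailAddress}",
    "password": "",
    "assignment_type": "Auto",
}
BAD_PROFILE = {
    "platform": "iOS",
    "exchange_activesync_host": "https://mail.corp.example/",
    "user_name": "svc-mail",
    "email_address": "svc-mail@corp.example",
    "password": "Winter2024!",
    "assignment_type": "Compliance",
}

if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, check_eas_payload(profile) or "ready to publish")
```

Run the check once per platform profile, since step 2 requires a separate profile for each operating system and each one can carry its own mistake.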