You can configure ENS2 for an on-premises deployment. This topic explains how to configure various versions of ENS2 in an on-premises environment.

Configuring ENS requires the installation of ENS2, followed by the configuration of Workspace ONE Boxer. If your ENS version is older than 21.04, you must first configure CNS and download the ENS configuration files before installing ENS2 and setting Workspace ONE Boxer for on-premises.


Before installing any version of ENS for your on-premises deployment, ensure that the following prerequisites are met:
  • Assign the db_owner role and public role to the SQL server user that is used for running the application. ENS supports any version of the SQL server. The database option must be selected for the external database and you must set the collation to SQL_Latin1_General_CP1_Cl_AS. For more information on creating the Workspace ONE UEM database, see the Create the Workspace ONE UEM Database topic in the Installing Workspace ONE UEM guide.
  • Set up the SQL Server AlwaysOn for active/active or active/passive setup for the high availability configuration. If you are using AlwaysOn, point to the availability group when selecting the database server during the ENS2 installation. See the Overview of Always On Availability Groups (SQL Server) topic for more information.
  • Ensure that the ENS server certificate is available on the user's Exchange server. For more information, see ENS2 Requirements and Prerequisites.
Note: If your ENS version is 21.04 and later, you can skip the following section and see the Install and Upgrade Email Notification Service 2 section. You must also ensure to allow the CNS server IP addresses. For more information, see the CNS Server IP Allowlist section in the ENS2 Requirements and Prerequisites topic.

Configure CNS and Download Email Notification Service Configuration Files

For ENS versions prior to 21.04, before you install ENS in an on-premise deployment, you must configure the Cloud Notification Service (CNS) and download the configuration .xml file using the Workspace ONE UEM console.


  • Download the CNS public certificate from the CNS Public Certificate.
  • Navigate to the System > Advanced > Secure Channel Certificate and select Download CNS Secure Channel Certificate Installer if the UEM console is on-premises. Open a support ticket with the VMware Support and provide the secure channel certificate file through the support ticket.
Note: To proceed with the ENS2, your console version must be 9.3 or later. If the Download Installer is displayed when your are configuring and downloading the configuration files, then your console version is less than 9.3 and this installer is for the earlier version of ENS. See the VMware Email Notification Service Installation guide for instructions and detailed information.
  1. Select the required Organization Group and navigate to Groups & Settings>All Settings.

  2. From the System column, select Advanced, and then select Site URLs.

  3. Optional: (On-premise UEM console only) From the site URLs values page, select Cloud Notification Service URL and add the
  4. Optional: (On-premise UEM console only) - If the Workspace ONE UEM console is deployed on-premise, then you must upload the CNS certificate.
    1. From the left navigation, select System > Security > SSL Pinning.
    2. Select ADD HOST. In the Add Pinned Host, enter the host as
    3. Select Upload and upload the CNS certificate you downloaded earlier.
  5. From the Settings page, select Email and then select Email Notification.
  6. To enable Email Notification, select Yes and then click Save.

    After the settings are saved, the Download Configuration option is displayed.

  7. Select Download Configuration.
  8. Enter a password in Certificate Password. to download the configuration.
    Note: The password is required to download the configuration and must be provided again during the ENS installation.
  9. Select Confirm Password, reenter the password, and click Download.
  10. Save the archived .xml file to be accessible for the upload during the ENS installation.

Install and Upgrade Email Notification Service 2

To use the Email Notification Service 2 (ENS2), you must install the ENS on an IIS server.


  • Install IIS 7 or later on the Web Server
  • Update ASP.Net to v 4.6.2.
    Note: If your ENS version is older than 21.04, you must download the config.xml file from the Workspace ONE UEM console. See the Configure CNS and Download Email Notification Service Configuration Files section.
  • Ensure that an SSL certificate with a valid hostname is set up on the IIS server. This server should be externally accessible via https (SSL cert) and with a Fully Qualified Domain Name (FQDN).
  • Create a new database and name it appropriately. If you are using SQL Server AlwaysOn, you can create availability group and listeners.
  • The database account user must have privileges to access and modify the database.

To install ENS2:

  1. Download the latest version of ENS2 installer from the Software section of the My Workspace ONE portal.

    My Workspace ONE portal

  2. Run the installer. The InstallShield Wizard opens and displays the License Agreement.
  3. Select the I accept the terms in the license agreement check box and then click Next.

    ENS2 install shield wizard

  4. Click Next to install the components at the default location. If you want to install the components at a custom location, click Change and browse and select your location.

    ENS2 install shield wizard

  5. If you are using ENS version prior to 21.04, perform these steps.
    1. Click Browse and locate the config.xml file and then click Next.
    2. Click Certificate Password text box and enter the certificate password you provided when you downloaded the configuration file from the Workspace ONE UEM console, and then click Next

      ENS2 install shield wizard

  6. (Optional) On the AirWatch CNS Email Proxy Configuration window, provide the following information:
    1. Check Enable CNS Proxy to configure the CNS proxy. Enter the Hostname/IP address and the Proxy Port of the the server.
    2. Select the authentication type:
      • Anonymous - For Anonymous authentication type user name and password is not required.
      • Basic/Windows - Enter User name and Password.
      Airwatch CNS email proxy configuration
  7. Click Next.
  8. (Optional) On the AirWatch Signing Service Proxy Configuration window, provide the AirWatch Signing Service proxy details for configuring the email server.
    1. Select Enable Proxy to configure the AirWatch Signing Service proxy. Enter the Hostname/IP address and the Proxy Port of the the server.
    Airwatch Signing service proxy configuration
  9. Click Next.
  10. Select the target site on the Airwatch IIS configuration window.

    Airwatch IIS configuration

  11. On the Database Server window, enter the following information:
    1. Browse to select the database server where the database is located. Enter the IP address or host name of the server if the server is not listed.
    2. Select Windows authentication or server authentication based on your authentication configuration. If you select server authentication, enter the login ID and password.
    3. Enter the name of the database in the Name of the database catalog text box and click Next.
      • If the database has already been created, browse and select the existing database.
      • If there is no existing database, enter a name for the new database, and the installer will create and publish the database.
      • You can configure using a single database configuration or with SQL AlwaysOn. The following figure shows the single database configuration.
      Single database configuration

      The below diagram shows the configuration using SQL Server AlwaysOn.

      Note: If you are using SQL Server AlwaysOn, you can configure the availability group Listener URL here.
      Database server configuration
  12. Enter the installation token key, on the Authentication Token Information window.
    Note: The following steps do not apply when you are installing ENS version prior to 21.04.

    Authentication token information window

    To generate a token, log in to MyWorkspaceONE and proceed with the following steps:

    1. Navigate to myWorkspaceONE > My Company.
    2. Select Certificate Signing Portal.
    3. Select Authorize Install.
    4. Select Generate a Token.
    5. Copy the token displayed on this page. You can also regenerate the token if required.
    6. Return to the installer and paste the copied token into the Installation Token text box.
  13. Click OK to confirm and then click Install to start the installation.Installation Token window
  14. Click Finish to complete the installation. After the installation is complete, an API token is displayed in a text file.
  15. Copy the API token.
    Note: This API token is required when configuring the Boxer application UEM console. Use this value for the ENSAPIToken field.

Upgrade ENS2

You can upgrade from an older version of ENS2 to the latest version.

You must have the latest version of the installer on your system. Download the latest version of ENS2 installer from the Software section of the My Workspace ONE portal.

The instructions to upgrade to the latest version of ENS2 are the same as the ENS2 installation instructions. See Install and Upgrade Email Notification Service 2 section in the Configure your Email Notification Service for On-Premises Deployment topic.

Configure Workspace ONE Boxer for On-Premises

After you have installed the ENS2, you must configure the ENS2 related settings for Workspace ONE Boxer on the Workspace ONE UEM console.


The API token and ENS2 server URL are required to activate the ENS service using Workspace ONE UEM console.

  1. Select the required organization group.
  2. Select Resources > Apps and then select the Public tab.

    Public applications

  3. Select VMware Boxer.
  4. Select Edit on the upper right corner of the page and then select the Assignment tab.
  5. In the Application Configuration (Optional) section, add the required keys. The details of the required keys to be added are listed in the Configure ENS2 with Application Configuration Values for Boxer topic.
  6. Select Save & Publish and then select Publish on the next page. To verify the settings, see the Verify VMware Boxer Settings section in the Configure your Email Notification Service for Cloud Deployment topic.

Migrate from ENS On-Premises Server to Cloud Server

This section describes the information required to migrate from the ENS on-premises server to the cloud server.

Before your begin, ensure that the cloud ENS can access the Exchange server. For more information, see the Email Notification Service for Cloud section in the Configure your Email Notification Service for Cloud Deployment topic. When you migrate from the on-premise server to the cloud server, you must update the following Boxer profile configuration:

  • Update the ENSLinkAddress to the appropriate cloud URL.

  • Update the ENSAPIToken to the one provided for cloud.

When all the users migrate to the cloud server, ENS on-premise servers can be shut down. During migration, the users can unregister from the on-premise ENS server and migrate to the cloud ENS server.