After the Gmail integration setup is complete, you can manage the connected device email traffic, set email policies, and take appropriate actions on the devices from the UEM console.

Device Discovery

Before you can begin managing a device from the Email Dashboard, the configured MEM must discover the devices enrolled to the organization group. Once integrated with a MEM deployment, devices are discovered in one of the following ways:
  • With EAS profile - Ensure all the managed devices receive the EAS profile.
  • Without EAS profile - Profiles are a must for this type of deployment except while integrating with Directory APIs. Unless the devices are provisioned with the profiles, the configured Gmail deployment cannot identify and subsequently manage the device.
Note: The features available here depend on the type of deployment that you choose.

Device Management with Direct Password Management Integration

The Direct Integration using Password Management deployment does not involve SEG integration, so the Email and Attachment Policies are not applicable.

If using the password retention approach, you can use the compliance policies and the Email Dashboard to manage the devices and view the device status. If you choose not to retain the password, then the email policies are not applicable and the device status is not displayed on the Email Dashboard.

With Password Retention

  • Managed Device Policies

    Activate the following policies from the Email > Compliance Policies page.

    • Inactivity – Allows you to prevent inactive, managed devices from accessing email. You can specify the number of days a device shows up as inactive (that is, does not check in to Workspace ONE), before email access is cut off.
    • Device Compromised – Allows you to prevent compromised devices from accessing email. Note that this policy does not block email access for devices that have not reported compromised status to Workspace ONE.
    • Encryption – Allows you to prevent email access for unencrypted devices. Note that this policy is applicable only to devices that have reported data protection status to Workspace ONE.
    • Model – Allows you to restrict email access based on the Platform and Model of the device.
    • Operating System – Allows you to restrict email access to a set of operating systems for specific platforms.
    • Require ActiveSync Profile - Allows you to restrict email access to devices whose email is managed through an Exchange ActiveSync profile.
  • Email Dashboard

    Access the Email Dashboard page from Email > Dashboard. The Actions drop-down menu provides a single location to perform multiple actions on the device. Select the check box corresponding to a device to perform actions on it.

    • Allowed - Allows a device to receive emails
    • Blocked - Blocks a device from receiving emails
    • Default - Allows or blocks a device based on whether the device is compliant or non-compliant

Without Password Retention

  • Device Compliance Policies

    In this type of deployment, email compliance policies are not applicable. You can only assign the device compliance policies that are available at Devices > Compliance Policies > List View. You can set these policies as 'Remove EAS Profile' to ensure removal of email connectivity once the device is found to be non-compliant.

  • Device Dashboard

    In this type of deployment, Email Dashboard does not display the devices. You can view and manage devices of this deployment through the Device Dashboard available at Devices > Dashboard.

Device Management with Directory APIs Integration

Manage your devices using the email compliance policies that are applicable for Directory APIs configuration. Along with the compliance policies, the Email Dashboard and the List View page also let you effectively manage your corporate devices.

While the Email Dashboard displays the device status, the List View page displays user and device-specific information either in a summarized or detailed manner.

General Policies

  • Managed device – Allow/block unenrolled devices from accessing email.

Managed Device Policies

Note: Workspace ONE does not set access against Google for any devices that enroll while compliance is deactivated, nor change the access state for any previously enrolled devices that change compliance status.

The policies mentioned here can be activated from the Email > Compliance Policies page.

  • Inactivity – Allows you to prevent inactive, managed devices from accessing email. You can specify the number of days a device shows up as inactive (that is, does not check in to Workspace ONE), before email access is cut off.
  • Device Compromised – Allows you to prevent compromised devices from accessing email. Note that this policy does not block email access for devices that have not reported compromised status to Workspace ONE.
Note: Unenrolled devices are blocked by default.
  • Encryption – Allows you to prevent email access for unencrypted devices. Note that this policy is applicable only to devices that have reported data protection status to Workspace ONE.
  • Model – Allows you to restrict email access based on the Platform and Model of the device.
  • Operating System – Allows you to restrict email access to a set of operating systems for specific platforms.
  • Require ActiveSync Profile – Allows you to restrict email access to devices whose email is managed through an Exchange ActiveSync profile.
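
The reporting caveats on the Device Compromised and Encryption policies mean that a device which never reported that status is not blocked by them. The following added example (not VMware code; it models the policies as described above, using a constructed inventory with hypothetical column names) flags devices that keep email access only because a status is unreported.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. The column names are hypothetical and are not
# a Workspace ONE export format. An empty field means "status not reported".
SAMPLE_INVENTORY = """\
device,enrolled,last_check_in,compromised,data_protection
ios-001,yes,2024-05-30T08:00:00+00:00,no,enabled
and-002,yes,2024-05-29T10:00:00+00:00,,enabled
and-003,yes,2024-04-01T10:00:00+00:00,no,
win-004,yes,2024-05-30T09:00:00+00:00,yes,enabled
ios-005,no,,,
"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "now"


def evaluate(row, now, inactivity_days):
    """Return (decision, violations, blind_spots) for one inventory row."""
    if row["enrolled"] != "yes":
        # Assumes the Managed device policy is set to block unenrolled devices.
        return ("blocked", ["unenrolled"], [])
    violations, blind_spots = [], []

    # Inactivity: no check-in for more than the configured number of days.
    # Assumption: a managed device with no recorded check-in counts as inactive.
    last = row["last_check_in"]
    if not last or now - datetime.fromisoformat(last) > timedelta(days=inactivity_days):
        violations.append("inactive")

    # Device Compromised: only a reported compromised status blocks.
    if row["compromised"] == "yes":
        violations.append("compromised")
    elif row["compromised"] == "":
        blind_spots.append("compromised status not reported")

    # Encryption: applies only to devices that reported data protection status.
    if row["data_protection"] == "disabled":
        violations.append("unencrypted")
    elif row["data_protection"] == "":
        blind_spots.append("data protection status not reported")

    return ("blocked" if violations else "allowed", violations, blind_spots)


def audit(inventory_csv, now, inactivity_days=30):
    """Evaluate every device in the CSV text; returns {device: result}."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device"]: evaluate(row, now, inactivity_days) for row in reader}


def allowed_with_blind_spots(results):
    """Devices that keep email access although a status was never reported."""
    return sorted(device for device, (decision, _, gaps) in results.items()
                  if decision == "allowed" and gaps)


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY, SAMPLE_NOW)
    for device, (decision, violations, gaps) in results.items():
        print(device, decision, violations, gaps)
    print("follow up:", allowed_with_blind_spots(results))
```

Devices returned by allowed_with_blind_spots are the ones to follow up on, since neither policy will ever block them until the missing status is reported.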

Email Dashboard

Gain visibility into the email traffic and monitor the devices through the Workspace ONE Email Dashboard. This dashboard gives you a real-time summary of the status of the devices connected to the email traffic. You can access the Dashboard from Email > Dashboard. The email dashboard enables you to perform the following actions:

  • Allowlist or denylist a device to allow or deny email access
  • View the devices which are managed, unmanaged, compliant, non-compliant, blocked, or allowed
  • View the device details such as OS, Model, Platform, Phone Number, IMEI, IP address

From the Dashboard, you can also use the available Graphs to filter your search. For example, if you want to view all the managed devices of that organization group, select the Managed Devices graph. This displays the results in the List View screen.

List View

View all the real-time updates of your end user devices that you are managing with Workspace ONE MEM. You can access the List View from Email > List View. You can view the device or user-specific information by switching between the two tabs: Device and User. You can change the Layout to either view the summary or the detailed list of the information based on your requirement.

The List View screen provides detailed information that includes:

  • Last Request – The last state change of the device. In SEG integration, this column shows the last time a device synced mail.
  • User – The user account name.
  • Friendly Name – The friendly name of the device.
  • MEM Config – The configured MEM deployment that is managing the device.
  • Email Address – The email address of the user account.
  • Identifier – The unique alpha-numeric identification code associated with the device.
  • Mail Client – The email client syncing the emails on the device.
  • Last Command – The command that triggered the last state change of the device and populated the Last Request column.
  • Last Gateway Server – The gateway server to which the device connected.
  • Status – The real-time status of the device and whether email is blocked or allowed on it as per the defined policy.
  • Reason – The reason code for allowing or blocking email on a device.
Note: The reason code displays 'Global' when the access state is defined by the default organization allow/block/quarantine policy. The reason code is 'Individual' when the device ID is explicitly set for a given mailbox by the Exchange admin or Workspace ONE. The reason code is 'Policy' when the device is blocked by any EAS policy.
  • Platform, Model, OS, IMEI, EAS Device Type, IP Address – The device information displays in these fields.
  • Mailbox Identity – The location of the user mailbox in the Active Directory.

Filters for Quick Search

The Filter option is available on the List View page. Using this filter, you can narrow your device search based on:

  • Last Seen – All, less than 24 hours, 12 hours, 6 hours, 2 hours.
  • Managed – All, Managed, Unmanaged.
  • Allowed – All, Allowed, Blocked.
  • Policy Override – All, Blocked, Allowed, Default.
  • Policy Violation – Compromised, Device Inactive, Not data Protected/Enrolled/MDM Compliant, Unapproved EAS Device Type/Email Account/Mail Client/Model/OS.
  • MEM Config – Filter devices based on the configured MEM deployments.

Performing Actions

The Override, Actions, and Administration drop-down menus provide a single location to perform multiple actions on the device.

Note: Once performed, these actions cannot be undone.
  • Override

    Select the check box corresponding to a device to perform actions on it.

    • Allowed – Allows a device to receive emails.
    • Blocked – Blocks a device from receiving emails.
    • Default – Allows or blocks a device based on whether the device is compliant or non-compliant.
  • Actions
    • Run Compliance – Triggers the compliance engine to run for the selected MEM configuration. For any device that has a state change (that is, compliant to non-compliant or conversely), Workspace ONE sends out an Allow/Block command accordingly.
  • Administration
    • Remote Wipe – Resets the device to factory settings.
    • Migrate Devices – Migrates selected device to other chosen MEM configurations by deleting the installed EAS profile and pushing the EAS profile of the chosen configuration on the device.

Testing the email policies before deploying on the devices is a good practice. Workspace ONE recommends using the following method to test the capabilities of these policies before applying them on the devices.

Deactivate the Compliance option available on the Email Policies page during the testing phase. Use separate organization groups to test out policies against a subset of enrollment users who also belong to the Gmail environment.

Device Management with SEG Proxy Integration

Manage your devices with the email compliance policies applicable for SEG Proxy configuration. These compliance policies help you prevent non-compliant, unmanaged, or blocked devices from accessing corporate emails.

Apart from compliance policies, you can also use the Email dashboard and the list view page to effectively manage your corporate devices. You can view the status of the devices using the Email Dashboard and the user-specific or device-specific information using the List View page.

Note: Workspace ONE UEM will not provision passwords for new users, but SEG will continue to proxy the requests for devices that were previously enrolled successfully to Google.

Compliance Policies

The compliance policies mentioned in this section can be activated from the Email > Compliance Policies page.

  • General Email Policies
    • Sync Settings – Prevent the device from syncing with specific EAS folders. Note that Workspace ONE UEM prevents devices from syncing with the selected folders irrespective of other compliance policies. For the policy to take effect, you must republish the EAS profile to the devices (this forces devices to resync with the email server).
    • Managed Device – Restrict email access only to managed devices.
    • Mail Client – Restrict email access to a set of mail clients.
    • User – Restrict email access to a set of users.
    • EAS Device Type – Allow or block devices based on the EAS Device Type attribute reported by the end-user device.
  • Managed Device Policies
    • Inactivity – Allows you to prevent inactive, managed devices from accessing email. You can specify the number of days a device shows up as inactive (that is, does not check in to Workspace ONE UEM), before email access is cut off.
    • Device Compromised – Allows you to prevent compromised devices from accessing email. Note that this policy does not block email access for devices that have not reported compromised status to Workspace ONE UEM.
    • Encryption – Allows you to prevent email access for unencrypted devices. Note that this policy is applicable only to devices that have reported data protection status to Workspace ONE UEM.
    • Model – Allows you to restrict email access based on the Platform and Model of the device.
    • Operating System – Allows you to restrict email access to a set of operating systems for specific platforms.
    • Require ActiveSync Profile - Allows you to restrict email access to devices whose email is managed through an Exchange ActiveSync profile.

  • Email Security Policies
    • Email Security Classification – You may either allow or block the emails on email clients.
    • Attachments (managed devices) – Encrypt email attachments of the selected file types. These attachments are secured on the device and are only available for viewing on the VMware Content Locker. Currently, this feature is only available on managed iOS, Android, and Windows Phone devices with the VMware Content Locker application. For other managed devices, you can choose to either allow encrypted attachments, block attachments, or allow unencrypted attachments.
    • Attachments (unmanaged devices) – Allow encrypted attachments, block attachments, or allow unencrypted attachments for unmanaged devices.
    • Hyperlink – Allow device users to open hyperlinks contained within an email directly with Workspace ONE Web present on the device. The Secure Email Gateway dynamically modifies the hyperlink to open in Workspace ONE Web. You may choose one of the following modification types:
      • All - Choose to open all the hyperlinks with Workspace ONE Web.
      • Include - Choose if you want device users to open only the hyperlinks for specific domains through Workspace ONE Web. Enter the included domains in the Only modify hyperlinks for these domains field. You can bulk upload the domain names from a CSV file as well.
      • Exclude - Choose if you do not want device users to open hyperlinks for specific domains through Workspace ONE Web. Enter the excluded domains in the Modify all hyperlinks except for these domains field. You can bulk upload the domain names from a CSV file as well.

Email Dashboard

Gain visibility into the email traffic and monitor the devices through the Workspace ONE UEM Email Dashboard. This dashboard gives you a real-time summary of the status of the devices connected to the email traffic. You can access the dashboard from Email > Dashboard. The email dashboard enables you to:

  • Allowlist or denylist a device to allow or deny email access
  • View the devices which are managed, unmanaged, compliant, non-compliant, blocked, or allowed
  • View the device details such as OS, Model, Platform, Phone Number, IMEI, IP address

From the Dashboard, you can also use the available Graphs to filter your search. For example, if you want to view all the managed devices of that organization group, select the Managed Devices graph. This displays the results in the List View screen.

List View

View all the real-time updates of your end user devices that you are managing with Workspace ONE UEM. You can access the List View from Email > List View. You can view the device or user-specific information by switching between the two tabs: Device and User. You can change the Layout to either view the summary or the detailed list of the information based on your requirement.

The List View screen provides detailed information that includes:

  • Last Request - In PowerShell integration, this column displays the last state change of the device either from Workspace ONE UEM or from Exchange. In SEG integration, this column shows the last time a device synced mail.
  • User - The user account name.
  • Friendly Name - The friendly name of the device.
  • MEM Config - The configured MEM deployment that is managing the device.
  • Email Address - The email address of the user account.
  • Identifier - The unique alpha-numeric identification code associated with the device.
  • Mail Client - The email client syncing the emails on the device.
  • Last Command - The command that triggered the last state change of the device and populated the Last Request column.
  • Last Gateway Server - The server to which the device connected.
  • Status - The real-time status of the device and whether email is blocked or allowed on it as per the defined policy.
  • Reason - The reason code for allowing or blocking email on a device.
Note: The reason code displays 'Global' when the access state is defined by the default organization allow/block/quarantine policy. The reason code is 'Individual' when the device ID is explicitly set for a given mailbox by the Exchange admin or Workspace ONE UEM. The reason code is 'Policy' when the device is blocked by any EAS policy.
  • Platform, Model, OS, IMEI, EAS Device Type, IP Address - The device information displays in these fields.
  • Mailbox Identity - The location of the user mailbox in the Active Directory.

Filters for Quick Search

The Filter option is available on the List View page. Using this filter, you can narrow your device search based on:

  • Last Seen - All, less than 24 hours, 12 hours, 6 hours, 2 hours.
  • Managed - All, Managed, Unmanaged.
  • Allowed - All, Allowed, Blocked.
  • Policy Override - All, Blocked, Allowed, Default.
  • Policy Violation - Compromised, Device Inactive, Not data Protected/Enrolled/MDM Compliant, Unapproved EAS Device Type/Email Account/Mail Client/Model/OS.
  • MEM Config - Filter devices based on the configured MEM deployments.

Performing Actions

The Override, Actions, and Administration drop-down menus provide a single location to perform multiple actions on the device.

Note: Once performed, these actions cannot be undone.
  • Override

    Select the check box corresponding to a device to perform actions on it.

    • Allowed - Allows a device to receive emails.
    • Blocked - Blocks a device from receiving emails.
    • Default - Allows or blocks a device based on whether the device is compliant or non-compliant.
  • Actions
    • Run Compliance - Triggers the compliance engine to run for the selected MEM configuration. For any device that has a state change (that is, compliant to non-compliant or conversely), Workspace ONE sends out an Allow/Block command accordingly.
    • Test Mode - Tests email policies without applying them on devices.
  • Administration
    • Dx Mode On - Runs the diagnostic for the selected user mailbox providing you the history of the device activity. After enabling this option, Workspace ONE starts recording the activity of the device. This feature is available for SEG only.
    • Dx Mode Off - Turns off the diagnostic for the selected user mailbox. This feature is available for SEG only.
    • Update Encryption Key - Resets the encryption and resyncs the emails for the selected devices. This feature is available for SEG only.
    • Delete Unmanaged Devices - Deletes the selected unmanaged device record from the dashboard. Please note that this record may reappear after the next sync.
    • Migrate Devices - Migrates selected device to other chosen MEM configurations by deleting the installed EAS profile and pushing the EAS profile of the chosen configuration on the device.