Workspace ONE UEM offers two deployment models to protect and manage your email infrastructure: the proxy model and the direct model.
- In the proxy deployment model, a separate server, the Secure Email Gateway (SEG) proxy, sits between the Workspace ONE UEM server and the corporate email server. The SEG filters every request from devices to the email server and relays traffic only from approved devices, so the corporate email server never communicates with the mobile devices directly.
- In the direct deployment model there is no proxy server; Workspace ONE UEM communicates directly with the email servers. The absence of a proxy server simplifies installation and configuration.
Deployment Model | Configuration Mode | Mail Infrastructure |
---|---|---|
Proxy deployment model | Secure Email Gateway (SEG) | Microsoft Exchange 2010/2013/2016, Office 365 |
 | | Microsoft Exchange 2010/2013/2016/2019, Office 365, HCL Domino w/ HCL Notes Traveler, Gmail |
Direct deployment model - PowerShell | PowerShell Model | Microsoft Exchange 2010/2013/2016/2019, Microsoft Office 365 |
Direct deployment model - Gmail | Gmail | Gmail |
Secure Email Gateway Proxy Model
The Secure Email Gateway (SEG) proxy server is a separate server installed in-line with your existing email server to proxy all email traffic going to mobile devices. Based on the settings you define in the UEM console, the SEG makes an allow or block decision for every mobile device it manages.
The SEG filters all communication requests to the corporate email server and relays traffic only from approved devices. The email server is protected because no device ever communicates with it directly; it only sees traffic that the SEG has already authorized.
Install the SEG server in your network so that it is in-line with the corporation's email traffic. You can also install it in a Demilitarized Zone (DMZ) or behind a reverse proxy. You must host the SEG server in your own data center, regardless of whether your Workspace ONE UEM server is in the cloud or on premises.
Direct Deployment PowerShell Model
In the PowerShell model, Workspace ONE UEM acts as a PowerShell administrator and issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny email access based on the policies defined in the UEM console. PowerShell deployments do not require a separate email proxy server, so the installation process is simpler.
PowerShell deployments are for organizations using Microsoft Exchange 2010, 2013, 2016, 2019, or Office 365.
- Workspace ONE UEM server in the cloud and Exchange server on premises - the Workspace ONE UEM server issues the PowerShell commands, and the VMware Enterprise Systems Connector sets up the PowerShell session with the email server.
- Workspace ONE UEM server and email server both on premises - the Workspace ONE UEM server sets up the PowerShell session directly with the email server. No VMware Enterprise Systems Connector is required unless the Workspace ONE UEM server cannot reach the email server directly.
For assistance in choosing between the Secure Email Gateway and PowerShell deployment models, see the Workspace ONE UEM Recommendations section.
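To make concrete what the PowerShell session described above actually does against Exchange, here is an added example; it is not VMware's code and not part of this page. The server name, service account, mailboxes and EAS device IDs are assumptions, and the compliance verdicts are constructed sample input standing in for a UEM compliance run.

```powershell
# Added example, not VMware code: the Exchange Management Shell calls that a MEM
# PowerShell integration issues. Host name, service account, mailboxes and device
# IDs below are assumptions chosen for illustration.

# 1. Open the remote session the UEM server (or the Enterprise Systems Connector,
#    when UEM is in the cloud) opens toward Exchange. Scope the account with a custom
#    RBAC role group holding only the 'Mail Recipients' and 'Organization Client Access'
#    roles; it does not need Organization Management.
function Connect-MemExchange {
    param(
        [string]$ConnectionUri = 'http://exch01.corp.example/PowerShell/', # assumed on-prem server
        [switch]$ExchangeOnline                                           # Office 365 instead
    )
    if ($ExchangeOnline) {
        Import-Module ExchangeOnlineManagement
        Connect-ExchangeOnline -UserPrincipalName 'svc-uem-mem@corp.example' # assumed service account
    } else {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri $ConnectionUri -Authentication Kerberos
        Import-PSSession $session -DisableNameChecking | Out-Null
    }
}

# 2. Fail closed at the organization level. Without this, a device Exchange has never
#    seen syncs by default and the per-mailbox lists below only ever add exceptions.
#    Quarantine rather than Block keeps unknown devices visible for discovery (step 4).
function Set-MemDefaultAccess {
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
}

# 3. One compliance verdict -> one per-mailbox allow/block entry keyed on the EAS DeviceId.
#    The lists are read back and rewritten in full so the call is idempotent and a device
#    can never sit on both lists at once.
function Set-MemDeviceAccess {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)][bool]$Compliant
    )
    $cas     = Get-CASMailbox -Identity $Mailbox
    $allowed = @($cas.ActiveSyncAllowedDeviceIDs | Where-Object { $_ -ne $DeviceId })
    $blocked = @($cas.ActiveSyncBlockedDeviceIDs | Where-Object { $_ -ne $DeviceId })
    if ($Compliant) { $allowed += $DeviceId } else { $blocked += $DeviceId }
    Set-CASMailbox -Identity $Mailbox `
        -ActiveSyncAllowedDeviceIDs $allowed `
        -ActiveSyncBlockedDeviceIDs $blocked
}

# 4. "Discover existing unmanaged devices": every EAS partnership on the mailbox whose
#    DeviceId UEM has not allowed. On Exchange 2010 use Get-ActiveSyncDevice instead.
function Get-MemUnmanagedDevices {
    param([Parameter(Mandatory)][string]$Mailbox)
    $allowed = @((Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs)
    Get-MobileDevice -Mailbox $Mailbox |
        Where-Object { $allowed -notcontains $_.DeviceId } |
        Select-Object DeviceId, DeviceType, DeviceModel, DeviceOS, DeviceAccessState
}

# Usage with constructed sample verdicts standing in for a UEM compliance run.
Connect-MemExchange
Set-MemDefaultAccess
$verdicts = @(
    @{ Mailbox = 'alice@corp.example'; DeviceId = 'ApplF2LXYZ123ABC';  Compliant = $true  },
    @{ Mailbox = 'bob@corp.example';   DeviceId = 'androidc123456789'; Compliant = $false }
)
foreach ($v in $verdicts) { Set-MemDeviceAccess @v }
Get-MemUnmanagedDevices -Mailbox 'alice@corp.example'
```

The important check when reviewing a PowerShell-model deployment is the organization default: per-mailbox allow lists are overrides, so if DefaultAccessLevel is still Allow, a device that UEM has never evaluated syncs freely. The sync and run-compliance times quoted later in this page are the cost of repeating step 3 across every mailbox, which is why the recommendation hands very large deployments to the SEG.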
Direct Gmail Model
Integrate Workspace ONE UEM server with Google.
Organizations using the Gmail infrastructure are familiar with the challenge of securing email endpoints for Gmail and preventing mail from circumventing the secure endpoint. Workspace ONE UEM addresses these challenges by providing a flexible and safe method of integrating your email infrastructure.
In the direct Gmail deployment model, the Workspace ONE UEM server communicates directly with Google. Depending on your security needs, Workspace ONE can manage a user's Google password and thereby control access to the user's mailbox.
API calls to Google Suite - You can customize the attributes used in API calls to Google Suite by specifying an alternate attribute instead of the user's email address. By default, the user's email address is used. For more information on configuring the direct Gmail model, see Integrate Direct Model using Password Management.
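The password-management mechanism above is easier to reason about once you see the API call behind it. The following is an added example, not VMware's code and not part of this page. It assumes an OAuth 2.0 access token for the Admin SDK Directory API (scope https://www.googleapis.com/auth/admin.directory.user) obtained by a service account with domain-wide delegation, the Directory API v1 users endpoint, and a constructed user; the token is read from an environment variable as a placeholder, not a real credential.

```powershell
# Added example, not VMware code: the mechanism behind the direct Gmail model's
# password management. UEM sets a mailbox password that only managed devices receive
# in their mail profile; a device that has not enrolled cannot sync even though the
# user knows their normal sign-in password. Assumed: an OAuth 2.0 access token for the
# scope https://www.googleapis.com/auth/admin.directory.user, obtained by a service
# account with domain-wide delegation, and the Admin SDK Directory API v1 users endpoint.

# Uniform 64-character alphabet, so byte % 64 introduces no modulo bias.
function New-MemMailboxPassword {
    param([int]$Length = 24)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# The userKey may be the primary email, an alias, or the immutable Google user id.
# That choice is the "alternate attribute" the configuration lets you substitute for
# the user's email address.
function Set-MemGoogleMailboxPassword {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$UserKey,
        [Parameter(Mandatory)][string]$Password
    )
    $uri  = 'https://admin.googleapis.com/admin/directory/v1/users/' +
            [uri]::EscapeDataString($UserKey)
    $body = @{ password = $Password; changePasswordAtNextLogin = $false } | ConvertTo-Json
    Invoke-RestMethod -Method Patch -Uri $uri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body $body | Out-Null
}

# Access control is the rotation policy: a compliant device gets the new password
# pushed in its managed mail profile; for a non-compliant device the password is
# rotated and simply not redistributed, which cuts the device off at Google rather
# than at any proxy. Pushing the profile is a UEM action outside this script.
function Invoke-MemGmailAccessDecision {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$UserKey,
        [Parameter(Mandatory)][bool]$Compliant
    )
    $newPassword = New-MemMailboxPassword
    Set-MemGoogleMailboxPassword -AccessToken $AccessToken -UserKey $UserKey -Password $newPassword
    if ($Compliant) {
        return $newPassword   # hand to the UEM profile payload for the managed device
    }
    return $null              # nothing to distribute: the mailbox is now unreachable from the device
}

# Usage with constructed values (the token is a placeholder, not a real credential).
$token = $env:GOOGLE_ADMIN_ACCESS_TOKEN
Invoke-MemGmailAccessDecision -AccessToken $token -UserKey 'alice@corp.example' -Compliant $true
```

Two caveats follow from the mechanism. The rotated password is the only thing keeping an unmanaged device out, so it must be generated from a cryptographic source and never shown to the user; and the delegated service account can reset any user's password, so its key and the UEM server that holds it deserve the same protection as a domain admin credential.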
MEM Deployment Model Matrix
Use the feature matrix below to compare the features available in the different MEM deployment models.
Office 365 requires more configuration for the SEG Proxy model, so Workspace ONE UEM recommends the Direct model for cloud-based email servers. See the Workspace ONE UEM Recommendations section for details.
Symbol | Meaning |
---|---|
✓ | Supported |
□ | Not supported by Workspace ONE UEM |
X | Feature not available |
N/A | Not Applicable |
Feature | SEG Proxy Model: Exchange 2010/2013/2016/2019, Office 365 | SEG Proxy Model: HCL Notes Traveler | SEG Proxy Model: Gmail | Direct Model: Office 365 (PowerShell) | Direct Model: Exchange 2010/2013/2016/2019 (PowerShell) | Direct Model: Gmail |
---|---|---|---|---|---|---|
Email Security Tools - Enforced Security Settings | | | | | | |
Use digital signatures through S/MIME capability | ✓ | □ | □ | ✓ | ✓ | N/A |
Protect sensitive data through forced encryption | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Enforce SSL Security | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Email Attachment & Hyperlinks Security | | | | | | |
Enforce attachments and hyperlinks to open in VMware AirWatch Content Locker or only Workspace ONE Web | ✓ | ✓ | ✓ | X | X | X |
Automatic Email Configuration | | | | | | |
Configure the email over-the-air on device | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Email Access Control | | | | | | |
Block unmanaged devices from accessing email | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Discover existing unmanaged devices | ✓ | ✓ | ✓ | ✓ | ✓ | N/A |
Email access with customizable compliance policies | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Require device encryption for email access | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Prevent compromised devices from email access | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Allow / block email - Mail client | ✓ | ✓ | ✓ | ✓ | ✓ | X |
Allow / block email - User | ✓ | ✓ | ✓ | ✓ | ✓ | X |
Allow / block email - Device model | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Allow / block email - Device OS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Allow / block email - EAS Device type | ✓ | ✓ | ✓ | ✓ | ✓ | X |
Management Visibility | | | | | | |
Email traffic statistics | ✓ | ✓ | ✓ | X | X | X |
Email client statistics | ✓ | ✓ | ✓ | X | X | X |
Certificate Management | | | | | | |
CA Integration / revocation | ✓ | □ | □ | ✓ | ✓ | N/A |
Architecture | | | | | | |
Inline gateway (Proxy) | ✓ | ✓ | ✓ | N/A | N/A | ✓ |
Exchange PowerShell | N/A | N/A | N/A | ✓ | ✓ | N/A |
Password management for Gmail | N/A | N/A | ✓ | N/A | N/A | ✓ |
Directory API Integration for Gmail | N/A | N/A | N/A | N/A | N/A | ✓ |
Supported Mail Clients | | | | | | |
Workspace ONE Boxer for iOS and Android ^ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
iOS Native Email Client | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Android Native Email Client (Gmail) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Android HCL Notes Client * | N/A | ✓ | N/A | N/A | N/A | N/A |
* Email Attachments & Hyperlinks security is not supported on the Android HCL Notes client.
+ Exchange 2003 is not supported.
^ Exchange 2003, Require ActiveSync Profile, and Multi MEM are not supported for Workspace ONE Boxer.
Workspace ONE UEM Recommendations
This section lists the features supported by Workspace ONE UEM and the deployment sizes each model suits. Use the decision matrix to choose the deployment that best fits your needs.
Attachment Encryption
With enforced attachment encryption on your mobile devices, Workspace ONE UEM can help keep your email attachments secure without hindering the end users' experience.
Platform | Native | Traveler | Workspace ONE Boxer |
---|---|---|---|
iOS | ✓ | | |
Android | ✓ | | |
SEG supports attachment encryption and hyperlink transformation on Workspace ONE Boxer only if these features are enabled in the Boxer app configuration on the UEM console. SEG supports attachment encryption with Exchange 2010/2013/2016/2019 and Office 365.
SEG does not encrypt attachments for Workspace ONE Boxer, but DLP can be enforced at the application level.
Email Management
The table below pairs each email infrastructure with the deployment models that give the greatest level of security with the easiest deployment and management.
Email Infrastructure | Gmail | PowerShell ** | Secure Email Gateway (SEG) ^ |
---|---|---|---|
Cloud Mail Infrastructure | | | |
Office 365 | | ✓ | ✓ |
Gmail | ✓ | | ✓ |
On-premises Email Infrastructure | | | |
Exchange 2010 | | ✓ | ✓ |
Exchange 2013 | | ✓ | ✓ |
Exchange 2016 | | ✓ | ✓ |
Exchange 2019 | | ✓ | ✓ |
HCL Notes | | | ✓ |
^ Use the Secure Email Gateway (SEG) for all on-premises email infrastructures with deployments of more than 100,000 devices. For deployments of fewer than 100,000 devices, PowerShell is another option for your email management. Refer to the Secure Email Gateway vs. PowerShell Decision Matrix.
** The threshold for PowerShell implementations is based on the most recent set of completed performance tests and can change from release to release. Deployments of up to 50,000 devices can expect reasonably quick sync and run-compliance times (less than three hours). As the deployment size approaches 100,000 devices, administrators can expect the sync and run-compliance processes to take increasingly longer, in the 3–7 hour range.
Secure Email Gateway vs PowerShell Decision Matrix
The matrix compares the deployment characteristics of SEG and PowerShell to help you choose the deployment that suits your needs.
Deployment | Pros | Cons |
---|---|---|
SEG | | |
PowerShell | | |
Note: Microsoft suggests using Active Directory Federation Services (ADFS) to prevent direct access to Office 365 email accounts.