Workspace ONE UEM offers two types of deployment models to protect and manage your email infrastructure, the proxy model and the direct model.

You can use either of the following email deployment models along with the email policies that you define in the UEM console, to effectively manage your mobile devices.
  • In the proxy deployment model, a separate server called the Secure Email Gateway (SEG) proxy server is placed between the Workspace ONE server and the corporate email server. This proxy server filters all the requests from the devices to the email server and relays the traffic only from the approved devices. This way the corporate email server is protected as it does not directly communicate with the mobile devices.
  • In the direct deployment model, there is no proxy server involved and Workspace ONE UEM communicates directly with the email servers. The absence of proxy server simplifies the installation and configuration steps in this model.
Note: The proxy deployment model has two variants, the Classic and the SEG v2 platforms. The Classic SEG platform is no longer supported as the SEG V2 platform assures improved performance over the Classic platform. The SEG V2 platform can be installed on an existing SEG server with minimal downtime and during an upgrade, no profile changes or end-user interaction is required.
Deployment Model Configuration Mode Mail Infrastructure
Proxy deployment model

Microsoft Exchange 2010/2013/2016

Exchange Office 365

Microsoft Exchange 2010/2013/2016/2019

Exchange Office 365

HCL Domino w/ HCL


Direct deployment model - PowerShell

PowerShell Model

Microsoft Exchange 2010/2013/2016/2019

Microsoft Office 365

Direct deployment model - Gmail

Note: Workspace ONE UEM only supports the versions of third-party email servers currently supported by the email server provider. When the provider deprecates a server version, Workspace ONE UEM will no longer support integration with the deprecated version.

Secure Email Gateway Proxy Model

The Secure Email Gateway (SEG) proxy server is a separate server installed in-line with your existing email server to proxy all email traffic going to mobile devices. Based on the settings you define in the UEM console, the SEG Proxy server allows or block decisions for every mobile device it manages.

The SEG Proxy server filters all communication requests to the corporate email server and relays traffic only from approved devices. This relay protects the corporate email server by not allowing any devices to communicate with it.

Install the SEG server in your network so that it is in-line with the email traffic of the corporation. You can also install it in a Demilitarized Zone (DMZ) or behind a reverse proxy. You must host the SEG server in your data center, regardless of whether your Workspace ONE MDM server is in the cloud or on premises.

SEG cloud and on-premises architecture

Direct Deployment PowerShell Model

In the PowerShell model, Workspace ONE UEM adopts a PowerShell administrator role and issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny email access based on the policies defined in the UEM console. PowerShell deployments do not require a separate email proxy server and the installation process is simpler.

PowerShell deployments are for organizations using Microsoft Exchange 2010, 2013, 2016, 2019, or Office 365.

PowerShell Office 365 deployment model  

There are two ways in which the PowerShell commands are issued depending on where the Workspace ONE UEM server and Exchange server are located:
  • Workspace ONE server is on the cloud and the Exchange server is on premise - Workspace ONE UEM server issues the PowerShell commands. The VMware Enterprise Systems Connector sets up the PowerShell session with the email server.
  • Workspace ONE UEM server and the email server are on premise - Workspace ONE UEM server sets up the PowerShell session directly with the email server. Here, there is no VMware Enterprise Systems Connector server required unless the Workspace ONE UEM server cannot communicate with the email server directly.

PowerShell Microsoft 2010 Exchange model deployed on cloud and on-premises

For assistance in choosing between the Secure Email Gateway and PowerShell deployment models, see the Workspace ONE UEM Recommendations section .

Direct Gmail Model

Integrate Workspace ONE UEM server with Google.

Organizations using the Gmail infrastructure might be familiar with the challenge of securing email endpoints for Gmail and preventing mail from circumventing the secure endpoint. Workspace ONE UEM addresses these challenges by providing a flexible and safe method to integrate your email infrastructure.

In the direct Gmail deployment model, the Workspace ONE UEM server communicates directly with Google. Depending on the security needs, Workspace ONE can manage a user's Google password and control access to the mailbox of the user.

Direct Google deployment model

API calls to Google Suite - You can customize the attributes used in API calls to Google Suite by specifying an alternate attribute instead of the user's email address. By default, the user's email address is used. For more information on how to configure the direct Gmail model, see Integrate Direct Model using Password Management.

MEM Deployment Model Matrix

Use the feature matrix below to compare the features available in the different MEM deployment models.

Office 365 requires more configuration for the SEG Proxy model. Workspace ONE UEM recommends the Direct model of integration for Cloud-based email servers. See the Workspace ONE UEM Recommendations section for details.

Supported Not supported by Workspace ONE UEM
X Feature not available N/A Not Applicable
Table 1. Deployment Matrix
  SEG Proxy Model Direct Model

Exchange 2010/2013/2016/2019 Office 365

HCL Notes Traveler


Office 365(PowerShell)

Exchange 2010/2013/2016/2019



Email Security Tools
Enforced Security Settings

Use digital signatures through S/MIME capability


Protect sensitive data through forced encryption

Enforce SSL Security

Email Attachment & Hyperlinks Security

Enforce attachments and hyperlinks to open in VMware AirWatch Content Locker or only Workspace ONE Web

x x x

Automatic Email Configuration

Configure the email over-the-air on device

Email Access Control

Block unmanaged devices from accessing email

Discover existing unmanaged devices


Email access with customizable compliance policies

Require device encryption for email access

Prevent compromised devices from email access

Allow / block email - Mail client

Email Access Control

Allow / block email - User


Allow / block email - Device model

Allow / block email - Device OS

Allow / block email - EAS Device type

Management Visibility

Email traffic statistics

x x x

Email clients statistics

x x x
Certificate Management

CA Integration / revocation



Inline gateway (Proxy)


Exchange PowerShell


Password management for Gmail

Directory API Integration for Gmail N/A N/A N/A N/A N/A


Workspace ONE Boxer for iOS and Android [^]

iOS Native Email Client

Android Native Email Client (Gmail)

Android HCL Notes Client*


*Email Attachments & Hyperlinks security is not supported on the Android HCL Notes client.

+ Exchange 2003 is not supported

^ Exchange 2003, Require ActiveSync Profile, and Multi MEM are not supported for Workspace ONE Boxer.

Workspace ONE UEM Recommendations

The features supported by Workspace ONE UEM and the suitable deployment sizes are listed in this section. Use the decision matrix to choose the deployment that best suits your need.

Attachment Encryption

With enforced attachment encryption on your mobile devices, Workspace ONE UEM can help keep your email attachments secure without hindering the end users' experience.

  Native Traveler Workspace ONE Boxer
SEG supports attachment encryption and hyperlink transformation on Workspace ONE Boxer, only if these features are enabled for the Boxer app configuration on the UEM console.

SEG supports attachment encryption with Exchange 2010/2013/2016/2019 and Office 365.


SEG does not encrypt attachments for Workspace ONE Boxer, but DLP can be enforced at the application level.

Email Management

The list gives you the greatest level of security with the easiest deployment and management.

Email Infrastructure  Gmail PowerShell Secure Email Gateway (SEG)
Cloud Mail Infrastructure
Office 365  
On-premises Email Infrastructure
Exchange 2010  
Exchange 2013  
Exchange 2016  
Exchange 2019  
HCL Notes    

^Use the Secure Email GatewaySecure Email Gateway (SEG) for all on-premises email infrastructures with deployments of more than 100,000 devices. For deployments of less than 100,000 devices, using PowerShell is another option for your email management. Refer to the Secure Email Gateway vs. PowerShell Decision Matrix.

**The threshold for PowerShell implementations is based on the most recent set of completed performance tests, and can change on a release by release basis. Deployments up to 50,000 devices can expect reasonably quick sync and run compliance time frames (less than three hours). As the deployment size expands closer to 100,000 devices, then administrators can expect the sync and run compliance processes to continue to increase in the 3–7 hour time frame.

Secure Email Gateway vs PowerShell Decision Matrix

The matrix informs you about the deployment features of SEG and PowerShell to help you choose which deployment suits your need.

  Pros Cons
  • Real-Time Compliance
  • Attachment encryption
  • Hyperlink transformation
  • Additional server (s) required
  • No additional on-premises server required for email management
  • Mail traffic is not routed to an on-premises server before being routed to Office 365, so ADFS is not required
  • No real-time compliance sync
  • Not for large deployments (more than 100000)
Microsoft suggests using Active Directory Federated Services (ADFS) for preventing direct access to Office 365 email accounts.