You can migrate your email to a Mobile Email Management (MEM) model using Workspace ONE UEM.

By migrating to one of the following MEM models, you can enforce email access control policies so that email access is provided only to approved users and devices:

  • Secure Email Gateway (SEG)
  • PowerShell
  • Gmail

Migrate to Secure Email Gateway

Email migration to Secure Email Gateway (SEG) enables users to access emails only through the SEG proxy.

Using SEG enforces email access control policies, giving access only to approved users and devices. Attachment encryption policies ensure data security.

  1. Configure SEG at your required organization group under Global in the Workspace ONE UEM console.
  2. Download and install SEG.
  3. Test the SEG functionality using the email compliance policy.
    1. Deactivate all compliance policies temporarily.
    2. Ask all users to enroll their devices into Workspace ONE UEM.
    3. Provision a new email profile (with the SEG server URL as the hostname) to all the enrolled devices.
    4. Periodically, remind users with unmanaged devices to enroll into Workspace ONE UEM.
    5. To block EAS access to the mail server on a specific date, modify firewall (or Threat Management Gateway) rules. This ensures that mobile devices are blocked from accessing the mail server directly.
    6. Enable all compliance policies.
    Note: Existing Webmail, Outlook Web Access (OWA), and other email clients can continue to access the mail server.

Migrate to PowerShell

You can secure your devices and sync the devices with Exchange or Office 365 for emails by migrating to PowerShell.

PowerShell discovers managed and unmanaged devices and, with the help of email access control policies, gives access only to approved users and devices.

  1. Configure PowerShell integration at your required organization group under Global in the Workspace ONE UEM console.
  2. Configure the integration with user groups (either custom or pre-defined).
  3. Test the PowerShell functionality with a subset of users (for example, test users) to ensure the following features work:
    1. Syncing with the email server to discover devices.
    2. Access control in real time.
  4. Deactivate all compliance policies temporarily.
  5. Provision a new email profile for all devices that have enrolled into Workspace ONE UEM, with the email server hostname.
  6. Sync with the email server to discover all devices (managed and unmanaged) that are syncing for email.
  7. Periodically remind users with unmanaged devices to enroll into Workspace ONE UEM.
  8. Activate and enforce compliance rules to block email access from all non-compliant devices, including the unmanaged devices, on a specific date.
  9. Set up the email server to block all devices by default.
Note: The Email dashboard lists unmanaged devices as blocked and managed devices as allowed for email.
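
The pre-cutover check behind steps 6 to 9, as an added PowerShell example (not part of the original page and not VMware's code): it takes the devices discovered on the email server and a list of UEM-managed EAS device IDs, and reports which devices lose access once unmanaged devices are blocked and which users still need an enrollment reminder. The function name, the managed-ID export, and all sample values are assumptions; the property names follow the output of Exchange's Get-MobileDevice cmdlet.

```powershell
# Added example: impact report to review before blocking unmanaged devices.
# Get-CutoverImpact and the managed-ID list are hypothetical; sample data is constructed.
function Get-CutoverImpact {
    param(
        [Parameter(Mandatory)] [object[]] $DiscoveredDevices,   # devices syncing for email
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [string[]] $ManagedDeviceIds                            # EAS device IDs enrolled in UEM
    )
    # EAS device IDs are compared case-insensitively to avoid false "unmanaged" results.
    $managed = [System.Collections.Generic.HashSet[string]]::new(
        $ManagedDeviceIds, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($d in $DiscoveredDevices) {
        $isManaged = $managed.Contains([string]$d.DeviceId)
        [pscustomobject]@{
            User         = $d.UserDisplayName
            DeviceId     = $d.DeviceId
            CurrentState = $d.DeviceAccessState
            Managed      = $isManaged
            AfterCutover = if ($isManaged) { 'Allowed' } else { 'Blocked' }
        }
    }
}

# Constructed sample input, shaped like Get-MobileDevice output.
$discovered = @(
    [pscustomobject]@{ UserDisplayName = 'Test User A'; DeviceId = 'CONSTRUCTED0001'; DeviceAccessState = 'Allowed' }
    [pscustomobject]@{ UserDisplayName = 'Test User A'; DeviceId = 'CONSTRUCTED0002'; DeviceAccessState = 'Allowed' }
    [pscustomobject]@{ UserDisplayName = 'Test User B'; DeviceId = 'CONSTRUCTED0003'; DeviceAccessState = 'Allowed' }
    [pscustomobject]@{ UserDisplayName = 'Test User C'; DeviceId = 'CONSTRUCTED0004'; DeviceAccessState = 'Quarantined' }
)
$managedIds = @('constructed0001', 'CONSTRUCTED0003')   # constructed; note the case difference

$report = Get-CutoverImpact -DiscoveredDevices $discovered -ManagedDeviceIds $managedIds
$report | Format-Table -AutoSize

# Step 7: users who still have unmanaged devices and need an enrollment reminder.
$report | Where-Object { -not $_.Managed } |
    Group-Object User |
    Select-Object @{ n = 'User'; e = { $_.Name } }, @{ n = 'UnmanagedDevices'; e = { $_.Count } }

# With a connected Exchange management session (assumption), real input would be:
#   $discovered = Get-MobileDevice -ResultSize Unlimited
# Step 9 on Exchange, only once the report shows no unexpected 'Blocked' rows:
#   Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
```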

Integrate Gmail With Workspace ONE UEM

By migrating to Gmail, you can sync your devices with the Gmail server. You can integrate your Gmail with or without a Secure Email Gateway (SEG) or directly with the Directory APIs.

  1. Enable the Single Sign On (SSO) option on Gmail or create the Service Account certificate.
  2. Configure the Gmail integration from the Workspace ONE UEM console using the MEM configuration wizard.
  3. Provision EAS profiles to users with the new randomized password. Devices that do not receive this profile are automatically blocked from accessing Gmail.

Migrate Devices

You can migrate devices across organization groups and MEM deployments using Workspace ONE UEM.

  1. In the Workspace ONE UEM console, navigate to Email Dashboard.
  2. Filter the managed devices that are under your present MEM deployment.
  3. In the List View page, select all the devices and select Administration > Migrate Devices from the drop-down menu.
  4. On the Migrate Devices Confirmation page, enter the given key code to confirm the migration and select the configuration to which you want to deploy the devices.
  5. Click Continue.


After completing the above steps, Workspace ONE UEM automatically removes the earlier Exchange ActiveSync (EAS) profile and pushes the new EAS profile with the target deployment group. The device then connects to its new deployment group. The updated MEM configuration name for the device is displayed on the Email Dashboard.