Email policies enhance security by restricting email access to non-compliant, unencrypted, inactive, or unmanaged devices. These policies allow you to provide email access to only the required and approved devices. Email policies also restrict email access based on the device model and the operating systems.

These policies are available from Email > Compliance Policies in the UEM console. Activate or deactivate the policies using the colored buttons under the Active column. Use the edit policy icon under the Actions column to allow or block a policy.

To restrict access to unmanaged devices even when there are no compliance policies set, Workspace ONE UEM issues allow and block commands upon device enrollment and unenrollment. If you want to prevent Workspace ONE UEM from issuing these automatic commands, you can select Disable Compliance on the Email > Compliance Policies page of the UEM console.

General Email Policies

Email Policy Description
Managed Device Restrict email access only to managed devices.
Mail Client Restrict email access to a set of mail clients.
User Restrict email access to a set of users.
EAS Device Type Allow or block devices based on the EAS Device Type attribute reported by the end-user device.

Managed Device Policies

Managed Device Policy Description
Inactivity Allows you to prevent inactive, managed devices from accessing email. You can specify the number of days a device shows up as inactive (that is. does not check in to AirWatch), before email access is cut off.
Device Compromised Allows you to prevent compromised devices from accessing email. Note, this policy does not block email access for devices that have not reported compromised status to AirWatch.
Encryption Allows you to prevent email access for unencrypted devices. Note, this policy is applicable only to devices that have reported data protection status to AirWatch.
Model Allows you to restrict email access based on the Platform and Model of the device.
Operating System Allows you to restrict email access to a set of operating systems for specific platforms.
Require ActiveSync Profile Allows you to restrict email access to devices whose email is managed through an Exchange ActiveSync profile.
Important: Mail Client, EAS Device Type, and Inactivity policies require a PowerShell sync before they can be used, as the data is obtained only from Exchange.

Testing Email Policies

Testing the email policies before deploying on the devices is a good practice. Test the capabilities of these policies before applying them on the devices.

Disable the Compliance option available on the Email Policies page during the testing phase. Use a separate organization group to test out policies against a subset user using the user group filter available in the configuration wizard.

Note the compliance option when disabled prevents Workspace ONE UEM from running any automatic PowerShell Cmdlets based on the compliance status in AirWatch. If the default access state for a mailbox is set to Blocked or Quarantined, then that status does not change for devices upon enrollment to Workspace ONE UEM if compliance is disabled.