You can manage emails for mobile devices connected to the Exchange server. Email management through PowerShell involves syncing of mailboxes and applying email policies for enrolled devices.
- To pull in all devices having an EAS partnership, sync all mailboxes (from the Workspace ONE UEM Email Dashboard) with Exchange.
- Allow devices to begin enrollments and continue to sync daily to check for devices that convert from Unmanaged to Managed status.
- At any point, choose to create and apply a Workspace ONE UEM Email Policy (refer to Email Security Policies) to block unmanaged devices.
Note: For migration from SEG deployments to PowerShell deployments, work with your Workspace ONE UEM contact to identify an optimum solution for your enterprise.
Email Security Policies for PowerShell Integration
Email policies enhance security by restricting email access to non-compliant, unencrypted, inactive, or unmanaged devices. These policies allow you to provide email access to only the required and approved devices. Email policies also restrict email access based on the device model and the operating systems.
These policies are available from Email > Compliance Policies in the UEM console. Activate or deactivate the policies using the colored buttons under the Active column. Use the edit policy icon under the Actions column to allow or block a policy.
To restrict access to unmanaged devices even when there are no compliance policies set, Workspace ONE UEM issues allow and block commands upon device enrollment and unenrollment.
General Email Policies
|Managed Device||Restrict email access only to managed devices.|
|Mail Client||Restrict email access to a set of mail clients.|
|User||Restrict email access to a set of users.|
|EAS Device Type||Allow or block devices based on the EAS Device Type attribute reported by the end-user device.|
Managed Device Policies
|Managed Device Policy||Description|
|Inactivity||Allows you to prevent inactive, managed devices from accessing email. You can specify the number of days a device shows up as inactive (that is, does not check in to AirWatch) before email access is cut off.|
|Device Compromised||Allows you to prevent compromised devices from accessing email. Note, this policy does not block email access for devices that have not reported compromised status to AirWatch.|
|Encryption||Allows you to prevent email access for unencrypted devices. Note, this policy is applicable only to devices that have reported data protection status to AirWatch.|
|Model||Allows you to restrict email access based on the Platform and Model of the device.|
|Operating System||Allows you to restrict email access to a set of operating systems for specific platforms.|
|Require ActiveSync Profile||Allows you to restrict email access to devices whose email is managed through an Exchange ActiveSync profile.|
Testing Email Policies
It is good practice to test the capabilities of the email policies before applying them to devices.
Deactivate the Compliance option available on the Email Policies page during the testing phase. Use a separate organization group to test policies against a subset of users, selected with the user group filter available in the configuration wizard.
Note: When deactivated, the compliance option prevents Workspace ONE UEM from running any automatic PowerShell cmdlets based on the compliance status in AirWatch. If the default access state for a mailbox is set to Blocked or Quarantined, then that status does not change for devices upon enrollment to Workspace ONE UEM if compliance is deactivated.
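One way to confirm the Exchange-side state during the testing phase described above, as an added example that is not part of the Workspace ONE UEM documentation: a read-only check, using standard Exchange cmdlets, of the organization default access level and of each pilot device's access state and reason. The pilot mailbox addresses are constructed placeholders, and the expectation that the per-mailbox allow and block lists reflect the commands UEM issued is an assumption to verify in your environment.

```powershell
# Added example: read-only audit of Exchange ActiveSync state.
# Run from the Exchange Management Shell or a session with the Exchange cmdlets loaded.
# $PilotMailboxes is a constructed placeholder list; replace it with your test users.
$PilotMailboxes = @('pilot.user1@example.com', 'pilot.user2@example.com')

# Organization-wide default applied to devices that have no per-mailbox decision.
# If this is Block or Quarantine, newly enrolled devices stay in that state
# while the Compliance option is deactivated.
$org = Get-ActiveSyncOrganizationSettings
Write-Host "Default access level: $($org.DefaultAccessLevel)"

$report = foreach ($mbx in $PilotMailboxes) {
    # Per-mailbox allow and block lists of EAS device IDs.
    $cas = Get-CASMailbox -Identity $mbx

    foreach ($dev in Get-MobileDevice -Mailbox $mbx) {
        [pscustomobject]@{
            Mailbox     = $mbx
            DeviceId    = $dev.DeviceId
            DeviceType  = $dev.DeviceType
            AccessState = $dev.DeviceAccessState        # Allowed, Blocked, Quarantined, ...
            Reason      = $dev.DeviceAccessStateReason  # Global, Individual, ...
            InAllowList = $cas.ActiveSyncAllowedDeviceIDs -contains $dev.DeviceId
            InBlockList = $cas.ActiveSyncBlockedDeviceIDs -contains $dev.DeviceId
        }
    }
}

# Full picture for the pilot group, to compare against the Email Dashboard.
$report | Sort-Object Mailbox, AccessState | Format-Table -AutoSize

# Devices held back by the organization default rather than by an explicit
# per-mailbox block: the case the note above describes.
$report |
    Where-Object { $_.AccessState -in 'Blocked', 'Quarantined' -and -not $_.InBlockList } |
    Format-Table Mailbox, DeviceId, AccessState, Reason -AutoSize
```

The script changes nothing in Exchange; rerun it after enabling the Compliance option to see which pilot devices change state.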
Before you can begin managing the devices from the Email Dashboard, the configured MEM must discover the devices enrolled to the organization group. Based on whether an EAS profile is present on the devices or not, either a command or a broadcast message is sent to discover the devices.
The configured MEM discovers the devices enrolled to the organization group in two ways:
- With the EAS profile – Workspace ONE UEM sends an allow command to the PowerShell environment associated with the relevant EAS profile when you perform the Sync Mailboxes action from the List View page.
- Without the EAS profile – Workspace ONE UEM sends an 'Allow' command to all the PowerShell integrated environments. For the environment that the command succeeds against, Workspace ONE UEM automatically associates the device to the corresponding memConfigID.
Gain visibility into the email traffic and monitor the devices through the AirWatch Email Dashboard. The Email Dashboard gives you a real-time summary of the status of the devices connected to the email traffic.
You can access the dashboard from. The email dashboard enables you to:
- Allow or deny access to email by approving or blocking a device.
- View the devices which are managed, unmanaged, compliant, non-compliant, blocked, or allowed.
- View the device details such as OS, Model, Platform, Phone Number, IMEI, and IP address.
- Use the available graphs to filter your search.
Email List View
You can view all the real-time updates of your end-user devices that you are managing with VMware AirWatch MEM.
Access the List View from . You can view the device or user-specific information by switching between the two tabs: Device and User. You can change the Layout to either view the summary or the detailed list of the information based on your requirement.
Device and User Details
The List View screen provides detailed information on device and device users.
|List View Screen Fields||Description|
|Last Request||Displays the last state change of the device either from Workspace ONE UEM or from Exchange.|
|User||The user account name.|
|Friendly Name||The friendly name of the device.|
|MEM Config||The configured MEM deployment that is managing the device.|
|Email Address||The email address of the user account.|
|Identifier||The unique alpha-numeric identification code associated with the device.|
|Mail Client||The email client syncing the emails on the device.|
|Last Command||The last command sent to email server to manage the device. It populates the Last Request column.|
|Status||The real-time status of the device and whether email is blocked or allowed on it as per the defined policy.|
|Reason||The reason code for allowing or blocking email on a device. The reason code displays 'Global' and 'Individual' only when an entity other than AirWatch (for example, an external administrator) changes the access state of the email.|
|Platform, Model, OS, IMEI, EAS Device Type, IP Address||The device information displays in these columns.|
|Mailbox Identity||The location of the user mailbox in the Active Directory.|
Filters for Quick Search
Using the Filter option, you can narrow down your device search based on the following parameters.
|Device Search Parameter||Description|
|Last Seen||All, less than 24 hours, 12 hours, 6 hours, 2 hours.|
|Managed||All, Managed, Unmanaged.|
|Allowed||All, Allowed, Blocked.|
|Policy Override||All, Blocked, Approved, Default.|
|Policy Violation||Compromised, Device Inactive, Not data Protected/Enrolled/MDM Compliant, Unapproved EAS Device Type/Email Account/Mail Client/Model/OS.|
|MEM Config||Filter devices based on the configured MEM deployments.|
The Override, Actions, and Administration drop-down menus provide a single location to perform multiple actions on a device.
|Allowlist||Allows a device to receive emails.|
|Denylist||Blocks a device from receiving emails.|
|Default||Allows or blocks a device based on whether the device is compliant or non-compliant.|
|Run Compliance||Triggers the compliance engine to run for the selected MEM configuration.|
|Enrollment Email||Sends an email to the user with all the details required for enrollment.|
|Delete Unmanaged Devices||Deletes the selected unmanaged device records from the dashboard. Note, this record might reappear after the next sync.|
|Remote Wipe||Resets the device to factory settings.|
|Sync Selected Mailbox||Syncs the selected device mailbox. Only one device mailbox at a time can be synced.|