You can manage emails for mobile devices connected to the Exchange server. Email management through PowerShell involves syncing of mailboxes and applying email policies for enrolled devices.

  1. To pull in all devices having an EAS partnership, sync all mailboxes (from the Workspace ONE UEM Email Dashboard) with Exchange.
  2. Allow devices to begin enrollments and continue to sync daily to check for devices that convert from Unmanaged to Managed status.
  3. At any point, choose to create and apply a Workspace ONE UEM Email Policy (refer to Email Security Policies) to block unmanaged devices.
    Note: For migration from SEG deployments to PowerShell deployments, work with your Workspace ONE UEM contact to identify an optimum solution for your enterprise.

Email Security Policies for PowerShell Integration

Email policies enhance security by restricting email access to non-compliant, unencrypted, inactive, or unmanaged devices. These policies allow you to provide email access to only the required and approved devices. Email policies also restrict email access based on the device model and the operating systems.

These policies are available from Email > Compliance Policies in the UEM console. Activate or deactivate the policies using the colored buttons under the Active column. Use the edit policy icon under the Actions column to allow or block a policy.

To restrict access to unmanaged devices even when there are no compliance policies set, Workspace ONE UEM issues allow and block commands upon device enrollment and unenrollment.

General Email Policies

Email Policy       Description
Managed Device     Restrict email access only to managed devices.
Mail Client        Restrict email access to a set of mail clients.
User               Restrict email access to a set of users.
EAS Device Type    Allow or block devices based on the EAS Device Type attribute reported by the end-user device.

Managed Device Policies

Managed Device Policy       Description
Inactivity                  Prevents inactive managed devices from accessing email. You can specify the number of days a device must be inactive (that is, not checked in to Workspace ONE UEM) before email access is cut off.
Device Compromised          Prevents compromised devices from accessing email. Note that this policy does not block email access for devices that have not reported compromised status to Workspace ONE UEM.
Encryption                  Prevents unencrypted devices from accessing email. Note that this policy applies only to devices that have reported data protection status to Workspace ONE UEM.
Model                       Restricts email access based on the Platform and Model of the device.
Operating System            Restricts email access to a set of operating systems for specific platforms.
Require ActiveSync Profile  Restricts email access to devices whose email is managed through an Exchange ActiveSync profile.

Important: The Mail Client, EAS Device Type, and Inactivity policies require a PowerShell sync before they can be used, because their data is obtained only from Exchange.

Testing Email Policies

It is good practice to test the email policies, and verify what each one does, before applying them to devices.

Deactivate the Compliance option on the Email Policies page during the testing phase. Use a separate organization group to test policies against a subset of users, selected with the user group filter in the configuration wizard.

Note that when the Compliance option is deactivated, Workspace ONE UEM does not run any automatic PowerShell cmdlets based on the compliance status recorded in Workspace ONE UEM. If the default access state for a mailbox is set to Blocked or Quarantined, that state does not change for devices when they enroll in Workspace ONE UEM while compliance is deactivated.

Device Discovery

Before you can begin managing the devices from the Email Dashboard, the configured MEM must discover the devices enrolled to the organization group. Based on whether an EAS profile is present on the devices or not, either a command or a broadcast message is sent to discover the devices.

The configured MEM discovers the devices enrolled to the organization group in two ways:

  • With the EAS profile – When you perform the Sync Mailboxes action from the List View page, Workspace ONE UEM sends an allow command to the PowerShell environment associated with the relevant EAS profile.
  • Without the EAS profile – Workspace ONE UEM sends an 'Allow' command to all the PowerShell-integrated environments. For the environment against which the command succeeds, Workspace ONE UEM automatically associates the device with the corresponding memConfigID.

Email Dashboard

Gain visibility into the email traffic and monitor the devices through the Email Dashboard. Email Dashboard gives you a real-time summary of the status of the devices connected to the email traffic.

You can access the dashboard from Email > Dashboard. The email dashboard enables you to:

  • Allow or deny access to email by approving or blocking a device.
  • View the devices which are managed, unmanaged, compliant, non-compliant, blocked, or allowed.
  • View the device details such as OS, Model, Platform, Phone Number, IMEI, and IP address.
  • Use the available graphs to filter your search.

Email List View

You can view all the real-time updates of your end-user devices that you are managing with VMware MEM.

Access the List View from Email > List View. You can view the device or user-specific information by switching between the two tabs: Device and User. You can change the Layout to either view the summary or the detailed list of the information based on your requirement.

Device and User Details

The List View screen provides detailed information on device and device users.

List View Screen Field   Description
Last Request             Displays the last state change of the device, either from Workspace ONE UEM or from Exchange.
User                     The user account name.
Friendly Name            The friendly name of the device.
MEM Config               The configured MEM deployment that is managing the device.
Email Address            The email address of the user account.
Identifier               The unique alphanumeric identification code associated with the device.
Mail Client              The email client syncing the emails on the device.
Last Command             The last command sent to the email server to manage the device. It populates the Last Request column.
Status                   The real-time status of the device and whether email is blocked or allowed on it as per the defined policy.
Reason                   The reason code for allowing or blocking email on a device. The reason code displays 'Global' or 'Individual' only when an entity other than Workspace ONE UEM (for example, an external administrator) changes the access state of the email.
Platform, Model, OS, IMEI, EAS Device Type, IP Address
                         The device information displays in these columns.
Mailbox Identity         The location of the user mailbox in the Active Directory.

Filters for Quick Search

Using the Filter option, you can narrow-down your device search based on the following parameters.

Device Search Parameter   Description
Last Seen                 All, less than 24 hours, 12 hours, 6 hours, 2 hours.
Managed                   All, Managed, Unmanaged.
Allowed                   All, Allowed, Blocked.
Policy Override           All, Blocked, Approved, Default.
Policy Violation          Compromised, Device Inactive, Not Data Protected/Enrolled/MDM Compliant, Unapproved EAS Device Type/Email Account/Mail Client/Model/OS.
MEM Config                Filter devices based on the configured MEM deployments.

Additional Actions

The Override, Actions, and Administration drop-down menus provide a single location to perform multiple actions on a device.

Table 1. Override Settings
Option      Description
Allowlist   Allows a device to receive emails.
Denylist    Blocks a device from receiving emails.
Default     Allows or blocks a device based on whether the device is compliant or non-compliant.
Table 2. Actions
Option           Description
Sync Mailboxes   Syncs the mobile device records from Exchange with the managed mail clients on enrolled devices.
                 • The Sync Mailboxes Confirmation page lets you quickly sync the devices from a set of mailboxes without editing the existing filter in your MEM configuration.
                 • You can restrict the sync action to a user, organizational unit, group, or custom scope by selecting User, Organizational Unit, Group, or Custom.
                 • If you have set a persistent filter in your MEM configuration, you can select the Use pre-configured settings check box.
                 • Workspace ONE UEM offers the Email Sync option within the Self Service Portal so that end users can sync their devices with the mail server and also run preconfigured compliance policies for all their devices. This is typically much faster than a bulk sync of all devices.
Run Compliance   Triggers the compliance engine to run for the selected MEM configuration.

Note: When the Direct PowerShell Model is configured, Workspace ONE UEM communicates directly with the CAS array through remote signed PowerShell sessions established from the console server or the VMware AirWatch Cloud Connector (depending on the deployment architecture). Using these sessions, commands are sent for blocked and approved device IDs on a given user's CAS mailbox in Exchange 2010, 2013, 2016, 2019, and Office 365. Blocking and approving are based on the device's compliance status in Workspace ONE UEM. The 'DefaultAccessLevel' on the Exchange server does not change when compliance runs: the integration applies only to known devices and overrides, for those devices, the access controls defined by 'DefaultAccessLevel'. If 'DefaultAccessLevel' is set to allow, new unmanaged devices can still access email. Devices can be manually blocked through the UEM console. It is a best practice to test the expected PowerShell integration behavior without enforcing device blocking across the enterprise.
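For the Testing Email Policies note and the Run Compliance note above, the following PowerShell script is an added illustration, not Workspace ONE UEM's code or the page's own: it reports the Exchange state the integration acts on (DefaultAccessLevel, the per-mailbox device ID lists, and each partnership's access state and reason code) and blocks one device ID with -WhatIf support. It assumes Exchange 2013 or later, an account holding Exchange recipient-management permissions, and placeholder values for the connection URI, mailbox, and device ID.

```powershell
# Added illustration, not Workspace ONE UEM's own code: inspect the Exchange ActiveSync
# access state that the integration acts on, then block a single device ID the way the
# Denylist override does. Assumes Exchange 2013 or later (Exchange 2010 exposes the same
# data through Get-ActiveSyncDevice instead of Get-MobileDevice) and an account with
# recipient-management permissions. URI, mailbox and device ID are placeholder values.

# Remote session to a Client Access server, the path the Direct PowerShell Model uses.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://mail.example.com/PowerShell/' -Authentication Kerberos
Import-PSSession $session -DisableNameChecking | Out-Null

function Get-EasAccessReport {
    param([Parameter(Mandatory)][string]$Mailbox)

    # Organization-wide default for devices matched by no allow/block list or rule.
    # Running compliance never changes this; it only edits per-mailbox device lists.
    $org = Get-ActiveSyncOrganizationSettings
    Write-Host "DefaultAccessLevel: $($org.DefaultAccessLevel)"

    # Per-mailbox allow/block lists keyed by device ID, the lists Set-CASMailbox edits.
    $cas = Get-CASMailbox -Identity $Mailbox
    Write-Host "Allowed device IDs: $($cas.ActiveSyncAllowedDeviceIDs -join ', ')"
    Write-Host "Blocked device IDs: $($cas.ActiveSyncBlockedDeviceIDs -join ', ')"

    # Effective state per partnership. DeviceAccessStateReason values such as Global
    # (organization default) and Individual (per-mailbox list) are the reason codes
    # the List View shows when something other than UEM changed the access state.
    Get-MobileDevice -Mailbox $Mailbox |
        Select-Object DeviceId, DeviceType, DeviceModel, DeviceOS,
                      DeviceAccessState, DeviceAccessStateReason
}

function Block-EasDevice {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [Parameter(Mandatory)][string]$DeviceId
    )
    # Adds one device ID to the mailbox block list without touching existing entries.
    # Use -WhatIf during the testing phase, while the Compliance option is deactivated.
    if ($PSCmdlet.ShouldProcess("$Mailbox / $DeviceId", 'Add to ActiveSyncBlockedDeviceIDs')) {
        Set-CASMailbox -Identity $Mailbox -ActiveSyncBlockedDeviceIDs @{Add = $DeviceId}
    }
}

# Constructed sample values: review first, then rehearse the block with -WhatIf.
Get-EasAccessReport -Mailbox 'jdoe@example.com'
Block-EasDevice -Mailbox 'jdoe@example.com' -DeviceId 'ApplF0000000000' -WhatIf
Remove-PSSession $session
```

Comparing the DeviceAccessState and reason columns before and after a Run Compliance action is a quick way to confirm that UEM, and not a global default or an external administrator, produced a given block.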
Table 3. Administration
Option                    Description
Enrollment Email          Sends an email to the user with all the details required for enrollment.
Delete Unmanaged Devices  Deletes the selected unmanaged device records from the dashboard. Note that the record might reappear after the next sync.
Remote Wipe               Resets the device to factory settings.
Sync Selected Mailbox     Syncs the selected device mailbox. Only one device mailbox can be synced at a time.

Note: These additional actions, once performed, cannot be undone.