General Email Policies
- Sync Settings: Syncing for specific EAS folders and devices is prohibited. Irrespective of other compliance policies, devices are prevented from syncing with the selected folders by Workspace ONE UEM. For the policy to take effect, devices are forced to re-sync with the email server after republishing the EAS profile to the devices.
- Managed Device: Email access is restricted only to a limited number of managed devices.
- Mail Client: Email access is restricted only to a set of specific mail clients.
- User: Depending on the email user name, Email access is restricted to a set of users.
- EAS Device Type: Depending on the EAS Device Type, Allow or block devices. As reported by the end-user device, the attribute is entered.
Managed Device Policies
In the following section, the managed device policies that restrict email access to devices depending on factors such as model, device status, and operating system are described.
- Inactivity: Inactive and managed devices are prohibited from accessing Email. The number of days is specified for a device that shows up as inactive, where the maximum accepted value is 32767, and the minimum accepted value is one before email access is disabled.
- Device Compromised: Compromised devices are prohibited from accessing Email. This policy allows email access for devices that have not reported compromised status to VMware AirWatch.
- Encryption: Email access for unencrypted devices is prohibited. Only those devices are eligible for this policy that have reported data protection status to VMware AirWatch.
- Model: Based on the platform and model of the device. Email access is controlled.
- Operating Systems: For specific platforms as specified by the admin, email access to a set of operating systems is restricted.
- Active Sync Profile Requirement: Devices are managed through an Exchange ActiveSync profile that has no email management, and email access is restricted.
Email Security Policies
For devices accessing attachments and hyperlinks, the email security policies that are configured against these devices are described in the following section:
- Email Security Classification: Act on Emails that are with or without security tags, either predefined tags or create own tags can be used by defining actions for SEG. Based on these tags, allow restricted access to VMware AirWatch Inbox and Workspace ONE Boxer, and the default behaviour for other email clients can be defined by either allowing or blocking mails. In cases of blocking the mail, use the available templates configured at Message Template settings to restore the email contents with a helpful message. Under the Select Message Template drop-down menu, these configured templates can be chosen. For the Block Email message template, lookup values are not supported.
- Attachments (managed devices): Use an encryption key unique to the device-user combination in reference to the selected file type to encrypt email attachments. On the VMware AirWatch Content Locker, secure these attachments on the device and are only available for viewing, and only possible on Windows Phone managed iOS and Android devices with the VMware AirWatch Content Locker application. Other managed devices configurations can either block attachments, allow encrypted attachments, or allow unencrypted attachments.
- Attachments (unmanaged devices): Under configurations for unmanaged devices, the admin can allow encrypted attachments, block attachments, or allow unencrypted attachments. For unmanaged devices, attachments are encrypted to prevent data loss and maintain email integrity. If the device supports VMware AirWatch Content Locker, the attachments of unmanaged devices cannot be accessed.
- Hyperlink: With Airwatch Browser present on the device, within an email, allow device users to open hyperlinks contained. To access in Airwatch Browser, the Secure Email Gateway dynamically modifies the hyperlink. The modification types are All, Include, and Exclude.
All: All the hyperlinks can be accessed with Airwatch Browser if authorized.
Include: Only the hyperlinks through the Airwatch Browse can be accessed and are authorized to users. Only modify hyperlinks for these domains fields, and mention the included domains. From a .csv file, the domain names can be bulk uploaded as well. Exclude: The mentioned excluded domains that prevent the device from opening through the Airwatch Browser do not allow the device users to open. In the Modify all hyperlinks, mention the excluded domains, except for these domains field. The domain names from a .csv file can be bulk uploaded as well.
Activate Email Compliance Policy
To manage email access to unmanaged, non-compliant, unencrypted, or inactive devices, Email compliance policies are used.
- Navigate to Email, and go to Compliance Policies on the UEM console. Under the Active column, by default, the policies are disabled and are represented by red colour.
- For activation of compliance policy, click on the grey button under the Active column. Additional pages pop up where the admin can enumerate their choices based on the email policy that they want to activate.
- Click on Save.
Under the Active column, the policy is activated and is represented by green colour.
Under the Actions column, the edit policy icon can be used to allow or block a policy.