Email Integration Models in Workspace ONE


The proxy model and the direct model are the two types of deployment models to protect and manage enterprise email infrastructure offered by Workspace ONE UEM. To effectively manage employee mobile devices, use the email policies defined in the UEM console in addition to either of the following email deployment models.

  • Proxy Deployment Method: In between the Workspace ONE server and the corporate email server, a different server known as the Secure Email Gateway (SEG) proxy server is put in place. All the requests sent from the devices to the email server are filtered, and the traffic only from the approved devices is relayed by the Proxy server. As the corporate email server does not directly communicate with mobile devices, it stays protected.
  • Direct Deployment Method: Workspace ONE UEM communicates directly with the email servers, and there is no proxy server involved. The installation and customization steps in this model are simplified by the absence of a proxy server.

Note: The Classic and the SEG v2 platforms are the two variants of the proxy deployment model. As the SEG V2 platform guarantees improved performance over the Classic platform, the Classic SEG platform is no longer supported. On an existing SEG server, the SEG V2 platform can be installed, and during an update, no profile changes or end-user interaction is needed with minimal downtime.

Deployment Model: Proxy deployment model

  • Configuration Mode: Exchange Office 365
    • Microsoft Exchange 2010/2013/2016
  • Mail Infrastructure: Exchange Office 365
    • Gmail
    • Microsoft Exchange 2010/2013/2016/2019
    • HCL Domino w/ HCL

Deployment Model: Direct deployment model – PowerShell

  • Configuration Mode: PowerShell Model
  • Mail Infrastructure: Microsoft Office 365, Microsoft Exchange 2010/2013/2016/2019

Deployment Model: Direct deployment model – Gmail

  • Configuration Mode: Gmail

Note: The versions of third-party email servers currently supported by the email server provider are only supported by Workspace ONE UEM. Workspace ONE UEM will no longer aid Integration with the deprecated version if the provider deprecates a server version.

Secure Email Gateway Proxy Model

All email traffic going to mobile devices is proxied by a separate server installed in line with the existing email server called the Secure Email Gateway (SEG). The SEG Proxy server allows or blocks decisions Based on the settings the admin defines in the UEM console for every mobile device it manages. The traffic is relayed only from approved devices, and the SEG Proxy server filters all communication requests to the corporate email server as well. By prohibiting any devices to communicate with the corporate email server, this relay protects it.

Install the SEG server in line with the email traffic of the corporation within the network. Install behind a reverse proxy or in a Demilitarized Zone (DMZ). Nevertheless of whether your Workspace ONE MDM server is in the cloud or on-premises, host the SEG server in the data centre.

The deployment model, i.e. the Proxy model, has configuration mode Secure Email Gateway (Proxy) for mail infrastructures Novel GroupWise (with EAS)Google Apps for Work Microsoft Exchange 2010, 2013, 2016 IBM Domino with Lotus Notes. Additional configuration for the SEG proxy model is required for Office 365.


Transformation of hyperlink

Compliance in real-time

Attachment encryption


To prohibit end-users from directly connecting to Office 365 (around SEG), ADFS must be customized. Additional servers are required.

For all on-premises email infrastructures with deployments greater than 100,000 devices, AirWatch recommends using the Secure Email Gateway (SEG).


Direct Deployment PowerShell Model

To allow or deny email access based on the policies defined in the UEM console, commands are issued to the Exchange ActiveSync (EAS) infrastructure, and Workspace ONE UEM adopts a PowerShell administrator role in the PowerShell model. A separate email proxy server is not required by PowerShell deployments, and the installation process is much easier. For organizations using Office 365 or Microsoft Exchange, 2010, 2013, 2016, 2019 PowerShell deployments are used. Based on where the Workspace ONE UEM server and Exchange server are located, there are two ways in which the PowerShell commands are furnished:

  • The Exchange server is on-premise, and Workspace ONE server is on the cloud: Powershell receives commands issued by Workspace ONE UEM server. The PowerShell session with the email server is set up by the VMware Enterprise Systems Connector.
  • The Email server and Workspace ONE UEM server are on-premise: the PowerShell session is set up directly with the email server by Workspace ONE UEM server. In case the Workspace ONE UEM server cannot communicate with the email server directly, there is no VMware Enterprise Systems Connector server required.

The deployment model Direct model has configuration mode Google model for mail infrastructures Google Apps for Work. With cloud-based email servers, AirWatch recommends the Direct model of Integration.


Before being routed to Office 365, Mail traffic does not route to on-premises servers, so AFS is not required. For email management, no additional on-premises servers are required.


Real-time compliance sync is not required.

For larger deployments (greater than 100,000 devices), this deployment is not recommended.

To containerize attachments and hyperlinks, AirWatch Inbox must be used in AirWatch Content Locker and AirWatch Browser.

PowerShell is another option for email management for deployments of less than 100,000 devices or cloud-based Email. The PowerShell model will be utilized, and the AirWatch Inbox will be used for mail because this design includes Office 365-based Email. The best protection available to counter data leakage of corporate information is offered while this decision restricts employee choice of mail client and removes native email access in the mobile productivity service.

Direct Gmail Model

Google and Workspace ONE UEM server can be integrated. No organization using Gmail infrastructure is a stranger to the challenge of fortifying email endpoints for Gmail and prohibiting mail from circumventing the secure endpoint. By furnishing a flexible and safe method to integrate enterprise email infrastructure, Workspace ONE UEM addresses these challenges. The Workspace ONE UEM server connects directly with Google In the direct Gmail deployment model. Supervise a user’s Google password and control access to the mailbox of the use with Workspace One depending on the enterprise security needs.

API calls to Google Suite: By defining an alternate attribute instead of the user’s email address, configure the attributes used in API calls to Google Suite. The user’s email address is used by default.


  • Barry Allen

    A Full Stack Developer with 10+ years of experience in different domain including SAP, Blockchain, AI and Web Development.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.