Lesson 10 - Configuring and Securing email on your devices


  • AirWatch Email solutions
  • Configuring your devices for email
  • Enable the Secure Email Gateway
  • Enable PowerShell Integration


AirWatch Email solutions

Enforced Security Settings

Take advantage of the latest modern email security features using AirWatch's advanced email tools:

  • Use digital signatures through S/MIME capability
  • Protect sensitive data through forced encryption
  • Enforce SSL Security
  • Require Passcode for device access


Automatic Configuration

AirWatch's over-the-air provisioning capabilities allow the IT administrator to configure any necessary settings or authentication on behalf of the end-user so that employees have instant and secure access to corporate email:

  • Certificate Management - Install, remove and manage certificates using the certificate dashboard
  • Profile Deployment - Immediate and automatic security profile deployment
  • Set Authentication Type - Choose basic username and password authentication or certificate authentication


Access Control

Robust email compliance capabilities provide an advanced level of access control that is crucial to corporate email security. It can integrate with the existing compliance engine, allowing administrators to create tailored email access policies to  account for non-compliant email actions and make any necessary exceptions to the established policies.

  • General access configurations
  • Block unmanaged, non-compliant or compromised devices
  • Create Whitelist and Blacklist policies to only allow approved devices or to only block specific devices.
  • Establish system requirements
  • Block outdated or problematic Operating System versions that stress the email server
  • Device-level compliance policies and exceptions, such as those highlighted in the examples below:
  • An employee leaves your company and his or her personal device should no longer be permitted to connect to the corporate email server.
  • An authorized device is lost or stolen; In addition to performing a remote-wipe of the device, the device should be blocked from the corporate email server.
  • A company executive has a device that would normally be prevented from accessing the email server, and the IT administrator must ensure that the executive's device can connect to mobile email.

Administrative Visibility and Management

Administrators can regain insight and visibility over mobile email activity through the interactive Email Dashboard List View. The dashboard presents both real-time and historic data, which allows administrators and company executives to instantly react to real-time data and to perform long-term data analysis on corporate mobile activity.The detailed list of real-time server requests allows administrators to quickly pinpoint actions that need to be allowed or blocked, and add them to the policy override list.


Attachment Management

Administrators can define policies to block, allow, or encrypt email attachments based on file type.  Attachments can be opened in the Secure Content Locker and users prevented from copy/pasting content into 3rd party applications.


Configuring your devices for email  

 Watch the Video!

In this section, we will walk through setting up a mail configuration on a device. We will create a mail profile to remotely configure devices to check into our onsite mail server. Keep in mind, the profile we create is platform specific. So if you need to configure another type of device you will simply create another profile.

To configure an Exchange profile:

  1.  Select the Exchange ActiveSync payload from the left column.

  2. Click the Configure button.
  3. Fill in the Account Name field with a short description of the mail account and fill in the Exchange ActiveSync Host with the external URL of your company's ActiveSync Server.
    • Note that this ActiveSync server can be any mail server that implements the ActiveSync protocol - such as Lotus Notes Traveler, Novell Data Synchronizer, and Microsoft Exchange.
  4. You can fill in the Username and Email Address with your specific account information. However, if you would like to create a generic profile to apply to multiple users in your organization, we recommend using Look-Up Values.
    • Lookup Values pull directly from the User Account record (shown below). To use the {EmailUserName} and {EmailDomain} Lookup Values, ensure that your AirWatch User Account has an email domain and an email username defined.

  5. We will leave the Password field empty, as this profile will prompt the user for his/her password when it is published to the device (the table below is a summary some of the other options for the Exchange ActiveSync profile).
  6. After creating a Profile, click Save and Publish to immediately push to available devices.
  7. Enter the password for your mail account once prompted on your enrolled device.
Payload Certificate Allows you to define a certificate for cert-based authentication after the certificate is added to the Credentials payload
Past Days of Mail to Sync Downloads the defined amount of mail. Please note longer time periods will result in larger data consumption while the device downloads this mail
Prevent Moving Messages Disallows moving mail from Exchange mailbox to another mailbox on the device
Prevent Use in 3rd Party Apps Disallows other apps from using the Exchange mailbox to send messages
Prevent Recent Address Syncing
Disable suggestions for contacts when sending mail in Exchange
Enable the Secure Email Gateway  

 Watch the Video!

AirWatch’s Secure Email Gateway (SEG) allows control of both known devices under management by the AirWatch MDM console, as well as unmanaged devices. For devices under MDM in the AirWatch console, the data collected from the SEG can be correlated to the device’s existing record to show you how managed devices are interacting with your email server. For devices not under MDM, the data can be viewed via a dashboard for tracking rogue devices or for simply giving you a more complete picture of your mobile email deployment.


By enabling the SEG, administrators can enforce email security by defining policies such as blocking compromised devices, encrypting or stripping email attachments, and blocking unmanaged devices. The diagram below shows how devices access their email using the SEG.


Note: Device traffic can also be routed through a reverse proxy before reaching the SEG server for policy enforcement.




To download and install the SEG:

    1. Navigate to Email / Settings / Configure
    2. Select the Email Server Type from the drop-down. If prompted, set the Deployment Type to "With SEG Proxy" and then click Next.
    3. Enter a Friendly Name for the mail configuration and add the appropriate information in the fields under SEG Proxy Settings and click Next.
    4. If a mail profile has already been created, associate it to the SEG mail configuration using the Add button
  • Click Next, the Summary tab provides an overview of basic configuration required for typical installation. Click Save when done.
  • After clicking Save you will be able download the SEG Installer by clicking the blue hyperlink. Run this installer on the SEG server and complete the configuration.

Refer to the SEG Administration Guide for more details.

Enable PowerShell Integration  

 Watch the Video!


In this model, AirWatch adopts a PowerShell administrator role and issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny email access based on the settings defined in the AirWatch Admin Console. PowerShell deployments do not require a separate email proxy server, and the installation process is simple. Once installed, AirWatch sends commands to PowerShell in accordance with the established email policies, and PowerShell executes the actions.


Note: The PowerShell model is for organizations using Microsoft Exchange 2010/2013 or Office 365 environments.



To begin configuring PowerShell Integration, navigate to Email / Settings / Configure

Have more questions? Submit a request


Article is closed for comments.