How Secure Email Gateway (SEG) Handles Image Encryption Using Attachment Security

This article provides insight on how AirWatch’s Secure Email Gateway (SEG) handles the images of an email using  the ‘Attachment Security Policy’ available on the AirWatch Admin Console.


  • Attachment Security Policy: Enforces compliance policy on email attachments.
  • Inline Images: Images that are embedded within the body of the email. For example, image in an email signature.
  • Attached Images:  Images that are added as an attachment to the email and are not part of the email body.

Problem Description

It has been noticed that in some cases, the SEG server is unable to correctly differentiate between an inline image and an attached image when emails are synced on mobile devices through the SEG server. This results in the SEG server taking actions such as encryption or block against an inline image. Due to the inherent implementation variations, the behavior on different devices is also inconsistent, for example, an Android device might receive the image as encrypted but an iOS device might receive it as an inline.

Background Information

Due to the nature of the Exchange ActiveSync protocol and the variations in its implementation, the method by which mail clients sync with the email server can vary across mail clients, devices and versions. This is the reason why in some mail clients, inline images are downloaded as attached images (thereby requiring users to download these images) whereas in others, inline images are displayed natively on the mail client.

One possible reason for converting inline images as attachments might be to conserve data usage – this requires the user to choose when to download these images (attachments). Thus the device conserves the amount of data that would otherwise be used up in retrieving inline images with the email during regular email sync. The variation in behavior is especially seen in the Android platform due to fragmentation of the operating system and the open-source nature of the native email client (Stock Android version).

In AirWatch 6.3, 6.4 and 6.5 versions, the SEG differentiated between inline images and attached images. The SEG took specific actions only against the attached images to avoid images in signatures being blocked or encrypted.


From AirWatch version 7.0, the SEG no longer differentiates between inline and attached images. The default configuration is set to ‘Allow without encryption’ for handling images in the attachment email security policy. The SEG now takes the same action against all images in an email. This provides consistent solution regardless of the device type, mail client type, or the version.

Note: Existing customers who have previously changed their recommended settings are not affected. The signature images will be affected based on the email policy for any new emails that are received post the version 7.0 upgrade.

Have more questions? Submit a request


Article is closed for comments.