AES-256-GCM encryption for email attachments

You can configure Docs@Work to use 256-bit encryption. If you already have Docs@Work (original) enabled and are now enabling Docs@Work, the system continues to use 128-bit encryption for email attachments. To use 256-bit encryption with Docs@Work, you must first disable Docs@Work (Original) and then regenerate the attachment encryption key. A 256-bit key is only generated if Docs@Work (Original) is disabled and all Standalone Sentrys are at least at version 6.1.0.

Docs@Work (Original)


Sentry Version

Encryption key generated







Some Standalone Sentrys are at least at version 6.1.0.




All Sentrys are at least at version 6.1.0.


  • Key regeneration causes a restart for all Standalone Sentrys that use encryption for attachment control. A restart can cause a brief interruption in email service to device users.
  • After regenerating the encryption key, iOS device users who use the iOS native email client cannot read previously received attachments. If device users need to read previously received attachments, re-push the Exchange setting to the devices. Ivanti advises caution when re-pushing the Exchange setting. Re-pushing the Exchange setting increases the load on the Exchange server.

After you upgrade Standalone Sentry, in the Ivanti EPMM Admin Portal, go to Services > Overview, and click Verify for the Standalone Sentry. This action immediately updates the Standalone Sentry version in Ivanti EPMM. Otherwise, the Standalone Sentry version in Ivanti EPMM is updated at the next sync. All Standalone Sentry versions in Ivanti EPMM must be at least at Sentry 6.1.0 release to generate a 256-bit key.

Configuring 256-bit encryption

You will need to enable 256-bit encryption, if you previously had Docs@Work (Original) enabled.


  1. Ensure that all Sentrys configured on Ivanti EPMM are at least at Sentry 6.1.0.
  2. In the Admin Portal, go to Settings > System Settings.
  3. Scroll down to the Additional Products section.
  4. Click on Licensed Products.
  5. De-select Enable Docs@Work (Original).
  6. Ensure that Enable Docs@Work is enabled.
  7. Click on Save.
  8. Go to Settings > Sentry, and click Preferences.
  9. In the Standalone Sentry section, click Regenerate Key.

For information about regenerating the encryption key, see “Regenerating the encryption key” in the Ivanti Standalone Sentry Guide for EPMM

Configuring certificate pinning

To use Certificate Pinning, in Docs@Work configuration enable Client TLS option and select the configured Client TLS configuration listed to provide more security between Docs@Work and enterprise server communication. For more information to configure Client TLS see, Creating a Client TLS configuration section in the Ivanti AppConnect Guide for EPMM and Ivanti Tunnel for iOS Guide.