App restrictions descriptions for Email+ (Android Enterprise)

The app restriction described in the following table are available for Email+ for Android Enterprise.

When there are multiple values available within a Restriction, the different features should be specified as a list of Comma Separated Strings, with or without a space. A semicolon between them will not work.

Table 6.  App restriction description for Email+ (Android Enterprise)

Restriction

Value: Enter/Select one

Description

Email address

Substitution variable for email address

Required. Defines the email address for the email account.

Ivanti EPMM

Typically, enter $EMAIL$.

You can also enter combinations of these variables, depending on your ActiveSync server requirements:

$USERID$,

$USER_CUSTOM1$,

$USER_CUSTOM2$,

$USER_CUSTOM3$,

$USER_CUSTOM4$

Ivanti Neurons for MDM

Typically, enter ${userEmailAddress}.

Exchange host

FQDN of the ActiveSync server or Standalone Sentry

Required. The fully qualified domain name (FQDN) of the ActiveSync server or Standalone Sentry.

Example: mySentry.mycompany.com

Exchange username

Substitution variable for username

Required. Defines the username for the email account.

Ivanti EPMM

Typically, use $USERID$. If your ActiveSync server requires a domain, use
<domain name>\$USERID$.
Example: mydomain\$USERID$.

Depending on your ActiveSync server requirements, you can also use combinations of these variables:

$EMAIL$,

$USER_CUSTOM1$,

$USER_CUSTOM2$,

$USER_CUSTOM3$,

$USER_CUSTOM4$.

Ivanti Neurons for MDM

Typically, use ${userEmailAddressLocalPart}. If your ActiveSync server requires a domain, use
<domain name>\${userEmailAddressLocalPart}.
Example: mydomain\${userEmailAddressLocalPart}.

Depending on your ActiveSync server requirements, you can use:

${userEmailAddress}

Email password

The user’s password for the ActiveSync server

If you provide a password, Email+ does not prompt the device user for the password.

Ivanti, Inc recommends leaving this field blank.

Ivanti EPMM only

You can use the variable $PASSWORD$ if you have checked Save User Password in Settings > Preferences. Ivanti EPMM then passes the user’s password as the value to the device. If you plan to use the $PASSWORD$ variable, be sure to set Save User Password to Yes before any device users register. If a device user was registered before you set Save User Password, Email+ prompts the user to enter the password manually.

Default if restriction is not configured: User is prompted for ActiveSync password.

Device ID

(Ivanti EPMM only)

$DEVICE_UUID_NO_DASHES$

Required.

SSL required

Check box

Select if you want secure communication using https: to the server that you specified for Exchange host.

Default: Selected.

Trust all certificates

Check box

Select to allow the app to automatically accepts untrusted certificates. Typically, you select this option only when working in a test environment.

Default: Not selected.

Prompt email password

Check box

Select to prompt the user for the email account password when the user attempts to launch Email+.

Default: Not selected.

If the restriction is not selected, Email+ provides the password to the ActiveSync server when Email+ connects with the server. The ActiveSync server counts the initial connection initiated by Email+ as a password attempt.
Therefore, Ivanti, Inc recommends selecting this restriction if the email server allows only a small number of password attempts.

Email login certificate

Ivanti EPMM

$CERT_ALIAS:certificate enrollment setting name$

Ivanti Neurons for MDM

Certificate setting from the dropdown list

Configure for certificate-based authentication to the ActiveSync server or to Standalone Sentry.

Ivanti EPMM

The certificate enrollment setting name is the name you gave to the certificate enrollment setting, which is configured in Configurations > Add New > Certificates or Certificate Enrollment.

Ivanti Neurons for MDM

The certificate setting is configured in Configurations > Add > Certificate or Identity Certificate.

For certificate-based authentication, the Authorization Mode restriction must also be set to Certificate-based Authentication.

Email signing certificate

Ivanti EPMM

$CERT_ALIAS:certificate enrollment setting name$

Ivanti Neurons for MDM

Certificate setting from the dropdown list

Specifies the certificate to use for signing S/MIME emails.

Ivanti EPMM

The certificate enrollment setting name is the name you gave to the certificate enrollment setting, which is configured in Configurations > Add New > Certificates or Certificate Enrollment.

Ivanti Neurons for MDM

The certificate setting is configured in Configurations > Add > Certificate or Identity Certificate.

Email encryption certificate

Ivanti EPMM

$CERT_ALIAS:certificate enrollment setting name$

Ivanti Neurons for MDM

Certificate setting from the dropdown list

Specifies the certificate to use for encrypting S/MIME emails.

Ivanti EPMM

The certificate enrollment setting name is the name you gave to the certificate enrollment setting, which is configured in Configurations > Add New > Certificates or Certificate Enrollment.

Ivanti Neurons for MDM

The certificate setting is configured in Configurations > Add > Certificate or Identity Certificate.

Signing digest algorithm

  • SHA-1
  • SHA-256
  • SHA-384
  • SHA-512

Configures signature algorithm.

The restriction is empty by default. If there is no value or invalid value set, then SHA-1 is used.

Email safe domains

Comma-separated list of safe domains

Specifies the safe domains.

Example: mycompany.com,mycompany.net,internal.mycompany.com

Ensure that there are no empty spaces before and after the comma.

Email addresses not in the safe domain list are displayed in red color in Email+. You may want to use this key-value pair if your company has multiple domains and you want to identify the company domains as opposed to domains that are not company domains.

To disable this feature, you can set the value to "*"

Default if the restriction is not configured: Only the domain of the user's email address is considered safe. All other domains will be highlighted in red.

Allow logging

Check box

Select to allow Email+ to log data in the Android logging system.

If selected, the Send Logs and Download Logs options are available in Email+ in General Settings in the Mail app. Device users can send log files via Email+ by the tapping Send Logs option or download logs by tapping the Download Logs option. The download option is useful if emails cannot be sent due to sync issues.

Log data is useful for problem diagnosis. Typically, you select this option in a test environment.

Default: Not selected.

Allow export contacts to email

Check box

Select to give device users the option to export contacts as an attachment in an email.

Default: Check box is selected.

Allow detailed notifications

Checkbox

Select to allow device users see detailed notifications. The details can include sensitive information such as email subject and body previews, or event titles and times.

Default: Check box is not selected. Device users see normal notifications.

Show picture by default

Checkbox

Select to allow device users to automatically see images in an email. The setting turns on the Show Pictures option on the device.

Device users can override the configuration in the UEM by turning the Show Pictures option on or off on the device.

If you change the value, Email+ does not change the Show Pictures option until Email+ does a full synchronization. A full synchronization occurs only when you change certain fundamental values like Email address, or when the device user uninstalls and reinstalls Email+.

Default: Check box is not selected. The Show Pictures option is turned off.

Default signature

Ivanti EPMM: $DEFAULT$

Ivanti Neurons for MDM: The default email signature

The value entered is the default email signature for all emails. However, the device user can override the default email signature at any time. After the device user defines the default email signature, Email+ does not use the value entered in this field, even if the value is updated.

For Ivanti EPMM, with $DEFAULT$, the system default is used. If $DEFAULT$ is not configured, a signature is not provided.

Default if the restriction is not configured (system default): Sent by Email+.

GAL search minimum characters

A number

The minimum number of characters for Email+ to use for automatic Global Address List (GAL) lookup in Mail and Contacts.

When entering a name, after the specified number of characters, Email+ starts searching the GAL and presents the matches that it finds.

On your Exchange server, set the minimum number of characters for GAL search to the same value you set for this key. If you do not, GAL search will not work properly in Email+.

Default: 4.

Max attachment size (MB)

A number

Specifies the maximum size in megabytes of an email that Email+ will send without a warning to the device user. The maximum size includes the body of the email plus its attachments.

Allowed values are integers starting with 1.

If the Exchange server has an email size limit that is less than the maximum size entered, the Exchange server does not deliver the email.

Default: 10 MB.

Max mail body size

A number

Specifies the maximum limit for email message body size that can be received by the Email+ app.

Default: 4 MB

Default sync period

  • 1
  • 2
  • 3
  • 4
  • 5

Specifies the default period for which emails are downloaded:

1: emails received over the last one day.

2: emails received over the last three days.

3: emails received over the last seven days.

4: emails received over the last two weeks.

5: emails received over the last one month.

If configured, all options will be available in Email+. Device users can change the default value. If the Max sync period restriction is also configured, options greater than sync period specified in the restriction will not be available on the device.

Default: 2.

Max sync period

  • 0
  • 1
  • 2
  • 3
  • 4
  • 5

Specifies the maximum number of days for which emails are downloaded:

0: all emails.

1: emails received over the last one day.

2: emails received over the last three days.

3: emails received over the last seven days.

4: emails received over the last two weeks.

5: emails received over the last one month.

Default: 0.

Disable Usage Statistics

Checkbox

Disables sending Email+ analytics.

Default: Unchecked

Optional Features

  • block_external_gal
  • skip_empty_links
  • show_formatting
  • lotus
  • multiple_accounts
  • eas_16
  • allow_shortcuts
  • calendar_delegation

  • entrust_certificates

  • smime_suppress_certificate_email_check

block_external_gal: Disables global address lookup (GAL) of Email+ contacts in the native Contacts app. Configure the value only if the Google account configured for Android Enterprise supports GAL.

skip_empty_links: Some exchange servers block custom links and the hyperlinks are stripped from the email body. For example, the url mibrowser:// that is used to launch [email protected] and may not become click-able when sent via email. The work around for this problem is, Email+ has additional capability to detect such emails and automatically fetch their body as MIME data that is unmodified by exchange. We recommend that administrators evaluate this capability in their environment by adding "skip_empty_links" into the

"enabled_features" KVP. Fetching MIME data may not work in all configurations.

show_formatting: Enables the “Always show formatting” option if it was not previously changed manually.

lotus: Enables Lotus server support.

multiple_accounts: Enables secondary email account on the same device.

eas_16: Enables ActiveSync 16 specific folder synchronization features in Email+. When Email+ receives "eas_16" the first time, Folder resync is expected.

When "eas_16" protocol is added to Optional Features restrictions:

    • if the highest ActiveSync version for the server is 16.1 or higher, enable Email+ to sync via EAS 16.1 version.
    • if the highest ActiveSync version for the server is 16.0, enable Email+ to sync via EAS 16.0 version
    • if the highest ActiveSync version for the server is lower than 16.0, then it works as per the current settings.

allow_shortcuts: Enables the user to create shortcuts for launch Calendar, Contact, Notes, and Tasks.

calendar_delegation: Enables the Add Delegated Calendar option.

entrust_certificates: Enable support for entrust certificate for Android Enterprise cloud. The Email+ app now fetches these certificates from the keystore. This is applicable for Android Enterprise device registration mode such as Profile Owner, Device Owner, and EPO with Microsoft Office 365 using Modern auth. The Email+ Android Enterprise apps uses the certificates is as follows:

  • Authorization Cert: This certificate is used to login to the Email+ app.
  • Signing /Encryption: This certificate is used for SMIME functionality.

smime_suppress_certificate_email_check: Automatic certificate verification using email address is suppressed and the user can manually add a certificate using the Keystore and GALoptions.


Disabled Features

  • save_attachment
  • print
  • show_snippet
  • personal_events
  • crl_signature_check
  • richtext_event_support

save_attachment: Disables the save attachments option. When this value is added the "Save as" button is not available for email attachments. Attachments can still be opened in [email protected]

print: Disables the Print option for email messages.

show_snippet: This option removes "Text preview" setting and disables message preview displaying. If this option is enabled the user can set the number of lines visible for message preview, through Email+ app Settings on the mobile device.
By default the number of lines set for preview is set to two.

personal_events: Disables the "Overlay personal events" option in the calendar Settings by admin.

crl_signature_check: Disables CRL check for the email signature certificates.

richtext_event_support: Disables the user to fetch an event note's content in HTML format and then edit it using rich text editor. Enabled by default.

Default Network Timeout

A positive integer

The value is represented in seconds.

The value overwrites the default connection timeout value for all requests. You may want to configure the key-value pair to manage slow connections with the ActiveSync server or for syncing large folders and emails.

If the value is 0, negative, or non-integer, the default value is used.

Default: 90 seconds.

Authorization Mode

  • Basic Authorization
  • Certificate-based Authentication
  • Modern Authentication

Defines the authentication method to the Exchange ActiveSync service.

  • Basic Authorization: user name and password
  • Certificate-Based Authentication: identity certificates
  • Modern Authentication: enable modern auth for corresponding protocol. Enables Oauth 2.0 authorization.

Modern Auth Authority URL and Modern Auth Resource URL: when configured through sentry uses the following values:

  • modern_auth_authority_url: https://<SentryHostname>/proxyservice
  • modern_auth_resource_url: https://<SentryHostname>

For certificate-based authentication, the Email login certificate restriction must also be configured.

If you have configured Certificate-Based Authentication and there are errors in your configuration, the authentication method defaults to basic.

Default: Basic Authorization.

Alert unsafe domains

Checkbox

Select to alert Email+ users if the recipients in an email or calendar invite include addresses that are not in a safe domain.

If the restriction is configured, but safe domains (Email safe domains) are not configured, only the domain of the user's email address is considered safe. Device users have the option to either proceed or cancel sending the email.

Default: Not selected. An alert is not displayed for addresses not in a safe domain.

Show dialing confirmation

Checkbox

Select to present a confirmation dialog when users tap on a phone number in an email. Tapping on the phone number in the dialog, dials the phone number. Tapping the back arrow cancels the call.

Default if no key-value is configured: Not selected. Users do not see a confirmation dialog. When a user taps on a phone number in Email+, the number is automatically dialed.

Display Order

  • first_last
  • last_first

Sets the default display order for contact names in search results. Device users can change the display order in Email+ in Settings > Contacts.

first_last: Contact names in search results are displayed with first name followed by the last name.

last_first: Contact names in search results are displayed with last name followed by the first name.

Default: first_last.

Use Display Name

  • true
  • false

true: Enables Display Name in Email+ Settings > Contacts by default.

false: Disables Display Name in Email+ Settings > Contacts by default.

Default: true

Modern Auth Authority URL

https://login.microsoftonline.com/common

This is enabled to specify Microsoft Office 365 authority url.

Modern Auth Resource URL

https://outlook.office365.com

This is enabled to specify Microsoft Office 365 resource url.

Security classification JSON

Default value for this key is empty.

Enables the email classification feature. If present, it specifies the list of classification values to be used and all the supported permutations.

See Document classification capabilitiessection for more information.

Allow certificate revocation check

  • true
  • false

This is enabled to check certificate validity. The CRL check for server certificate is performed when Allow certificate revocation check is set to true and Trust all certificates is set to false.

Allow files from personal apps

  • true
  • false

Enable this option to allow import or add attachments from personal profile applications. For example, importing certificates from storage or attaching images from photo gallery.

Report phishing

email address

Enable the 'Report Phishing' option on view screen in the "More" menu. The suspicious mail is deleted and sent to a pre-configured (for security review) email address.

Organize by date

  • true
  • false

Disables email treading for email messages.

false: "Email Threading” is turned "ON".

Show week number

  • true
  • false

Displays the week number in the week and month view for Calendar. You can enable or disable week number view from device Settings.

Default: true

Exchange host for EWS

FQDN of the EWS server

To support EWS authentication when Exchange host restriction contains NOT the fully qualified domain name (FDQN) of the EWS server, Exchange host for EWS restriction should have a FDQN as the value for the EWS server.

If not configured, the value of Exchange host restriction is used as the EWS server.

EWS Authentication Mode

  • Basic Authentication
  • Modern Authentication
  • Certificate Based Authentication

Defines the authentication method to the EWS.

  • Basic Authentication: username and password

  • Modern Authentication: enable modern auth for corresponding protocol. Enables Oauth 2.0 authentication

  • Certificate Based Authentication: support delegated calendar with certificate based authentication.

Default: Basic Authentication