App restrictions descriptions for Ivanti Email+ (Android Enterprise)

The app restriction described in the following table are available for Email+ for Android Enterprise. Before configuring new restrictions, the user should update to the latest Email+ application and then the administrator should configure new restrictions.

When there are multiple values available within a Restriction, the different features should be specified as a list of Comma Separated Strings, with or without a space. A semicolon between them will not work.

**Table 6.** App restriction description for Email+ (Android Enterprise)
Restriction	Value: Enter/Select one	Description
Email address	Substitution variable for email address	Required. Defines the email address for the email account. Ivanti EPMM Typically, enter $EMAIL$. You can also enter combinations of these variables, depending on your ActiveSync server requirements: $USERID$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$ Ivanti Neurons for MDM Typically, enter ${userEmailAddress}.
Exchange host	FQDN of the ActiveSync server or Standalone Sentry	Required. The fully qualified domain name (FQDN) of the ActiveSync server or Standalone Sentry. Example: mySentry.mycompany.com
Exchange username	Substitution variable for username	Required. Defines the username for the email account. Ivanti EPMM Typically, use $USERID$. If your ActiveSync server requires a domain, use <domain name>\$USERID$. Example: mydomain\$USERID$. Depending on your ActiveSync server requirements, you can also use combinations of these variables: $EMAIL$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$. Ivanti Neurons for MDM Typically, use ${userEmailAddressLocalPart}. If your ActiveSync server requires a domain, use <domain name>\${userEmailAddressLocalPart}. Example: mydomain\${userEmailAddressLocalPart}. Depending on your ActiveSync server requirements, you can use: ${userEmailAddress}
Email password	The user’s password for the ActiveSync server	If you provide a password, Email+ does not prompt the device user for the password. Ivanti, Inc recommends leaving this field blank. Ivanti EPMM only You can use the variable $PASSWORD$ if you have checked Save User Password in Settings > Preferences. Ivanti EPMM then passes the user’s password as the value to the device. If you plan to use the $PASSWORD$ variable, be sure to set Save User Password to Yes before any device users register. If a device user was registered before you set Save User Password, Email+ prompts the user to enter the password manually. Default if restriction is not configured: User is prompted for ActiveSync password.
Device ID (Ivanti EPMM only)	$DEVICE_UUID_NO_DASHES$	Required.
SSL required	Check box	Select if you want secure communication using https: to the server that you specified for Exchange host. Default: Selected.
Trust all certificates	Check box	Select to allow the app to automatically accepts untrusted certificates. Typically, you select this option only when working in a test environment. Default: Not selected.
Prompt email password	Check box	Select to prompt the user for the email account password when the user attempts to launch Email+. Default: Not selected. If the restriction is not selected, Email+ provides the password to the ActiveSync server when Email+ connects with the server. The ActiveSync server counts the initial connection initiated by Email+ as a password attempt. Therefore, Ivanti, Inc recommends selecting this restriction if the email server allows only a small number of password attempts.
Email login certificate	Ivanti EPMM $CERT_ALIAS:certificate enrollment setting name$ Ivanti Neurons for MDM Certificate setting from the dropdown list	Configure for certificate-based authentication to the ActiveSync server or to Standalone Sentry. Ivanti EPMM The certificate enrollment setting name is the name you gave to the certificate enrollment setting, which is configured in Configurations > Add New > Certificates or Certificate Enrollment. Ivanti Neurons for MDM The certificate setting is configured in Configurations > Add > Certificate or Identity Certificate. For certificate-based authentication, the Authorization Mode restriction must also be set to Certificate-based Authentication.
Email signing certificate	Ivanti EPMM $CERT_ALIAS:certificate enrollment setting name$ Ivanti Neurons for MDM Certificate setting from the dropdown list	Specifies the certificate to use for signing S/MIME emails. Ivanti EPMM The certificate enrollment setting name is the name you gave to the certificate enrollment setting, which is configured in Configurations > Add New > Certificates or Certificate Enrollment. Ivanti Neurons for MDM The certificate setting is configured in Configurations > Add > Certificate or Identity Certificate.
Email encryption certificate	Ivanti EPMM $CERT_ALIAS:certificate enrollment setting name$ Ivanti Neurons for MDM Certificate setting from the dropdown list	Specifies the certificate to use for encrypting S/MIME emails. Ivanti EPMM The certificate enrollment setting name is the name you gave to the certificate enrollment setting, which is configured in Configurations > Add New > Certificates or Certificate Enrollment. Ivanti Neurons for MDM The certificate setting is configured in Configurations > Add > Certificate or Identity Certificate.
Signing digest algorithm	SHA-1 SHA-256 SHA-384 SHA-512	Configures signature algorithm. The restriction is empty by default. If there is no value or invalid value set, then SHA-1 is used.
Email safe domains	Comma-separated list of safe domains	Specifies the safe domains. Example: mycompany.com,mycompany.net,internal.mycompany.com Ensure that there are no empty spaces before and after the comma. Email addresses not in the safe domain list are displayed in red color in Email+. You may want to use this key-value pair if your company has multiple domains and you want to identify the company domains as opposed to domains that are not company domains. To disable this feature, you can set the value to "*" Default if the restriction is not configured: Only the domain of the user's email address is considered safe. All other domains will be highlighted in red.
Allow logging	Check box	Select to allow Email+ to log data in the Android logging system. If selected, the Send Logs and Download Logs options are available in Email+ in General Settings in the Mail app. Device users can send log files via Email+ by the tapping Send Logs option or download logs by tapping the Download Logs option. The download option is useful if emails cannot be sent due to sync issues. Log data is useful for problem diagnosis. Typically, you select this option in a test environment. Default: Not selected.
Allow export contacts to email	Check box	Select to give device users the option to export contacts as an attachment in an email. Default: Check box is selected.
Allow detailed notifications	Checkbox	Select to allow device users see detailed notifications. The details can include sensitive information such as email subject and body previews, or event titles and times. Default: Check box is not selected. Device users see normal notifications.
Show picture by default	Checkbox	Select to allow device users to automatically see images in an email. The setting turns on the Show Pictures option on the device. Device users can override the configuration in the UEM by turning the Show Pictures option on or off on the device. If you change the value, Email+ does not change the Show Pictures option until Email+ does a full synchronization. A full synchronization occurs only when you change certain fundamental values like Email address, or when the device user uninstalls and reinstalls Email+. Default: Check box is not selected. The Show Pictures option is turned off.
Default signature	Ivanti EPMM: $DEFAULT$ Ivanti Neurons for MDM: The default email signature	The value entered is the default email signature for all emails. However, the device user can override the default email signature at any time. After the device user defines the default email signature, Email+ does not use the value entered in this field, even if the value is updated. For Ivanti EPMM, with $DEFAULT$, the system default is used. If $DEFAULT$ is not configured, a signature is not provided. Default if the restriction is not configured (system default): Sent by Email+.
GAL search minimum characters	A number	The minimum number of characters for Email+ to use for automatic Global Address List (GAL) lookup in Mail and Contacts. When entering a name, after the specified number of characters, Email+ starts searching the GAL and presents the matches that it finds. On your Exchange server, set the minimum number of characters for GAL search to the same value you set for this key. If you do not, GAL search will not work properly in Email+. Default: 4.
Max attachment size (MB)	A number	Specifies the maximum size in megabytes of an email that Email+ will send without a warning to the device user. The maximum size includes the body of the email plus its attachments. Also applicable for Delegated Mailbox. Allowed values are integers starting with 1. If the Exchange server has an email size limit that is less than the maximum size entered, the Exchange server does not deliver the email. Default: 10 MB.
Max mail body size	A number	Specifies the maximum limit for email message body size that can be received by the Email+ app. Default: 4 MB
Default sync period	1 2 3 4 5	Specifies the default period for which emails are downloaded: 1: emails received over the last one day. 2: emails received over the last three days. 3: emails received over the last seven days. 4: emails received over the last two weeks. 5: emails received over the last one month. If configured, all options will be available in Email+. Device users can change the default value. If the Max sync period restriction is also configured, options greater than sync period specified in the restriction will not be available on the device. Default: 2.
Max sync period	0 1 2 3 4 5	Specifies the maximum number of days for which emails are downloaded: 0: all emails. 1: emails received over the last one day. 2: emails received over the last three days. 3: emails received over the last seven days. 4: emails received over the last two weeks. 5: emails received over the last one month. Default: 0.
Disable Usage Statistics	Checkbox	Disables sending Email+ analytics. Default: Unchecked
Optional Features	block_external_gal skip_empty_links show_formatting multiple_accounts eas_16 allow_shortcuts calendar_delegation entrust_certificates smime_suppress_certificate_email_check delegated_shared_mailbox	block_external_gal: Disables global address lookup (GAL) of Email+ contacts in the native Contacts app. Configure the value only if the Google account configured for Android Enterprise supports GAL. skip_empty_links: Some exchange servers block custom links and the hyperlinks are stripped from the email body. For example, the url mibrowser:// that is used to launch Web@Work and may not become click-able when sent via email. The work around for this problem is, Email+ has additional capability to detect such emails and automatically fetch their body as MIME data that is unmodified by exchange. We recommend that administrators evaluate this capability in their environment by adding "skip_empty_links" into the "enabled_features" KVP. Fetching MIME data may not work in all configurations. show_formatting: Enables the “Always show formatting” option if it was not previously changed manually. multiple_accounts: Enables secondary email account on the same device. eas_16: Enables ActiveSync 16 specific folder synchronization features in Email+. When Email+ receives "eas_16" the first time, Folder resync is expected. When "eas_16" protocol is added to Optional Features restrictions: if the highest ActiveSync version for the server is 16.1 or higher, enable Email+ to sync via EAS 16.1 version. if the highest ActiveSync version for the server is 16.0, enable Email+ to sync via EAS 16.0 version if the highest ActiveSync version for the server is lower than 16.0, then it works as per the current settings. allow_shortcuts: Enables the user to create shortcuts for launch Calendar, Contact, Notes, and Tasks. calendar_delegation: Enables the Add Delegated Calendar option. entrust_certificates: Enable support for entrust certificate for Android Enterprise cloud. The Email+ app now fetches these certificates from the keystore. This is applicable for Android Enterprise device registration mode such as Profile Owner, Device Owner, and EPO with Microsoft Office 365 using Modern auth. The Email+ Android Enterprise apps uses the certificates is as follows: Authorization Cert: This certificate is used to login to the Email+ app. Signing /Encryption: This certificate is used for SMIME functionality. smime_suppress_certificate_email_check: Automatic certificate verification using email address is suppressed and the user can manually add a certificate using the Keystore and GALoptions. delegated_shared_mailbox: delegated_shared_mailbox: Enables the delegated mailbox option. When this value is removed: All added Delegated mailbox accounts are removed from Email and Setting's screen. "Add a Mailbox" button is removed under Email screen and Setting's screen. If only Primary account is added then the arrow to expand and collapse to show different mailbox's and Add a Mailbox label are also removed. If Secondary account is available then arrow to expand and collapse to show different mailbox's will be available but Add a Mailbox label is not available.
Disabled Features	save_attachment print show_snippet personal_events crl_signature_check	save_attachment: Disables the save attachments option. When this value is added the "Save as" button is not available for email attachments. Attachments can still be opened in Docs@Work. print: Disables the Print option for email messages. show_snippet: This option removes "Text preview" setting and disables message preview displaying. If this option is enabled the user can set the number of lines visible for message preview, through Email+ app Settings on the mobile device. By default the number of lines set for preview is set to two. personal_events: Disables the "Overlay personal events" option in the calendar Settings by admin. crl_signature_check: Disables CRL check for the email signature certificates.
Default Network Timeout	A positive integer	The value is represented in seconds. The value overwrites the default connection timeout value for all requests. You may want to configure the key-value pair to manage slow connections with the ActiveSync server or for syncing large folders and emails. If the value is 0, negative, or non-integer, the default value is used. Default: 90 seconds.
Authorization Mode	Basic Authorization Certificate-based Authentication Modern Authentication	Defines the authentication method to the Exchange ActiveSync service. Basic Authorization: user name and password Certificate-Based Authentication: identity certificates Modern Authentication: enable modern auth for corresponding protocol. Enables Oauth 2.0 authorization. Modern Auth Authority URL and Modern Auth Resource URL: when configured through sentry uses the following values: modern_auth_authority_url: https://<SentryHostname>/proxyservice modern_auth_resource_url: https://<SentryHostname> For certificate-based authentication, the Email login certificate restriction must also be configured. If you have configured Certificate-Based Authentication and there are errors in your configuration, the authentication method defaults to basic. Default: Basic Authorization.
Alert unsafe domains	Checkbox	Select to alert Email+ users if the recipients in an email or calendar invite include addresses that are not in a safe domain. If the restriction is configured, but safe domains (Email safe domains) are not configured, only the domain of the user's email address is considered safe. Device users have the option to either proceed or cancel sending the email. Default: Not selected. An alert is not displayed for addresses not in a safe domain.
Show dialing confirmation	Checkbox	Select to present a confirmation dialog when users tap on a phone number in an email. Tapping on the phone number in the dialog, dials the phone number. Tapping the back arrow cancels the call. Default if no key-value is configured: Not selected. Users do not see a confirmation dialog. When a user taps on a phone number in Email+, the number is automatically dialed.
Display Order	first_last last_first	Sets the default display order for contact names in search results. Device users can change the display order in Email+ in Settings > Contacts. first_last: Contact names in search results are displayed with first name followed by the last name. last_first: Contact names in search results are displayed with last name followed by the first name. Default: first_last.
Use Display Name	true false	true: Enables Display Name in Email+ Settings > Contacts by default. false: Disables Display Name in Email+ Settings > Contacts by default. Default: true
Modern Auth Authority URL	https://login.microsoftonline.com/common	This is enabled to specify Microsoft Office 365 authority url.
Modern Auth Resource URL	https://outlook.office365.com	This is enabled to specify Microsoft Office 365 resource url.
Security classification JSON	Default value for this key is empty.	Enables the email classification feature. If present, it specifies the list of classification values to be used and all the supported permutations. See Document classification capabilitiessection for more information.
Allow certificate revocation check	true false	This is enabled to check certificate validity. The CRL check for server certificate is performed when Allow certificate revocation check is set to true and Trust all certificates is set to false.
Allow files from personal apps	true false	Enable this option to allow import or add attachments from personal profile applications. For example, importing certificates from storage or attaching images from photo gallery.
Report phishing	email address	Enable the 'Report Phishing' option on view screen in the "More" menu. The suspicious mail is deleted and sent to a pre-configured (for security review) email address.
Organize by date	true false	Disables email treading for email messages. false: "Email Threading” is turned "ON".
Show week number	true false	Displays the week number in the week and month view for Calendar. You can enable or disable week number view from device Settings. Default: true
Exchange host for EWS	FQDN of the EWS server	To support EWS authentication when Exchange host restriction contains NOT the fully qualified domain name (FDQN) of the EWS server, Exchange host for EWS restriction should have a FDQN as the value for the EWS server. If not configured, the value of Exchange host restriction is used as the EWS server.
EWS Authentication Mode	Basic Authentication Modern Authentication Certificate Based Authentication	Defines the authentication method to the EWS. Basic Authentication: username and password Modern Authentication: enable modern auth for corresponding protocol. Enables Oauth 2.0 authentication Certificate Based Authentication: support delegated calendar with certificate based authentication. Default: Basic Authentication
(Optional) Encryption algorithm	3des (currently used by Email+, the most compatible and default) aes256 aes192 aes128	Configures encryption algorithm. The restriction is empty by default. if there is no value of invalid set, then 3des is used.
Calendars sync period	0: sync all events 1: sync events for one month 3: sync events for three months 6: sync events for six months	Calendars sync period is added to sync all calendar events matching the sync period provided in Email+, with default value set to 1 for syncing one month calendar events.