Delegated mailbox

Ivanti Email+ supports delegated access for Mailbox. Currently, we support delegation of up to four mailboxes. In case of multiple mailboxes, each mailbox is independent and has its own Delegated Mailbox account settings.

When configuring the mailbox delegation, the owner delegates mailbox to another user (Delegate) to manage it as per delegation level set on Outlook.

The delegated user can add upto four delegated mailboxes from multiple owners. .When multiple accounts are available then only mailboxes delegated to primary account can be added to Email+.

To configure Delegated Mailbox on Android AppConnect or Android Enterprise, configure the following key-value pairs or restrictions:

  • Add delegated_shared_mailbox value to enabled_features key-value pair or to Optional Features restriction to add the Add Mailbox option in the Email+ app.

When you select the Add a Mailbox option, Email+ searches email address in GAL and provides list of contacts to add mailbox. If the search result is successful, the 'Mailbox added' pop-up is displayed and Delegated Mailbox is added. Once Delegated Mailbox is added, the Add Mailbox option appears in the navigation drawer and Settings.

Email+ supports delegated mailbox permissions similar to Microsoft Exchange server such as Reviewer, Editor, and Author level permissions. Ivanti Email+ 4.7.0 supports only 'Reviewer' level permission. Starting Ivanti Email+ 4.10.0 all permissions levels are supported in Email+.

Delegated user can now save draft mail in the Delegated Mailbox. The Delegated Drafts folder is not synced with the server and only available locally. Delegate can store draft emails in "Drafts" folder. These folders are local and are not synced with the server.

Delegated Mailbox with Reviewer permission can perform the following actions:

  • Mark as Unread or Read

  • Download and view attachments from mail or invite mails.

Search of the delegated mails is out of scope for Email+ 4.7.0 release.

All the folders are auto synced when the user clicks on each folder to start and stop the sync. The delegated user can manually delete the delegated mailbox added from the Email+ app.

Microsoft server does not provide any permissions to load sub folders and doesn't return in requests for the sub folders synchronization so sub folder in the Inbox is not displayed for added delegated mailbox of such accounts in Email+ as well as on Outlook.

The mailbox owner can change permissions from any role (Reviewer/Author/Editor) to any role (Reviewer/Author/Editor), also for existing drafts.

  • When the Owner revokes access to Delegated Mailbox completely, or the user removes the Delegated Mailbox manually from the Email+ settings, related Drafts folder is removed with all its content.

  • When the Owner revokes access to Delegated Calendar, all related drafts from the "Delegated Drafts", Delegated Mailbox "Drafts", and Outbox (if any emails are stuck there) folders are removed.

  • When the Admin removes the delegated_shared_mailboxkey-value pair from the Email+app config, then all Delegated Mailbox drafts are deleted from the app along with the other information from the Delegated Mailbox.

The mailbox owner can update the following permission combinations:

Permission level Combinations
Reviewer
  • Reviewer > Author
  • Reviewer > Editor
  • Reviewer > None
Author
  • Author > Reviewer
  • Author > Editor
  • Author > None
Editor
  • Editor > Author
  • Editor > Reviewer
  • Editor > None

The following table displays the different delegation permissions and the actions they can perform:

Action

Reviewer

Author

Editor

Reading emails

Yes

Yes

Yes

Downloading and viewing email attachment

Yes Yes Yes

Searching emails

Yes Yes Yes

Marking emails as Read/Unread

Yes Yes Yes

Flagging emails

No No Yes

Moving an email to a different folder within the account

No No Yes

Deleting emails

No No Yes
Sending emails with attachments No Yes Yes
Options to Reply/Reply All/Forward emails No Yes Yes

Saving draft emails locally in the app.

*Reviewer cannot compose emails and create drafts. The only possible way to create draft is an edge case when doing Reply/Reply All/Forward a delegated calendar event.

Yes Yes Yes

Responding to meeting invites from emails (no delegated calendar added)

No No No

Responding to meeting invites from emails (DC added).

 

* Becomes available if the Delegated Calendar of the same owner's account is added with Author or Editor permissions.

Yes Yes Yes

Reading signed and/or encrypted emails

 

Yes Yes Yes

Sending signed and/or encrypted emails

 

No Yes Yes

Reading emails with Classification

 

Yes Yes Yes

Sending emails with Classification

 

No Yes Yes

Adding delegated mailbox to the Email+ app

To add the delegated mailbox to the Email+ app on your Android device, perform the following steps:

Before you begin 

  • Configure the enabled_features key-value pair and add the delegated_shared_mailbox value.

  • Set both EWS and Exchange host

  • Set EWS Authorization mode,

    • For Modern Auth, set value to modern_auth

    • For Certificate based Auth, set value to cert_base

Procedure 

  1. In the Email+ app, go to Settings > Mail > Accounts > Add.
  2. On the Add delegated Mailbox screen, type the Email ID of the mailbox owner. Delegated mailbox is added in Mail section - Mailboxes.​ The delegate gets access to Inbox, sub folders, and smart folders.

Support for SMIME

The signing and encryption functionality is extended to support Delegated Mailboxes, the functionality works similar to that of Primary Account. Delegated user can:

  • Read/Send signed/encrypted emails depending upon the user permission

  • Read emails with Classification

The keychain is common for all mailboxes and not only for the mailbox you are working on. The app searches certificates in the keychain and GAL (same as the primary account).

The process of adding certificates to the Keychain is:

  • Through email_signing_certificate and email_encryption_certificate KVPs.

  • From the email attachment

Signing

A Delegate can view, search, reply, and forward signed emails in the delegator's mailbox (depending on permissions).

In the received email, the sender's signing certificate can be verified if their public certificate is available in GAL, or if it is available in the delegate's keystore in Email+. Otherwise, the certificate will be marked red as not trusted.

A Delegate can sign emails with the actual sender's certificate (Primary account) and send signed emails from the Primary account on behalf of the delegator.

If the certificate of the signed email cannot be validated (there is no user certificate in the keychain and in GAL), the red check mark icon is be displayed according to the existing logic.

Encryption

A Delegate can encrypt emails with the actual sender's certificate (Primary account) and send encrypted emails from the Primary account on behalf of the Delegator.

A Delegate can decrypt emails if the Delegator provides the Delegate with their private certificates, and these certificates are added to the app Keychain.

Suppressing Name Check on certificate mismatch

When the feature flag for suppressing name checks on certificate mismatch is enabled by admin, the feature is available for delegated mailboxes. Existing certificate associations are automatically accessible for delegated mailboxes.

The user can encrypt/decrypt emails using existing certificate associations and create new associations.

Classification

When classification is configured by Admin, it is available for delegated mailboxes. The user is able to parse emails in the delegated mailboxes having classification, reply/forward, and compose new emails.

The delegate receives a notification when a new mail is received in the delegated mailbox. Also, the delegated user receives following notification when the owner removes the access to the delegated mailbox:

Mailbox access has been denied

You cannot delegate a particular sub folder in a mailbox, you can only delegate only the mailbox

Ivanti Email+ configurations supported for Delegated and Shared Mailbox

The following table lists the supported Email+ and EWS configurations.

Before you begin 

EWS must have Basic Auth enabled in Internet Information Services (IIS) manager (Microsoft Exchange server) for Android.

If EWS server is not accessible publicly (located in private network), then VPN should be configured.

Update the host name in the email_ews_host key-value pair.

Email+ Configuations

Additional Configurations for EWS

Supported

Android AppConnect:

Ivanti EPMM and Ivanti Neurons for MDM with sentry, Modern auth with or without email_password KVP, Microsoft Office 365

Add email_ews_host KVP with EWS server value

Add ews_min_allowed_auth_mode = modern_auth KVP

Yes

Android AppConnect and Android Enterprise:

Ivanti EPMM or Ivanti Neurons for MDM, without sentry, Modern auth with or without email_password KVP, Microsoft Office 365

Add ews_min_allowed_auth_mode = modern_auth KVP

Yes

Android Enterprise:

Ivanti EPMM or Ivanti Neurons for MDM, with sentry, Modern auth with or without email_password KVP, Microsoft Office 365

Exchange host for EWS should have value of the EWS server

EWS Authentication Mode should have Modern Authentication value

Yes

Android AppConnect and Android Enterprise:

Ivanti EPMM or Ivanti Neurons for MDM, with sentry + Local certificate, Basic auth with or without email_password KVP, Microsoft Exchange versions 2016 and 2019, Microsoft Office 365

Android AppConnect: add email_ews_host with EWS server value

Android Enterprise: Exchange host for EWS should have value of the EWS server

Yes

Android AppConnect and Android Enterprise:

Ivanti EPMM, with sentry + group certificate, Basic auth with or without email_password KVP, Microsoft Exchange versions 2016 and 2019, Microsoft Office 365

Android AppConnect: Add email_ews_host with EWS server value

Android Enterprise: Exchange host for EWS should have value of the EWS server

Yes

Android AppConnect and Android Enterprise:

Ivanti EPMM, with Sentry + MS scep certificate, Basic auth with or without email_password KVP, Microsoft Exchange versions 2016 and 2019, Microsoft Office 365

Android AppConnect: add email_ews_host with EWS server value

Android Enterprise: Exchange host for EWS should have value of the EWS server

Yes

Android AppConnect and Android Enterprise:

Ivanti EPMM or Ivanti Neurons for MDM, with Sentry, Kerberos with prompt_email_password=true and enter password on Email+ login screen, Microsoft Exchange versions 2016 and 2019

Android AppConnect: add email_ews_host with EWS server value

Android Enterprise: Exchange host for EWS should have value of the EWS server

Yes

Android AppConnect and Android Enterprise:

Ivanti EPMM or Ivanti Neurons for MDM, with Sentry, Kerberos with email_password KVP with hard coded value (which is not probably a use case), Microsoft Exchange versions 2016 and 2019

Android AppConnect: add email_ews_host with EWS server value.

Android Enterprise: Exchange host for EWS should have value of the EWS server

Yes

Android AppConnect and Android Enterprise:

Ivanti EPMM or Ivanti Neurons for MDM, without sentry, Basic auth (with or without 'email_password' KVP), Microsoft Exchange versions 2016 and 2019, Microsoft Office 365

 

Yes

Android AppConnect and Android Enterprise:

Ivanti EPMM or Ivanti Neurons for MDM, with or without sentry, Certificate based auth, Microsoft Exchange versions 2016 and 2019, Microsoft Office 365

Android AppConnect: add 'ews_min_allowed_auth_mode' = cert_base KVP

Android Enterprise: add 'EWS Authentication Mode' should have 'Certificate-Based Authentication' value

Yes

Android AppConnect and Android Enterprise:

Ivanti EPMM or Ivanti Neurons for MDM, with sentry, Kerberos (without 'email_password' KVP), Microsoft Exchange versions 2016 and 2019

 

No