Key-value pairs for Ivanti Email+ (Android AppConnect)
Key-value pairs for configuring Email+ for Android AppConnect app behavior describes the key-value pairs available to administrators to customize Email+ app behavior on Android devices. These key-value pairs define app behavior such as providing detailed notifications to device users and exporting contacts from Email+.
Key-value pairs marked as Ivanti EPMM only are not applicable to Ivanti Neurons for MDM. For Ivanti Neurons for MDM deployments, these variables are either provided as fields in Ivanti Neurons for MDM or are set automatically and do not require action from the administrator.
See Configuring Email+ for Android AppConnect in Ivanti Neurons for MDM for a description of the fields in Ivanti Neurons for MDM.
- Some values can use the UEM variables, such as $EMAIL$ for Ivanti EPMM and ${userEmailAddress} for Ivanti Neurons for MDM. The UEM substitutes the device user’s value when sending the app configuration to the device.
- If you make a mistake in configuring the required key-value pairs, the app displays a message to the device user that the configuration has an error, and to contact the administrator.
- Before configuring new key-value pairs, the user should update to the latest Email+ application and then the administrator should configure the new key-value pairs.
When there are multiple values available within a KVP, the different features should be specified as a list of Comma Separated Strings, with or without a space. A semicolon between them will not work.
You can configure and customize the following features with key-value pairs:
- Required Key-value pairs to configure an account on Email+
- Background email check and user notifications
- Certificates
- S/MIME
- Manage contacts
- Syncing
- Maximum size for email attachments
- Default signature
- SSL
- GAL search
- Prompt the device user for password
- Show pictures
- Default network timeout
- Troubleshooting
Key |
Value: Enter/Select one |
Description |
email_address |
Email address of the device user |
To validate that the account signed in is indeed the corporate account (the value is automatically set into modern auth UI, but can be changed there) Ivanti EPMM Typically, this field uses the Ivanti EPMM variable $EMAIL$. You can also use combinations of these Ivanti EPMM variables, depending on your ActiveSync server requirements: Ivanti Neurons for MDM Typically, this field uses the Ivanti Neurons for MDM variable ${userEmailAddress}. You can also use combinations of the user attribute variables, depending on your ActiveSync server requirements. The user attribute variables are listed in Ivanti Neurons for MDM in Admin > Attributes. |
email_device_id |
The device ID that the ActiveSync server uses for the device. |
Ivanti EPMM Always use the Ivanti EPMM variable $DEVICE_UUID_NO_DASHES$. Ivanti Neurons for MDM Always use the Ivanti Neurons for MDM variable ${deviceSN}. |
email_exchange_host |
FQDN of the ActiveSync server or Standalone Sentry |
The fully qualified domain name (FQDN) of the ActiveSync server or Standalone Sentry. This KVP should be set to outlook.office365.com. Example: mySentry.mycompany.com |
email_exchange_username |
User ID for the ActiveSync server |
Ivanti EPMM Typically, you use the Ivanti EPMM variable If your ActiveSync server requires a domain, use <domain name>\$USERID$. For example: mydomain\$USERID$. You can also use combinations of these Ivanti EPMM variables, depending on your ActiveSync server requirements: $EMAIL$, Ivanti Neurons for MDM Typically, you use ${userEmailAddressLocalPart}. If your ActiveSync server requires a domain, use Depending on your ActiveSync server requirements, you can use ${userEmailAddress} |
allow_detailed_notifications |
|
true: Device users see detailed notifications. The details can include sensitive information such as email subject and body previews, or event titles and times. false: Device users see normal notifications. Default if no key-value is configured: false. |
The necessary certificate setting must have been created in the UEM. |
||
email_login_certificate |
The certificate setting from the dropdown list |
The UEM sends the contents of the certificate as the value. Is also used when CBA is configured (to check if supported by Android) If the certificate is password-encoded, Ivanti EPMM automatically sends another key-value pair. The key’s name is the following string: <name of key for certificate>_MI_CERT_PW The value is the certificate’s password. Default if no key-value is configured: Certificates are not used. |
email_trust_all_certificates |
|
true: Email+ automatically accepts untrusted certificates. Typically, you enter true only when working in a test environment. false: Email+ does not accept untrusted certificates. Default if no key-value is configured: false. |
email_certificate_X, |
The certificate setting from the dropdown list |
Email+ imports the certificate into its keystore of trusted certificates, and trusts any certificates derived from the CA root certificate in its keystore. The certificate must be DER-encoded. You can add up to ten certificate authority (CA) root certificates. Reasons for designating a CA root certificate as trusted:
You specify this certificate to Email+ in the key email_login_certificate. It corresponds to the certificate you specified for device authentication in Standalone Sentry configuration in the Ivanti EPMM Admin Portal.
You specify these certificates in the keys email_encryption_certificate and email_signing_certificate. Use .DER format instead of normal .PEM format for email_certificate_X certificates. The trusted CA root certificate is listed in Email+ in Settings > Advanced Settings > KeyStore. |
eas_min_allowed_auth_mode |
|
Defines the authentication method to the Exchange ActiveSync server.
Modern Auth Authority URL and Modern Auth Resource URL: when configured through sentry uses the following values:
For certificate-based authentication, the key email_login_certificate must also be configured. Default if no key-value is configured: basic. |
allow_certificate_revocation_check |
|
The admin can use this KVP to check certificates validity. The CRL check for server certificate is performed only if th email_trust_ all_ certificates KVP is set to "false". |
email_encryption_certificate |
The certificate setting from the dropdown list |
Specifies the certificate to use for encrypting S/MIME emails. The UEM sends the contents of the certificate as the value. Email+ imports the key into the keystore and selects the certificate as the encryption certificate. If you change the certificate, Email+ imports the new certificate into the keystore and selects the new certificate as the encryption certificate. It leaves the previous certificate in the keystore. If you delete the key-value pair, Email+ leaves the certificate in the keystore. It changes its settings to specify that no certificate is selected as the encryption certificate. Using the Email+ user interface, the device user can:
Email+ automatically encrypts emails if the emails in the thread are encrypted. For more information about configuring S/MIME for Email+, see SMIME support in Email+ for Android for identity and encryption. Default if no key-value is configured: Certificate is not configured. For S/MIME certificates use .DER format instead of normal .PEM format. |
email_signing_certificate |
The certificate setting from the dropdown list |
Specifies the certificate to use for signing S/MIME emails. The UEM sends the contents of the certificate as the value. Email+ imports the key into the keychain and selects the certificate as the signing certificate. If you change the certificate, Email+ imports the new certificate into the keystore and selects the new certificate as the signing certificate. It leaves the previous certificate in the keystore. If you delete the key-value pair, Email+ leaves the certificate in the keystore and changes its settings to specify that no certificate is selected as the signing certificate. Using the Email+ user interface, the device user can:
For more information about configuring S/MIME for Email+, see SMIME support in Email+ for Android for identity and encryption. Default if no key-value is configured: Certificate is not configured. |
email_signing_digest |
|
Configures signature algorithm. The default value is set to SHA-1. The restriction is empty by default. If there is no value or invalid value set, then SHA-1 is used. |
allow_export_contacts |
|
true: Allows Email+ users to export the Email+ contacts outside of the AppConnect container to the native contacts app. Device users can select the “Sync to personal profile” option, in the settings of the Email+ Contacts app, to export the contacts. Exporting contacts allows users to see the caller ID of incoming calls from phone numbers in the list of corporate contacts. Third-party apps can also access the corporate contacts. If contacts are not exported, users see the caller ID only for personal contacts. false: Device users cannot export the Email+ contacts. They see the caller ID only for personal contacts. When the device is retired or Email+ is retired, the corporate contacts are removed from both Email+ and the native contacts app. Default if no key-value is configured: true. |
allow_export_contacts_to_email |
|
true: Device users have the option to export contacts as an attachment to an outgoing email. The attachment is an unencrypted VCF (Virtual Contact File) file. false: Device users do not have the option to export contacts as an attachment to an outgoing email. Default if no key-value is configured: true. |
allow_export_contacts_to_sdcard |
|
true: Device users have the option to export the contacts to the SD card. If the device user chooses the option, Email+ exports the contacts as an encrypted VCF (Virtual Contact File) file. The encrypted VCF file is readable only by Email+ and other secure apps. false: Device users do not have the option to export contacts to the SD card. Default if no key-value is configured: true. |
limit_contact_export_to |
|
name_number: Limits the exported contact information to each contact’s name and number information. Use this setting to minimize the exposure of corporate data. all: Exports all the contact information. This field is used only if allow_export_contacts is set to true. If you enter a value other than all or name_number, Email+ uses the value all. Default if no key-value is configured: all. |
email_safe_domains |
comma-separated list of safe domains |
Ensure that there are no spaces before or after the comma. Email addresses not in the safe domain list are displayed in red color when composing new emails or creating new calendar invitations in Email+. You may want to use this key-value pair if you company has multiple domains and you want to identify the company domains as opposed to domains that are not company domains. To disable this feature, you can set the value to "*" Example: Default if no key-value is configured: Only the domain of the user's email address is considered safe. All other domains will be highlighted in red. |
email_alert_unsafe_domains
|
|
true: Users see an alert if the recipients in an email or calendar invite include addresses that are not in a safe domain. If the key is configured but safe domains are not configured, only the domain of the user's email address is considered safe. Device users have the option to either proceed or cancel sending the email. false: An alert is not displayed for addresses not in a safe domain. Default if key-value is not configured: false. |
email_max_sync_period |
|
Specifies the maximum sync period for which emails are downloaded: 0: all emails. 1: emails received over the last one day. 2: emails received over the last three days. 3: emails received over the last seven days. 4: emails received over the last two weeks. 5: emails received over the last one month. Default if no key-value is configured: 0. |
email_default_sync_period |
|
Specifies the default period for which emails are downloaded. 1: emails received over the last one day. 2: emails received over the last three days. 3: emails received over the last seven days. 4: emails received over the last two weeks. 5: emails received over the last one month. If configured, all options will be available in Email+. Device users can change the default value. If email_max_sync_period is also configured, options greater than sync period specified in email_max_sync_period will not be available on the device. Default if no key-value is configured: 2. Additionally, the default value is used in the following cases:
After an upgrade, the app retains the default sync period set by the device user. |
email_max_attachment |
A number |
Specifies the maximum size in megabytes of an email that Email+ will send without a warning to the device user. The maximum size includes the body of the email plus its attachments. Also applicable for Delegated Mailbox. Allowed values are integers starting with 1. If the Exchange server has an email size limit that is less than the limit specified in email_max_attachment, the Exchange server does not deliver the email. Default if no key-value is configured: 10 MB. |
Maximum size for email attachments |
||
email_max_body_size |
A number |
Specifies the maximum limit for email message body size that can be received by the Email+ app. Default: 4 MB |
email_default_signature |
The default email signature |
The value of this key is the default email signature for all emails. However, the device user can override the default email signature at any time. After the user defines the default email signature, Email+ does not use the value in the key, even if you update it. Default if no key-value is configured: Sent by Email+. |
email_ssl_required |
|
true: Secures communication using HTTPS to the server specified in email_exchange_host. Typically, set this field to true unless you are working in a test environment. Default if no key-value is configured: true. |
gal_search_minimum_characters |
A number |
The minimum number of characters Email+ uses for automatic Global Address List (GAL) lookup in Mail, Calendar, and Contacts. When device users enter the specified number of characters of a name, Email+ searches the GAL, and presents the matches that it finds. On your Exchange server, set the minimum number of characters for GAL search to the same value you set for this key. If you do not, GAL search will not work properly in Email+. Default if no key-value is configured: 4. |
gal_search_display_name |
|
true: Enables Display Name in Email+ Settings > Contacts by default. false: Disables Display Name in Email+ Settings > Contacts by default. Default if key-value is not configured: true |
contacts_display_order |
|
Sets the default display order for contact names in search results. Device users can change the display order in Email+ in Settings > Contacts. The values are case sensitive; enter in lower case. first_last: Contact names in search results are displayed with first name followed by the last name. last_first: Contact names in search results are displayed with last name followed by the first name. Default if key-value is not configured: first_last. |
prompt_email_password |
|
true: Email+ prompts the user for the email password before attempting to connect to the email server. false: When Email+ first launches and connects to the email server, Email+ provides the password set in the Email+ configuration to the server. If a password is not configured, an empty string is provided to the server. In this case, after the connection is established, Email+ prompts the user for a password. If the email server limits the number of password attempts, the server counts the first connection as one failed attempt. Set the value of this key to true if the email server allows only a small number of password attempts. Example: If the email server allows only three attempts, setting this value to true ensures that device users get three attempts, not two attempts. Kerberos-based authentication is designed to work without user passwords. Since setting prompt_email_password to true always prompts the user for a password, be sure the value is false (the default) if using Kerberos-based authentication. Default if no key-value is configured: false. |
email_password |
User’s password for the ActiveSync server |
If configured, Email+ does not prompt users for a password. Delete this key if you want the device user to enter the password when using Email+. Ivanti, Increcommends deleting the key. Ivanti EPMM You can use the Ivanti EPMM variable $PASSWORD$ if you have checked Save User Password in Settings > Users&Devices > Registration. Ivanti EPMM then passes the user’s password as the value to the device. If you plan to use the $PASSWORD$ variable, be sure to set Save User Password to Yes before any device users register. If a device user was registered before you set Save User Password, Email+ prompts the user to enter the password manually. For Google accounts, as part of a larger setup for synchronizing Google account data, you can use $GOOGLE_AUTOGEN_PASSWORD$. For more information, see “Synchronizing Google account data” section in the Ivanti EPMM Device Management Guide for your device platform. Default if no key-value is configured: Email+ requests device users to enter the password. |
Dialing |
||
show_dialing_confirmation |
|
true: Users see a confirmation dialog when they tap on a phone number in an email. Tapping on the phone number in the dialog, dials the phone number. Tapping the back arrow cancels the call. false: Users do not see a confirmation dialog. When a user taps on a phone number in Email+, the number is automatically dialed. Default if no key-value is configured: false. |
show_pictures_default |
|
true: Enables the Show Pictures option. Device users automatically see images when opening an email. false: Disables the Show Pictures option. Device users must tap Show Pictures to view images when opening an email. Device users can override the value you configure by turning the Show Pictures option on or off. If you change the key’s value, Email+ does not change the Show Pictures option until Email+ does a full synchronization. A full synchronization occurs only when you change certain fundamental key-value pairs like email_address, or when the device user uninstalls and reinstalls Email+. Default if no key-value is configured: false. |
default_network_timeout |
A positive integer
|
The value is represented in seconds. The value overwrites the default connection timeout value for all requests. You may want to configure the key-value pair to manage slow connections with the ActiveSync server or for syncing large folders and emails. If the value is 0, negative, or non-integer, the default value is used. Default if no key-value is configured: 90 seconds. |
disable_analytics |
|
true: Disables sending Email+ analytics. false: Enables sending Email+ analytics. Default if no key-value is configured: False. |
allow_logging |
|
true: Email+ logs data in the Android logging system.This is useful for problem diagnosis. Typically, you enter true only when working in a test environment. Otherwise, enter false. Default if no key-value is configured: false. |
enabled_features |
|
export_contacts: If allow_export_contacts key-value pair is set to true and export_contacts value is added to the keyvalue pair then Email+ contacts will be automatically synced to native Contacts app. skip_empty_links: Some exchange servers block custom links and the hyperlinks are stripped from the email body. For example, the url mibrowser:// that is used to launch Web@Work and may not become click-able when sent via email. The work around for this problem is, Email+ has additional capability to detect such emails and automatically fetch their body as MIME ata that is unmodified by exchange. We recommend that administrators evaluate this capability in their environment by adding "skip_empty_links" into the "enabled_features" KVP. Fetching MIME data may not work in all configurations. show_formatting: Enables the “Always show formatting” option if it was not previously changed manually. block_external_gal: Disables contacts search through Email+ contacts for external applications. rms_support: Enables fetching, displaying and composing of the protected messages. multiple_accounts: Enables secondary email account on the same device. allow_shortcuts: Enables the user to create shortcuts for Calendar, Contacts, Tasks, and Notes. eas_16: Enables ActiveSync 16 specific folder synchronization features in Email+. When Email+ receives "eas_16" the first time, Folder resync is expected. When "eas_16" protocol is added to enabled_features KVP:
calendar_delegation: Enables the Add Delegated Calendar option. delegated_shared_mailbox: Enables the delegated mailbox option. When this value is removed:
|
disabled_features |
|
save_attachment: Disables the save attachments option. When this option is added the “Save As” button is not available for email attachments. Attachments can still be opened and viewed in Docs@Work or mail application. print: Disables the ability to print a message. show_snippet: This option removes "Text preview" setting and disables message preview displaying. If this option is enabled the user can set the number of lines visible for message preview, through Email+ app Settings on the mobile device. personal_events:Adding 'personal_events' value to 'disabled_features' KVP removes "Overlay personal events" in Settings by admin. When 'personal_events' value is removed from 'disabled_features', the "Overlay personal events" appears in Settings and has previous state that user had applied. crl_signature_check: Disables CRL check for the email signature certificates. |
Microsoft Office 365 authority and resource URL |
||
modern_auth_authority_url |
https://login.microsoftonline.com/common |
This KVP is added to specify Microsoft Office 365 authority url. |
modern_auth_resource_url |
https://outlook.office365.com |
This KVP is added to specify Microsoft Office 365 resource url. |
Document classification capabilities |
||
email_security_classification_json |
Default value for this key is empty. |
Enables the email classification feature. If present, it specifies the list of classification values to be used and all the supported permutations. See Document classification capabilities section for more information. |
Report phishing |
||
report_phishing_address |
email address |
Enabling 'Report Phishing' option onView screen in the "More" menu. Phishing email is sent to email address set in value. |
Mail organization |
||
organize_by_date |
|
Disables email treading for email messages. false: "Email Threading” is turned "ON". |
Calendar week view |
||
show_week_number |
|
Displays the week number in the week and month view for Calendar. You can enable or disable week number view from device Settings. Default if no key-value is configured: true |
Setup access to Exchange server via EWS protocol |
||
email_ews_host |
FQDN of the EWS server |
To support EWS authentication when email_exchange_host KVP does not contain a fully qualified domain name (FDQN) of the EWS server, email_ews_host KVP should be added and have a FDQN as the value for the EWS server. If not configured, the value of email_exchange_host KVP is used as the EWS server by Email+. Update the host name in the email_ews_host key-value pair. |
ews_min_allowed_auth_mode |
|
Defines the authentication method for the Exchange server through EWS protocol. Supported authentication methods are:
|