Email has long been the backbone of employees staying connected and informed about corporate information while connecting them with customers.
But email on mobile devices has created problems for IT teams as they grapple with how to secure email on personal and corporate devices to prevent breaches and data leakage. Luckily, mobile device management (MDM) and mobile email management (MEM) give IT admins broader security controls for email access and control.
What is mobile email management?
An MDM tool allows IT to provide email access to personal and employee-owned devices while enforcing security policies to protect corporate data, including the following:
- secure over-the-air provisioning of email accounts and email clients across different device types and operating systems;
- securing email access using Secure Sockets Layer (SSL) and certificates;
- data loss prevention (DLP) policies that keep sensitive information, including email attachments, out of third-party and unmanaged applications on a device;
- restricting or blocking email access from unauthorized, unmanaged, lost or stolen devices;
- restricting email access to company-approved devices only; and
- discovering existing unmanaged devices that access corporate email.
Getting started with an MEM tool
The best way to manage and distribute access to email on employee devices is by using MDM. MDM products such as Microsoft Endpoint Manager (formerly Intune), VMware Workspace ONE (formerly AirWatch), Jamf, MaaS360 and MobileIron (acquired by Ivanti) are some of the most well-known options in the industry.
An MDM tool can integrate into different directory services to provide over-the-air configuration of user email accounts on devices enrolled and managed by MDM and includes support for Office 365 and Exchange On-Premises accounts. An email usage policy helps employees use their company email appropriately and understand how to protect their data from breaches and vulnerabilities.
Implementing mobile email management
MDM with MEM allows IT teams to provide a native email experience on end-user devices while using different email clients, configurations and security policies such as containerization, securing email traffic and securing access to Exchange.
Containerizing email access
Many MDM tools have a set of mobile applications that give organizations the ability to lock down corporate data. This includes containerized email applications that allow security controls such as blocking all email applications except specified email clients, blocking access to other third-party accounts on the corporate email client and using conditional access controls to manage data sharing. Examples include Microsoft Outlook managed through Microsoft Endpoint Manager, VMware Workspace ONE Boxer, MaaS360 Mail and Citrix Secure Mail.
Securing email traffic
To ensure that email traffic is secured and not left vulnerable, organizations can use the MDM tool to establish a secure communication channel for email by enforcing an SSL/Transport Layer Security (TLS) connection or by deploying SSL certificates to managed mobile devices.
Securing access to Exchange
Many organizations use Microsoft Exchange Server to manage corporate email, and it provides controls that IT teams can use to enforce conditional access for both Exchange Server and Exchange Online. However, Exchange Online has limitations, including which email clients and features are supported on different platforms.
Organizations moving to Microsoft 365 have the ability to set different conditional access policies for individual Office 365 applications, such as Outlook, for both managed and unmanaged devices. For instance, an IT admin can opt to allow users to access Microsoft Word on any device while restricting Outlook access to only managed and compliant devices.
Building compliance policies
What happens if a device's state changes after the organization has enabled email access on an end-user device? For example, what if the device's encryption state changes or a device becomes jailbroken or rooted, making it more vulnerable to attack, or is lost or stolen?
Organizations can use compliance policies from the MDM tool to automate actions such as wiping corporate applications and data from an end-user device if a device becomes noncompliant. These compliance policies, once set up, are automated, allowing immediate actions without IT having to monitor device activity 24/7. That helps ensure that corporate data and access are always secured.
Compliance policies for devices can include the following:
- encryption status;
- compromised status (including rooted or jailbroken);
- model and OS version; and
- device last seen.
Actions for noncompliance can include the following:
- installation of a compliance profile;
- blocking or removal of a profile;
- enterprise wipe of corporate data and applications;
- notification to admins and end users via email or SMS;
- blocking email; and
- blocking or removal of all applications or of managed applications only (depending on whether the device is personal or corporate-owned).
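As an added illustration (not code from the article or from any MDM vendor), the following constructed Python evaluator maps the device compliance conditions above to the ordered noncompliance actions above, de-duplicating actions when a device fails more than one check and scoping the app-removal action by ownership. Device fields, action names, the 30-day check-in limit and the OS 14.0 floor are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Device:  # constructed record for illustration, not any MDM vendor's schema
    ownership: str        # "corporate" or "personal"
    encrypted: bool
    compromised: bool     # rooted or jailbroken
    os_version: tuple     # e.g. (14, 2)
    last_seen: datetime   # last check-in with the MDM service

ACTIONS = {  # each failed condition -> the ordered noncompliance actions to take
    "compromised": ["block_email", "enterprise_wipe", "notify_admin"],
    "unencrypted": ["block_email", "notify_user"],
    "os_outdated": ["install_compliance_profile", "notify_user"],
    "not_seen": ["block_email", "notify_admin"],
}

def violations(d, min_os, max_unseen, now):
    found = []  # the compliance conditions the device currently fails
    if d.compromised:
        found.append("compromised")
    if not d.encrypted:
        found.append("unencrypted")
    if d.os_version < min_os:
        found.append("os_outdated")
    if now - d.last_seen > max_unseen:
        found.append("not_seen")  # a silent device may be lost or stolen
    return found

def evaluate(d, min_os, max_unseen, now):
    """Ordered, de-duplicated actions for a device; an empty list means compliant."""
    actions = []
    for condition in violations(d, min_os, max_unseen, now):
        for action in ACTIONS[condition]:
            if action not in actions:
                actions.append(action)
    if "enterprise_wipe" in actions:  # corporate-owned devices also lose every managed app
        actions.append("remove_all_apps" if d.ownership == "corporate" else "remove_managed_apps")
    return actions

def demo():
    """Evaluate three constructed devices against a 30-day check-in limit and OS 14.0 floor."""
    now = datetime(2024, 1, 31)
    fleet = {
        "healthy": Device("corporate", True, False, (15, 0), now - timedelta(hours=1)),
        "jailbroken": Device("corporate", True, True, (15, 0), now - timedelta(hours=1)),
        "stale_personal": Device("personal", False, False, (15, 0), now - timedelta(days=40)),
    }
    return {name: evaluate(d, (14, 0), timedelta(days=30), now) for name, d in fleet.items()}
```

The "stale_personal" device fails two checks, and the shared "block_email" action appears once because the evaluator de-duplicates while preserving order.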