How to secure Exchange e-mail using MDM?

Description

Organizations use Exchange or Office 365 e-mail as the primary means of passing confidential corporate data. Further, data is also shared in the form of e-mail attachments. This data must be secured to prevent any unauthorized access or usage. MDM provides multiple solutions across platforms to secure Exchange or Office 365 e-mail, as explained below.

Pre-requisites

  • Exchange ActiveSync profile has to be distributed to the devices.
  • In case of iOS/iPadOS devices, any Exchange account already associated with the device prior to profile distribution should be removed from the device before associating an Exchange ActiveSync profile.
  • In case of Android devices, an e-mail client app such as Gmail, Outlook or Samsung Mail has to be installed on the devices.

Securing E-mail

Conditional Exchange Access

Conditional Exchange Access automates granting Exchange mailbox access to managed devices, while restricting devices not enrolled with MDM from accessing Exchange. This ensures that devices accessing confidential corporate data are under the management of MDM. You can either restrict access to Exchange immediately or configure a grace period allowing users to access Exchange from unmanaged devices until the grace period ends. Conditional Exchange Access is applicable for all three platforms. Know more about Conditional Exchange Access here.

Supported platform/client apps

  • In iOS/iPadOS and Windows devices - Native mail app
  • In Android devices - Gmail app (Note: CEA is also applicable to the native mail app on Samsung devices running Android 8.0 or below.)

Office 365 Conditional Access

With Office 365 Conditional Access, admins can ensure only Windows 10 devices enrolled with MDM can access Office 365 (and/or other apps that require Microsoft Azure sign-in), while restricting access from unenrolled devices. Know more about Office 365 Conditional Access here.

Using E-mail/Exchange ActiveSync policies

iOS

While configuring the E-mail/Exchange policy for iOS devices, disabling the options Prevent Moving Messages to other Mail Accounts and Block Account usage from non-Mail Apps ensures the messages can neither be moved nor be accessed by any app other than the default mail app.

The advantage of using Exchange ActiveSync over E-mail is that you can configure and secure Exchange using certificates. Certificate-based authentication (CBA) provides more security, as the account details can be distributed through the certificates. Know more about certificates here. Further, configuring Exchange lets you customize even the mail sync settings. This ensures a virtual container is created, whereby there is no unauthorized access to data. You can also use SSL for mail communication and enable S/MIME to encrypt or decrypt mails. In addition, you can enable OAuth to ensure that the Exchange client does not have access to the users' credentials; the users are redirected to Exchange Online to log in to their account.

Know more about E-mail and Exchange ActiveSync policies for iOS.

Android

While configuring the E-mail/Exchange policy for Android devices, disabling Allow Forwarding Mails ensures the e-mails cannot be moved from corporate mail accounts to personal mail accounts. Also, disabling Allow User to change settings ensures Admin-configured settings cannot be modified.

The advantage of using Exchange ActiveSync over E-mail is that you can configure and secure Exchange using certificates. Certificate-based authentication provides more security, as the account details can be distributed through the certificates. Know more about certificates here. Further, configuring Exchange lets you customize even the mail sync settings.

Know more about E-mail and Exchange ActiveSync policies for Android.

In general, e-mail communication can be secured by using SSL and the other security settings provided in MDM.

Using device configurations & restrictions

E-mail can also be secured using restrictions, with the only downside being that the restrictions are applied to all features and capabilities of the device, not just E-mail, and may affect the normal functioning of the device.

The following restrictions can be applied, to secure e-mail:

  • Deploy a strict passcode policy on the devices or on the work profile to securely access the corporate data.
  • Restrict adding personal accounts or modifying the added account settings on managed devices.
  • Disable clipboard sharing, mail forwarding and screen capture to prevent users from sharing sensitive corporate data.
  • Restrict sensitive e-mail content from being displayed on the device lock screen.
  • Disable syncing with cloud services such as iCloud, iTunes, etc.
  • Disable sharing of data from managed apps to unmanaged apps.
  • Disable transfer of data (e-mail attachments) through USB, Bluetooth connections, AirPrint and AirDrop.
  • Restrict users from printing e-mail content by connecting to Bluetooth printers.
  • Restrict account usage from the native contacts app and other non-mail apps.

Know more about Restrictions for iOS/iPadOS, Android and Windows.

MDM recommends using Conditional Exchange Access to secure E-mail, as the restriction is applied on the accounts and not on the device, ensuring e-mail cannot be accessed from unmanaged devices while the normal functionality of the device is unaffected.

Data Loss Prevention policies

In addition to the above device configurations and restrictions, you can also impose policies on how the data should be accessed from apps and apply essential data loss prevention (DLP) policies if sensitive corporate data is being shared via mail.

Data protection

  • Disable data backup to any third-party Android backup services and iTunes/iCloud.
  • Mandate a PIN for accessing mail apps and define PIN complexity by configuring PIN type, PIN length, biometric unlocking, etc.

Sign-in security requirements

  • Specify the number of incorrect PIN attempts after which the data stored on the device will be factory reset.
  • Specify the duration allowed for offline access, after which the stored corporate data will be wiped, or for which access to the app will be blocked for the specified grace period.
  • Specify the minimum app version that must be installed on the device to access corporate data. If the app has not yet been updated to the specified version, you can choose whether the user must be notified to update the app or access to the app is blocked until it is updated.
  • Specify the minimum OS/patch version that must be installed on the devices. If the device has not yet been updated to the specified version, you can choose whether the user must be notified to update the OS/patch or access is blocked until the specified OS/patch version is installed.

Securing E-mail attachments

MDM also supports securing attachments sent through mail. The document viewer in the ME MDM app lets you securely view and organize your e-mail attachments. You can also distribute the required apps from MDM to view the e-mail attachments. Know more about the document viewer here.

Deleting data from devices

Once the user leaves the organization, the corporate data can be wiped by performing either a Corporate Wipe or a Complete Wipe on the device. Corporate Wipe removes the e-mail account configured through MDM along with the apps and content shared using MDM.