Organizations use Exchange or Office 365 e-mail as primary means of passing confidential corporate data. Further, data is also shared in the form of e-mail attachments. This data must be secured to prevent any unauthorized access/usage of data. MDM provides mutliple solutions across platforms, to secure Exchange e-mail or Office 365, as explained below.
Conditional Exchange Access automates granting Exchange mailbox access to managed devices, while restricting devices not enrolled with MDM from accessing Exchange. This ensures devices accessing confidential corporate data, are under the management of MDM. You can either restrict access to Exchange immediately or configure a grace period allowing users to access Exchange from unmanaged devices until the grace period ends. Conditional Exchange Access is applicable for all three platforms. Know more about Conditional Exchange Access here.
With Office 365 Conditional Access, admins can ensure only Windows 10 devices enrolled with MDM can access Office 365 (and/or other apps that require Microsoft Azure sign in), while restricting access to unenrolled devices. Know more about Office 365 Conditional Access here.
While configuring E-mail/Exchange policy for iOS devices, disabling options Prevent Moving Messages to other Mail Accounts and Block Account usage from non-Mail Apps, ensures the messages can neither be moved nor be accessed by any other app other than the default mail app.
The advantage of using Exchange ActiveSync over E-mail, is that you can configure and secure Exchange using certificates. Certificate-based authentication(CBA) provides more security, as the account details can be distributed through the certificates. Know more about certificates here. Further, configuring Exchange ensures you can customize even the mail sync settings. This ensures a virtual container is created, whereby there is no unauthorized access of data. You can also use SSL for mail communication and enable S/MIME to encrypt or decrypt mails. In addition, you can enable OAuth to ensure that the Exchange client does not have access to the users credentials. The users are redirected to Exchange Online to login to their account.
While configuring E-mail/Exchange policy for Android devices, disabling Allow Forwarding Mails ensure the e-mails cannot be moved from corporate mail accounts to personal mail accounts. Also, disabling Allow User to change settings ensures Admin-configured settings cannot be modified.
The advantage of using Exchange ActiveSync over E-mail, is that you can configure and secure Exchange using certificates. Certificate-based authentication provides more security, as the account details can be distributed through the certificates. Know more about certificates here. Further, configuring Exchange ensures you can customize even the mail sync settings.
In general e-mail communication can be secured by using SSL and other security settings provided in MDM.
E-mail can also be secured using restrictions, with the only downside being the restrictions are applied to all features and capabilities of the device including E-mail and may affect the normal functioning of the device.
The following restrictions can be applied, to secure e-mail:
MDM recommends using Conditional Exchange Access to secure E-mail as the restriction is applied on the accounts and not on the device, ensuring e-mail cannot be access from other unamanaged devices and also ensuring the normal functionality of the device is unaffected.
In addition to the above device configurations and restrictions, you can also impose policies on how the data should be accessed from apps and apply essential data loss prevention (DLP) policies if sensitive corporate data are being shared via mail.
MDM also supports securing attachments sent through mail. The document viewer present in the ME MDM app lets you securely view and organize your e-mail attachments. You can also distribute required apps from MDM to view the email attachments.Know more about document viewer here.
Once the user leaves the organization, the corporate data can be wiped by performing either a Corporate or Complete Wipe on the device. Corporate wipe will remove the e-mail account configured along with the apps and content shared using MDM.