Email Plus Android Guide
Uploaded by
jonjaballeEmail Plus Android Guide
Uploaded by
jonjaballeMobileIron Email+ 2.11.0.
0 for
Android Guide for Administrators
for Android AppConnect and Android
enterprise for MobileIron Core and
MobileIron Cloud
April 16, 2018
Proprietary and Confidential | Do Not Distribute
Copyright © 2015 - 2018 MobileIron, Inc. All Rights Reserved.
Any reproduction or redistribution of part or all of these materials is strictly prohibited. Information in this publication
is subject to change without notice. MobileIron, Inc. does not warrant the use of this publication. For some phone
images, a third-party database and image library, Copyright © 2007-2009 Aeleeta's Art and Design Studio, is used.
This database and image library cannot be distributed separate from the MobileIron product.
“MobileIron,” the MobileIron logos and other trade names, trademarks or service marks of MobileIron, Inc.
appearing in this documentation are the property of MobileIron, Inc. This documentation contains additional trade
names, trademarks and service marks of others, which are the property of their respective owners. We do not
intend our use or display of other companies’ trade names, trademarks or service marks to imply a relationship
with, or endorsement or sponsorship of us by, these other companies.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 2
Contents
Chapter 1 Overview of Email+ for Android.............................................................................. 5
About Email+ for Android ................................................................................................5
Email+ Android AppConnect ............................................................................................... 5
Email+ for Android enterprise ............................................................................................. 6
Where to find Email+ for Android .................................................................................... 6
Support and compatibility for Email+ for Android ......................................................... 6
About configuring Email+ for Android ............................................................................ 6
What users see in Email+ for Android ............................................................................ 7
Chapter 2 Configuring Email+ for Android AppConnect.......................................................... 8
Before you configure Email+ for Android AppConnect ................................................ 8
Main configuration steps for Email+ for Android AppConnect (Core) ........................ 9
Adding Email+ for Android AppConnect and Secure Apps Manager to MobileIron Core ... 9
Enabling third-party AppConnect apps in MobileIron Core ................................................. 9
Configuring the AppConnect global policy in MobileIron Core .......................................... 10
Configuring the AppConnect container policy in MobileIron Core .................................... 10
Applying the container policy to labels in MobileIron Core ..........................................................11
Removing labels from the automatically-created AppConnect container policy in MobileIron Core 11
Configuring an AppConnect app configuration for Email+ in MobileIron Core .................. 12
Creating a new AppConnect app configuration for Email+ for Android .......................................13
AppConnect app configuration field descriptions .............................................................. 13
Configuring email attachment control with Standalone Sentry in MobileIron Core ........... 14
Main configuration steps for Email+ for Android AppConnect (Cloud) .................... 15
Adding Email+ for Android AppConnect and Secure Apps Manager to MobileIron Cloud 15
Configuring Email+ for Android AppConnect in MobileIron Cloud .................................... 15
ActiveSync server synchronization due to app configuration changes (Core and Cloud)
17
Chapter 3 Configuring Email+ for Android enterprise ........................................................... 18
Before you configure Email+ for Android enterprise .................................................. 18
Requirements for configuring Email+ for Android enterprise ............................................ 18
Recommendations for configuring Email+ for Android enterprise ..................................... 18
Email+ for Android enterprise app configuration and distribution ............................ 19
Configuring app restrictions and distribution in MobileIron Core ...................................... 19
Configuring app restrictions and distribution in MobileIron Cloud ..................................... 20
Chapter 4 Additional configurations using key-value pairs.................................................... 21
Key-value pairs for Email+ (Android AppConnect) ..................................................... 21
App restrictions descriptions for Email+ (Android enterprise) .................................. 35
S/MIME support in Email+ for Android for identity and encryption ........................... 44
Importing certificates to Email+ for Android using app-specific configuration ................... 44
Configuring S/MIME certificates for Android AppConnect (Core) ................................................44
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 3
Configuring S/MIME certificates for Android AppConnect (Cloud) ..............................................45
Configuring S/MIME certificates for Email+ for Android enterprise (Core and Cloud) .................45
Importing certificates using email attachments .................................................................46
S/MIME behavior in Email+ ..............................................................................................46
Email attachment download to secure SD card folder ................................................ 47
Chapter 5 Secondary account on Email+ (Core only)........................................................... 48
About configuring a secondary account on Email+ ....................................................48
Configuring a secondary account on Email+ for Android AppConnect (Core and
Standalone Sentry) ......................................................................................................... 49
Configuring a secondary account on Email+ for Android enterprise (Core and Standalone
Sentry) .............................................................................................................................. 50
Mapping the custom attributes created in AD to LDAP settings ............................... 50
Syncing with LDAP ......................................................................................................... 51
Creating new label .......................................................................................................... 51
Creating a new AppConnect app configuration for Email+ for Android Appconnect 51
Applying the new AppConnect app configuration to a label ...................................... 52
Applying device user to label ........................................................................................ 52
Creating a new app configuration for Email+ for Android enterprise ........................ 52
Configuring a secondary account on Email+ for Android AppConnect (Core without
Standalone Sentry) ......................................................................................................... 53
Configuring a secondary account on Email+ for Android enterprise (Core without
Standalone Sentry) ......................................................................................................... 54
Key-value pairs for the secondary account (Android AppConnect) .......................... 54
Required keys for configuring the secondary account ...................................................... 54
Key-value pair for disabling the secondary account ......................................................... 55
Keys for customizing the secondary account .................................................................... 55
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 4
1
Overview of Email+ for Android
The following provide an overview of the Email+ app for Android devices:
• About Email+ for Android
• Where to find Email+ for Android
• Support and compatibility for Email+ for Android
• About configuring Email+ for Android
• What users see in Email+ for Android
About Email+ for Android
MobileIron Email+ provides secure email, calendar, contacts, and tasks on corporate-owned and personal Android
devices by communicating with an ActiveSync server in your enterprise.
Email+ for Android is available in two flavors, Android AppConnect and Android enterprise.
• Email+ Android AppConnect
• Email+ for Android enterprise
Email+ Android AppConnect
Email+ is available as an Android AppConnect app.
AppConnect is a MobileIron feature that containerizes apps to protect data on iOS and Android devices. Each
AppConnect-wrapped app becomes a secure container whose data is encrypted, and protected from unauthorized
access. Because each user has multiple business apps, each app container is also connected to other secure app
containers. This connection allows the AppConnect apps to share data, such as documents. AppConnect apps are
managed using policies configured in a MobileIron Enterprise Mobility Management (EMM) platform. The EMM
platform is either MobileIron Core or MobileIron Cloud.
As an AppConnect app, all Email+ data is secured. The app interacts with other apps according to the data loss
prevention policies that you specify. You can also take advantage of AppConnect features such as app
authorization and app configuration.
Email+ for Android AppConnect has the following secure features:
• Secure apps passcode: A secure apps passcode, if you require one, gives device users access to all secure
apps. This is the AppConnect passcode, which you define in the MobileIron EMM platform. The AppConnect
passcode provides an additional layer of security for secure apps, beyond the device passcode.
• Data encryption: AppConnect encrypts all AppConnect-related data on the device, such as Email+ app data,
app configurations, and policies. This means app data is secure even if a device is compromised. App data on
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 5
Overview of Email+ for Android
the device is encrypted using AES-256 encryption. The encryption key is not stored on the device. It is
programmatically derived, in part from the device user’s AppConnect passcode, if you require an Appconnect
passcode.
• Data loss prevention: You determine whether device users can take screen captures of protected data. You
also determine whether AppConnect apps can access camera photos or gallery images, and whether they can
stream media to media players. You can also specify copy/paste restrictions and a web browser policy.
• Secure apps data deletion: If a device is retired, or a secure app is retired, the secure app’s data is deleted.
For information about AppConnect features and configuration beyond Email+ for Android, see the AppConnect and
AppTunnel Guide.
Email+ for Android enterprise
Email+ for Android enterprise has the following secure features:
• Data loss prevention: You determine whether device users can take screen captures of protected data as well
as specify if users can copy/paste protected data.
• Data deletion: App data is removed from a device for any of the following:
- The device is retired.
- The app is removed from the label or the app catalog (MobileIron Core)
- Users are removed from app distribution (MobileIron Cloud)
- The app is uninstalled from the device
Where to find Email+ for Android
For the current download location see the MobileIron Email+ for Android Release Notes.
Support and compatibility for Email+ for Android
For support and compatibility information, see the MobileIron Email+ for Android Release Notes.
About configuring Email+ for Android
You configure settings for Email+ in the MobileIron EMM platform. Because the MobileIron EMM platform provides
these settings to the app, device users do not have to manually enter configuration details. By automating the
configuration for device users, each user has a better experience when installing and setting up the app. Also, the
enterprise has fewer support calls, and the app is secured from misuse due to configuration.
The Email+ settings include, for example:
• the Standalone Sentry that interacts with the ActiveSync server or the ActiveSync server if you are not using
Standalone Sentry.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 6
Overview of Email+ for Android
• the user’s ID for the ActiveSync server.
• the SCEP or certificate setting for the certificate that the device presents to the Standalone Sentry for
authentication, if you are using certificates for authentication.
• custom app configurations that allow administrators to control app behavior.
What users see in Email+ for Android
When users install Email+ for Android, the following apps are available on the home screen:
• Mail: Enables users to send and receive their corporate email, and manage any sub-folders.
• Calendar: Enables users to manage and synchronize their corporate calendar data, including meetings and
appointments in a daily, monthly, or list view.
• Contacts: Enables users to manage and synchronize their corporate contacts.
• Tasks: Enables users to manage, synchronize, and create new tasks.
Settings is available in each app and allows users to manage settings specific to the app.Users manage their
certificates, keys, recognized certificate authorities, S/MIME signing and encryption in Settings in the Mail app.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 7
2
Configuring Email+ for Android AppConnect
The following describe how to set up Email+ for Android AppConnect:
• Before you configure Email+ for Android AppConnect
• Main configuration steps for Email+ for Android AppConnect (Core)
• Main configuration steps for Email+ for Android AppConnect (Cloud)
• ActiveSync server synchronization due to app configuration changes (Core and Cloud)
Before you configure Email+ for Android AppConnect
Before you configure Email+ for Android for AppConnect:
• Ensure that all devices to which you plan to deploy Email+ are able to access
https://activate-emailplus.mobileiron.com. This URL enables the use of ActiveSync features in Email+. No
identifiable information, however, is reported to the server.
• Download the current version of the Email+ for Android app and Secure Apps Manager (SAM) from the
MobileIron support download site. SAM is required for Core deployments only. For the current download
location see the MobileIron Email+ for Android Release Notes.
• If your setup uses certificates, such as, for S/MIME or certificate-based authentication, ensure that the
necessary certificate settings are created in the MobileIron EMM.
MobileIron Core: For information about configuring certificates in MobileIron Core, see the “Managing
Certificates and Configuring Certificate Authorities” section in the MobileIron Core Device Management Guide.
MobileIron Cloud: For information about configuring certificates in MobileIron Cloud, see the “Certificate” and
the “Identity Certificate Configuration” sections in the MobileIron Cloud Administrator Guide.
• If you are using Standalone Sentry to allow access to your enterprise ActiveSync server, ensure that you have
a Standalone Sentry enabled for ActiveSync and the necessary device authentication configured.
For information on how to set up Standalone Sentry, see the MobileIron Sentry Guide for your MobileIron EMM
deployment.
• MobileIron recommends the following:
- Standalone Sentry should use a trusted CA certificate.
- If your EMM is MobileIron Core, and if the Standalone Sentry self-signed certificate is changed, you must
do the following additional setup in Core:
In the Services > Sentry page, for the Standalone Sentry, click the View Certificate link. This makes the
Standalone Sentry’s certificate known to MobileIron Core.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 8
Configuring Email+ for Android AppConnect
Main configuration steps for Email+ for
Android AppConnect (Core)
Following are the main steps for configuring and deploying Email+ for Android AppConnect on MobileIron Core:
1. Adding Email+ for Android AppConnect and Secure Apps Manager to MobileIron Core.
2. Enabling third-party AppConnect apps in MobileIron Core.
3. Configuring the AppConnect global policy in MobileIron Core.
4. Configuring the AppConnect container policy in MobileIron Core.
5. Configuring an AppConnect app configuration for Email+ in MobileIron Core.
6. Configuring email attachment control with Standalone Sentry in MobileIron Core. (For Standalone Sentry
deployments only)
Adding Email+ for Android AppConnect and Secure Apps Manager to
MobileIron Core
You add Email+ and Secure Apps Manager (SAM), in the same manner you would add any other Android in-house
app. After adding the apps to MobileIron Core, you can distribute the apps to devices by applying the apps to labels
that contain the devices you want to distribute the apps.
Procedure
1. In the MobileIron Core Admin Portal, go to Apps > App Catalog > Add+ > In-House. (Prior to
MobileIron Core 8.0 go to Apps > App Distribution Library, and select Add App).
2. Add the apps just as you would any in-house app. Add SAM if you have not already uploaded it to support other
secure apps.
3. After adding the apps, apply the apps to appropriate labels so that they are available to the required devices.
Next steps
Continue on to “Enabling third-party AppConnect apps in MobileIron Core” on page 9.
Related topics
For information on adding in-house apps for Android, see “Working with Apps for Android devices” in the
MobileIron Core Apps@Work Guide.
Enabling third-party AppConnect apps in MobileIron Core
Email+ requires that you enable the licensing option for third-party and in-house AppConnect apps.
Procedure
1. In the MobileIron Core Admin Portal, go to Settings > System Settings.
2. Click Additional Products > Licensed Products.
3. Select AppConnect For Third-party And In-house Apps if your organization has purchased it.
4. Click Save.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 9
Configuring Email+ for Android AppConnect
Next steps
Continue to “Configuring the AppConnect global policy in MobileIron Core” on page 10.
Configuring the AppConnect global policy in MobileIron Core
Because Email+ for Android is an AppConnect app, you need to configure an AppConnect global policy (if one has
not already been configured). This policy specifies settings that apply to all AppConnect apps on a device. For
example, you configure the AppConnect passcode requirements.
IMPORTANT: Make sure only one AppConnect global policy applies to each device.
NOTE: On the AppConnect global policy, you can authorize device users to use Email+ even if no
AppConnect container policy is applied to the device.
Procedure
1. In the MobileIron Core Admin Portal, go to Policies & Configs > Policies.
2. Select Add New > AppConnect.
You can also use an existing AppConnect global policy. Select it, and click Edit.
3. Complete the form.
Most fields default to suitable values, but make sure that you select AppConnect: Enabled to enable
AppConnect on the device.
4. Click Save.
5. Select the policy.
6. Select Actions > Apply To Label.
7. Select the labels to which you want to apply this policy.
8. Click Apply.
Next steps
Continue to “Configuring the AppConnect container policy in MobileIron Core” on page 10.
Related topics
For general details on the AppConnect global policy, see “Configuring the AppConnect global policy” in the
AppConnect and AppTunnel Guide.
Configuring the AppConnect container policy in MobileIron Core
This task is only required:
• If you did not select Authorize for Apps without an AppConnect container policy, in the AppConnect Global
Policy.
• If you want to apply different data loss prevention policies to different devices. When you upload Email+ to
MobileIron Core, Core automatically creates an AppConnect container policy for the app. Create an
AppConnect container policy, if you want to apply different settings to different devices.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 10
Configuring Email+ for Android AppConnect
NOTE THE FOLLOWING:
• Make sure only one AppConnect container policy for Email+ is applied to each device.
• Core keeps in sync the labels that you apply to the app and the labels that you apply to the AppConnect
container policy that Core automatically created.
WARNING: When you apply Email+ to a label, Core automatically adds the same label to the
automatically-created AppConnect container policy. Be sure to remove that label from the
automatically-created AppConnect container policy if you are using that label on a manually
created AppConnect container policy.
Procedure
1. In the MobileIron Core Admin Portal, go to Policies & Configs > Configurations.
2. Click Add New > AppConnect > Container Policy.
Alternatively, edit the automatically-created AppConnect container Policy for Email+.
3. Enter a name for the policy.
4. Enter a description for the policy.
5. In the Application field, choose the Email+.
6. Select Allow Screen Capture if you want to override the default restriction on screen capture.
NOTE: The remaining settings do not apply to Android. Also, the ability to open a document is always
restricted to the secure container on Android devices.
7. Click Save.
Next steps
• If you created a new container policy, continue to “Applying the container policy to labels in MobileIron Core” on
page 11.
• If you edited the automatically-created AppConnect container policy, continue to “Configuring an AppConnect
app configuration for Email+ in MobileIron Core” on page 12.
Applying the container policy to labels in MobileIron Core
Do these steps if you created a new AppConnect container policy.
Procedure
1. Select the container policy.
2. Select Actions > Apply To Label.
3. Select the labels to which you want to apply this policy.
4. Click Apply.
Next steps
Continue to “Removing labels from the automatically-created AppConnect container policy in MobileIron Core” on
page 11.
Removing labels from the automatically-created AppConnect container policy in MobileIron Core
Do these steps if you are not using the automatically-created AppConnect container policy.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 11
Configuring Email+ for Android AppConnect
Procedure
1. Select the automatically-created AppConnect container policy.
2. Select Actions > Remove From Label.
3. Select any labels that you applied to the AppConnect container policy that you just created.
4. Click Remove.
Next steps
Continue to “Configuring an AppConnect app configuration for Email+ in MobileIron Core” on page 12.
Configuring an AppConnect app configuration for Email+ in MobileIron Core
When you add Email+ for Android AppConnect, an AppConnect app configuration is automatically created for
Email+. You can create a new AppConnect app configuration if you want to apply different settings to different
devices. Otherwise, edit the automatically-created AppConnect app configuration to configure the ActiveSync
server information and other settings that you want to customize.
The AppConnect app configuration for Email+ for Android AppConnect contains information such as:
• The fully qualified domain name and user ID for the ActiveSync server.
• Certificate information.
• Key-value pairs that determine the app’s settings and behavior.
The default configuration contains the bundle ID for the app and a set of default key-value pairs that can be
edited or deleted. You can also configure additional key-value pairs.
WARNING: Make sure only one AppConnect app configuration for Email+ is applied to each device.
NOTE: Always set the value of the email_device_id key to $DEVICE_UUID_NO_DASHES$. Standalone Sentry
uses this key-value pair for ActiveSync correlation.
Procedure
1. In the Core Admin Portal, go to Policy & Configs > Configurations.
2. Select the automatically-created AppConnect app configuration for Email+ for Android, and click Edit.
3. Edit the configuration as needed.
4. Click Save.
The automatically-created app configuration has the same labels you applied to the app. You do not need to
apply the automatically-created app configuration to a label.
Related topics
• For a description of the fields see AppConnect app configuration field descriptions.
• For descriptions and list of supported key-value pairs, see Key-value pairs for Email+ (Android AppConnect).
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 12
Configuring Email+ for Android AppConnect
Creating a new AppConnect app configuration for Email+ for Android
Create a new AppConnect app configuration by saving the automatically created AppConnect app configuration for
Email+ if you want to apply different settings to different devices.
Procedure
1. In the Admin Portal, go to Policy & Configs > Configurations.
2. Select the automatically created AppConnect app configuration for Email+.
3. Click Actions > Save As and save it as a new configuration.
4. Enter a new name and description for the configuration.
5. Edit the configuration as needed.
6. Click Save.
7. Select the new AppConnect app configuration.
8. Select Actions > Apply To Label.
9. Select the labels to which you want to apply this AppConnect app configuration.
10. Click Apply.
The automatically-created app configuration is automatically applied to the same labels you applied to the app.
However, only one app configuration should be applied to any one device. Therefore, remove the labels from
the automatically-created app configuration.
11. Select the automatically-created AppConnect app configuration.
12. Select Actions > Remove From Label.
13. Select any labels that you applied to the AppConnect app configuration that you just created.
14. Click Remove.
Related topics
• For a description of the fields, see AppConnect app configuration field descriptions.
• For descriptions and list of supported key-value pairs, see Key-value pairs for Email+ (Android AppConnect).
AppConnect app configuration field descriptions
The following table provides description of the fields in an AppConnect app configuration for Email+ for Android.
TABLE 1. APPCONNECT APP CONFIGURATION FIELD DESCRIPTIONS
Item Description
Name Edit the default name if necessary.
The name is not the same as the name that appears in the name column in
Policy & Configs > Configurations.
Description If necessary, edit the text to clarify the purpose of this AppConnect app
configuration.
Application Email+ is selected.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 13
Configuring Email+ for Android AppConnect
TABLE 1. APPCONNECT APP CONFIGURATION FIELD DESCRIPTIONS
Item Description
AppTunnel Rules
This section is not applicable for Email+. If you are using a Standalone Sentry, all communication with the
ActiveSync server is through a secure connection to the Standalone Sentry.
App-specific Configurations
Add key-value pairs to configure app behavior.
The automatically-created app configuration for Email+ contains a set of default key-value pairs. Each key-
value pair is configured as a separate row. Do the following:
• For the Value of the email_exchange_host Key, enter the fully qualified domain name (FQDN) of the
ActiveSync server, or the Standalone Sentry server if you are using a Standalone Sentry.
• Edit the default key-value pairs as necessary.
• To add a key-value pair, click Add+ .
• To delete a key-value pair, click X.
The following key-value pairs are required:
email_address
email_device_id
email_exchange_host
email_exchange_username
Configuring email attachment control with Standalone Sentry in MobileIron Core
This is only required if attachment control is enabled in Standalone Sentry.
Procedure
1. In the MobileIron Core Admin Portal, go to Services > Sentry.
2. Select the Standalone Sentry that handles email for the devices.
3. Click the edit icon.
4. In the Attachment Control Configuration section, for iOS and Android Using Secure Email Apps, select
Open With Secure Email App.
5. Click Save.
Related topics
See “Email Attachment Control with Standalone Sentry” in the MobileIron Sentry Guide for MobileIron Core.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 14
Configuring Email+ for Android AppConnect
Main configuration steps for Email+ for Android
AppConnect (Cloud)
Following are the main steps for configuring and deploying Email+ for Android AppConnect on MobileIron Cloud:
1. Adding Email+ for Android AppConnect and Secure Apps Manager to MobileIron Cloud.
2. Configuring Email+ for Android AppConnect in MobileIron Cloud.
Adding Email+ for Android AppConnect and Secure Apps Manager to
MobileIron Cloud
You add Email+ in the same manner you would add any other Android in-house app. After adding to
MobileIron Cloud, you can distribute the app to devices.
Procedure
1. In the MobileIron Cloud, go to Apps > App Catalog > +Add > In-House.
Add the app just as you would any in-house app.
2. After adding the apps, select the distribution option that includes the users and devices to which you want to
make Email+ for Android available.
3. Click Next.
If the app was already in the catalog and you are editing the app, click Save.
Next steps
• “Configuring Email+ for Android AppConnect in MobileIron Cloud” on page 15.
Related topics
For details on adding in-house apps for Android, see the MobileIron Cloud Guide or click on Help in MobileIron
Cloud.
Configuring Email+ for Android AppConnect in MobileIron Cloud
The Email+ for Android app configuration contains information such as:
• The fully qualified domain name and user ID for the ActiveSync server.
• Certificate information.
• Key-value pairs that determine the app’s settings and behavior.
The configuration contains a set of default key-value pairs that can be edited or deleted. You can also configure
additional key-value pairs.
• The following key-value pairs are required:
- email_address
- email_device_id
- email_exchange_host
- email_exchange_username
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 15
Configuring Email+ for Android AppConnect
IMPORTANT: MobileIron recommends changing to the default values as listed in Table 2 on page 16 and
Table 3 on page 16.
TABLE 2. CHANGE DEFAULT VALUES TO RECOMMENDED VALUE
Key Default value Recommended value
email_device_id $DEVICE_UUID_NO_DASHES$ ${deviceSN}
email_exchange_username $USERID$ ${userEmailAddressLocalPart}
email_address $EMAIL$ ${userEmailAddress}
TABLE 3. DELETE RECOMMENDED DEFAULT KEY-VALUE PAIRS
Key Default value Recommended action
email_password $PASSWORD$ DELETE
limit_contact_export_to $NULL$ DELETE
email_safe_domains $NULL$ DELETE
NOTE: If you were editing the Email+ app that has already been uploaded to the App Catalog, click on the
App Configurations tab to edit the app installation, promotion, and configuration options.
Procedure
1. In App Configurations for Email+ select the install options and promotion options.
2. Click Add to add an Email+ Configuration.
3. Enter a Name for the configuration.
4. Click +Add Description, to add text describing the configuration.
5. In AppConnect Custom Configuration, for email_exchange_host, enter the fully qualified domain name
(FQDN) of the ActiveSync server, or the Standalone Sentry server if you are using a Standalone Sentry.
6. Add, remove, or edit key-value pairs as necessary.
7. If setup uses Standalone Sentry and the Standalone Sentry is set up to authenticate devices using identity
certificates, enter the following key-value pair in AppConnect Certificate Configuration:
Key Value
email_login_certificate Select the Identity Certificate setting created for the Certificate Authority
certificate for Standalone Sentry. This sets up trust between Sentry and the device.
8. Click Save.
Related topics
For descriptions and list of supported key-value pairs, see “Key-value pairs for Email+ (Android AppConnect)” on
page 21.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 16
Configuring Email+ for Android AppConnect
ActiveSync server synchronization due to app
configuration changes (Core and Cloud)
Email+ synchronizes all emails, tasks, contacts, and calendar items with the ActiveSync server when the device
user first launches Email+. It also does a full synchronization if you change the values of the following keys in the
app configuration:
• email_address
• email_exchange_host
• email_exchange_username
• email_login_certificate
The full synchronization occurs the next time the device checks in after you have changed the app configuration.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 17
3
Configuring Email+ for Android enterprise
The following describe the configuration for deploying Email+ for Android enterprise (Android for Work):
• Before you configure Email+ for Android enterprise
• Email+ for Android enterprise app configuration and distribution
Before you configure Email+ for Android enterprise
Before you set up Email+ for Android enterprise ensure the following:
• Requirements for configuring Email+ for Android enterprise
• Recommendations for configuring Email+ for Android enterprise
Requirements for configuring Email+ for Android enterprise
The following are requirements for setting up Email+ for Android enterprise:
• Your MobileIron Enterprise Mobility Management (EMM) platform must be set up for Android enterprise.
Your MobileIron EMM is either MobileIron Cloud or MobileIron Core.
MobileIron Core: See the MobileIron Core Device Management Guide for Android for Work.
MobileIron Cloud: See the MobileIron Cloud online help documentation.
• Your MobileIron setup must also include Standalone Sentry configured for ActiveSync.
For information on how to set up Standalone Sentry, see the MobileIron Sentry Guide for your MobileIron EMM
deployment.
• Ensure that the appropriate ports are open.
MobileIron Core: See the On-Premise Installation Guide for information on required ports and firewall rules
associated with Standalone Sentry and different backend resources.
MobileIron Cloud: See the MobileIron Cloud Architecture and Port Requirements document.
• If you are using certificate-based authentication to the ActiveSync server or to Standalone Sentry, ensure that
certificates are distributed to the device.
MobileIron Core: For information about configuring certificates in MobileIron Core, see the “Managing
Certificates and Configuring Certificate Authorities” section in the MobileIron Core Device Management Guide.
MobileIron Cloud: Ensure the certificate configuration is distributed to the same group as the Email+ app.
Recommendations for configuring Email+ for Android enterprise
MobileIron recommends the following:
• Standalone Sentry should use a trusted CA certificate.
• If your EMM is MobileIron Core, and if the Standalone Sentry self-signed certificate is changed, you must do
the following additional setup in Core:
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 18
Configuring Email+ for Android enterprise
- In the Services > Sentry page, for the Standalone Sentry, click the View Certificate link. This makes the
Standalone Sentry’s certificate known to MobileIron Core.
Email+ for Android enterprise app configuration and
distribution
You add MobileIron Email+ for Android enterprise from your EMM platform from Google Play and configure the app
to make it available to Android enterprise devices.
• Configuring app restrictions and distribution in MobileIron Core
• Configuring app restrictions and distribution in MobileIron Cloud
Configuring app restrictions and distribution in MobileIron Core
If your MobileIron EMM platform is MobileIron Core, you set up app configuration and distribution in the
MobileIron Core Admin Portal.
Procedure
1. In the MobileIron Core Admin Portal, go to Apps > App Catalog.
2. Click Add+.
3. Click Google Play.
4. For Application Name, enter MobileIron Email+.
5. Click Search.
6. Select MobileIron Email+ in the search results.
7. Click Next.
8. (Optional) Update the following information:
a. Edit the description for the app.
b. Select the category you want the app to appear in Apps@Work on the device.
9. Click Next.
10. (Optional) In the Apps@Work Catalog section, select the promotion options as needed.
These options determine if and how Email+ will be promoted in Apps@Work.
NOTE: The Per App VPN Settings are not applicable to Android enterprise apps.
11. (Required) In the Android Enterprise section, select Install this app for Android enterprise.
You may need to scroll down to see the option. Additional fields are exposed when you select the option.
12. Select the install options as needed.
These options determine how the app is installed and updated on the device:
- Silently Install: Select to silently install the app without any user action.
- Auto Update this App: Select to automatically update the app on users’ devices whenever a new version
of the app is available on Google Play.
NOTE: If auto update is selected, but the app fails update on a user’s device (for example, if the device
has an incompatible Android version), then the app may attempt to update repeatedly. The
workaround is to deselect Auto Update this App for that app.
- Block Uninstall: Select to block device users from uninstalling the app.
13. In the Configuration Choices section, add a new configuration or edit the default configuration.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 19
Configuring Email+ for Android enterprise
If you add a new custom configuration be sure apply it to a label. If you have multiple configurations, you can
assign priority by moving the configuration higher or lower in the list. The position in list determines the priority.
The default configuration has the lowest priority and cannot be moved.
14. Click Finish.
15. Apply the Email+ Android enterprise app to the same labels as the app configuration you created in Step 13.
Related topics
See “App restrictions descriptions for Email+ (Android enterprise)” on page 35 for a description of the fields.
Configuring app restrictions and distribution in MobileIron Cloud
If your MobileIron EMM platform is MobileIron Cloud, you set up app configuration and distribution in the
MobileIron Cloud portal. Email+ (Android for Work) is available in the app catalog under Business Apps.
Procedure
1. In the MobileIron Cloud portal, go to Apps >App Catalog.
2. Select Email+ (Android for Work) from Business Apps.
A description and screen shots of the app are displayed.
3. Make changes, as needed, and click Next.
4. (Required) Select the check box for I accept the following app permissions for all users of this app, and
click Next.
5. Select a distribution option and click Next.
The configuration will be distributed to the devices in the group you selected.
6. Click + for Android for Work to configure settings for the app.
7. Enter a name and description for the configuration.
8. Select Blocks the user for uninstalling the app if you do not want device users to uninstall the app.
9. Configure the restrictions for the app and click Next.
10. Click Install Application configuration settings to configure the install options.
a. Edit the Name and Description of the settings if necessary.
b. Install on Device: Enable if you want to require that the app is installed on devices.
c. Silently install on Samsung KNOX and Zebra devices: This option is not applicable to Android enterprise
apps.
d. Do not show app in end user App Catalog: Select if you do not want the app displayed in the MobileIron
app catalog on users’ devices.
11. Click Next.
12. Click Promotion distribution configuration settings and select a promotion option.
The promotion option determines how the app appears in the app catalog on the device.
13. Click Next and then click Done.
Related topics
See “App restrictions descriptions for Email+ (Android enterprise)” on page 35 for a description of the restrictions.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 20
4
Additional configurations using key-value pairs
The following describe how to customize Email+ app behavior:
• Key-value pairs for Email+ (Android AppConnect)
• App restrictions descriptions for Email+ (Android enterprise)
• S/MIME support in Email+ for Android for identity and encryption
• Email attachment download to secure SD card folder
Key-value pairs for Email+ (Android AppConnect)
Table 1 on page 22 describes the key-value pairs available to administrators to customize Email+ app behavior on
Android devices. These key-value pairs define app behavior such as providing detailed notifications to device
users and exporting contacts from Email+.
TIP: Key-value pairs marked as Core only are not applicable to MobileIron Cloud. For MobileIron Cloud
deployments, these variables are either provided as fields in MobileIron Cloud or are set automatically
and do not require action from the administrator. See “Configuring Email+ for Android AppConnect in
MobileIron Cloud” on page 15 for a description of the fields in MobileIron Cloud.
NOTE THE FOLLOWING:
• Some values can use the MobileIron EMM variables, such as $EMAIL$ for MobileIron Core and
${userEmailAddress} for MobileIron Cloud. The MobileIron EMM substitutes the device user’s value when
sending the app configuration to the device.
• If you make a mistake in configuring the required key-value pairs, the app displays a message to the device
user that the configuration has an error, and to contact the administrator.
You can configure and customize the following features with key-value pairs:
• Required Key-value pairs to configure an account on Email+
• Background email check and user notifications
• Certificates
• S/MIME
• Manage contacts
• Syncing
• Maximum size for email attachments
• Default signature
• IBM Lotus Notes Traveler
• SSL
• GAL search
• Prompt the device user for password
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 21
Additional configurations using key-value pairs
• Show pictures
• Default network timeout
• Troubleshooting
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
Required Key-value pairs to configure an account on Email+
email_address Email MobileIron Core
address of
Typically, this field uses the Core variable $EMAIL$.
the device
user You can also use combinations of these Core variables,
depending on your ActiveSync server requirements:
$USERID$, $USER_CUSTOM1$,
$USER_CUSTOM2$, $USER_CUSTOM3$,
$USER_CUSTOM4$.
MobileIron Cloud
Typically, this field uses the Cloud variable
${userEmailAddress}.
You can also use combinations of the user attribute variables,
depending on your ActiveSync server requirements. The user
attribute variables are listed in MobileIron Cloud in Admin >
Attributes.
email_device_id The device ID MobileIron Core
that the
Always use the Core variable
ActiveSync
$DEVICE_UUID_NO_DASHES$.
server uses
for the MobileIron Cloud
device.
Always use the Cloud variable ${deviceSN}.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 22
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
email_exchange_host FQDN of the The fully qualified domain name (FQDN) of the ActiveSync
ActiveSync server or Standalone Sentry.
server or
Example: mySentry.mycompany.com
Standalone
Sentry IBM Lotus Notes Traveler
• If you are using an IBM Lotus Notes Traveler server with a
Standalone Sentry, append the Standalone Sentry FQDN
with the host path of the IBM Lotus Traveler server.
Example: mySentry.mycompany.com/servlet/traveler
• If you are using an IBM Lotus Notes Traveler server
without a Standalone Sentry, append the IBM Lotus
Notes Traveler server FQDN with the host path of the IBM
Lotus Traveler server.
NOTE: Typically, the host path is
/servlet/traveler, which is the default path in
the IBM Lotus Notes Traveler server. If you use a
custom path, append the custom path to the
FQDN.
email_exchange_username User ID for MobileIron Core
the
Typically, you use the Core variable
ActiveSync
$USERID$.
server
If your ActiveSync server requires a domain, use <domain
name>\$USERID$. For example: mydomain\$USERID$.
You can also use combinations of these Core variables,
depending on your ActiveSync server requirements:
$EMAIL$,
$USER_CUSTOM1$, $USER_CUSTOM2$,
$USER_CUSTOM3$, $USER_CUSTOM4$.
MobileIron Cloud
Typically, you use ${userEmailAddressLocalPart}.
If your ActiveSync server requires a domain, use
<domain name>\${userEmailAddressLocalPart}.
Example: mydomain\${userEmailAddressLocalPart}.
Depending on your ActiveSync server requirements, you can
use ${userEmailAddress}
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 23
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
Background email check and user notifications
allow_detailed_notifications • true true: Device users see detailed notifications. The details can
• false include sensitive information such as email subject and body
previews, or event titles and times.
false: Device users see normal notifications.
Default if no key-value is configured: false.
Certificates
The necessary certificate setting must have been created in the MobileIron EMM.
email_login_certificate The The MobileIron EMM sends the contents of the certificate as
certificate the value.
setting from
If the certificate is password-encoded, MobileIron Core
the dropdown
automatically sends another key-value pair. The key’s name
list
is the following string:
<name of key for certificate>_MI_CERT_PW
The value is the certificate’s password.
Default if no key-value is configured: Certificates are not
used.
email_trust_all_certificates • true true: Email+ automatically accepts untrusted certificates.
• false Typically, you enter true only when working in a test
environment.
false: Email+ does not accept untrusted certificates.
Default if no key-value is configured: false.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 24
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
email_certificate_X, The Email+ imports the certificate into its keystore of trusted
where X is 1 through 10 certificate certificates, and trusts any certificates derived from the CA
setting from root certificate in its keystore. The certificate must be DER-
the dropdown encoded. You can add up to ten certificate authority (CA) root
list certificates.
Reasons for designating a CA root certificate as trusted:
• Standalone Sentry requires a certificate, whose certificate
authority is not in the Email+ keychain, for device
authentication. A common scenario is if Standalone
Sentry uses a self-signed certificate or a certificate that is
not derived from a well-known certificate authority.
NOTE: You specify this certificate to Email+ in the key
email_login_certificate. It corresponds to the
certificate you specified for device
authentication in Standalone Sentry
configuration in the MobileIron Core Admin
Portal.
• Certificates configured for encrypting or signing S/MIME
emails are self-signed or not derived from a well-known
certificate authority.
NOTE: You specify these certificates in the keys
email_encryption_certificate and
email_signing_certificate.
The trusted CA root certificate is listed in Email+ in Settings >
Advanced Settings > KeyStore.
eas_min_allowed_auth_mode • basic Defines the authentication method to the Exchange
• cert_base ActiveSync server.
• basic: Uses user name and password.
• cert_base: Uses identity certificates for certificate-based
authentication.
For certificate-based authentication, the key
email_login_certificate must also be configured.
Default if no key-value is configured: basic.
allow_certificate_revocation_check • true true: If email_ssl_required is set to true, Email+ checks the
• false SSL certificate against a certificate revocation list (CRL).
false: Email+ does not check the SSL certificate against a
CRL.
Default if no key-value is configured: false.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 25
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
S/MIME
email_encryption_certificate The Specifies the certificate to use for encrypting S/MIME emails.
certificate
The MobileIron EMM sends the contents of the certificate as
setting from
the value.
the dropdown
list Email+ imports the key into the keystore and selects the
certificate as the encryption certificate.
If you change the certificate, Email+ imports the new
certificate into the keystore and selects the new certificate as
the encryption certificate. It leaves the previous certificate in
the keystore.
If you delete the key-value pair, Email+ leaves the certificate
in the keystore. It changes its settings to specify that no
certificate is selected as the encryption certificate.
Using the Email+ user interface, the device user can:
• change the encryption certificate by manually importing
one and selecting it for use.
• encrypt all emails with the certificate or encrypt a specific
email with the certificate.
NOTE: Email+ automatically encrypts emails if the
emails in the thread are encrypted.
For more information about configuring S/MIME for Email+,
see “S/MIME support in Email+ for Android for identity and
encryption” on page 44.
Default if no key-value is configured: Certificate is not
configured.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 26
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
email_signing_certificate The Specifies the certificate to use for signing S/MIME emails.
certificate
The MobileIron EMM sends the contents of the certificate as
setting from
the value.
the dropdown
list Email+ imports the key into the keychain and selects the
certificate as the signing certificate.
If you change the certificate, Email+ imports the new
certificate into the keystore and selects the new certificate as
the signing certificate. It leaves the previous certificate in the
keystore.
If you delete the key-value pair, Email+ leaves the certificate
in the keystore and changes its settings to specify that no
certificate is selected as the signing certificate.
Using the Email+ user interface, the device user can:
• change the signing certificate by manually importing one
and selecting it for use.
• sign all emails with the certificate or sign a specific email
with the certificate.
For more information about configuring S/MIME for Email+,
see “S/MIME support in Email+ for Android for identity and
encryption” on page 44.
Default if no key-value is configured: Certificate is not
configured.
Manage contacts
allow_export_contacts • true true: Allows Email+ users to export the Email+ contacts
• false outside of the AppConnect container to the native contacts
app. Device users can select the “Sync to personal profile”
option, in the settings of the Email+ Contacts app, to export
the contacts.
Exporting contacts allows users to see the caller ID of
incoming calls from phone numbers in the list of corporate
contacts. Third-party apps can also access the corporate
contacts. If contacts are not exported, users see the caller ID
only for personal contacts.
false: Device users cannot export the Email+ contacts. They
see the caller ID only for personal contacts.
NOTE: When the device is retired or Email+ is retired, the
corporate contacts are removed from both Email+
and the native contacts app.
Default if no key-value is configured: true.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 27
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
allow_export_contacts_to_email • true true: Device users have the option to export contacts as an
• false attachment to an outgoing email. The attachment is an
unencrypted VCF (Virtual Contact File) file.
false: Device users do not have the option to export contacts
as an attachment to an outgoing email.
Default if no key-value is configured: true.
allow_export_contacts_to_sdcard • true true: Device users have the option to export the contacts to
• false the SD card.
If the device user chooses the option, Email+ exports the
contacts as an encrypted VCF (Virtual Contact File) file. The
encrypted VCF file is readable only by Email+ and other
secure apps.
false: Device users do not have the option to export contacts
to the SD card.
Default if no key-value is configured: true.
limit_contact_export_to • name_num name_number: Limits the exported contact information to
ber each contact’s name and number information. Use this setting
• all to minimize the exposure of corporate data.
all: Exports all the contact information.
This field is used only if allow_export_contacts is set to true.
NOTE: If you enter a value other than all or name_number,
Email+ uses the value all.
Default if no key-value is configured: all.
allow_recent_contacts_cache • true true: Enables local caching.
• false false: Disables local caching.
Enabling local caching allows Email+ to bring up a shortlist of
suggested contacts as the user types a name in the To field. If
the key is not configured, local caching is enabled by default.
Default if no key-value is configured: true.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 28
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
email_safe_domains comma- Ensure that there are no spaces before or after the comma.
separated list
Email addresses not in the safe domain list are displayed in
of safe
red color when composing new emails or creating new
domains
calendar invitations in Email+.
You may want to use this key-value pair if you company has
multiple domains and you want to identify the company
domains as opposed to domains that are not company
domains.
To disable this feature, you can set the value to "*"
Example:
mycompany.com,mycompany.net,internal.mycompany.com
Default if no key-value is configured: Only the domain of the
user's email address is considered safe. All other domains will
be highlighted in red.
email_alert_unsafe_domains • true true: Users see an alert if the recipients in an email or
• false calendar invite include addresses that are not in a safe
domain.
If the key is configured but safe domains are not configured,
only the domain of the user's email address is considered
safe. Device users have the option to either proceed or cancel
sending the email.
false: An alert is not displayed for addresses not in a safe
domain.
Default if key-value is not configured: false.
Syncing
email_max_sync_period • 0 Specifies the maximum sync period for which emails are
• 1 downloaded:
• 2 0: all emails.
• 3
1: emails received over the last one day.
• 4
2: emails received over the last three days.
• 5
3: emails received over the last seven days.
4: emails received over the last two weeks.
5: emails received over the last one month.
Default if no key-value is configured: 0.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 29
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
email_default_sync_period • 1 Specifies the default period for which emails are downloaded.
• 2
1: emails received over the last one day.
• 3
2: emails received over the last three days.
• 4
• 5 3: emails received over the last seven days.
4: emails received over the last two weeks.
5: emails received over the last one month.
If configured, all options will be available in Email+. Device
users can change the default value. If
email_max_sync_period is also configured, options greater
than sync period specified in email_max_sync_period will not
be available on the device.
Default if no key-value is configured: 2.
Additionally, the default value is used in the following cases:
• If the value is not 1,2,3,4, or 5.
• The value is larger than the value for
email_max_sync_period.
After an upgrade, the app retains the default sync period set
by the device user.
sync_while_roaming • user_choice Configures the Sync While Roaming feature:
• never • user_choice: Device users can turn syncing while roaming
• always on or off in the app. By default, syncing while roaming is
on.
• never: Syncing while roaming is off. Device users cannot
modify the setting.
• always: Syncing while roaming is on. Device users cannot
modify the setting.
Default if no key-value is configured: always.
Maximum size for email attachments
email_max_attachment A number Specifies the maximum size in megabytes of an email that
Email+ will send without a warning to the device user. The
maximum size includes the body of the email plus its
attachments.
Allowed values are integers starting with 1.
NOTE: If the Exchange server has an email size limit that is
less than the limit specified in email_max_attachment,
the Exchange server does not deliver the email.
Default if no key-value is configured: 10 MB.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 30
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
Default signature
email_default_signature The default The value of this key is the default email signature for all
email emails. However, the device user can override the default
signature email signature at any time. After the user defines the default
email signature, Email+ does not use the value in the key,
even if you update it.
Default if no key-value is configured: empty string
IBM Lotus Notes Traveler
email_enable_lotus • true Enter true only if your email server is IBM Lotus Notes
• false Traveler. Otherwise, enter false.
Default if no key-value is configured: false.
SSL
email_ssl_required • true true: Secures communication using HTTPS to the server
• false specified in email_exchange_host. Typically, set this field to
true unless you are working in a test environment.
Default if no key-value is configured: true.
GAL search
gal_search_minimum_characters A number The minimum number of characters Email+ uses for
automatic Global Address List (GAL) lookup in Mail, Calendar,
and Contacts.
When device users enter the specified number of characters
of a name, Email+ searches the GAL, and presents the
matches that it finds.
IMPORTANT: On your Exchange server, set the minimum
number of characters for GAL search to the
same value you set for this key. If you do not,
GAL search will not work properly in Email+.
Default if no key-value is configured: 4.
gal_search_display_name • true true: Enables Display Name in Email+ Settings > Contacts by
• false default.
false: Disables Display Name in Email+ Settings > Contacts
by default.
Default if key-value is not configured: true
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 31
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
contacts_display_order • first_last Sets the default display order for contact names in search
• last_first results. Device users can change the display order in Email+
in Settings > Contacts.
The values are case sensitive; enter in lower case.
first_last: Contact names in search results are displayed with
first name followed by the last name.
last_first: Contact names in search results are displayed with
last name followed by the first name.
Default if key-value is not configured: first_last.
Prompt the device user for password
prompt_email_password • true true: Email+ prompts the user for the email password before
• false attempting to connect to the email server.
false: When Email+ first launches and connects to the email
server, Email+ provides the password set in the Email+
configuration to the server. If a password is not configured, an
empty string is provided to the server. In this case, after the
connection is established, Email+ prompts the user for a
password. If the email server limits the number of password
attempts, the server counts the first connection as one failed
attempt.
Set the value of this key to true if the email server allows only
a small number of password attempts. Example: If the email
server allows only three attempts, setting this value to true
ensures that device users get three attempts, not two
attempts.
NOTE: Kerberos-based authentication is designed to work
without user passwords. Since setting
prompt_email_password to true always prompts the
user for a password, be sure the value is false (the
default) if using Kerberos-based authentication.
Default if no key-value is configured: false.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 32
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
email_password User’s If configured, Email+ does not prompt users for a password.
password for
Delete this key if you want the device user to enter the
the
password when using Email+. MobileIron recommends
ActiveSync
deleting the key.
server
MobileIron Core
You can use the Core variable $PASSWORD$ if you have
checked Save User Password in Settings >
Users&Devices > Registration. Core then passes the user’s
password as the value to the device.
WARNING: If you plan to use the $PASSWORD$ variable,
be sure to set Save User Password to Yes
before any device users register. If a device
user was registered before you set Save User
Password, Email+ prompts the user to enter
the password manually.
For Google accounts, as part of a larger setup for
synchronizing Google account data, you can use
$GOOGLE_AUTOGEN_PASSWORD$. For more
information, see “Synchronizing Google account data” section
in the MobileIron Core Device Management Guide for your
device platform.
Default if no key-value is configured: Email+ requests device
users to enter the password.
Dialing
show_dialing_confirmation • true true: Users see a confirmation dialog when they tap on a
• false phone number in an email. Tapping on the phone number in
the dialog, dials the phone number. Tapping the back arrow
cancels the call.
false: Users do not see a confirmation dialog. When a user
taps on a phone number in Email+, the number is
automatically dialed.
Default if no key-value is configured: false.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 33
Additional configurations using key-value pairs
TABLE 1. KEY-VALUE PAIRS FOR CONFIGURING EMAIL+ FOR ANDROID APPCONNECT APP BEHAVIOR
Value: Enter/
Key Select one Description
Show pictures
show_pictures_default • true true: Enables the Show Pictures option. Device users
• false automatically see images when opening an email.
false: Disables the Show Pictures option. Device users must
tap Show Pictures to view images when opening an email.
Device users can override the value you configure by turning
the Show Pictures option on or off.
NOTE: If you change the key’s value, Email+ does not
change the Show Pictures option until Email+ does
a full synchronization. A full synchronization occurs
only when you change certain fundamental key-
value pairs like email_address, or when the device
user uninstalls and reinstalls Email+.
Default if no key-value is configured: false.
Default network timeout
default_network_timeout A positive The value is represented in seconds.
integer
The value overwrites the default connection timeout value for
all requests. You may want to configure the key-value pair to
manage slow connections with the ActiveSync server or for
syncing large folders and emails.
If the value is 0, negative, or non-integer, the default value is
used.
Default if no key-value is configured: 90 seconds.
Troubleshooting
allow_analytics • true true: Enables sending analytics from Email+ to Mixpanel.
• false false: Disables sending analytics from Email+ to Mixpanel.
Default if no key-value is configured: true.
allow_logging • true true: Email+ logs data in the Android logging system.This is
• false useful for problem diagnosis.
Typically, you enter true only when working in a test
environment. Otherwise, enter false.
Default if no key-value is configured: false.
enabled_features http_v2 Enables the latest version of the HttpClient. The new version
of the HttpClient resolves some connectivity issues and sync
delays.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 34
Additional configurations using key-value pairs
App restrictions descriptions for Email+
(Android enterprise)
The app restriction described in the following table are available for Email+ for Android enterprise.
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
Email Substitution variable Required. Defines the email address for the email account.
address for email address
Core
Typically, enter $EMAIL$.
You can also enter combinations of these variables, depending on your
ActiveSync server requirements:
$USERID$,
$USER_CUSTOM1$,
$USER_CUSTOM2$,
$USER_CUSTOM3$,
$USER_CUSTOM4$
Cloud
Typically, enter ${userEmailAddress}.
Exchange FQDN of the Required. The fully qualified domain name (FQDN) of the ActiveSync
host ActiveSync server or server or Standalone Sentry.
Standalone Sentry
Example: mySentry.mycompany.com
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 35
Additional configurations using key-value pairs
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
Exchange Substitution variable Required. Defines the username for the email account.
username for username
Core
Typically, use $USERID$. If your ActiveSync server requires a domain,
use
<domain name>\$USERID$.
Example: mydomain\$USERID$.
Depending on your ActiveSync server requirements, you can also use
combinations of these variables:
$EMAIL$,
$USER_CUSTOM1$,
$USER_CUSTOM2$,
$USER_CUSTOM3$,
$USER_CUSTOM4$.
Cloud
Typically, use ${userEmailAddressLocalPart}. If your ActiveSync server
requires a domain, use
<domain name>\${userEmailAddressLocalPart}.
Example: mydomain\${userEmailAddressLocalPart}.
Depending on your ActiveSync server requirements, you can use:
${userEmailAddress}
Email The user’s password If you provide a password, Email+ does not prompt the device user for
password for the ActiveSync the password.
server
NOTE: MobileIron recommends leaving this field blank.
Core only
You can use the variable $PASSWORD$ if you have checked Save
User Password in Settings > Preferences. Core then passes the
user’s password as the value to the device. If you plan to use the
$PASSWORD$ variable, be sure to set Save User Password to Yes
before any device users register. If a device user was registered before
you set Save User Password, Email+ prompts the user to enter the
password manually.
Default if restriction is not configured: User is prompted for ActiveSync
password.
Device ID $DEVICE_UUID_NO Required.
_DASHES$
(Core only)
NOTE: The restriction is no longer available with MobileIron Core
version 9.4.0.0. The value is automatically set to
$DEVICE_SN$.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 36
Additional configurations using key-value pairs
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
SSL required Check box Select if you want secure communication using https: to the server that
you specified for Exchange host.
Default: Selected.
Trust all Check box Select to allow the app to automatically accepts untrusted certificates.
certificates Typically, you select this option only when working in a test
environment.
Default: Not selected.
Prompt email Check box Select to prompt the user for the email account password when the
password user attempts to launch Email+.
Default: Not selected.
If the restriction is not selected, Email+ provides the password to the
ActiveSync server when Email+ connects with the server. The
ActiveSync server counts the initial connection initiated by Email+ as a
password attempt.
Therefore, MobileIron recommends selecting this restriction if the email
server allows only a small number of password attempts.
Email login Core Configure for certificate-based authentication to the ActiveSync server
certificate or to Standalone Sentry.
$CERT_ALIAS:certifi
cate enrollment Core
setting name$
The certificate enrollment setting name is the name you gave to the
Cloud certificate enrollment setting, which is configured in Configurations >
Add New > Certificates or Certificate Enrollment.
Certificate setting
from the dropdown Cloud
list
The certificate setting is configured in Configurations > Add >
Certificate or Identity Certificate.
For certificate-based authentication, the Authorization Mode
restriction must also be set to Certificate-based Authentication.
Email signing Core Specifies the certificate to use for signing S/MIME emails.
certificate
$CERT_ALIAS:certifi Core
cate enrollment
The certificate enrollment setting name is the name you gave to the
setting name$
certificate enrollment setting, which is configured in Configurations >
Cloud Add New > Certificates or Certificate Enrollment.
Certificate setting Cloud
from the dropdown
The certificate setting is configured in Configurations > Add >
list
Certificate or Identity Certificate.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 37
Additional configurations using key-value pairs
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
Email Core Specifies the certificate to use for encrypting S/MIME emails.
encryption
$CERT_ALIAS:certifi Core
certificate
cate enrollment
The certificate enrollment setting name is the name you gave to the
setting name$
certificate enrollment setting, which is configured in Configurations >
Cloud Add New > Certificates or Certificate Enrollment.
Certificate setting Cloud
from the dropdown
The certificate setting is configured in Configurations > Add >
list
Certificate or Identity Certificate.
Email safe Comma-separated Specifies the safe domains.
domains list of safe domains
Example: mycompany.com,mycompany.net,internal.mycompany.com
Ensure that there are no empty spaces before and after the comma.
Email addresses not in the safe domain list are displayed in red color in
Email+. You may want to use this key-value pair if your company has
multiple domains and you want to identify the company domains as
opposed to domains that are not company domains.
To disable this feature, you can set the value to "*"
Default if the restriction is not configured: Only the domain of the user's
email address is considered safe. All other domains will be highlighted
in red.
Allow export Check box Select to allow users to export the contacts in Email+ to the native
contacts contacts app by selecting the Sync to personal profile option in the
settings of the Email+ contacts app. Email+ exports the contacts only
after the device user selects the option.
Exporting contacts allows users to see the caller ID of incoming calls
from phone numbers in the list of corporate contacts. Third-party apps
can also access the corporate contacts. If contacts are not exported,
users see the caller ID only for personal contacts.
The restriction is used only if Show Contacts is selected.
NOTE: When the device is retired or Email+ is retired, the corporate
contacts are removed from both Email+ and the native
contacts app.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 38
Additional configurations using key-value pairs
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
Allow logging Check box Select to allow Email+ to log data in the Android logging system.
If selected, the Send Logs and Download Logs options are available
in Email+ in General Settings in the Mail app. Device users can send
log files via Email+ by the tapping Send Logs option or download logs
by tapping the Download Logs option. The download option is useful if
emails cannot be sent due to sync issues.
Log data is useful for problem diagnosis. Typically, you select this
option in a test environment.
Default: Not selected.
Allow export Check box Select to give device users the option to export contacts to an SD card.
contacts to
The restriction is used only if Show Contacts is selected.
SD Card
Default: Check box is selected.
Allow export Check box Select to give device users the option to export contacts as an
contacts to attachment in an email.
email
The restriction is used only if Show Contacts is selected.
Default: Check box is selected.
Limit contact • name_number name_number: Limits the exported contact information to each
export to • all contact’s name and number information. Use this setting to minimize
the exposure of corporate data.
all: Exports all the contact information.
The restriction is used only if Allow Export Contacts and Show
Contacts is selected.
NOTE: If you enter a value other than all or name_number, Email+
uses the value all.
Default: all.
Sync while • user_choice Configures the Sync While Roaming feature:
roaming • never • user_choice: Device users can turn syncing while roaming on or off
• always in the app. By default, syncing while roaming is on.
• never: Syncing while roaming is off. Device users cannot modify the
setting.
• always: Syncing while roaming is on. Device users cannot modify
the setting.
Default: always.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 39
Additional configurations using key-value pairs
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
Allow detailed Checkbox Select to allow device users see detailed notifications. The details can
notifications include sensitive information such as email subject and body previews,
or event titles and times.
Default: Check box is not selected. Device users see normal
notifications.
Show picture Checkbox Select to allow device users to automatically see images in an email.
by default The setting turns on the Show Pictures option on the device.
Device users can override the configuration in the EMM by turning the
Show Pictures option on or off on the device.
NOTE: If you change the value, Email+ does not change the Show
Pictures option until Email+ does a full synchronization. A full
synchronization occurs only when you change certain
fundamental values like Email address, or when the device
user uninstalls and reinstalls Email+.
Default: Check box is not selected. The Show Pictures option is turned
off.
Default Core: $DEFAULT$ The value entered is the default email signature for all emails. However,
signature the device user can override the default email signature at any time.
Cloud: The default
After the device user defines the default email signature, Email+ does
email signature
not use the value entered in this field, even if the value is updated.
For Core, with $DEFAULT$, the system default is used. If $DEFAULT$
is not configured, a signature is not provided.
Default if the restriction is not configured (system default): Sent by
Email+ secured by MobileIron.
GAL search A number The minimum number of characters for Email+ to use for automatic
minimum Global Address List (GAL) lookup in Mail and Contacts.
characters
When entering a name, after the specified number of characters,
Email+ starts searching the GAL and presents the matches that it finds.
WARNING: On your Exchange server, set the minimum number of
characters for GAL search to the same value you set for
this key. If you do not, GAL search will not work properly
in Email+.
Default: 4.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 40
Additional configurations using key-value pairs
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
Max A number Specifies the maximum size in megabytes of an email that Email+ will
attachment send without a warning to the device user. The maximum size includes
size (Mb) the body of the email plus its attachments.
Allowed values are integers starting with 1.
NOTE: If the Exchange server has an email size limit that is less than
the maximum size entered, the Exchange server does not
deliver the email.
Default: 10 MB.
Default sync • 1 Specifies the default period for which emails are downloaded:
period • 2
1: emails received over the last one day.
• 3
2: emails received over the last three days.
• 4
• 5 3: emails received over the last seven days.
4: emails received over the last two weeks.
5: emails received over the last one month.
If configured, all options will be available in Email+. Device users can
change the default value. If the Max sync period restriction is also
configured, options greater than sync period specified in the restriction
will not be available on the device.
Default: 2.
Max sync • 0 Specifies the maximum number of days for which emails are
period • 1 downloaded:
• 2 0: all emails.
• 3
1: emails received over the last one day.
• 4
2: emails received over the last three days.
• 5
3: emails received over the last seven days.
4: emails received over the last two weeks.
5: emails received over the last one month.
Default: 0.
Allow Checkbox Select to require Email+ to check the SSL certificate against a
certificate certificate revocation list (CRL).
revocation
SSL required must be selected.
check
Default: Selected.
Allow Usage Checkbox Enables sending analytics from Email+ to Mixpanel.
Statistics
Default: Selected.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 41
Additional configurations using key-value pairs
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
Allow Checkbox Select to enables local caching. Deselect to disable local caching.
contacts
Enabling local caching allows Email+ to bring up a shortlist of
caching
suggested contacts as the user types a name in the To field.
Default: Selected.
Optional • http_v2 http_v2: Enables the latest version of HttpClient. The new version of the
Features • block_external_gal HttpClient class resolves some connectivity issues and sync delays.
• lotus block_external_gal: Disables global address lookup (GAL) of Email+
contacts in the native Contacts app. The value is applied only if the
Show Contacts app restriction is disabled and the native Contacts app
is being used. Configure the value only if the Google account
configured for Android enterprise supports GAL.
lotus: Enable if you are using IBM Lotus Notes Traveler.
Default A positive integer The value is represented in seconds.
Network
The value overwrites the default connection timeout value for all
Timeout
requests. You may want to configure the key-value pair to manage slow
connections with the ActiveSync server or for syncing large folders and
emails.
If the value is 0, negative, or non-integer, the default value is used.
Default: 90 seconds.
Authorization • Basic Defines the authentication method to the Exchange ActiveSync service.
Mode Authorization • Basic Authorization: user name and password
• Certificate-based
• Certificate-Based Authentication: identity certificates
Authentication
For certificate-based authentication, the Email login certificate
restriction must also be configured.
If you have configured Certificate-Based Authentication and there are
errors in your configuration, the authentication method defaults to
basic.
Default: Basic Authorization.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 42
Additional configurations using key-value pairs
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
Show Checkbox Select to enable the Email+ Contacts app. Deselect to disable the
Contacts Email+ Contacts app.
If the Email+ Contacts app is disabled, the native contacts app is used
to synchronize contacts. If the native contacts app is used, contacts
from all subfolders are synced. However, GAL search results cannot be
viewed and contacts marked as favorite in the native contact app will
not be synced as VIP contacts.
The restrictions Allow export contacts, Limit contact export to,
Allow export contacts to SD card, and Allow export contacts to
email app restrictions work only if the restriction Show Contacts is
enabled.
When show contacts option is disabled, user can select the contacts
folder that will get synced in native contacts app in Mail > Settings >
Folders.
Default: Not selected. The native contacts app is used to sync contacts.
Alert unsafe Checkbox Select to alert Email+ users if the recipients in an email or calendar
domains invite include addresses that are not in a safe domain.
If the restriction is configured, but safe domains (Email safe domains)
are not configured, only the domain of the user's email address is
considered safe. Device users have the option to either proceed or
cancel sending the email.
Default: Not selected. An alert is not displayed for addresses not in a
safe domain.
Show dialing Checkbox Select to present a confirmation dialog when users tap on a phone
confirmation number in an email. Tapping on the phone number in the dialog, dials
the phone number. Tapping the back arrow cancels the call.
Default if no key-value is configured: Not selected. Users do not see a
confirmation dialog. When a user taps on a phone number in Email+,
the number is automatically dialed.
Display Order • first_last Sets the default display order for contact names in search results.
• last_first Device users can change the display order in Email+ in Settings >
Contacts.
first_last: Contact names in search results are displayed with first name
followed by the last name.
last_first: Contact names in search results are displayed with last name
followed by the first name.
Default: first_last.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 43
Additional configurations using key-value pairs
TABLE 2. APP RESTRICTION DESCRIPTION FOR EMAIL+ (ANDROID ENTERPRISE)
Value: Enter/Select
Restriction one Description
Use Display • true true: Enables Display Name in Email+ Settings > Contacts by default.
Name • false false: Disables Display Name in Email+ Settings > Contacts by default.
Default: true
Feedback • This field is empty Sending logs from Email+ for Android Enterprise app General settings
email by default. > Send Logs the To field is populated with the email address that is set
for 'Feedback email' restriction.
S/MIME support in Email+ for Android for identity and
encryption
Email+ for Android supports S/MIME (Secure/Multipurpose Internet Mail Extensions). S/MIME allows device users
to do the following:
• Digitally sign emails so that the email can be verified by the recipient.
• Verify digitally signed emails.
• Send encrypted emails using the recipient's S/MIME encryption certificate.
• Decrypt S/MIME encrypted emails using a configured S/MIME encryption certificate.
Using these S/MIME features requires that device users import an S/MIME certificate into Email+. You can use one
of the following methods to import the S/MIME certificates:
• Importing certificates to Email+ for Android using app-specific configuration.
• Importing certificates using email attachments.
The following describes S/MIME behavior in Email+
• S/MIME behavior in Email+
Importing certificates to Email+ for Android using app-specific configuration
For the best user experience, use app-specific configuration to make Email+ automatically import a signing
certificate and encryption certificate. This method does not require user action.
• Configuring S/MIME certificates for Android AppConnect (Core)
• Configuring S/MIME certificates for Android AppConnect (Cloud)
• Configuring S/MIME certificates for Email+ for Android enterprise (Core and Cloud)
Configuring S/MIME certificates for Android AppConnect (Core)
The following describes the configuration in MobileIron Core.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 44
Additional configurations using key-value pairs
Procedure
1. In the Core Admin Portal, go to Policy & Configs > Configurations.
2. Select the AppConnect app configuration for Email+ for Android, and click Edit.
3. In App-specific Configurations, add the following key-value pairs:
- email_signing_certificate: From the dropdown list, select the certificate enrollment setting you want to use
to sign the email.
- email_encryption_certificate: From the dropdown list, select the identity certificate setting you want to use
to encrypt the email.
4. Click Save.
Related topics
The key-value pairs are described in “Key-value pairs for configuring Email+ for Android AppConnect app
behavior” on page 22.
Configuring S/MIME certificates for Android AppConnect (Cloud)
The following describes the configuration in MobileIron Cloud.
Procedure
1. In MobileIron Cloud, go to Apps > App Catalog and click on Email+ for Android (AppConnect).
2. Go to App Configurations > Email+ Configuration.
3. Click on the Email+ configuration you want to edit, and click Edit.
4. In AppConnect Certificate Configuration, add the following key-value pairs:
- email_signing_certificate: From the dropdown list, select the identity certificate setting you want to use to
sign the email.
- email_encryption_certificate: From the dropdown list, select the identity certificate setting you want to use
to encrypt the email.
5. Click Update to save the settings.
Related topics
The key-value pairs are described in “Key-value pairs for configuring Email+ for Android AppConnect app
behavior” on page 22.
Configuring S/MIME certificates for Email+ for Android enterprise (Core and Cloud)
The following describes the configuration for Android enterprise. The procedure is applicable in MobileIron Core
and MobileIron Cloud.
Procedure
1. Edit the Email+ for Android for Work configuration.
2. Configure the Email signing certificate and Email encryption certificate restrictions.
3. Save the settings.
Related topics
• “Email+ for Android enterprise app configuration and distribution” on page 19.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 45
Additional configurations using key-value pairs
• “App restrictions descriptions for Email+ (Android enterprise)” on page 35.
Importing certificates using email attachments
Using app-specific configuration you can set up Email+ to automatically import a signing certificate and encryption
certificate. Alternatively, users can send themselves the certificate in an email. This section describes how users
can email the certificates and import the certificate into the keystore.
Procedure
1. From a computer, users can an email themselves, as an attachment, the certificate that they use for S/MIME on
their computers. This certificate must be a PFX file.
2. Users open the email using Email+ on the device, and tapsto open the attachment.
3. Email+ prompts users for the certificate’s password.
4. Users enter the certificate’s password.
5. Email+ imports the certificate into its keystore.
Related topics
“Importing certificates to Email+ for Android using app-specific configuration” on page 44.
S/MIME behavior in Email+
Email+ does the following with the S/MIME encryption key it receives:
• Imports the key into the keystore.
• Selects the certificate as the encryption certificate.
If you change the certificate, Email+ imports the new certificate into the keystore and selects the new certificate as
the encryption certificate. It leaves the previous certificate in the keystore.
If you remove the restriction, Email+ leaves the certificate in the keystore. It changes its settings to specify that no
certificate is selected as the encryption certificate.
Using the Email+ user interface, the device user can:
• change the encryption certificate by manually importing one and selecting it for use.
• encrypt all emails with the certificate or encrypt a specific email with the certificate. Note that Email+
automatically encrypts emails if the emails in the thread are encrypted.
NOTE THE FOLLOWING:
• To send an encrypted email, a user needs the recipient’s public key. If you provide users’ public keys in the
Active Directory, Email+ uses global address lookup to retrieve a public key as needed.
Another way for a user to have the public key of another user is possible, but more limiting. Specifically, if a
user receives a signed email, and the signing certificate is the same as the encryption certificate, Email+ now
has the sender’s public key. The user can now send an encrypted email to the user who sent the signed email.
• Make sure users’ encryption certificates are the same on all devices.
A user needs his private key and certificate to read encrypted emails. The encryption key and certificate must
be the same on all email clients using S/MIME, including desktop email clients.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 46
Additional configurations using key-value pairs
• When an encryption key/certificate is renewed, the existing email on a device cannot be decrypted unless the
original key certificate is available. Keep a backup copy of the encryption key and certificate or consider using
a third-party escrow service.
• To restore an encryption key and certificate from a backup, the user can send himself the key/certificate as an
email attachment, as described in the following section.
Email attachment download to secure SD card folder
Email+ for Android allows the device user to download email attachments to a secure folder. The stored attachment
is encrypted. The device user can view the attachment later using a secure app such as Docs@Work. Only secure
apps can view the attachment; apps that are not AppConnect-enabled cannot access the attachment.
Email+ automatically removes emails older than the number of days that the device user specifies in the Email+
settings from the device. This feature allows the device user to securely save and view the attachment even after
the email has been removed.
When the device user downloads an email attachment, it is saved in the following folder:
sdcard/EmailPlus-Attachments
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 47
5
Secondary account on Email+ (Core only)
The following describe how to set up a secondary account on Email+:
• About configuring a secondary account on Email+
• Configuring a secondary account on Email+ for Android AppConnect (Core and Standalone Sentry)
• Configuring a secondary account on Email+ for Android enterprise (Core and Standalone Sentry)
• Mapping the custom attributes created in AD to LDAP settings
• Syncing with LDAP
• Creating new label
• Creating a new AppConnect app configuration for Email+ for Android Appconnect
• Applying the new AppConnect app configuration to a label
• Applying device user to label
• Creating a new app configuration for Email+ for Android enterprise
• Configuring a secondary account on Email+ for Android AppConnect (Core without Standalone Sentry)
• Configuring a secondary account on Email+ for Android enterprise (Core without Standalone Sentry)
• Key-value pairs for the secondary account (Android AppConnect)
About configuring a secondary account on Email+
As an administrator, you can add a second account to Email+ for Android. The second email account is the
secondary account. You may want to add a secondary email account if the device user requires access to another
user’s account for emails, calendar, tasks, or contacts.
The secondary email account can be limited to synchronize only emails, contacts, calendar items, or tasks. For
example, an administrative assistant may need access to just the calendar and contacts.
You will need to modify the ExtensionAttributes for the device user in Active Directory to configure the secondary
account.
On Email+ for Android AppConnect, the secondary account is configured using key-value pairs. A second set of
key-value pairs, similar to the key-value pairs required for configuring the primary account, are required for
configuring the secondary email account. The key-value pairs for the secondary account have the prefix acc2_.
Example of a key with prefix for the secondary account: acc2_email_safe_domains.
On Email+ for Android enterprise, the secondary account is configured by configuring the app restrictions in the
Additional accounts section in the Email+ app configuration.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 48
Secondary account on Email+ (Core only)
The following sections provide information on configuring a secondary account:
• Configuring a secondary account on Email+ for Android AppConnect (Core and Standalone Sentry)
• Configuring a secondary account on Email+ for Android enterprise (Core and Standalone Sentry)
• Configuring a secondary account on Email+ for Android AppConnect (Core without Standalone Sentry)
• Configuring a secondary account on Email+ for Android enterprise (Core without Standalone Sentry)
• Key-value pairs for the secondary account (Android AppConnect)
Configuring a secondary account on Email+ for
Android AppConnect (Core and Standalone Sentry)
Create a new Email+ configuration and apply the configuration to a label that contains devices to which you want to
push the secondary account. If an Email+ configuration is already applied to a device, remove the device from
labels that contain the original Email+ configuration and apply the device to a new label to which you will apply the
new Email+ configuration.
IMPORTANT: Ensure that only one Email+ configuration is applied to a device.
Before you begin
Manually modify the ExtensionAttributes for the device user in Active Directory. For extensionAttribute1 enter the
username of additional email account, and for extensionAttribute2 enter the email address of the additional email
account.
For detailed instructions see the How to Add Multiple EAS Accounts to a Single Device knowledge base article in
the MobileIron Support site at https://community.mobileiron.com/docs/DOC-1975.
Procedure
1. Map the custom attributes created in AD to LDAP settings.
2. Sync with LDAP.
3. Create new label.
4. Create a new AppConnect app configuration for Email+ for Android Appconnect.
5. Apply the new AppConnect app configuration to a label.
6. Apply device user to label.
Related topics
• Mapping the custom attributes created in AD to LDAP settings.
• Syncing with LDAP.
• Creating new label.
• Creating a new AppConnect app configuration for Email+ for Android Appconnect.
• Applying the new AppConnect app configuration to a label.
• Applying device user to label.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 49
Secondary account on Email+ (Core only)
Configuring a secondary account on Email+ for
Android enterprise (Core and Standalone Sentry)
Create a new Email+ configuration and apply the configuration to a label that contains devices to which you want to
push the secondary account. If an Email+ configuration is already applied to a device, remove the device from
labels that contain the original Email+ configuration and apply the device to a new label to which you will apply the
new Email+ configuration.
IMPORTANT: Ensure that only one Email+ configuration is applied to a device.
Before you begin
Manually modify the ExtensionAttributes for the device user in Active Directory. For extensionAttribute1 enter the
username of additional email account, and for extensionAttribute2 enter the email address of the additional email
account.
For detailed instructions see the How to Add Multiple EAS Accounts to a Single Device knowledge base article in
the MobileIron Support site at https://community.mobileiron.com/docs/DOC-1975.
Procedure
1. Map the custom attributes created in AD to LDAP settings.
2. Sync with LDAP.
3. Create new label.
4. Create a new app configuration for Email+ for Android enterprise.
5. Apply device user to label.
Related topics
• Mapping the custom attributes created in AD to LDAP settings.
• Syncing with LDAP.
• Creating new label.
• Creating a new app configuration for Email+ for Android enterprise.
• Applying device user to label.
Mapping the custom attributes created in AD to LDAP
settings
Map the custom attributes created in Active Directory to the LDAP settings in MobileIron Core.
Procedure
1. In the Admin Portal, go to Settings > LDAP.
2. Select the LDAP setting and click the edit icon.
3. For Custom 1, enter extensionAttribute1. For Custom 2, enter extensionAttribute2.
4. Save the edited LDAP setting.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 50
Secondary account on Email+ (Core only)
Syncing with LDAP
Sync MobileIron Core with LDAP for updates.
Procedure
1. In the Admin Portal, go to Users & Devices > Users.
2. Click Resync With LDAP.
Wait for the LDAP sync to complete.
3. To verify, click on the System Manager link.
4. In the system manger, go to Troubleshooting > Service Diagnostic > LDAP Sync History.
Creating new label
Create a new label for the secondary account.
Procedure
1. In the Admin Portal go to Users & Devices > Labels.
2. Click Add Label.
3. Enter the information requested.
4. Click Save.
Creating a new AppConnect app configuration for Email+
for Android Appconnect
Perform this step only if you are configuring the secondary account on Email+ for Android AppConnect. Create a
new AppConnect app configuration to add the secondary account and to ensure that only one AppConnect app
configuration for Email+ is pushed to the device.
Procedure
1. In the Admin Portal, go to Policy & Configs > Configurations.
2. Click Add New > AppConnect > App Configuration.
3. Enter a name and description for the configuration.
4. For Application, select Email+.
5. In App-specific Configurations:
a. Configure the required key-value pairs for the primary account.
b. Configure the required key-value pairs for the secondary account.
For acc2_email_exchange_username, enter $USER_CUSTOM1$.
For acc2_email_address, enter $USER_CUSTOM2$.
c. Configure any additional key-value pairs for the primary and secondary accounts.
6. Click Save.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 51
Secondary account on Email+ (Core only)
Related topics
• See “Configuring an AppConnect app configuration for Email+ in MobileIron Core” on page 12 for information
on creating an Email+ for Android AppConnect configuration in MobileIron Core.
• See “Additional configurations using key-value pairs” on page 21 for the list of required key-value pairs for the
primary account.
• See “Key-value pairs for the secondary account (Android AppConnect)” on page 54 for required as well as
custom key-value pairs.
Applying the new AppConnect app configuration to a
label
Perform this step only if you are configuring the secondary account on Email+ for Android AppConnect. Apply the
newly created AppConnect app configuration to the label created for the secondary account.
Procedure
1. In the Admin Portal go to Policies & Configs > Configurations.
2. Select the new AppConnect app configuration for Email+.
3. Click Actions > Apply to Label.
4. In the Apply To Label dialog, select the label you created.
5. Click Apply.
Applying device user to label
Apply the device user for the primary account to the label created for the secondary account.
Procedure
1. In the Admin Portal, go to Users & Devices > Devices.
2. Select the device to which the email account will be added.
3. Click Actions > Apply to Label.
4. In the Apply To Label dialog, select the label you created.
5. Click Apply.
The email account is pushed to the device when it syncs.
No actions are required by the device user.
Creating a new app configuration for Email+ for Android
enterprise
Perform this step only if you are configuring the secondary account on Email+ for Android enterprise. Apply the
new configuration to the label you created for the secondary account. Ensure that the correct priority is set for the
configuration.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 52
Secondary account on Email+ (Core only)
Procedure
1. In the MobileIron Core Admin Portal, go to Apps > App Catalog.
2. Click the Email+ app for Android enterprise and click Edit.
3. In the Configuration Choices section, click Add+ to add a new configuration.
4. Enter a name for the new configuration.
5. Click Configuration for Email+.
Additional fields for configuring Email+ are displayed.
6. Configure the required app restrictions and any additional configurations for the primary account.
7. In the Additional accounts section, configure the required app restrictions and any additional configuration for
the secondary account.
8. In the Apply Labels To This App Config section, select the label you created for the secondary account.
9. Click Add
10. Assign priority to a configuration by moving the configuration up or down the list.
The configuration is applied to the selected labels. If a configuration is not applied to a device, the default
configuration is applied.
11. Click Save.
Related topics
• See “App restrictions descriptions for Email+ (Android enterprise)” on page 35 for a description of the fields,
and the required restrictions.
• See Email+ for Android enterprise app configuration and distribution for information on configuring and
distributing Email+ for Android enterprise on MobileIron Core.
Configuring a secondary account on Email+ for
Android AppConnect (Core without Standalone Sentry)
Create a new Email+ configuration and apply the configuration to a label that contains devices to which you want to
push the secondary account. If an Email+ configuration is already applied to a device, remove the device from
labels that contain the original Email+ configuration and apply the device to a new label to which you will apply the
new Email+ configuration.
IMPORTANT: Ensure that only one Email+ configuration is applied to a device.
Procedure
1. In the Admin Portal, go to Policy & Configs > Configurations.
2. Click Add New > AppConnect > App Configuration.
3. Enter a name and description for the configuration.
4. For Application, select Email+.
5. In App-specific Configurations:
a. Configure the required key-value pairs for the primary account.
b. Configure the required key-value pairs for the secondary account.
c. Configure any additional key-value pairs for the primary and secondary accounts.
6. Click Save.
7. Select the new AppConnect app configuration for Email+.
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 53
Secondary account on Email+ (Core only)
8. Select Actions > Apply To Label.
9. Select the labels to which you want to apply the AppConnect app configuration for Email+.
The label contains the devices to which you want to push the secondary account.
10. Click Apply.
Related topics
• See “Configuring an AppConnect app configuration for Email+ in MobileIron Core” on page 12 for information
on creating an Email+ for Android AppConnect configuration in MobileIron Core.
• See “Additional configurations using key-value pairs” on page 21 for the list of required key-value pairs for the
primary account.
• See “Key-value pairs for the secondary account (Android AppConnect)” on page 54 for required as well as
custom key-value pairs.
Configuring a secondary account on Email+ for
Android enterprise (Core without Standalone Sentry)
Follow the steps in Creating a new app configuration for Email+ for Android enterprise to add a secondary account
to Email+ for Android enterprise in a deployment that does not use Standalone Sentry.
Key-value pairs for the secondary account
(Android AppConnect)
Similar to the primary account, a secondary account is configured and customized using key-value pairs. To add
and customize the secondary email account, add the prefix acc2_ to a key. The prefix acc2_ indicates that the key-
value pair is applied only to the secondary account. Key-value pairs that do not need to be specifically configured
for the secondary account are generally applicable to both the primary and secondary accounts.
For a description and the values of the keys for the secondary account see the corresponding key-value pair
(without the prefix _acct2) in the key-value pair table for Android AppConnect, “Additional configurations using key-
value pairs” on page 21.
• Required keys for configuring the secondary account
• Key-value pair for disabling the secondary account
• Keys for customizing the secondary account
Required keys for configuring the secondary account
Required key for configuring the secondary account:
• acc2_email_address
• acc2_email_device_id
• acc2_email_exchange_host
• acc2_email_exchange_username
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 54
Secondary account on Email+ (Core only)
• enabled_features
For value, enter multiple_accounts.
If a value is already configured, add the value to the configured values separated by a comma.
Example: httpv2,multiple_accounts.
Key-value pair for disabling the secondary account
Use this key-value pair to disable syncing the secondary account in Email+ or limit the what is synced for the
secondary account. For example, if you disable email and tasks, only contacts and calendar items will be synced.
TABLE 1. KEY-VALUE PAIR FOR DISABLING THE SECONDARY ACCOUNT
Value:
Key Enter Description
acc2_disable_sync • email • email: emails for the secondary account are no longer synced.
• contacts • contacts: contacts for the secondary account are no longer synced.
• calendar • calendar: calendar for the secondary account is no longer synced.
• tasks • tasks: tasks for the secondary account are no longer synced.
Applied only to the secondary email account configured on Email+. The
Email, Contacts, Calendar, or Tasks app for the secondary account is
disabled when the device syncs. The disabled apps will no longer be
visible in Email+ settings, and users cannot switch to the second
account in the app.
You can enter multiple values as a comma separated list. Ensure that
there are no spaces before and after the comma.
Example: email,tasks
Keys for customizing the secondary account
Additional keys for customizing the secondary account:
• acc2_allow_detailed_notifications
• acc2_email_login_certificate
• acc2_email_trust_all_certificates
• acc2_email_encryption_certificate
• acc2_eas_min_allowed_auth_mode
• acc2_email_signing_certificate
• acc2_email_safe_domains
• acc2_email_max_sync_period
• acc2_email_default_sync_period
• acc2_sync_while_roaming
• acc2_email_max_attachment
• acc2_email_default_signature
• acc2_email_enable_lotus
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 55
Secondary account on Email+ (Core only)
• acc2_email_ssl_required
• acc2_prompt_email_password
• acc2_email_password
MobileIron Email+ 2.11.0.0 for Android Guide for Administrators | 56
You might also like
- DocsAtWorkAndroidReleaseNotes Rev9Mar2018No ratings yetDocsAtWorkAndroidReleaseNotes Rev9Mar201815 pages
- Setting Up Email and Text Alerts For Watlow's F4T ControllerNo ratings yetSetting Up Email and Text Alerts For Watlow's F4T Controller6 pages
- Your Company Is Undergoing A Regulatory Compliance AuditNo ratings yetYour Company Is Undergoing A Regulatory Compliance Audit12 pages
- Setting Up External Mail Servers For G Suite: Part ThreeNo ratings yetSetting Up External Mail Servers For G Suite: Part Three14 pages
- How To Configure Zimbra MailNGX Id As Activesync in AndroidNo ratings yetHow To Configure Zimbra MailNGX Id As Activesync in Android7 pages
- G Suite Data Protection Implementation GuideNo ratings yetG Suite Data Protection Implementation Guide31 pages
- Google Apps Migration For Microsoft Exchange: Administration GuideNo ratings yetGoogle Apps Migration For Microsoft Exchange: Administration Guide74 pages
- Check Point Harmony Email and Collaboration Admin GuideNo ratings yetCheck Point Harmony Email and Collaboration Admin Guide669 pages
- CP Harmony Email Collaboration Admin GuideNo ratings yetCP Harmony Email Collaboration Admin Guide640 pages
- Configuring Netact Monitor For The Use of An E-Mail Server: Mail Mail Configur MailNo ratings yetConfiguring Netact Monitor For The Use of An E-Mail Server: Mail Mail Configur Mail2 pages
- MobileIron-Access - Datasheet - EN - US - v2.1No ratings yetMobileIron-Access - Datasheet - EN - US - v2.12 pages
- Enable Sending - Receiving Emails in ServiceNow PDINo ratings yetEnable Sending - Receiving Emails in ServiceNow PDI10 pages
- CP Harmony Email Collaboration Admin GuideNo ratings yetCP Harmony Email Collaboration Admin Guide619 pages
- Metallic Exchange Online Custom ConfigurationNo ratings yetMetallic Exchange Online Custom Configuration7 pages
- Quickoffice For Android OS: User Help GuideNo ratings yetQuickoffice For Android OS: User Help Guide53 pages
- Gsmme Admin Guide: G Suite Migration For Microsoft ExchangeNo ratings yetGsmme Admin Guide: G Suite Migration For Microsoft Exchange54 pages
- Create A New Google Account: Your Google Account Is More Than Just GmailNo ratings yetCreate A New Google Account: Your Google Account Is More Than Just Gmail2 pages
- CP Harmony Email Collaboration Admin GuideNo ratings yetCP Harmony Email Collaboration Admin Guide538 pages
- ViperTouch: Advanced Climate & Production ControlNo ratings yetViperTouch: Advanced Climate & Production Control12 pages
- AltaLink-B8045 B8055 B8065 B8075 B8090-IAD-V1.1No ratings yetAltaLink-B8045 B8055 B8065 B8075 B8090-IAD-V1.156 pages
- Investigating A Virtual Queueing System For Durban University of Technology A Comprehensive Review Approach To Improve EfficiencyNo ratings yetInvestigating A Virtual Queueing System For Durban University of Technology A Comprehensive Review Approach To Improve Efficiency6 pages
- Collaborative Fall Detection Using A Wearable Device and A Companion RobotNo ratings yetCollaborative Fall Detection Using A Wearable Device and A Companion Robot7 pages
- User Guide For Cloning - 3 - 198 17-CNZ 222 76 Rev - JNo ratings yetUser Guide For Cloning - 3 - 198 17-CNZ 222 76 Rev - J29 pages
- Web Designing Using - HTML: Let Us Learn The Basics of HTMLNo ratings yetWeb Designing Using - HTML: Let Us Learn The Basics of HTML14 pages
- Kit Instructions: Enhanced Keypad Key TipsNo ratings yetKit Instructions: Enhanced Keypad Key Tips5 pages
- Designing Xilinx Zynq-Based Systems Using SdsocNo ratings yetDesigning Xilinx Zynq-Based Systems Using Sdsoc8 pages
