Security settings for Secure Mail (WorkPlace Persona policy)

Use the Security settings to configure security for Secure Mail accounts.

Secure Mail Security settings

You can configure the following security settings in the WorkPlace Persona policy for Secure Mail.

Policy setting	Description
Restrict Attachment Forwarding	Restricts email messages with attachments from being forwarded.
Allow Own Domain	Select Restrict Attachment Forwarding to view this checkbox. This option helps to send email attachments to addresses with the same email domain as the user.
Domain list mode	Select Restrict Attachment Forwarding to view this drop-down. Select whether the domains list is an allowlist or a blocklist. The values are as follows. `Other Allowed Domains` (default) `Blocked Domains`
Domains List	Select Restrict Attachment Forwarding to view this field. Specify the domains to which the forwarding of attachments is either allowed or blocked depending on the selected mode. Users can enter a comma-separated list to add multiple domains.
Allowlist Doc Types	Select Restrict Attachment Forwarding to view this field. Specify the types of attachment that can be mailed externally. Users can enter comma-separated values to specify multiple extension types such as doc, jpg, and xls.
Manage Email Restrictions to External Domains	This option helps to prevent email messages from being sent to non-corporate email domains.
Restriction Type	Select Manage Email Restrictions to External Domains to view this drop-down. Administrators can configure the following restrictions to control emails from external domains. `Restrict User` `Warn User` Important: `Warn User` mode is supported on app versions iOS 3.7 and later, and, Android 6.30 and later.
Domain list mode	Select Manage Email Restrictions to External Domains to view this drop-down. Select whether the domains list is an allowlist or a blocklist. The values are as follows. `Other Allowed Domains` (default) `Blocked Domains`
Domains List	Select Manage Email Restrictions to External Domains to view this field. Specify the domains to which the delivery of emails is either allowed or blocked depending on the selected mode. Users can enter a comma-separated list to add multiple domains.
Validate Server Certificate	Validates the server certificate that is issued during an SSL connection. This validation provides extra protection against man-in-the-middle attacks.
Untrusted Certificates Handling	This option helps administrators to control prompts for untrusted certificates. The options are as follows. `Prompt User` `Silently Accept All` `Reject All` Note: Select Reject All to ensure maximum security protection and to avoid spoofing or man-in-the-middle attacks.
Server Certificate	To add a new server certificate.
Configure trusted URLs for Android	Opens email and calendar invitation URLs in a third-party app (instead of in Secure Browser). Note: The third-party apps that you use must handle the specific URL that is defined in the app manifest. For example, the RSA App supports the following two URLs. http://127.0.0.1/securid/ctf http://127.0.0.1/securid/ctkip You can define these URLs as Trusted URLs. For more information about your apps, contact the app developer or IBM® Support.
Allow External Links to open in Native Browser	This option enables external links in the email message to be opened with a native browser. Intranet sites continue to open their links in the MaaS360® Browser. This setting is available from Android 5.55+.

Mails from external domains

Use the following settings to define the criteria that flags email messages as external.

Policy setting	Description
Prefix used for mails from external domains	The comma-separated list of prefixes that are configured in mail servers to mark external domain email messages. For example, `[External]`.
Prefix location for mails from external domains	The prefix location that is marked in the mail servers to mark external domain email messages. Supported values are `Email subject`, `body`, or `both`.
Warn about attachments in emails from external domains	A security alert is displayed when users attempt to open attachments that originate from external domains. Note: This setting does not prevent attachments from downloading. If the MaaS360 Mail setting Auto download attachments smaller than 100 KB in the MaaS360 for iOS app is enabled, attachments are downloaded locally. When users try to open those attachments, a security alert is displayed.
Manage remote images in emails from external domains	If this setting is enabled, remote images (embedded URLs) in emails from external domains are blocked. If this setting is disabled, remote images from all domains are allowed, regardless of the other settings that are enabled in this policy. In Android, MaaS360 prevents remote images from automatically downloading to the Inbox, Sent, and Draft folders. The remote images in the original message are hidden when the recipient replies to or forwards the email to other recipients. Note: This setting requires that the Prefix used for mails from external domains setting is configured. This setting is supported on primary, secondary, and delegation accounts. Restriction Type Administrators can configure the following restrictions to control remote images in emails from external domains. Block The remote images in emails from external domains are completely blocked. Allow Selectively The remote images are blocked by default, but users can tap the View Images banner at the top of the email to view the images. Note: If a user downloads images in an email from a specific domain, images from that domain are not downloaded automatically in subsequent emails.
Domains List Mode	Select whether the domains list is an allowlist or a blocklist. The values are as follows. `External Domains (Blocked)` `Allowed Domains` (default)
Domains List	Enter a comma-separated list of allowed domains. For example, `ibm.com`. Specify the domains to which the images or attachments for mails sent from these domains is either allowed or blocked depending on the selected mode. Users can enter comma-separated list to add multiple domains.

Secure Mail Contact settings

You can configure the following Contacts settings for Secure Mail.

Policy setting	Description
Restrict Personal Exchange Contacts to be Copied to Device Contacts	Restricts the user from copying contacts from the corporate directory to a device.
Allow editing of Personal Exchange Contacts in native Contacts App	Allows a user to edit corporate contacts in a native application. If this setting is enabled, contacts are copied over to the primary Google account on the device under a Group named `Exported Corporate Contacts`. Once the group is copied over, you can edit the contacts in the native Contacts app. Note: Any changes to contacts are local and not synced with the user's Exchange account. Any changes to contacts on the Exchange server overwrite local changes. You cannot remove exported contacts with the Selective Wipe action.
Allow use of Personal contacts in Secure Mail	If this setting is enabled, users can select personal contacts on the device for sending email messages and calendar invites.

Report Phishing settings

You can configure the following Report Phishing settings for Secure Mail.

Policy setting	Description
Report Phishing	Allows users to report suspicious email messages to administrators. If an email message is identified as suspicious or phishing, use the Report Phishing option in the Email options to report that email message. Note: The reported email messages are deleted from the mailbox. The email messages that are reported from the Deleted Items folder are deleted permanently. HCL Traveler does not support smart forward, so reported email messages are always sent as an .eml attachment. The Report Phishing option takes priority over Restrict Forwarding Mail/Attachment to different domain policies. The email message attachments that are not part of the MIME download are not part of the .eml file. As a result, the size of the .eml file is shown as 0 KB and these files are inaccessible. The reported email messages are not deleted for users with the read-only delegate permission. The Report Phishing option is not available for the Sent, Drafts, and Outbox folders.
Report Phishing Settings	Configure the following phishing settings. Forward option Configure how you want to receive the suspicious email messages reported by users. Smart forward The suspicious email message is forwarded as is to the email address provided in the Email Address field. As an attachment The suspicious email message is downloaded and then sent to the email address provided in the Email Address field in the form of an .eml attachment. Email addresses The email addresses where suspicious email messages are forwarded. Enter a list of comma-separated email addresses to provide more than one email address.

Policy setting

Description

Report Phishing

Allows users to report suspicious email messages to administrators. If an email message is identified as suspicious or phishing, use the Report Phishing option in the Email options to report that email message.

Note:

The reported email messages are deleted from the mailbox.
The email messages that are reported from the Deleted Items folder are deleted permanently.
HCL Traveler does not support smart forward, so reported email messages are always sent as an .eml attachment.
The Report Phishing option takes priority over Restrict Forwarding Mail/Attachment to different domain policies.
The email message attachments that are not part of the MIME download are not part of the .eml file. As a result, the size of the .eml file is shown as 0 KB and these files are inaccessible.
The reported email messages are not deleted for users with the read-only delegate permission.
The Report Phishing option is not available for the Sent, Drafts, and Outbox folders.

Report Phishing Settings

Configure the following phishing settings.

Forward option

Configure how you want to receive the suspicious email messages reported by users.
- Smart forward
  
  The suspicious email message is forwarded as is to the email address provided in the Email Address field.
- As an attachment
  
  The suspicious email message is downloaded and then sent to the email address provided in the Email Address field in the form of an .eml attachment.
Email addresses

The email addresses where suspicious email messages are forwarded. Enter a list of comma-separated email addresses to provide more than one email address.

S/MIME settings

You can configure the following S/MIME settings for Secure Mail.

Note: Contact IBM Support to enable this feature.

Policy setting	Description
SMIME Certificate Source	Enable this setting if the certificate source is an email message or Cloud Extender®.
Trusted Certificate	Adds a new trusted certificate.
Apply Triple wrapping of message	Enables signing, encryption, and signing again for each email message.
Always sign outgoing mails	All email messages that are sent through Secure Mail are signed by the sender's signing certificate.
Allow user to customize SMIME controls per message	Users can encrypt or sign outgoing email messages.
Do not allow unencrypted messages to specified domains	Does not allow unencrypted email messages to specific domains.
SMIME Public Cert Refresh Days	Refreshes the local copy at the selected frequency.
Configure LDAP for SMIME Certificate Lookup	Enables settings to configure LDAP for S/MIME Certificate Lookup.

Note: Depending on the services that are enabled in the MaaS360 Portal, some of these options might not be available.