Security settings for Secure Mail (WorkPlace Persona policy)

Use the Security settings to configure security for Secure Mail accounts.

Secure Mail security settings

You can configure the following security settings in the WorkPlace Persona policy for Secure Mail:

Policy setting: Description
Restrict Attachment Forwarding: Restricts email messages with attachments from being forwarded.
Manage Email Restrictions to External Domains: Prevents email messages from being sent to non-corporate email domains.
Validate Server Certificate: Validates the server certificate that is issued by a mail server during an SSL connection. This validation provides extra protection against man-in-the-middle attacks.
Untrusted Certificates Handling: Allows administrators to control prompts for untrusted certificates.

  • Prompt User: Prompts the user to accept or reject the untrusted certificate.
  • Silently Accept All: Accepts all untrusted certificates without any prompt.
  • Reject All: Rejects all untrusted certificates.
Note: Select Reject All to ensure maximum security protection and to avoid spoofing or man-in-the-middle attacks.
Server Certificate: Adds a new server certificate.
Configure trusted URLs for Android: Opens email and calendar invitation URLs in a third-party app (instead of in Secure Browser).
Note: The third-party apps that you use must handle the specific URL that is defined in the app manifest. For example, the RSA App supports the following two URLs:

You can define these URLs as Trusted URLs. For more information about your apps, contact the app developer or IBM® Support.

Allow External Links to open in Native Browser: Allows external links in the email message to be opened with a native browser. Intranet sites continue to open their links in the MaaS360® Browser. This setting is available from Android 5.55+.

Email messages from external domains

Use the following settings to define the criteria that flags email messages as external:

Policy setting: Description
Prefix used for mails from external domains: The comma-separated list of prefixes that are configured in mail servers to mark external domain email messages. For example: [External]
Prefix location for mails from external domains: The prefix location that is marked in the mail servers to mark external domain email messages. Supported values: Email subject, body, or both.
Allowed mail domains: Provides a comma-separated list of allowed domains. For example: ibm.com

If this policy is enabled, remote images or attachments in email messages that are received from allowed domains are automatically displayed. If mail servers flag an email message as external, remote images are still displayed if that domain is part of the allowed domains. If allowed domains are not configured, remote images from all domains are blocked except for the user's domain.

Manage remote images in emails from external domains: If this setting is enabled, remote images (embedded URLs) in emails from external domains are blocked. If this setting is disabled, remote images from all domains are allowed, regardless of the other settings that are enabled in this policy. In Android, MaaS360 prevents remote images from automatically downloading to the Inbox, Sent, and Draft folders. The remote images in the original message are hidden when the recipient replies to or forwards the email to other recipients.
Note:
  • This setting requires that the Prefix used for mails from external domains setting is configured.
  • This setting is supported on primary, secondary, and delegation accounts.

Restriction Type: Administrators can configure the following restrictions to control remote images in emails from external domains:
  • Block: The remote images in emails from external domains are completely blocked.
  • Allow Selectively: The remote images are blocked by default, but users can tap the View Images banner at the top of the email to view the images.
Note: If a user downloads images in an email from a specific domain, images from that domain are not downloaded automatically in subsequent emails.
Warn about attachments in emails from external domains: A security alert is displayed when users attempt to open attachments that originate from external domains.
Note: This setting does not prevent attachments from downloading. If the MaaS360 Mail setting Auto download attachments smaller than 100 KB in the MaaS360 for iOS app is enabled, attachments are downloaded locally. When users try to open those attachments, a security alert is displayed.
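
How the Allowed mail domains, prefix and Manage remote images settings above combine for a single message can be modelled as a small decision function. This is an added illustration, not MaaS360 code, and the class and function names are hypothetical. It assumes a case-insensitive substring match for the prefix, that an unflagged message counts as internal when an allowed list is set, and that Restriction Type applies wherever images are blocked.

```python
from dataclasses import dataclass

@dataclass
class ImagePolicy:
    manage_remote_images: bool         # Manage remote images in emails from external domains
    prefixes: tuple                    # Prefix used for mails from external domains
    prefix_location: str               # "subject", "body" or "both"
    allowed_domains: tuple = ()        # Allowed mail domains; empty means not configured
    restriction: str = "block"         # Restriction Type: "block" or "allow_selectively"

def flagged_external(policy, subject, body):
    """True when a configured prefix is present at the configured location."""
    fields = []
    if policy.prefix_location in ("subject", "both"):
        fields.append(subject)
    if policy.prefix_location in ("body", "both"):
        fields.append(body)
    # Assumption: case-insensitive substring match, so "RE: [External] ..." still counts.
    return any(p.lower() in f.lower() for p in policy.prefixes for f in fields)

def remote_image_decision(policy, sender, user_domain, subject, body=""):
    """Return "show", "block" or "tap_to_view" for one received message."""
    if not policy.manage_remote_images:
        return "show"                  # disabled: images from all domains are allowed
    if not policy.prefixes:
        raise ValueError("the external-mail prefix setting must be configured")
    domain = sender.rsplit("@", 1)[-1].lower()
    allowed = {d.strip().lower() for d in policy.allowed_domains}
    blocked = "tap_to_view" if policy.restriction == "allow_selectively" else "block"
    if domain in allowed:
        return "show"                  # allowed domain wins even when flagged external
    if not allowed:                    # no allowed list: only the user's own domain shows
        return "show" if domain == user_domain.lower() else blocked
    # Assumption: with an allowed list set, an unflagged message counts as internal.
    return blocked if flagged_external(policy, subject, body) else "show"

# Constructed sample policy and messages.
POLICY = ImagePolicy(True, ("[External]",), "subject", ("ibm.com",), "allow_selectively")

if __name__ == "__main__":
    for sender, subject in [("a@ibm.com", "[External] Q3 report"),
                            ("b@example.org", "RE: [External] Invoice"),
                            ("c@example.org", "Lunch?")]:
        print(sender, "->", remote_image_decision(POLICY, sender, "corp.example", subject))
```

The first branch after the configuration check is the one to review when choosing allowed domains: a listed domain shows remote images even on messages that the mail server marked as external.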

Secure Mail Contacts settings

You can configure the following Contacts settings for Secure Mail:

Policy setting: Description
Restrict Personal Exchange Contacts to be Copied to Device Contacts: Restricts the user from copying contacts from the corporate directory to a device.
Allow editing of Personal Exchange Contacts in native Contacts App: Allows a user to edit corporate contacts in a native application. If this setting is enabled, contacts are copied over to the primary Google account on the device under a Group named Exported Corporate Contacts. Once the group is copied over, you can edit the contacts in the native Contacts app.
Note:
  • Any changes to contacts are local and not synced with the user's Exchange account.
  • Any changes to contacts on the Exchange server overwrite local changes.
  • You cannot remove exported contacts with the Selective Wipe action.
Allow use of Personal contacts in Secure Mail: If this setting is enabled, users can select personal contacts on the device for sending email messages and calendar invites.

Report Phishing settings

You can configure the following Report Phishing settings for Secure Mail:

Policy setting: Description
Report Phishing: Allows users to report suspicious email messages to administrators. If an email message is identified as suspicious or phishing, use the Report Phishing option in the Email options to report that email message.
Note:
  • The reported email messages are deleted from the mailbox.
  • The email messages that are reported from the Deleted Items folder are deleted permanently.
  • IBM Traveler does not support smart forward, so reported email messages are always sent as an .eml attachment.
  • The Report Phishing option takes priority over Restrict Forwarding Mail/Attachment to different domain policies.
  • The email message attachments that are not part of the MIME download are not part of the .eml file. As a result, the size of the .eml file is shown as 0 KB and these files are inaccessible.
  • The reported email messages are not deleted for users with the read-only delegate permission.
  • The Report Phishing option is not available for the Sent, Drafts, and Outbox folders.
Report Phishing Settings: Configure the following phishing settings:
  • Forward option: Configure how you want to receive the suspicious email messages reported by users.
    • Smart forward: The suspicious email message is forwarded as is to the email address provided in the Email Address field.
    • As an attachment: The suspicious email message is downloaded and then sent to the email address provided in the Email Address field in the form of an .eml attachment.
  • Email addresses: The email addresses where suspicious email messages are forwarded. Enter a list of comma-separated email addresses to provide more than one email address.
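
On the receiving side, a reports mailbox can unpack what the As an attachment option delivers. The following added example (not part of the product or this documentation) extracts the reported .eml, returns nothing for a report that carries no attachment, and lists attachments that arrived empty. The function names, addresses and sample report are constructed, and how the .eml part is labelled is an assumption, so both message/rfc822 and a .eml file name are accepted.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def extract_reported(report_bytes):
    """Return the reported message from an "As an attachment" report, else None."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()              # nested message, already parsed
        if (part.get_filename() or "").lower().endswith(".eml"):
            raw = part.get_payload(decode=True) or b""
            return message_from_bytes(raw, policy=policy.default) if raw else None
    return None                                    # e.g. a smart-forwarded report

def summarize(msg):
    """Collect the fields a triage queue needs, including empty attachments."""
    sizes = [(a.get_filename() or "(unnamed)", len(a.get_payload(decode=True) or b""))
             for a in msg.iter_attachments()]
    sender = msg["From"].addresses[0] if msg["From"] else None
    return {"subject": str(msg["Subject"]),
            "from_domain": sender.domain if sender else None,
            "attachments": sizes,
            "empty_attachments": [name for name, size in sizes if size == 0]}

def build_sample_report():
    """Constructed sample: a user report carrying the suspicious message as an .eml file."""
    suspicious = EmailMessage()
    suspicious["From"] = "Billing <billing@example.org>"
    suspicious["Subject"] = "[External] Overdue invoice"
    suspicious.set_content("See attached.")
    # Assumption: an attachment that was not downloaded shows up with no content.
    suspicious.add_attachment(b"", maintype="application", subtype="pdf",
                              filename="invoice.pdf")
    report = EmailMessage()
    report["From"] = "user@corp.example"
    report["To"] = "phish-reports@corp.example"
    report["Subject"] = "Reported phishing"
    report.set_content("Reported from Secure Mail.")
    report.add_attachment(suspicious.as_bytes(), maintype="application",
                          subtype="octet-stream", filename="reported.eml")
    return report.as_bytes()

if __name__ == "__main__":
    print(summarize(extract_reported(build_sample_report())))
```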

S/MIME settings

You can configure the following S/MIME settings for Secure Mail:

Note: Contact IBM Support to enable this feature.
Policy setting: Description
SMIME Certificate Source: Enable this setting if the certificate source is an email message or Cloud Extender®.
Trusted Certificate: Adds a new trusted certificate.
Apply Triple wrapping of message: Enables signing, encryption, and signing again for each email message.
Always sign outgoing mails: All email messages that are sent through Secure Mail are signed by the sender's signing certificate.
Allow user to customize SMIME controls per message: Users can encrypt or sign outgoing email messages.
Do not allow unencrypted messages to specified domains: Does not allow unencrypted email messages to specific domains.
SMIME Public Cert Refresh Days: Refreshes the local copy at the selected frequency.
Configure LDAP for SMIME Certificate Lookup: Enables settings to configure LDAP for S/MIME Certificate Lookup.
Note: Depending on the services that are enabled in the MaaS360 Portal, some of these options might not be available.