Conditional Email Access Pre-Deployment Guide
Conditional Email Access (CEA) is easy to configure, but as an IT Admin you need to know what to expect once it is in place. This guide explains how CEA is enforced on users and devices, and the options you have for introducing CEA smoothly in your organisation.
Question 0: How does Conditional Email Access Work?
Answer: An end user can access email in the following ways:
- Email apps that use the Exchange protocol, such as Outlook, Gmail, Mail for iOS and Windows Mail
- Email apps that use the POP/IMAP protocols, such as Thunderbird
- Web browsers such as Google Chrome, Microsoft Edge or Safari
When email is accessed via the Exchange protocol, the email app generates a unique ID and provides it to the email provider, such as Microsoft Exchange Online (Office 365) or IceWarp.
When an iOS or Windows device is enrolled in Scalefusion, it syncs its unique Exchange ID or Device ID. On EMM-managed devices running Android 7.0 and above, Scalefusion can configure an Exchange ID on the device for the Gmail app.
Because a device is associated with a unique ID only when email is accessed via the Exchange protocol, Scalefusion lets you configure a conditional email access policy that blocks access on all devices and all protocols (POP/IMAP, OWA, web, etc.) and selectively allows access on Scalefusion-managed devices, identified by their unique Exchange ID, through supported email applications.
Question 1: What OS/Platforms support Conditional Email Access (CEA)?
Answer: Conditional Email Access is supported for Android 7.0 and above, Windows 10 and above, and iOS 11 and above.
Question 2: Once CEA is configured, how would the end users access Emails?
Answer: This is one of the most important questions. Once CEA is configured, users can access email only through specific email apps. The table below provides the information.
Question 3: Will configuring CEA impact all our existing Users and their access to Emails?
Answer: Scalefusion provides controls that let you choose which users come under the purview of CEA. You can target either all users in your organisation or only specific users that are imported/added to Scalefusion.
However, please note that once CEA is configured, each new device that tries to access email, irrespective of the user, is quarantined by default for a certain period of time. This allows the required checks to be performed on that device, to determine whether the user accessing the email is to be managed and whether the device from which the email is accessed is managed.
Once the user and the device are deemed fit to access email on that particular device and email app, they are removed from the quarantined list. These changes take around 2 hours to take effect.
Question 4: Can we require all our users to enroll the devices from which they currently access their email?
Answer: Yes. You can require all users in your organisation to enroll their current devices in Scalefusion by configuring the policies to target all users and existing devices.
Question 5: Can we provide a Grace period to our users and encourage them to enroll their devices before blocking their Email access?
Answer: Yes. You can configure a grace period during which the users will receive Email alerts to enroll their devices. During the grace period their access to Email is not blocked. Once the grace period is over their access to Email is blocked on that device.
Question 6: If a user's access to email is to be blocked, does CEA block the device or block the user to prevent Email access?
Answer: This is a combination of User + Device. Scalefusion detects a particular user's access to email on all devices and blocks that access on unmanaged devices only. On managed devices, access is allowed only via the email apps listed in Question 2.
Question 7: Does configuring CEA prevent Outlook Web-Access or other Web based methods to access emails?
Answer: Yes. By default we block access to OWA and other web-based methods. You can choose to allow web-based access to email, but please note that once OWA is allowed, users can access email from any unmanaged device as well. Also note that certain email providers do not expose this functionality publicly via APIs and instead provide the controls in their console.
Question 8: Does configuring CEA prevent access to Emails from Microsoft Outlook client?
Answer: Yes. By default we block access to email from the Microsoft Outlook client. You can choose to allow users to access email from the Outlook client, but in that case the access would be unmanaged.
Question 9: Does configuring CEA prevent access to Emails via POP/IMAP?
Answer: Yes. For email providers where we can control access to email via POP/IMAP, we block that access by default. However, certain email providers do not expose this functionality publicly via APIs and instead provide the controls in their console.
Question 10: Does CEA provide options to prevent phishing attacks, ransomware attacks or prevent Email forwarding etc?
Answer: No. Conditional Email Access is strictly limited to providing IT Admins with a set of policies that allow access to email on Scalefusion-managed devices using the supported email apps (as listed in Question 2). Beyond this, Scalefusion offers policies that can be applied at a device or work-profile level to enforce overall security policies on the device.
Question 11: What are the supported Email Providers where we can configure CEA?
Answer: Currently we support the following providers. Click on a provider to learn the specific steps to configure it.
Question 12: Do we need to Sign In to Scalefusion using Azure Active Directory to configure CEA?
Answer: No. Conditional Email Access can be configured from any Scalefusion account as long as you have an Enterprise plan. Note that you still need the licenses from your email provider, and you must ensure that your users have the email service enabled.
Question 13: Can we enable email access on selected devices that have been blocked due to CEA, without having to enroll them?
Answer: Yes. Scalefusion allows you to explicitly Allow access for devices that have been blocked due to the CEA policy. Those devices remain unmanaged but are still allowed.
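The access rules described in Questions 0, 3, 5 to 9 and 13 can be modelled to estimate, before deployment, which of your users' current mail access paths would end up blocked. The Python below is an added example and not Scalefusion code: the field names, app labels, device IDs and the order in which the rules are checked are assumptions, the inventory is constructed sample data, and the initial quarantine window is not modelled.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    targeted_users: Optional[frozenset] = None  # None = all users (Question 3)
    managed_ids: frozenset = frozenset()        # Exchange IDs of enrolled devices
    supported_apps: frozenset = frozenset()     # stand-in for the Question 2 table
    allowed_ids: frozenset = frozenset()        # explicit allow (Question 13)
    allow_web: bool = False                     # Question 7 override
    allow_outlook: bool = False                 # Question 8 override
    in_grace: bool = False                      # Question 5 grace period running

def decide(p, user, channel, app=None, exchange_id=None):
    """Steady-state outcome for one access path (rule order is an assumption)."""
    if p.targeted_users is not None and user not in p.targeted_users:
        return "allow (user not targeted)"
    if channel == "web":
        return "allow (web override, unmanaged)" if p.allow_web else "block (web)"
    if channel == "outlook":
        return ("allow (outlook override, unmanaged)" if p.allow_outlook
                else "block (outlook client)")
    if channel in ("pop", "imap"):
        return "block (no device ID to match)"  # only Exchange access carries an ID
    if exchange_id in p.allowed_ids:
        return "allow (explicit, unmanaged)"
    if exchange_id in p.managed_ids:
        return "allow (managed)" if app in p.supported_apps else "block (unsupported app)"
    return "allow (grace period)" if p.in_grace else "block (unmanaged device)"

def impact(p, inventory):
    """Count outcomes across an inventory of current access paths."""
    return Counter(decide(p, **row) for row in inventory)

# Constructed inventory: one row per (user, client) pair seen accessing mail.
INVENTORY = [
    {"user": "alice", "channel": "exchange", "app": "gmail", "exchange_id": "SF-A1"},
    {"user": "alice", "channel": "web"},
    {"user": "bob", "channel": "exchange", "app": "ios-mail", "exchange_id": "UNK-77"},
    {"user": "bob", "channel": "imap", "app": "thunderbird"},
    {"user": "carol", "channel": "outlook"},
]
POLICY = Policy(managed_ids=frozenset({"SF-A1"}),
                supported_apps=frozenset({"gmail", "ios-mail"}))

if __name__ == "__main__":
    for outcome, count in impact(POLICY, INVENTORY).items():
        print(count, outcome)
```

Re-running `impact` with `allow_web=True` or `in_grace=True` shows how each override widens access from unmanaged devices.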
Please feel free to reach out to our support team at firstname.lastname@example.org for any questions.