- 23 Sep 2023
- 4 Minutes to read
Conditional Email Access Pre-Deployment Guide
- Updated on 23 Sep 2023
- 4 Minutes to read
Conditional Email Access can be configured easily, however, for an IT Admin, it is important to know what to expect once CEA is configured. This guide will help you understand how CEA is enforced on users/devices and the options that you have to seamlessly introduce CEA in your organization.
Question 0: How does Conditional Email Access Work?
Answer: An end user can access email via the following means,
- Email apps that use Exchange protocols such as Outlook, Gmail, Mail for iOS & Windows Mail etc..
- Email apps that use POP/IMAP protocol, such as Thunderbird etc.
- Using Web-Browsers like Google Chrome, Microsoft Edge, or Safari
When an Email is accessed via Exchange protocol, then these Email apps generate a unique ID and provide that unique ID to email providers like Microsoft Exchange Online (Office 365), IceWarp or On-Premise Exchange.
When an iOS or Windows device is enrolled in Scalefusion, then it syncs its unique Exchange ID or Device ID, and on Android 7.0 and above devices which are EMM managed, Scalefusion can configure an Exchange ID on the device for the Gmail app.
Since the only time a device is associated with a unique ID is when the Email is being accessed via Exchange protocol, Scalefusion allows you to configure a conditional email access policy that blocks access on all the devices and all protocols (POP/IMAP, OWA, Web etc) and selectively allow access on devices managed by Scalefusion using the unique Exchange ID and supported Email applications.
Question 1: What OS/Platforms support Conditional Email Access (CEA)?
Answer: Conditional Email Access is supported for Android 7.0 & above, Windows 10 & above, & iOS 11 & above. The Android devices should be EMM Managed.
Question 2: Once CEA is configured, how would the end users access Emails?
Answer: This is one of the most important questions and you should understand that once CEA is configured, users can access Emails using only specific Email apps. The table below provides the information,
Question 3: Will configuring CEA impact all our existing Users and their access to Emails?
Answer: We have given the controls that let you control which users come under the purview of CEA. You can choose to either target All users in your organisation or only specific users that are imported/added to Scalefusion.
However, please note that once CEA is configured, the access to Emails is based on the Global Access policy (Quarantined or Allowed) set at the time of CEA configuration. More details on the Global Access policy are available in configured CEA documents.
Question 4: Can we enforce all our users to enroll their current devices from where they are accessing their Emails?
Answer: Yes. You can enforce all users in your organization to enroll their current devices to Scalefusion by configuring the policies to target all users and existing devices.
Question 5: Can we provide a Grace period to our users and encourage them to enroll their devices before blocking their Email access?
Answer: Yes. You can configure a grace period during which the users will receive Email alerts to enroll their devices. During the grace period their access to Email is not blocked. Once the grace period is over, their access to Email is blocked on that device.
Question 6: If a user's access to email is to be blocked, does CEA block the device or block the user to prevent Email access?
Answer: This is the combination of User + Device. Scalefusion detects the access to the Email of a particular user on all the devices and blocks their access on unmanaged devices only. On managed devices, their access is allowed only via the Email apps as listed in Question 2.
Question 7: Does configuring CEA prevent Outlook Web-Access or other Web-based methods to access emails?
Answer: Yes. By default, we block access to OWA or web-based methods. However, if you want, you can allow web-based access to emails, but please note that once OWA is allowed, users can access emails from any unmanaged device as well. Please note certain Email providers do not expose this functionality publicly via APIs and provide the controls in their console.
Question 8: Does configuring CEA prevent access to Emails from Microsoft Outlook client?
Answer: Yes. By default, we block access to emails from Microsoft Outlook clients. However, you can choose to allow the users to access Emails from Outlook client, however, in that case, it would be unmanaged.
Question 9: Does configuring CEA prevent access to Emails via POP/IMAP?
Answer: Yes. For Email providers where we can control the access to email via POP/IMAP, we block the access by default. However, certain Email providers do not expose this functionality publicly via APIs and provide the controls in their console.
Question 10: Does CEA provide options to prevent phishing attacks, ransomware attacks, Email forwarding etc.?
Answer: NO. Conditional Email Access is strictly limited to providing IT Admins with a set of policies that allows the access of Emails on Scalefusion-managed devices using the supported Email apps (as listed in Question 2). Beyond this, Scalefusion offers policies that can be applied at a device or a work-profile level that allows overall security policies to be applied on the device.
Question 11: What are the supported Email Providers where we can configure CEA?
Answer: Currently, we support the following providers. Please click on them to learn the specific steps to configure them.
Question 12: Do we need to Sign In to Scalefusion using Azure Active Directory to configure CEA?
Answer: NO. Conditional Email Access can be configured from any Scalefusion account as long as you have an Enterprise plan. Note that you would still need the licenses from your Email provider and ensure that your users have the Email service enabled.
Question 13: Can we enable access to Emails on selected devices without having to enroll them that have been blocked due to CEA?
Answer: Yes. Scalefusion allows you to explicitly Allow access for devices that have been blocked due to CEA policy. Those devices would be unmanaged and still be allowed.
Please feel free to reach out to our support team at email@example.com for any questions.