Configure CEA for IceWarp Email Service

IceWarp is a business email and team collaboration software that combines the need of traditional email with the power of modern communication tools to provide a comprehensive team communication suite.

Scalefusion integrates with IceWarp APIs to bring conditional email access. This integration allows consumers of IceWarp email services to ensure that their employees access IceWarp email only from Scalefusion-managed devices.

In this document, we cover the steps required to set up Scalefusion for conditional email access for the IceWarp email service.

Prerequisites

1. Please read through our CEA Pre-Deployment Guide
2. Scalefusion Account with Enterprise License
3. IceWarp Administrator Credentials

Step 1: Enable API Access for your IceWarp Instance

The first step is to work with IceWarp support to enable the APIs required for Conditional Email Access. Once the APIs are enabled please obtain the IceWarp API URL (typically https://yourdomain.icewarpcloud.in/icewarpapi/) and then proceed to Step 2.

Step 2: Set Global Policy

The next step is to set global policy for new devices. This would help in making sure that access to emails on devices is by default Quarantined or allowed, and then based on the CEA policies configured in Scalefusion, each access would be reviewed and either allowed or enforced to enroll to Scalefusion. Please perform the steps below,

1. Launch DeepCastle - IceWarp server administration utility and connect to your IceWarp domain.
2. Once logged in, navigate to the management section, click on the Devices tab and from the New devices in this domain, select Quarantine or Allow
3. Click Save to save the settings.

Step 3: Block Web Email Access & POP/IMAP

Once CEA is enforced, users are allowed to use only the approved clients to access Emails. Scalefusion supports only GMail for Android, native Mail app for iOS and Windows Mail client to access emails on managed devices. Since IceWarp APIs do not allow for blocking Web Email access & POP/IMAP, please work with IceWarp support to block the Web Email access and access via POP/IMAP.

Step 4: Configuring Conditional Email Access in Scalefusion

Now that you have completed all the steps required to configure CEA follow the steps below to set up CEA.

1. Sign In to the Scalefusion portal, navigate to the Conditional Email Access section and click Configure to open the CEA wizard.
2. Configure Access: The first step is to configure the access and allow Scalefusion access to your IceWarp account and users. For this, you would need the IceWarp administrator user email and password.
   1. Email Service Type: Select IceWarp Cloud
   2. Enter IceWarp Server URL: Ensure that the APIs are enabled for your account and enter your IceWarp API server URL as obtained in Step 1. Typically the API URL is of the format https://yourdomain.icewarpcloud.in/icewarpapi/
      
      
      The / at the end of the URL is mandatory.
   3. Enter IceWarp Administrator Username: Enter the email id of the IceWarp administrator account
   4. Enter IceWarp  Administrator Password: Enter the password of the IceWarp administrator account role
   5. You can either click on Validate to validate the settings or Next to proceed to the next step, in which case the validation would happen while saving the settings.
      
      
      Please note that once you click on Validate, it takes about 30 seconds to a minute for the credentials to be validated.
3. Configure Policy: The settings in this tab allow you to define the policies on the basis of which the conditional email access is enforced. Divided into 4 sections to let you easily understand and configure the desired policy.
   1. Access Policy: This section lets you define the broader access policies that apply to all users/devices.
      1. Default Global Access Policy: To achieve CEA, all access to email on new devices from any user in the organization is Quarantined or Allowed. Please refer to Step 2: Set Global Policy. If allowed, access to email on new devices from any user in the organization is Allowed initially. This means users are allowed to access their emails till the next sync takes place. After syncing, whether the access will be allowed or blocked or the grace period being offered will be based on the CEA policy set on the Scalefusion Dashboard.

         If quarantined, then any user trying to access email will first be quarantined and validated against the CEA policy set. If they are supposed to be allowed without their devices being enrolled in Scalefusion or are supposed to be offered a grace period, then they are removed from quarantine state.

         Please note once the users are removed from the Quarantine state, it takes around 3 hours for the changes to take effect on the device. This is the average turnaround time for Microsoft Exchange.
      2. Block POP/IMAP Access to Email: Please contact the IceWarp support team to have this option blocked.
      3. Block Web Access to Email: Please contact the IceWarp support team to have this option blocked to prevent users from accessing emails using browsers like Google Chrome, Microsoft Edge Safari etc.
      4. Select Target Users: This is one of the most important settings that defines which users are targeted by the CEA and which users are exempted. The options are,
         1. All Users: Select this to target all users in your organization and apply CEA policies.
         2. Imported Users: Select this to target only the users that you either Import/Add using User management or add their email IDs to custom properties/fields.
            
            Please note that any access to emails from existing users on new devices will, by default, be quarantined. Based on the target users set, they will be either allowed to access without enrolling their devices to Scalefusion or enforced to enroll their devices in Scalefusion.
   2. Grace Period: This section lets you define a grace period for the users during which they are allowed to access emails. Beyond the grace period, their access will be blocked, and they will be forced to enroll their devices.
      1. Configure Grace period for Users: Select a suitable grace period for users.
      2. Apply Grace Period To: For the Target users defined as per the access policy above, choose if the grace period should be applied to their existing devices and/or when they access emails on new devices. Unchecking an option means they would not be allowed a grace on the devices and would be forced to enroll their devices.
   3. Enrollment Settings: This section lets you choose the default enrollment profile for BYOD devices.
      1. Default Enrollment Configuration for User Enrolled Devices: From the dropdown, select a BYOD/Personal QR Code configuration that will be used to enroll the users.
      2. Apply these settings for all Corporate Owned Devices: This is a marker set, and by default, we would be applying these settings to all Corporate Owned devices. Please note that though it is applied for all CO devices, the settings will be pushed to devices that have an email ID set as a custom property.
   4. Configure Email Templates & Reminders: The last section lets you define the email content that will be sent to the users informing them to enroll their devices and set the reminder frequency.
      1. Configure Reminder Email Template: Click on the input area to configure the email content. The placeholders like %device_model% %device_os%, or %days_left% will be updated dynamically based on the device. We also append the required enrollment instructions based on the device type, like the QR Code to scan or the enrollment URL to use.
      2. Reminder Email Frequency: Select how often the users should be reminded to enroll their devices.
      3. Quarantine Email Content: Please contact IceWarp support to configure quarantine email content.
4. Exchange Server Settings: The next section lets you define the exchange settings that will be used to configure exchange on the Scalefusion-managed devices.
   1. Exchange Server Settings: Enter your IceWarp Exchange server settings.
   2. User Sign-In Settings: This section lets you define which fields should be used as the email and username when pushing an exchange configuration to the enrolled devices.
      1. User-Initiated Enrollments: For BYOD devices, Scalefusion automatically uses the imported/added user email as the sign-in email.
      2. Corporate Owned Enrollments: Choose which custom field should be used as the email ID & username that will be used to push the exchange configuration.
         
         All email IDs assigned to the custom fields will be considered target users, and the CEA policies will be applied.
   3. Sync Settings: This section lets you configure the email and calendar sync settings.
5. Review & Save: The final step is to review the settings, and if everything looks good, click on CREATE.
6. If the credentials are validated, then you will see the screen below as a confirmation,
   The Sync usually takes around 30 minutes of time, during which the CEA section is disabled to ensure consistency.
7. Once the initial sync is successful, you will start seeing the information updated as shown below,

Step 5: Update the Device Profiles

Once CEA is configured, you would have to update the device profiles so that users can get access to the applications that they are required to Sign in and access emails. These applications are based on the platforms,

1. Android: In all the Corporate Owned (Kiosk) profiles and BYOD profiles that you had selected as Default Enrollment profiles, enable GMail and Google Chrome applications.
2. iOS: If you are managing Supervised/DEP devices then allow Safari and Mail application on the device profile.
3. Windows: There are no specific changes required, but please note that in Windows, CEA or in general, Exchange configurations can be published only to the admin/enrolled accounts. Exchange configuration will not work for standard accounts or restricted accounts.

Now that you have configured CEA go through our document on the CEA Control Panel to learn about the information that is displayed here, various states of devices and how to manage them.

Frequently Asked Questions

Question: Why do we see an exclamation (!) mark once we have configured the CEA?

Answer: This can happen for the following two reasons,

1. No Imported/Added Users: If you have not imported any users and are trying to configure CEA. Please contact our support to remove the CEA and start afresh.
2. Invalid Powershell Administrator credentials: If the administrator credentials have been changed, post the configuration. Please edit the configuration and update the credentials.

Question: Why do all users see a Quarantine message once they access email on new devices even though they are not part of target users or are imported to Scalefusion?

Answer: To achieve CEA, by default, the global access policy is set to Quarantine, which means that all users attempting to access emails on new devices, irrespective of being imported/added to Scalefusion, will be quarantined.

Once Scalefusion detects these users and their new devices based on the periodic sync, it applies the policies and allows the users access to emails if allowed by policy.

Question: Why are the options to Edit, Delete and Sync disabled?

Answer: This is by design. During a sync operation, we disable the options to avoid any conflicts.

Question: What is the default Sync duration, or how often does Scalefusion detect changes?

Answer: Scalefusion detects changes every 2 hours.

Question: What would happen if you delete the CEA configuration?

Answer: Scalefusion would do the following,

1. Revert the Global Policy from Quarantine to Allowed
2. Stop managing email access on new and existing devices.
3. Delete all the data related to users and their devices.