Configure CEA for Zimbra Email Service
  • 23 Sep 2023
  • 8 Minutes to read
  • PDF

Configure CEA for Zimbra Email Service

  • PDF

Article summary

Zimbra is a cloud-based collaboration Software and Email Platform that Integrates with Proprietary Business Solutions.

Scalefusion integrates with Zimbra to bring conditional email access. This integration allows consumers of Zimbra email services to ensure that their employees access Zimbra email only from Scalefusion-managed devices.

In this document, we cover the steps required to set up Scalefusion for conditional email access for the Zimbra email service.

Please note that Conditional Exchange Access for Zimbra is supported only on Zimbra 10 Network Edition.


  1. Please read through our CEA Pre-Deployment Guide
  2. Scalefusion Account with Enterprise License
  3. Zimbra 10 Network Edition
    1. Zimbra Administrator Credentials

Now that you have completed all the steps required to configure CEA follow the steps below to set up CEA.

  1. Sign In to the Scalefusion portal, navigate to the Conditional Email Access section and click Configure to open the CEA wizard.
  2. Configure Access: The first step is to configure the access and allow Scalefusion access to your Zimbra account and users. For this, you would need the Zimbra administrator user email and password.
    1. Email Service Type: Select Zimbra
    2. Enter Zimbra Server URL: Enter zimbra server URL. Typically URL is like this: https://your_admin_console_domain_with_port/service/admin/soap
    3. Enter Zimbra Administrator Username: Enter the email id of the Zimbra administrator account
    4. Enter Zimbra Administrator Password: Enter the password of the Zimbra administrator account role
    5. You can either click on Validate to validate the settings or Next to proceed to the next step, in which case the validation would happen while saving the settings.

      Please note that once you click on Validate, it takes about 30 seconds to a minute for the credentials to be validated.
  3. Configure Policy: The settings in this tab allow you to define the policies on the basis of which the conditional email access is enforced. Divided into 4 sections to let you easily understand and configure the desired policy.
    1. Access Policy: This section lets you define the broader access policies that apply to all users/devices.
      1. Default Global Access Policy:
        To achieve CEA, all access to email on new devices from any user in the organization is Allowed.
        Access to email on new devices from any user in the organization is Allowed initially. This means users are allowed to access their emails till the next sync takes place. After syncing, whether the access will be allowed or blocked or a grace period will be offered will be based on the CEA policy set on the Scalefusion Dashboard.
        Note that when the policy is set to Allowed, another setting is available, which is Allow Management of Non-Target Users. If this is toggled On, the non-target users' devices are synced, and their E-mail access information is also available on the CEA Control Panel.
      2. Block Email Access from Outlook: Choose if the users should be allowed to access Emails from Outlook or should be blocked. By default, we suggest blocking it on Android, iOS and Windows, as the CEA policies can be applied on these platforms. If Outlook access is blocked, then:
        1. All users will be blocked from accessing emails using Outlook clients on Android & iOS.
        2. On Windows, only the users that are defined by the Target users in Step v below will not be able to access Email using the Outlook client. Other users can still access it.

          macOS: Since there are no APIs available for macOS, we recommend not blocking access on a Mac

      3. Block Outlook Web Access: Choose if users should be allowed to access Emails using Outlook web access from browsers like Google Chrome, Microsoft Edge Safari etc. By default, we suggest disabling this, and with this, all users are blocked from accessing emails using browsers.
      4. Block POP/IMAP Access to Email: Blocks access to email via POP/IMAP. This is to prevent unapproved clients from accessing email.
      5. Select Target Users: This is one of the most important settings that defines which users are targeted by the CEA and which users are exempted. The options are,
        1. All Users: Select this to target all users in your organization and apply CEA policies.
        2. Imported Users: Select this to target only the users that you either Import/Add using User management or add their email IDs to custom properties/fields.
          Please note that any access to emails from existing users on new devices will, by default, be quarantined. Based on the target users set, they will be either allowed to access without enrolling their devices to Scalefusion or enforced to enroll their devices in Scalefusion.
    2. Grace Period: This section lets you define a grace period for the users during which they are allowed to access emails. Beyond the grace period, their access will be blocked, and they will be forced to enroll their devices.
      1. Configure Grace period for Users: Select a suitable grace period for users.
      2. Apply Grace Period To: For the Target users defined as per the access policy above, choose if the grace period should be applied to their existing devices and/or when they access emails on new devices. Unchecking an option means they would not be allowed a grace on the devices and would be forced to enroll their devices.
    3. Enrollment Settings: This section lets you choose the default enrollment profile for BYOD devices.
      1. Default Enrollment Configuration for User Enrolled Devices: From the dropdown, select a BYOD/Personal QR Code configuration that will be used to enroll the users.
      2. Apply these settings for all Corporate Owned Devices: This is a marker set, and by default, we would be applying these settings to all Corporate Owned devices. Please note that though it is applied for all CO devices, the settings will be pushed to devices that have an email ID set as a custom property.
    4. Configure Email Templates & Reminders: The last section lets you define the email content that will be sent to the users informing them to enroll their devices and set the reminder frequency.
      1. Configure Reminder Email Template: Click on the input area to configure the email content. The placeholders like %device_model% or %device_os%, or %days_left% will be updated dynamically based on the device. We also append the required enrollment instructions based on the device type, like the QR Code to scan or the enrollment URL to use.
      2. Reminder Email Frequency: Select how often the users should be reminded to enroll their devices.
  4. Exchange Server Settings: The next section lets you define the exchange settings that will be used to configure exchange on the Scalefusion-managed devices.
    1. Exchange Server Settings: Enter your Zimbra Exchange server settings.
    2. User Sign In Settings: This section lets you define which fields should be used as the email and username when pushing an exchange configuration to the enrolled devices.
      1. User-Initiated Enrollments: For BYOD devices, Scalefusion automatically uses the imported/added user email as the sign-in email.
      2. Corporate Owned Enrollments: Choose which custom field should be used as the email ID & username that will be used to push the exchange configuration.
        All email IDs assigned to the custom fields will be considered target users, and the CEA policies will be applied.
    3. Sync Settings: This section lets you configure the email and calendar sync settings.
  5. Review & Save: The final step is to review the settings, and if everything looks good, click on CREATE.
  6. If the credentials are validated, then you will see the screen below as a confirmation,
    The Sync usually takes around 30 minutes of time, during which the CEA section is disabled to ensure consistency.
  7. Once the initial sync is successful, you will start seeing the information updated as shown below,

Step 5: Update the Device Profiles

Once CEA is configured, you would have to update the device profiles so that users can get access to the applications that they are required to Sign in and access emails. These applications are based on the platforms,

  1. Android: In all the Corporate Owned (Kiosk) profiles and BYOD profiles that you had selected as Default Enrollment profiles, enable GMail and Google Chrome applications.
  2. iOS: If you are managing Supervised/DEP devices, then allow Safari and Mail applications on the device profile.
  3. Windows: There are no specific changes required, but please note that in Windows, CEA or in general, Exchange configurations can be published only to the admin/enrolled accounts. Exchange configuration will not work for standard accounts or restricted accounts.

Now that you have configured CEA go through our document on the CEA Control Panel to learn about the information that is displayed here, various states of devices and how to manage them.

Frequently Asked Questions

Question: Why do we see an exclamation (!) mark once we have configured the CEA?

Answer: This can happen for the following two reasons,

  1. No Imported/Added Users: If you have not imported any users and are trying to configure CEA. Please contact our support to remove the CEA and start afresh.
  2. Invalid Powershell Administrator credentials: If the administrator credentials have been changed, post the configuration. Please edit the configuration and update the credentials.

Question: Why do all users see a Quarantine message once they access email on new devices even though they are not part of target users or are imported to Scalefusion?

Answer: To achieve CEA, by default, the global access policy is set to Quarantine, which means that all users attempting to access emails on new devices, irrespective of being imported/added to Scalefusion, will be quarantined.

Once Scalefusion detects these users and their new devices based on the periodic sync, it applies the policies and allows the users access to emails if allowed by policy.

For a user not targeted by policy, on average, it takes about 3 hours to allow email access on a new device.

Question: Why are the options to Edit, Delete and Sync disabled?

Answer: This is by design. During a sync operation, we disable the options to avoid any conflicts.

Question: What is the default Sync duration, or how often does Scalefusion detect changes?

Answer: Scalefusion detects changes every 2 hours.

Question: What would happen if you delete the CEA configuration?

Answer: Scalefusion would do the following,

  1. Revert the Global Policy from Quarantine to Allowed
  2. Stop managing email access on new and existing devices.
  3. Delete all the data related to users and their devices.

Was this article helpful?