How to restrict end-users to configure email settings on personal profile?
No MDM policy can be imposed on personal profile in BYOD. That is exactly the expected behavior for BYOD by definition.
Can we do a workaround or alternative way on the scenario?
If your corporate email server supports required security features (such as AD/LDAP authentication, certificates, etc.), you can push the required certificate for use by the email client within the work profile. Any email client installed by the end-user in the personal profile should not be able to access his/her corporate email account content due to the lack of the required certificate.
Thanks Raymond. I'd like to clarify, where in MobiControl can we set this up? Is this applicable for both Android and iOS?
Certificate payload in either Android or iOS profiles is used for certificate deployment.
However, the more crucial part is the actual configuration of your e-mail server, which has basically nothing to do with MobiControl.
If your email server has been set up to use AD/LDAP to authenticate your email end-user on non-shared mobile devices, you might also set up AD/LDAP integration in the Servers tab of MobiControl.
If we push certificates onto devices, how can we separate certificates on personal-email-client and work-email-client? If we deploy certificates via MobiControl or Mail server, can this certificate be only used on Work-email-client? I'm new to stuff regarding certificates.
When you mentioned BYOD, I assumed that you are using containerization (Android Enterprise device-owner mode, Samsung Knox, etc.). So certificate payload only targets email client app in the container, which is a totally separate memory space not accessible by personal apps in the personal profile (i.e. outside the container).
Have you tried configuring the email application yet in your BYOD environment on these devices? If so, are you having difficulty theoretically in how this would be applied or have you already tested in the Enterprise work spaces and have found the containerization does allow for them to install the work profile in the personal space using the certificates that have been deployed via MobiControl?
I would like to think the intention of separate work spaces has always been to have the separation you require by default and to allow the admin to configure corporate settings to only be accessible in that container.
Let me know if you are having a different experience.
I am including a link for both iOS, Android and Android Enterprise e-mail setup for anyone else that may be looking for configuration info below.
Technical Support | SOTI Inc. |1.905.624.9828 | firstname.lastname@example.org | soti.net |