My company is giving out new Android smartphones to employees, and they should be able to manage their e-mail on them. Currently, only access via webmail is enabled, but the mobile webmail client (Zimbra) is awkward and very feature-limited. Therefore, granting access to e-mail clients (mobile apps) seems to be a good move. However, client software would not be controlled by the company in this scenario, so I need to figure out a way to limit e-mail access to client apps installed by the company, on the issued smartphones. What is currently considered best practice for this (in an open-standards-based, non-MS environment)?

I found articles that suggest S/MIME certificates, but they seem to be about much more than just regulating client access (also encryption etc.).

Would implementation of S/MIME for mobile/desktop clients require doing the same for webmail sessions (installing certificates in browsers...), or could a standard server be configured in such a way as to require certificate authentication only from mobile/desktop clients but not from browsers?

  • Your options may be limited by whatever MDM solution you employ to provision the mail credentials (you are putting company phones under company management, so only authorized software can be installed on the device in the first place, right?)
    – anx
    Jun 4, 2022 at 18:54
  • This is clearly an organizational problem and not an IT problem. Let all users sign a compliance form which states that access is only allowed using the provided email client app. BTW: S/MIME is for signing and/or encrypting emails; it will not help you to restrict users to a certain mail app.
    – Robert
    Jun 4, 2022 at 19:31
  • Are the first steps on your checklists for "smartphone compromised by third party, credentials used elsewhere" and "smartphone compromised by employee, credentials used in alternate app" meaningfully different? Because if not, why not just settle with "We already have monitoring for this, just put in another alert rule for unknown user agent"?
    – anx
    Jun 4, 2022 at 20:54
  • @anx, yes, the phones are managed with Apptec360 MDM.
    – Ben Opp
    Jun 4, 2022 at 23:18
  • @anx About your 2nd question, I'd say yes - the employee would be using the e-mail access for intended purposes, but with unvetted, potentially insecure software, while a 3rd party would probably use the credentials for malicious purposes (spamming...). Tbh I don't know server settings such as alert rules (someone else manages that). Are you saying clients can be locked out based on user agent?
    – Ben Opp
    Jun 4, 2022 at 23:28
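The "alert rule for unknown user agent" idea from the comments, as an added example that is not part of the original thread: a small script that scans mail login log lines for clients outside an allowlist. The log line format, the client name `CompanyMail` and the ID strings are all constructed for the example; real Zimbra or IMAP server logs will differ, and the reported client string is self-declared by the client, so this is detection, not enforcement (the MDM remains the actual control).

```python
import re
from collections import namedtuple

# Constructed sample log (not real Zimbra output): one line per successful
# IMAP login, with the client-reported identification string.
SAMPLE_LOG = """\
2022-06-04T18:54:01Z imap-login: user=<alice@example.com> ip=10.0.0.5 client="CompanyMail/2.1 (Android 12)"
2022-06-04T18:55:13Z imap-login: user=<bob@example.com> ip=10.0.0.9 client="CompanyMail/2.1 (Android 12)"
2022-06-04T19:02:44Z imap-login: user=<alice@example.com> ip=198.51.100.7 client="K-9 Mail/6.0"
2022-06-04T19:10:00Z imap-login: user=<carol@example.com> ip=10.0.0.12 client=""
"""

# Allowlist of client ID patterns the company issues (assumed name/version).
ALLOWED_CLIENTS = (re.compile(r"^CompanyMail/2\.\d+ \(Android"),)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) imap-login: user=<(?P<user>[^>]+)> '
    r'ip=(?P<ip>\S+) client="(?P<client>[^"]*)"$'
)

Alert = namedtuple("Alert", "ts user ip client reason")


def parse_line(line):
    """Return the fields of one login line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def client_allowed(client):
    """True if the self-reported client string matches an approved pattern."""
    return any(p.match(client) for p in ALLOWED_CLIENTS)


def find_alerts(log_text):
    """Flag logins from unapproved clients and logins with no client ID.

    The client string is chosen by the client, so a missing or unexpected
    value is a signal to investigate, not proof of misuse.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or malformed line
        if not rec["client"]:
            alerts.append(Alert(rec["ts"], rec["user"], rec["ip"], rec["client"], "no client id"))
        elif not client_allowed(rec["client"]):
            alerts.append(Alert(rec["ts"], rec["user"], rec["ip"], rec["client"], "unapproved client"))
    return alerts
```

Running `find_alerts(SAMPLE_LOG)` flags alice's login from K-9 Mail and carol's login with an empty client ID; the two CompanyMail logins pass.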
