Mobile Device Management with Conditional Access
Most organizations encourage employees to use mobile applications, accessed from their personal or company-provided smartphones, to stay productive on the go. Users access critical and sensitive data on their mobiles through different apps such as Mail, Calendar, CRM, etc. Data security is as important as productivity, and Mobile Device Management (MDM) helps achieve this. Zoho Mail uses ManageEngine's Mobile Device Management to protect your organization's email data.
ManageEngine Mobile Device Management (MDM) helps to manage and secure mobile devices used within an organization. MDM ensures the security of corporate data and applications on mobile devices while also maintaining the privacy and functionality of the user's personal data. Administrators can define policies and restrictions to ensure compliance with security standards, prevent unauthorized access, and maintain a secure mobile environment. MDM, through conditional access, restricts users from performing specific actions within their mobile applications to safeguard sensitive data within the organization.
Only the Super Administrator of the organization can enable and set up MDM for the organization. Enabling MDM for your organization and setting up Android For Work (AFW) and Apple Push Notification Service (APNs) is a one-time process and completely hassle-free.
Prerequisites to configure MDM for Zoho Mail Apps:
- Corporate Google account - Android For Work (AFW)
- Corporate Apple account - Apple Push Notification Service (APNs)
- APNs certificate generated using a corporate ID.
Note:
- The corporate accounts used for AFW and APNs should not be used for any other service.
- The MDM feature is currently available only if you have subscribed to one of the paid plans of Zoho Workplace, Zoho Mail Premium plan, or the Zoho Mail Mix and Match / Flexible plans. Reach out to support@zohomail.com for more details.
Create a group
Creating groups in Admin Console is the first step in setting up MDM with conditional access. Managing the user access to mobile apps requires creating a minimum of three different groups.
Note:
It is up to the administrator of an organization to create groups as per their requirements. However, it is recommended to create one group for each conditional access policy and provide the name as suggested below:
- Conditional access - device only
- Conditional access - device or allowed IP range
- Conditional access - device and allowed IP range
Follow these steps to create a group in Zoho Mail Admin Console:
- Log in to Zoho Mail Admin Console and navigate to Groups on the left pane.
- Click Create and enter the group name.
- Provide the desired group email address and choose who can send emails to the group.
- Click Proceed and, on the user addition page, add only the Super Admin of the organization to the group.
Note:
- Adding all users to the group applies conditional access policies right away, which can prevent users from enrolling their devices.
- So, it is recommended to add only the Super Admin account when initially creating groups in the Admin Console.
- The added Super Admin account can be excluded from the conditional access restrictions, if necessary, in a later step.
- Follow the same steps to create the groups for the other two conditional access policies.
You have now successfully created groups for MDM with conditional access.
Create a Zoho Directory account
After creating groups in the Admin Console, the next step in setting up MDM for your organization is to enable a Zoho Directory account if you don't already have one. Follow the steps given in this help page for more details.
Security policy for conditional access
Once you complete the initial setup of Zoho Directory, you should create security policies and associate each policy with the corresponding group you created in the Admin Console. Follow the steps below to create a security policy:
- Log in to your Zoho Directory account.
- Select Admin Panel from the left pane.
- Navigate to the Security section and select Security Policies from the top menu.
- Enter a Name for the policy.
Note:
Zoho Mail allows four different access restrictions, and it is recommended to name each security policy according to its intended function (restriction), which makes it easier to associate groups with the appropriate security policies, such as:
- Device only
- Device or allowed IP range
- Device and allowed IP range
- None
- Choose the respective group that the policy should be applied to.
- In the Exclude Users field, select the Super Admin account if you do not want the security policy to apply to it.
Note:
Exclude the Super Admin user you added during group creation to prevent the Super Admin from being affected by conditional access restrictions.
- Choose the policy priority as Default Policy and click Add.
Once you've created a security policy, it will be listed in the Security Policies section. To learn more about security policies, click here.
Setting up Access Restrictions
Once you create and associate security policies with the respective groups, administrators should configure IP restrictions to prevent unauthorized access to mobile applications. Each security policy behaves differently, so for the security policies that require IP restrictions, administrators should enable these restrictions in Zoho Directory. Follow the steps below to understand the security policies and configure IP restrictions within them:
- Device only - Access restricted to Zoho Mail app on enrolled mobile devices.
Users associated with this security policy group are required to access their Zoho Mail accounts solely through the Zoho Mail app installed on their enrolled mobile devices, ensuring sensitive data remains within the organization's controlled environment and limiting access to company-issued mobile devices.
- Device or Allowed IP addresses - Access allowed from enrolled devices or specified IP ranges.
Users under this security policy have the flexibility to access their accounts either from their enrolled device or from a location within the Allowed IP range specified by administrators, ensuring secure access from trusted locations such as company-issued and personal devices within the organization's premises or designated IP range.
To set up IP restrictions for users associated with this policy, navigate to Zoho Directory, click on the created security policy (Device or Allowed IP addresses), go to the Allowed IPs section and set up IP restrictions according to your preferences. These IP restrictions will be applied to users associated with this security policy.
- Device and Allowed IP addresses - Access limited to enrolled devices within specified IP ranges.
Under this policy, specified users are mandated to access the mobile app solely from their enrolled device, and their IP address must fall within the allowed IP range specified by administrators, thus permitting access only from company-issued devices within the organization's premises or designated IP range to minimize the risk of unauthorized access.
To set up IP restrictions for users associated with this policy, navigate to Zoho Directory, click on the created security policy (Device and Allowed IP addresses), go to the Allowed IPs section and set up IP restrictions according to your preferences. These IP restrictions will be applied to users associated with this security policy.
- None - No access restrictions; users can access from any device or location.
Users associated with this security policy face no restrictions when using their mobile devices to access their accounts, allowing them to access their Zoho Mail accounts from any device and location without any specific restrictions, thus providing greater flexibility for remote work and collaboration.
Note:
- Ensure each security policy is associated with the respective groups.
- Make sure to whitelist your IP addresses in the Allowed IP section of security policies so that users can only access their accounts from approved IP addresses. Learn more.
- Once you assign security policies to each group and set up IP restrictions, reach out to support@zohomail.com to enable the conditional policy access for your organization.
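The four restrictions above combine two signals, whether the request comes from an enrolled device and whether its source address falls in the Allowed IPs list, and they only bind users in the associated group who are not in Exclude Users. The following script is an added example, not Zoho's or ManageEngine's code, that models those rules so an administrator can check allowed-IP ranges and group/exclusion settings against expected sign-in scenarios before asking support to enable enforcement. The restriction names follow this page; the evaluation rules, helper names and sample values are assumptions constructed for illustration.

```python
"""Added example (not Zoho's or ManageEngine's code): a model of the four
conditional-access restrictions this page describes. The restriction names
follow the page; the evaluation rules, helper names and sample values are
assumptions constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# The four restriction types a Zoho Directory security policy can express.
DEVICE_ONLY = "Device only"
DEVICE_OR_IP = "Device or allowed IP range"
DEVICE_AND_IP = "Device and allowed IP range"
NONE = "None"


@dataclass
class SecurityPolicy:
    name: str
    restriction: str
    group_members: set                                # users in the associated group
    excluded_users: set = field(default_factory=set)  # Exclude Users field (e.g. Super Admin)
    allowed_ips: list = field(default_factory=list)   # Allowed IPs section, CIDR strings

    def networks(self):
        """Parse the Allowed IPs entries; strict=False tolerates host bits being set."""
        return [ipaddress.ip_network(c, strict=False) for c in self.allowed_ips]


def validate_allowed_ips(cidrs):
    """Return the entries that are not valid IP addresses or networks, so typos
    are caught before they lock users out."""
    bad = []
    for entry in cidrs:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def ip_allowed(client_ip, policy):
    """True when client_ip lies inside any Allowed IPs entry of the policy."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable source address never satisfies an IP restriction
    return any(addr in net for net in policy.networks())


def access_allowed(user, enrolled_device, client_ip, policy):
    """Decide whether a Zoho Mail app sign-in should be allowed under the policy.

    enrolled_device: the request comes from a device enrolled through MDM.
    client_ip: the source address of the request.
    """
    # Policies only bind users in the associated group; excluded users are exempt.
    if user not in policy.group_members or user in policy.excluded_users:
        return True
    if policy.restriction == NONE:
        return True
    if policy.restriction == DEVICE_ONLY:
        return enrolled_device
    if policy.restriction == DEVICE_OR_IP:
        return enrolled_device or ip_allowed(client_ip, policy)
    if policy.restriction == DEVICE_AND_IP:
        return enrolled_device and ip_allowed(client_ip, policy)
    raise ValueError(f"unknown restriction: {policy.restriction}")


def decision_table(policy, scenarios):
    """Evaluate (user, enrolled, ip) scenarios and return {scenario: allowed}."""
    return {s: access_allowed(s[0], s[1], s[2], policy) for s in scenarios}


if __name__ == "__main__":
    # Constructed sample: one group, the Super Admin excluded, one office range
    # (203.0.113.0/24 is a documentation range, not a real office network).
    policy = SecurityPolicy("Conditional access - device and allowed IP range",
                            DEVICE_AND_IP,
                            group_members={"alice", "superadmin"},
                            excluded_users={"superadmin"},
                            allowed_ips=["203.0.113.0/24"])
    scenarios = [("alice", True, "203.0.113.7"),         # enrolled, in office: allow
                 ("alice", True, "198.51.100.9"),        # enrolled, off-site: deny
                 ("alice", False, "203.0.113.7"),        # unenrolled, in office: deny
                 ("superadmin", False, "198.51.100.9")]  # excluded user: allow
    for scenario, allowed in decision_table(policy, scenarios).items():
        print(scenario, "->", "allow" if allowed else "deny")
```

Run `validate_allowed_ips` on the list you intend to paste into the Allowed IPs section first; a single mistyped range in a "Device and allowed IP range" policy denies every user in that group, including enrolled devices, which is why the page recommends keeping the Super Admin excluded until enrollment is complete.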
Accessing MDM in Zoho Mail Admin Console
Once the conditional access policies are enabled for your organization, you can view the Get Started button in the Mobile Device Management (MDM) section under Security & Compliance in Admin Console.
Follow these steps to configure MDM for your organization users:
- Log in to Zoho Mail Admin Console and navigate to Security & Compliance.
- Select Mobile Device Management and click Get Started.
- The steps involved in enabling MDM are described below.
Configure MDM for Android device
After selecting Get Started on the Mobile Device Management page of Admin Console, follow these instructions to configure AFW:
- Click the Configure button in the Android For Work page. The Google Play accounts enterprise page appears in a new window or tab.
- Sign in with your existing admin credentials to create a new admin account for your organization.
Note:
- Ensure you have a unique Corporate Google account without any previously created organizations.
- If you already have an organization associated with your Google account, refer to this document for managing Google Play accounts enterprises.
- Under the Sign up for Android only option, click Sign up on the login page.
- Sign in to your Google account using your account credentials in the Bring Android to Work page that appears.
- The steps that follow are applicable if you are enrolling in AFW for the first time:
- Add the Name, Email and Phone number of your organization's Data Protection Officer.
- Add details of your Representative based on your country.
- Select the terms and conditions checkbox and click Confirm. The Setup is now complete.
- Click Re-enroll in the Google Play page that appears. You'll be redirected to the Zoho Mail Admin Console MDM configuration page.
- Click Complete Registration. AFW is successfully configured for your organization.
- Select Proceed to iOS Configuration page to continue setting up Apple push notification service.
Configure MDM for iOS
Prerequisites
- Ensure you have a unique corporate Apple account for your organization.
- A valid Apple Push Notification Service (APNs) certificate is mandatory for your organization.
- VendorCSR file to be downloaded from Admin Console before continuing with the configuration steps.
After completing the Android configuration, you can proceed to iOS configuration. To enable MDM to manage your Apple account, a Vendor CSR file must be downloaded from the Admin Console. Subsequently, the downloaded file needs to be uploaded to your Apple Push Certificates Portal to generate an APNs certificate. This certificate allows the MDM server to securely send push notifications to enrolled iOS devices, thereby enabling remote management and control of various aspects of those devices. Therefore, obtaining the APNs certificate is crucial for seamless and secure mobile device management of iOS devices. Follow the instructions below to generate the APNs certificate and configure MDM for iOS:
- On the Admin Console's iOS CONFIGURATION page, download the VendorCSR file.
- Log in to your Apple account using your Corporate Apple ID. The Apple Push Certificates Portal appears.
- If configuring MDM for the first time, click Create a Certificate.
- Click Choose file and select the VendorCSR file downloaded and click Upload. The APNs certificate gets created successfully.
- Click Download to save the APNs certificate or click the Manage Certificates button to Renew or Revoke the existing certificates.
- Navigate back to Zoho Mail Admin Console, click Choose file and attach the APNs certificate from your computer.
- Enter the Corporate Apple ID used to create the APNs.
- Add the admin email address that should receive APNs certificate expiry notifications.
- Click Upload.
Note:
The APNs certificate must be renewed every year.
Configure App restrictions
Configuration of AFW and APNs is now complete. The APP RESTRICTIONS page appears, which allows you to enable or disable app restrictions. Follow these steps to configure the restrictions:
- Select the preferred app from the listing and click the toggle button next to each restriction to the ON position to enable them for your organization's users.
- Once done, click the Publish button to complete MDM setup.
You have now completed the MDM configuration for your organization.
Self-enrolment by Users
Once MDM is configured in the Zoho Mail Admin Console, it is essential for organization users to complete their user self-enrollment process. This ensures that all the restrictions set within the MDM configuration and Zoho Directory are enforced and applied to each user effectively. By completing the self-enrollment process, users enable themselves to adhere to the organization's security policies, thereby safeguarding sensitive data and maintaining compliance with security protocols. Administrators should share the Enrollment URL provided in the Admin Console with users who will be using the Zoho Mail app on their mobile devices for enrollment.
Follow these steps to share the enrolment URL:
- Log in to Zoho Mail Admin Console and select Security & Compliance on the left pane.
- Navigate to Settings under Mobile Device Management section. The General tab appears by default.
- Copy the Enrolment Link and share it with the users.
Note:
Once all users have completed their self-enrollment, administrators can add them to their respective groups in the Admin console. This completes the entire MDM setup and enables the enforcement of access and app restrictions as configured.
Managing MDM Configuration
In the Mobile Device Management section of the Admin Console's left menu, administrators have a range of options to efficiently manage and oversee all the configuration within MDM. Administrators can manage and update the app restrictions, view enrolled devices, or share the enrollment link with users from this section. This section includes the following options:
- Apps - Displays the list of applications enabled or disabled for your organization's users. Hover over an application in the list and click Configure restrictions. Here, you can modify your app restrictions using the toggle button for each restriction.
- Enrolled Devices - Displays the list of devices that are enrolled by your organization's users. You can also use the Filter option in the top menu to sort devices based on the platform (Android/iOS). Click Refresh to view the newly enrolled list of devices.
- Settings - The General, Notifications, Android Configuration and iOS Configuration tabs allow you to manage the MDM settings of your organization.
  - General - Share the Enrolment Link with users, and define the Device Limit for each user.
  - Notifications - Add or remove the admin email addresses to which new enrolment notification emails must be sent.
  - Android Configuration - Displays your organization's AFW registration details.
  - iOS Configuration - Displays your organization's APNs certificate details. You can also manage the expiry notification email address from this tab.