Mobile Device Management with Conditional Access

As mobile devices become an essential part of the modern workplace, organizational users increasingly rely on mobile applications to access, share, and store sensitive data. Most organizations also encourage employees to use mobile applications, accessed from their personal or company-provided smartphones, to stay productive on the go.

Users access critical and sensitive data on their mobiles using different apps such as Mail, Calendar, CRM, etc. These apps provide gateways to critical resources such as important emails, confidential documents, calendars, and more. However, the convenience of mobile access also introduces risks like unauthorized access, data breaches, and misuse of confidential information. Ensuring the security of this data is as vital as maintaining productivity, and Mobile Device Management (MDM) helps achieve this. 

ManageEngine Mobile Device Management (MDM) helps to manage and secure mobile devices used within an organization. MDM ensures the security of corporate data and applications on mobile devices while also maintaining the privacy and functionality of the user's personal data. Administrators can define conditional access policies and app restrictions to ensure compliance with security standards, prevent unauthorized access, and maintain a secure mobile environment. Through conditional access, MDM restricts users from performing specific actions within their mobile applications to safeguard sensitive data within the organization.

Note:

Only the Super Administrator of the organization can enable and set up MDM for the organization. Enabling MDM for your organization and setting up Android For Work (AFW) and Apple Push Notification Service (APNs) is a one-time process and completely hassle-free.

Prerequisites to configure MDM for Zoho Mail Apps:

  • Corporate Google account - Android For Work (AFW)
  • Corporate Apple account - Apple Push Notification Service (APNs)
  • APNs certificate generated using a corporate ID.

Note:

  • The corporate accounts used for AFW and APNs should not be used for any other service.
  • The MDM feature is currently available only if you have subscribed to one of the paid plans of Zoho Workplace, Zoho Mail Premium plan, or the Zoho Mail Mix and Match / Flexible plans. Reach out to support@zohomail.com for more details.

Create a group

Creating groups in Admin Console is the first step in setting up MDM with conditional access. Managing the user access to mobile apps requires creating a minimum of three different groups.

Note:

It is up to the administrator of an organization to create groups as per their requirements. However, it is recommended to create one group for each conditional access policy and provide the name as suggested below:

  • Conditional access - device only
  • Conditional access - device or allowed IP range
  • Conditional access - device and allowed IP range

Follow these steps to create a group in Zoho Mail Admin Console:

  1. Log in to Zoho Mail Admin Console and navigate to Groups on the left pane.
  2. Click Create and enter the group name.
  3. Provide the desired group email address and choose who can send emails to the group.
  4. Click Proceed and, on the user addition page, add only the Super Admin of the organization to the group.

    Note:

    • Adding all users to the group applies conditional access policies right away, which can prevent users from enrolling their devices. So, it is recommended to initially add only the Super Admin account when creating groups in the Admin Console.
    • The added Super Admin account can be excluded from the conditional access restrictions in a later step, if necessary.
  5. Follow the same steps for the other two conditional accesses.

You have now successfully created groups for MDM with conditional access.

Create a Zoho Directory account

After creating groups in the Admin Console, the next step in setting up MDM for your organization is to enable a Zoho Directory account if you don't already have one. Follow the steps given in this help page for more details. 

Security policy for conditional access

Once you complete the initial setup of Zoho Directory, you should create security policies and associate each policy with the group you created in the Admin Console. Follow the steps below to create a security policy:

  1. Log in to your Zoho Directory account.
  2. Select Admin Panel from the left pane. 
  3. Navigate to the Security section and select Security Policies from the top menu.
  4. Enter a Name for the policy.

    Note:

    Zoho Mail allows four different access restrictions, and it is recommended to name each security policy according to its intended function (restriction), which makes it easier to associate groups with the appropriate security policies. For example:

    • Device only
    • Device or allowed IP range
    • Device and allowed IP range
    • None
  5. Choose the respective group that the policy should be applied for.
  6. In the Exclude Users field, select the Super Admin account if you do not want the security policy applied to it.

    Note:

    Exclude the Super Admin account or the user account you added during group creation to prevent them from being affected by conditional access restrictions.

  7. Choose the policy priority as Default Policy and click Add. 

Once you've created a security policy, it will be listed in the Security Policies section. To learn more about security policies, click here.

Setting up Access Restrictions

Once you create and associate security policies with the respective groups, administrators should configure IP restrictions to prevent unauthorized access to mobile applications. Since each security policy has different functionalities, for security policies that require IP restrictions, administrators should enable these restrictions in Zoho Directory. Follow the steps below to understand the security policies and configure IP restrictions within security policies:

  • Device only - Access restricted to Zoho Mail app on enrolled mobile devices.

Users associated with this security policy group are required to access their Zoho Mail accounts solely through the Zoho Mail app installed on their enrolled mobile devices, ensuring sensitive data remains within the organization's controlled environment and limiting access to company-issued mobile devices.

  • Device or Allowed IP addresses - Access allowed from enrolled devices or specified IP ranges.

Users under this security policy have the flexibility to access their accounts either from their enrolled device or from a location within the Allowed IP range specified by administrators, ensuring secure access from trusted locations such as company-issued and personal devices within the organization's premises or designated IP range.

To set up IP restrictions for users associated with this policy, navigate to Zoho Directory, click the created security policy (Device or Allowed IP addresses), go to the Allowed IPs section, and set up IP restrictions according to your preferences. These IP restrictions will be applied to users associated with this security policy.

  • Device and Allowed IP addresses - Access limited to enrolled devices within specified IP ranges.

Under this policy, specified users are mandated to access the mobile app solely from their enrolled device, and their IP address must fall within the allowed IP range specified by administrators. Access is therefore permitted only from company-issued devices within the organization's premises or designated IP range, which minimizes the risk of unauthorized access.

To set up IP restrictions for users associated with this policy, navigate to Zoho Directory, click the created security policy (Device and Allowed IP addresses), go to the Allowed IPs section, and set up IP restrictions according to your preferences. These IP restrictions will be applied to users associated with this security policy.

  • None - No access restrictions; users can access from any device or location.

Users associated with this security policy face no restrictions when using their mobile devices to access their accounts, allowing them to access their Zoho Mail accounts from any device and location without any specific restrictions, thus providing greater flexibility for remote work and collaboration.
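As an added illustration (not Zoho Directory's or ManageEngine's own code), the following Python models the decision each of the four restrictions makes for a request, given whether it comes from an enrolled device and whether the client IP falls inside the Allowed IPs range. The four policy names and the Super Admin exclusion come from this page; the CIDR allow-list format, the request fields, the user names and the sample addresses are assumptions constructed for the example.

```python
"""Model of the four conditional-access restrictions described above.

Added example, not Zoho Directory's or ManageEngine's code: it reproduces the
documented decision (enrolled device and/or allowed IP range) so an administrator
can check which requests each security policy admits before assigning groups.
The CIDR allow-list format, the Request fields and all sample values are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
import ipaddress


class Policy(Enum):
    """The four access restrictions offered for a security policy (names from the page)."""
    DEVICE_ONLY = "Device only"
    DEVICE_OR_IP = "Device or allowed IP range"
    DEVICE_AND_IP = "Device and allowed IP range"
    NONE = "None"


@dataclass
class SecurityPolicy:
    mode: Policy
    allowed_ips: list[str] = field(default_factory=list)   # Allowed IPs as CIDR ranges (assumed format)
    excluded_users: set[str] = field(default_factory=set)  # Exclude Users field, e.g. the Super Admin


@dataclass
class Request:
    user: str
    client_ip: str
    enrolled_device: bool  # True when the request comes from the Zoho Mail app on an enrolled device


def ip_in_allowed_range(client_ip: str, allowed_ips: list[str]) -> bool:
    """True if client_ip lies inside any allow-listed range; malformed input counts as outside."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def evaluate(policy: SecurityPolicy, req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one request evaluated under one security policy."""
    if req.user in policy.excluded_users:
        return True, "user excluded from this policy"
    if policy.mode is Policy.NONE:
        return True, "no access restriction"
    # An empty allow-list can never satisfy the IP condition, which is why the page
    # says to whitelist IP addresses before relying on the IP-based restrictions.
    in_range = ip_in_allowed_range(req.client_ip, policy.allowed_ips)
    if policy.mode is Policy.DEVICE_ONLY:
        return req.enrolled_device, "enrolled device required"
    if policy.mode is Policy.DEVICE_OR_IP:
        return req.enrolled_device or in_range, "enrolled device or allowed IP required"
    if policy.mode is Policy.DEVICE_AND_IP:
        return req.enrolled_device and in_range, "enrolled device inside allowed IP range required"
    raise ValueError(f"unknown policy mode: {policy.mode}")


def access_matrix(policies: list[SecurityPolicy], requests: list[Request]) -> dict:
    """Map (policy name, user, client IP) -> allowed, for reviewing a group assignment at a glance."""
    return {(p.mode.value, r.user, r.client_ip): evaluate(p, r)[0] for p in policies for r in requests}


if __name__ == "__main__":
    office = ["203.0.113.0/24"]  # constructed office range (documentation prefix, not a real site)
    policies = [
        SecurityPolicy(Policy.DEVICE_ONLY),
        SecurityPolicy(Policy.DEVICE_OR_IP, office),
        SecurityPolicy(Policy.DEVICE_AND_IP, office, {"superadmin@example.com"}),
        SecurityPolicy(Policy.NONE),
    ]
    requests = [  # constructed sample requests
        Request("alice@example.com", "203.0.113.10", True),    # enrolled device, in office
        Request("alice@example.com", "198.51.100.7", True),    # enrolled device, off-site
        Request("bob@example.com", "203.0.113.20", False),     # personal device, in office
        Request("bob@example.com", "198.51.100.8", False),     # personal device, off-site
        Request("superadmin@example.com", "198.51.100.9", False),
    ]
    for p in policies:
        for r in requests:
            allowed, why = evaluate(p, r)
            verdict = "ALLOW" if allowed else "DENY"
            print(f"{p.mode.value:28} {r.user:24} {r.client_ip:14} enrolled={r.enrolled_device!s:5} -> {verdict} ({why})")
```

Running the script prints one ALLOW/DENY row per policy and sample request; the off-site personal device is admitted only by the None policy, and the excluded Super Admin is admitted regardless of device or address, which is exactly why the page recommends excluding that account while the groups are being populated.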

Note:

  • Ensure each security policy is associated with the respective groups.
  • Make sure to whitelist your IP addresses in the Allowed IP section of security policies, so that users can only access their accounts from approved IP addresses. Learn more
  • Once you assign security policies to each group and set up IP restrictions, reach out to support@zohomail.com to enable the conditional policy access for your organization.

Accessing MDM in Zoho Mail Admin Console

Once the conditional access policies are enabled for your organization, you can view the Get Started button in the Mobile Device Management (MDM) section under Security & Compliance in Admin Console.

Follow these steps to configure MDM for your organization users:

  1. Log in to Zoho Mail Admin Console and navigate to Security & Compliance.
  2. Select Mobile Device Management and click Get Started.
  3. Below are the steps involved to enable MDM:
    1. Configure MDM for Android devices
    2. Configure MDM for iOS devices
    3. App configurations
    4. Self-enrolment by mobile app users

Configure MDM for Android device

After selecting Get Started on the Mobile Device Management page of Admin Console, follow these instructions to configure AFW:

  1. Click the Configure button on the Android For Work page. The Google Play accounts enterprise page appears in a new window/tab.
  2. Sign in with your existing corporate Google account admin credentials.

    Note:

    • Ensure you use a unique corporate Google account that is not linked to any previously created organizations.
    • If you do not have an existing corporate Google account, you can create a new one during this process.
    • If your corporate Google account is already associated with an existing organization, refer to this document for managing Google Play accounts enterprises.
  3. Under the Sign up for Android only option, click Sign up on the login page.
  4. Then click Get Started. If you have not already signed in, sign in to your corporate Google account on the Bring Android to Work page that appears.
  5. The steps that follow are applicable if you are enrolling in AFW for the first time:
    1. Fill out the Business details and click Next.
    2. Add the Name, Email and Phone number of your organization's Data Protection Officer.
    3. Add details of your Representative based on your country.
    4. Select the terms and conditions checkbox, click Confirm, and then click Complete Registration. The setup is now complete and AFW is successfully configured for your organization.
  6. Select Proceed to iOS Configuration page to continue setting up Apple push notification service.

Configure MDM for iOS

Prerequisites

  • Ensure you have a unique corporate Apple account for your organization.
  • A valid Apple Push Notification Service (APNs) certificate is mandatory for your organization.
  • The VendorCSR file must be downloaded from the Admin Console before continuing with the configuration steps.

To enable MDM to manage your Apple account, a Vendor CSR file must be downloaded from the Admin Console. Subsequently, the downloaded file needs to be uploaded to your Apple Push Certificates Portal to generate an APNs certificate. This certificate allows the MDM server to securely send push notifications to enrolled iOS devices, thereby enabling remote management and control of various aspects of those devices. Therefore, obtaining the APNs certificate is crucial for seamless and secure mobile device management of iOS devices. 

Follow the instructions below to generate the APNs certificate and configure MDM for iOS:

  1. On the Admin Console's iOS CONFIGURATION page, download the VendorCSR file.
  2. If you do not have a corporate Apple account for your organization, click Create an Apple ID.
  3. If you already have an existing corporate Apple account, click Sign in to log in to the Apple Push Certificates Portal with your Corporate Apple ID.
  4. If configuring MDM for the first time, click Create a Certificate.
  5. Click Choose file and select the VendorCSR file downloaded and click Upload. The APNs certificate gets created successfully.
  6. Click Download to save the APNs certificate or click the Manage Certificates button to Renew or Revoke the existing certificates.
  7. Navigate back to Zoho Mail Admin Console, click Choose file and attach the APNs certificate from your computer.
  8. Enter the Corporate Apple ID used to create the APNs.
  9. Add the admin email address that should receive APNs certificate expiry notifications.
  10. Click Upload.

Note:

The APNs certificate must be renewed every year. If it's not renewed, iOS devices cannot be managed, and users will need to re-enroll. Click here for more details.

Configure App restrictions

Configuration of AFW and APNs is now complete. The APP RESTRICTIONS page appears, allowing you to enable or disable apps and configure app restrictions. These restrictions will be applied to all devices enrolled in your organization.

Note:

  • Please note that once an application has been enabled and distributed to the organization’s users, it cannot be disabled or removed from their access. Administrators must carefully evaluate and configure app settings before distributing the app to the organization’s users.
  • For more details or if you need assistance regarding app restrictions, please reach out to support@zohomail.com
  • Once the MDM configuration and app restrictions are set, you can view all enrolled devices in the Admin Console. By default, the actual names of iOS devices won't be displayed, and instead, they will show as iPhone. To ensure the actual device names are visible, follow the steps provided here. It's important to configure these settings in the MDM console before proceeding with the app restriction configurations in the Zoho Mail Admin Console, as you won't be able to make these changes once the configuration is complete.

Follow these steps to configure the restrictions: 

  1. Select the preferred app from the listing and switch the toggle next to each restriction to ON to enable it for your organization's users.
  2. After making the changes, click the Publish button.
  3. Click the Finish setup button to complete MDM setup. You have now completed the MDM configuration for your organization. 

Once you've completed these steps, the MDM settings page will be displayed. Copy the enrollment URL and share it with your organization’s users to enroll their devices. For more detailed information on each restriction, click here.

Note:

  • Along with Zoho apps, you can distribute external apps like Google Slides, Google Docs, Google Files, Google Gallery, and Google Sheets to all enrolled devices. Once enabled, users can install them from the MDM app catalog. No restrictions can be applied. Administrators can only enable or disable them for users.
  • Certain app restrictions can only be applied to a specific mobile platform (Android or iOS). Restrictions specific to each platform will be indicated with respective icons. If no icons are displayed, the restriction applies to both Android and iOS devices.
  • The list of apps and their respective restrictions will be displayed for you to access based on your subscription plan.

App restrictions

App restrictions are settings configured by administrators through an organization's Mobile Device Management (MDM) system to control and secure the use of mobile apps. While mobile apps improve productivity by providing easy access to important resources, they also pose risks like unauthorized access, data leaks, and mishandling of sensitive information.

To tackle these risks, administrators use app restrictions to ensure mobile apps operate securely and efficiently. By limiting actions like file downloads, copying content, or sharing data with external platforms, organizations can safeguard confidential information and reduce the impact of lost or compromised devices.

How App Restrictions Work?

App restrictions define how apps can function on users' devices by limiting access and functionality to enhance security and control over sensitive data. Administrators can specify which apps are allowed on users' devices, ensuring that only approved apps are installed and used, thereby minimizing the risk of untrusted applications accessing corporate data. Additionally, apps can be restricted from accessing certain types of data or functionalities, such as copying and sharing information outside the MDM environment. To further enhance control, administrators can enforce specific configurations for apps, such as disabling file downloads or printing, which helps manage how data is handled and reduces the risk of misuse.

These restrictions are applied in conjunction with conditional access policies to control application access based on specific conditions. This ensures that only trusted devices and users can access critical data, even when using mobile applications. The list of app restrictions available in Zoho Mail Admin Console is as follows:

Mail

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.
  • Restrict printing of emails - Restricts users from printing emails from the Mail app.
  • Restrict copying of texts, files, and images (Android only) - Prevents users from copying text, files, and images from emails within the Mail app.
  • Restrict addition of multiple accounts to the same device - Restricts addition of multiple email accounts on one device.
  • Restrict downloading of files to the device - Blocks downloading attachments or files from emails to the device.
  • Restrict disabling of passcode - Restricts users from disabling the passcode on their Mail app.

Mail Admin

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.
  • Restrict addition of multiple accounts to the same device (Android only) - Restricts addition of multiple accounts on one device.
  • Restrict copying of texts, files, and images - Prevents users from copying text, files, and images within the Mail Admin app.
  • Restrict pasting of content into external apps - Restricts users from pasting content copied from the Mail Admin app into external apps.
  • Restrict disabling of passcode - Restricts users from disabling the passcode on their Mail Admin app.

Cliq

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.
  • Restrict copying of texts, files, and images - Prevents users from copying text, files, and images within the Cliq app.
  • Restrict pasting of content into external apps - Restricts users from pasting content copied from the Cliq app into external apps.
  • Restrict file sharing - Restricts users from sharing files within the Cliq app or with any external apps.
  • Restrict downloading of files to the device - Prevents downloading files from the Cliq app to the device.
  • Restrict camera access within the app - Disables camera access within the Cliq app.

Calendar

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.
  • Restrict data sharing with other users - Prevents sharing of calendar data both within the Calendar app and externally. Users will also be restricted from inviting external participants when scheduling events.
  • Restrict copying of texts, files, and images - Prevents users from copying text, files, and images within the Calendar app.
  • Restrict pasting of content into external apps - Restricts users from pasting content copied from the Calendar app into external apps.
  • Restrict camera access within the app - Disables camera access within the Calendar app.
  • Restrict access to location (iOS only) - Restricts the app from accessing the device location.
  • Restrict disabling of passcode - Restricts users from disabling the passcode on their Calendar app.

OneAuth

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.

WorkDrive

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.
  • Restrict copying of texts, files, and images - Prevents users from copying text, files, and images within the WorkDrive app.
  • Restrict pasting of content into external apps - Restricts users from pasting content copied from the WorkDrive app into external apps.
  • Restrict file sharing - Restricts users from sharing files within the WorkDrive app or with any external apps.
  • Restrict printing of files - Restricts users from printing files from the WorkDrive app.
  • Restrict downloading of files to the device - Prevents downloading files from the WorkDrive app to the device.
  • Restrict camera access within the app - Disables camera access within the WorkDrive app.
  • Restrict disabling of passcode - Restricts users from disabling the passcode on their WorkDrive app.

Meeting

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.

Workplace

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.

Connect

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.

Show

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.
  • Restrict camera access within the app - Disables camera use within the app.
  • Restrict copying of texts, files, and images - Prevents users from copying text, files, and images within the Show app.
  • Restrict pasting of content into external apps - Restricts users from pasting content copied from the Show app into external apps.
  • Restrict file sharing - Restricts users from sharing files within the Show app or with any external apps.
  • Restrict downloading of files to the device - Prevents downloading files from the Show app to the device.
  • Restrict printing of files (iOS only) - Blocks printing within the app.
  • Restrict disabling of passcode - Ensures the device passcode cannot be disabled.

Sheet

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.
  • Restrict camera access within the app - Disables camera use within the app.
  • Restrict pasting of content into external apps - Restricts users from pasting content copied from the Sheet app into external apps.
  • Restrict file sharing - Restricts users from sharing files within the Sheet app or with any external apps.
  • Restrict downloading of files to the device - Prevents downloading files from the Sheet app to the device.
  • Restrict addition of multiple accounts to the same device - Restricts addition of multiple accounts on one device.
  • Restrict printing of files - Blocks printing of files within the Sheet app.
  • Restrict disabling of passcode - Ensures the device passcode cannot be disabled.

Writer

  • Restrict login with different email accounts - Ensures login is restricted to authorized email accounts only.

Other Apps

Administrators can distribute external apps, such as Google Slides, Google Docs, Google Files, Google Gallery, and Google Sheets, to all enrolled devices. These apps serve as helper apps, allowing users to view or open files within the MDM environment. Once enabled, users can install these external apps from the MDM app catalog, ensuring they have access to necessary tools while maintaining security. No restrictions can be applied to these external apps. Administrators can only choose to enable or disable them for users.

Self-enrolment by Users

Once MDM is configured in the Zoho Mail Admin Console, it is essential for organization users to complete their user self-enrollment process. This ensures that all the restrictions set within the MDM configuration and Zoho Directory are enforced and applied to each user effectively. By completing the self-enrollment process, users enable themselves to adhere to the organization's security policies, thereby safeguarding sensitive data and maintaining compliance with security protocols. Administrators should share the Enrollment URL provided in the Admin Console with users who will be using the Zoho Mail app on their mobile devices for enrollment.

Follow these steps to share the enrolment URL:

  1. Log in to Zoho Mail Admin Console and select Security & Compliance on the left pane.
  2. Navigate to Settings under Mobile Device Management section. The General tab appears by default.
  3. Copy the Enrolment Link and share it with the users.

Note:

Once all users have completed their self-enrollment, administrators can add them to their respective groups in the Admin console. This completes the entire MDM setup and enables the enforcement of access and app restrictions as configured.

Managing MDM Configuration

In the Mobile Device Management section of the Admin Console's left menu, administrators have a range of options to efficiently manage and oversee all configurations within MDM. Administrators can manage and update the app restrictions, view enrolled devices, or share the enrollment link with users from this section. This section includes the following options:

Apps  

This section displays the list of applications enabled or disabled for your organization's users. Hover over an application in the list and click Configure restrictions. Here, you can modify your app restrictions using the toggle button for each restriction.

Enrolled Devices 

Here, you can view the list of devices that are enrolled by your organization's users. Click Refresh to view the newly enrolled list of devices. The Filter option in the top menu allows you to sort the devices based on their platform (Android or iOS). You can also use the Search bar in the top pane to filter and view devices by device name, IMEI, serial number, and user email address.

By selecting a device from the list, you can view detailed information such as:

  • Device ID: The unique identifier for the device.
  • Name: The name of the user.
  • Model: The model of the device.
  • Platform: Whether the device is Android or iOS.
  • OS Version: The operating system version running on the device.
  • Serial Number: The device's serial number.
  • IMEI: The International Mobile Equipment Identity number for the device.
  • Internal Storage: The total internal storage of the device.

Viewing Distinct iOS Device Names

By default, iOS devices are listed as "iPhone" in the Name field. To display the distinct device names for iOS devices, follow the below steps:

  1. Go to https://mdm.manageengine.com/.
  2. In the MDM Console, go to the Admin menu.
  3. Under Device Privacy, click on Modify (located at the top-right).
  4. Change the value to "Collect and display" for all available options.
  5. Set the Privacy Policy to "Display to users".
  6. Select all options under Applicable device.
  7. Click Save to apply the changes.
  8. Close the MDM Console.

After completing these steps, the distinct device names of enrolled iOS devices will be displayed instead of just iPhone in Zoho Mail Admin Console. Make sure to configure these settings in the MDM Console before finalizing the MDM setup, as you won't be able to make these changes afterward.

Settings 

The General, Notifications, Android Configuration and iOS Configuration tabs allow you to manage the MDM settings of your organization.

  • General - Share the Enrollment link with users and specify a Device Limit ranging from 1 to 10 for each user. A user cannot enroll more devices than the specified limit. If no limit is set, users can enroll an unlimited number of devices.
  • Notifications - Add or remove admin email addresses to whom new enrolment notification emails must be sent.
  • Android Configuration - Displays your organization's AFW registration details.
  • iOS Configuration - Displays your organization's APNs certificate details. The generated APNs certificate will expire after one year. Add or remove admin email addresses to receive expiry notifications. A notification will be sent to the added users three months prior to the expiration date for renewal.
