
My company is giving out new Android smartphones to employees, and they should be able to manage their e-mail on them. Currently, only access via webmail is enabled, but the mobile webmail client (Zimbra) is awkward and very feature-limited. Therefore, granting access to e-mail clients (mobile apps) seems to be a good move. However, client software would not be controlled by the company in this scenario, so I need to figure out a way to limit e-mail access to client apps installed by the company, on the issued smartphones. What is currently considered best practice for this (in an open-standards-based, non-MS environment)?

I found articles that suggest S/MIME certificates, but they seem to be about much more than just regulating client access (also encryption etc.).

Would implementation of S/MIME for mobile/desktop clients require doing the same for webmail sessions (installing certificates in browsers...), or could a standard server be configured in such a way as to require certificate authentication only from mobile/desktop clients but not from browsers?

Ben Opp
    Your options may be limited by whatever MDM solution you employ to provision the mail credentials (you *are* putting company phones under company management, so only authorized software can be installed on the device in the first place, right?) – anx Jun 04 '22 at 18:54
  • 1
    This is clearly an organizational problem and not an IT problem. Let all users sign a compliance form which states that access is only allowed using the provided email client app. BTW: S/MIME is for signing and/or encrypting emails; it will not help you restrict users to a certain mail app. – Robert Jun 04 '22 at 19:31
  • 1
    Are the first steps on your checklists for "smartphone compromised by third party, credentials used elsewhere" and "smartphone compromised by employee, credentials used in alternate app" meaningfully different? Because if not, why not just settle with "We already have monitoring for this, just put in another alert rule for unknown user agent"? – anx Jun 04 '22 at 20:54
  • @anx, yes, the phones are managed with Apptec360 MDM – Ben Opp Jun 04 '22 at 23:18
  • @anx About your 2nd question, I'd say yes - the employee would be using the e-mail access for intended purposes, but with unvetted, potentially insecure software, while a 3rd party would probably use the credentials for malicious purposes (spamming...). Tbh I don't know server settings such as alert rules (someone else manages that). Are you saying clients can be locked out based on user agent? – Ben Opp Jun 04 '22 at 23:28
  • @Robert, the way I understood the S/MIME auth process, the server will accept login credentials only from clients that present a valid certificate, hence clients that don't have one installed are unable to log in - but I did get the impression that that's not what S/MIME is meant for. I also think we wouldn't need to find a technical solution for this, but management is asking for one. Valid point though that it's not necessarily the way to go. – Ben Opp Jun 04 '22 at 23:37
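The "alert rule for unknown user agent" idea raised in the comments, as an added example that is not part of the original question or comments: a small detection script that reads mail login records, ignores browser/webmail sessions, flags any IMAP or ActiveSync login whose client identifier does not match the company-installed app, and additionally flags a user whose credentials show up in more than one distinct client. The log format, the `CompanyMail/` product token, the user names and the IP addresses are all constructed for this example; Zimbra and other real servers log logins in their own formats, so the regular expression would need to be adapted.

```python
"""Flag mail logins from clients other than the company-issued app.

The log format parsed here is constructed for this example; it is not
Zimbra, Dovecot or any other real server's output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed format: one login event per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) login user=(?P<user>\S+) proto=(?P<proto>\S+) '
    r'client="(?P<client>[^"]*)" src=(?P<src>\S+)$'
)

# Hypothetical product token sent by the company-installed mail app.
APPROVED_CLIENT_PREFIXES = ("CompanyMail/",)

# Browser sessions stay on webmail and are not policed by client string,
# so the rule applies only to the protocols native mail apps use.
BROWSER_PROTOCOLS = {"webmail"}

# Constructed sample log: one approved app login, one browser session,
# one login from an unvetted third-party app, one with an empty client id.
SAMPLE_LOG = """\
2022-06-04T18:54:01Z login user=alice proto=imap client="CompanyMail/2.1 (Android 12)" src=10.20.0.15
2022-06-04T18:55:10Z login user=bob proto=webmail client="Mozilla/5.0 Firefox/101" src=10.20.0.40
2022-06-04T19:02:33Z login user=alice proto=imap client="K-9 Mail/6.0" src=203.0.113.7
2022-06-04T19:10:05Z login user=carol proto=activesync client="" src=198.51.100.9
"""


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str   # "unknown-client" or "multiple-clients"
    detail: str


def parse_line(line: str):
    """Return the login record as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def client_is_approved(client: str) -> bool:
    """True when the client identifier belongs to the company-issued app."""
    return client.startswith(APPROVED_CLIENT_PREFIXES)


def scan(log_text: str) -> list:
    """Run both rules over a log and return the alerts in detection order."""
    alerts = []
    clients_per_user = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production rule should count these too
        if rec["proto"] in BROWSER_PROTOCOLS:
            continue  # webmail is already the sanctioned path for browsers
        clients_per_user[rec["user"]].add(rec["client"])
        if not client_is_approved(rec["client"]):
            alerts.append(Alert(
                rec["user"], "unknown-client",
                f'{rec["proto"]} login from {rec["src"]} with client "{rec["client"]}"',
            ))
    # Credentials appearing in more than one client are worth a second look:
    # either an employee switched apps or the credentials were copied elsewhere.
    for user, clients in clients_per_user.items():
        if len(clients) > 1:
            alerts.append(Alert(user, "multiple-clients", ", ".join(sorted(clients))))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.user:8} {alert.reason:17} {alert.detail}")
```

Note that a client string is self-reported, so this is a monitoring control, not an access control: it catches the honest case (an employee who installs a different app) and the careless one (a tool that sends its own identifier), but a deliberate attacker can copy the approved string. That is why the comments point towards MDM and a signed policy as the primary controls, with this kind of rule as the alerting layer behind them.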

0 Answers