
How to permit only certain e-mail clients for IMAP access


My company is giving out new Android smartphones to employees, and they should be able to manage their e-mail on them. Currently, only access via webmail is enabled, but the mobile webmail client (Zimbra) is awkward and very feature-limited. Therefore, granting access to e-mail clients (mobile apps) seems to be a good move. However, client software would not be controlled by the company in this scenario, so I need to figure out a way to limit e-mail access to client apps installed by the company, on the issued smartphones. What is currently considered best practice for this (in an open-standards-based, non-MS environment)?

I found articles that suggest S/MIME certificates, but they seem to be about much more than just regulating client access (also encryption etc.).

Would implementation of S/MIME for mobile/desktop clients require doing the same for webmail sessions (installing certificates in browsers...), or could a standard server be configured in such a way as to require certificate authentication only from mobile/desktop clients but not from browsers?

anx
Your options may be limited by whatever MDM solution you employ to provision the mail credentials (you *are* putting company phones under company management, so only authorized software can be installed on the device in the first place, right?)
Robert
This is clearly an organizational problem and not an IT problem. Let all users sign a compliance form which states that access is only allowed using the provided email client app. BTW: S/MIME is for signing and/or encrypting emails, it will not help you to restrict users to a certain mail app.
anx
Are the first steps on your checklists for "smartphone compromised by third party, credentials used elsewhere" and "smartphone compromised by employee, credentials used in alternate app" meaningfully different? Because if not, why not just settle with "We already have monitoring for this, just put in another alert rule for unknown user agent"?
Ben Opp
@anx, yes, the phones are managed with Apptec360 MDM.
Ben Opp
@anx About your 2nd question, I'd say yes - the employee would be using the e-mail access for intended purposes, but with unvetted, potentially insecure software, while a 3rd party would probably use the credentials for malicious purposes (spamming...). Tbh I don't know server settings such as alert rules (someone else manages that). Are you saying clients can be locked out based on user agent?
Ben Opp
@Robert, the way I understood the S/MIME auth process, the server will accept login credentials only from clients that present a valid certificate, hence clients that don't have one installed are unable to log in - but I did get the impression that that's not what S/MIME is meant for. I also think we wouldn't need to find a technical solution for this, but management is asking for one. Valid point though that it's not necessarily the way to go.