This policy configures the native mail app on managed iOS devices so that corporate email accounts are consistently and securely set up for users. This policy lets administrators centrally define account details, server settings, and security options, which improves data protection while reducing setup time for end users. Standardizing Mail settings also helps minimize misconfigurations and support overhead across the organization.
Prerequisites:
- iOS/iPadOS devices must be enrolled in Apple MDM using one of the following enrollment types:
- Automated Device Enrollment (ADE) - These devices are owned and enrolled by the corporation through ADE.
- Device Enrollment - These devices are owned by the corporation, and enrolled by the admin or by the user.
- User Enrollment - These are personal devices used for work where the user enrolls the device to securely access corporate data while maintaining personal privacy.
For more information, see Choose an MDM Enrollment Method.
- Target devices must be running iOS/iPadOS 4 or later.
Creating the Policy
To create the policy:
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, use the login URL for your region; see JumpCloud Data Centers for details.
- Go to Device Management > Policy Management and click (+).
- On the New Policy panel, select the iOS tab.
- Search for and select Apple Mail from the list, then click Configure.
- (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
- (Optional) In the Policy Notes field, enter details such as the policy's creation date and information about its testing and deployment.
Configuring Apple Mail Policy Settings
In the Settings section, configure the following:
- In the Account Information section, configure the basic account details that will be applied to the Mail app:
- Email Account Description - Enter a short label for the account as it appears in Mail (for example, Company Mail).
- Email Account Name - Specify the display name that appears to recipients (for example, the user’s full name).
- Email Account Type (Required) - Choose the appropriate account type (for example, IMAP, POP, or Exchange) based on your mail infrastructure.
- Email Address - Provide the email address format used for users in your organization (for example, a directory attribute-based value or a fixed pattern).
- In the Incoming Mail Server Settings section, define the server used to receive mail:
- Incoming Mail Server Host Name (Required) - Enter the fully qualified domain name of the incoming mail server.
- Incoming Mail Server Port Number - Specify the port number that matches your mail server configuration (for example, 993 for secure IMAP).
- Incoming Mail Server Use SSL - Enable this option to enforce encrypted connections to the incoming server.
- Incoming Mail Server Username - Provide the username format required by your mail system.
- Incoming Password - Enter the incoming mail password as a sensitive field so it is stored and handled securely.
- Incoming Mail Server Authentication - Select the required authentication method (for example, password-based authentication).
- Incoming Mail Server IMAP Path Prefix - If your IMAP deployment requires a specific path prefix, configure it here.
- In the Outgoing Mail Server Settings section, configure the server that sends mail:
- Outgoing Mail Server Host Name - Enter the outgoing (SMTP) server hostname.
- Outgoing Mail Server Port Number - Specify the SMTP port number (for example, 587 or 465 as appropriate).
- Use SSL for Outgoing Mail Server - Select this setting to ensure your outgoing mail server connection is encrypted and secure.
- Outgoing Mail Server Username - Provide the username used to authenticate to the outgoing server.
- Use Same Password for Outgoing Mail - Select this setting to simplify your configuration by using the same username and password for both incoming and outgoing servers.
- Outgoing Mail Server Authentication - Select the authentication method for the outgoing server.
- In the Security & Authentication section, configure S/MIME options to control message signing and encryption:
- Enable S/MIME - Select this to turn on advanced email security features; all dependent options become available when this is enabled.
- Enable S/MIME Signing - Select this to enable digital signing for outgoing messages.
- S/MIME Signing Certificate UUID - Specify the certificate identifier used to sign messages.
- Enable S/MIME Encryption - Select this to enable S/MIME encryption for this account.
- S/MIME Encryption Certificate UUID - Specify the certificate identifier used for encryption.
- Enable S/MIME Encryption - Enable encryption for messages where a valid recipient certificate exists.
- Enable S/MIME Encrypt by Default - Select this to choose whether messages should be encrypted by default when possible.
- Enable S/MIME Encryption Per Message Switch - Allow users to toggle encryption on a per-message basis where supported.
- Allow User to Override S/MIME Signing - Select this to allow the user to override the S/MIME signing setting.
- Allow User to Override S/MIME Signing Certificate - Select this to allow the user to override the S/MIME signing certificate.
- Allow User to Override S/MIME Encrypt by Default - Select this to allow the user to override the encrypt-by-default setting.
- Allow User to Override S/MIME Encryption Certificate - Select this to allow the user to override the S/MIME encryption certificate.
- In the Restrictions section, define how users can interact with Mail and its data:
- Prevent Moving Messages - Select this to prevent users from moving messages out of the managed Mail account into other accounts or apps.
- Prevent App Sheet - Select this to restrict the use of the standard iOS share and open-in sheets from Mail, limiting data exfiltration paths.
- Disable Mail Recents Syncing - Select this to disable syncing of recent email addresses across devices and reduce data exposure.
- Allow Mail Drop - Select this to allow the use of Mail Drop for large attachments, in line with organizational policy.
- In the VPN section, associate the Mail account with a managed VPN configuration when required:
- VPN UUID - Specify the UUID of a managed VPN configuration so Mail traffic for this account uses the designated VPN profile, enhancing security for remote or untrusted networks. This is available in iOS 14 and later.
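As an added example (not JumpCloud's code or the page's own), the script below parses a constructed configuration profile with Python's plistlib and audits its com.apple.mail.managed payload, the Apple Mail payload these settings are delivered as, for the points above: SSL enforced on both servers, S/MIME options consistent with the certificate UUIDs, restrictions enabled, and a well-formed VPN UUID. The mapping from the setting names above to Apple's payload keys (IncomingMailServerUseSSL, SMIMESigningCertificateUUID, PreventMove, VPNUUID and so on) is my assumption, and the hostnames and UUIDs are made up.

```python
import plistlib
import uuid

# Constructed sample (not a JumpCloud export): one com.apple.mail.managed payload
# using Apple's Mail payload keys; hostnames and UUIDs are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.mail.managed</string>
<key>PayloadUUID</key><string>9f1c2b4e-0a5d-4c7e-8b3a-1d2e3f4a5b6c</string>
<key>EmailAccountType</key><string>EmailTypeIMAP</string>
<key>IncomingMailServerHostName</key><string>imap.example.com</string>
<key>IncomingMailServerPortNumber</key><integer>993</integer>
<key>IncomingMailServerUseSSL</key><true/>
<key>OutgoingMailServerHostName</key><string>smtp.example.com</string>
<key>OutgoingMailServerPortNumber</key><integer>587</integer>
<key>OutgoingMailServerUseSSL</key><false/>
<key>SMIMEEnabled</key><true/>
<key>SMIMESigningEnabled</key><true/>
<key>PreventMove</key><true/>
<key>PreventAppSheet</key><true/>
<key>VPNUUID</key><string>not-a-uuid</string>
</dict></array></dict></plist>"""

def audit_mail_payload(p):
    """Return a list of findings for one com.apple.mail.managed payload dict."""
    f = []
    for side in ("Incoming", "Outgoing"):
        if not p.get(f"{side}MailServerUseSSL"):
            f.append(f"{side} server: SSL not enforced")
    # Dependent S/MIME options only take effect once SMIMEEnabled is true.
    if not p.get("SMIMEEnabled") and any(k.startswith("SMIME") and k != "SMIMEEnabled" for k in p):
        f.append("S/MIME options set but SMIMEEnabled is false")
    if p.get("SMIMESigningEnabled") and not p.get("SMIMESigningCertificateUUID"):
        f.append("signing enabled without SMIMESigningCertificateUUID")
    if p.get("SMIMEEncryptByDefault") and not p.get("SMIMEEncryptionCertificateUUID"):
        f.append("encrypt-by-default without SMIMEEncryptionCertificateUUID")
    for k in ("PreventMove", "PreventAppSheet", "disableMailRecentsSyncing"):
        if not p.get(k):
            f.append(f"restriction {k} is off")
    if "VPNUUID" in p:
        try:
            uuid.UUID(p["VPNUUID"])
        except ValueError:
            f.append("VPNUUID is not a valid UUID")
    return f

def audit_profile(blob):
    """Map each Mail payload's PayloadUUID to its findings; other payload types are skipped."""
    profile = plistlib.loads(blob)
    return {p["PayloadUUID"]: audit_mail_payload(p)
            for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.mail.managed"}
```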
Assigning and Applying the Policy
- (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
- (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
- Click Save. If prompted, click Save again. The policy configuration settings are applied automatically and do not require a system restart.