When we think about the evolution of mobile email and remote work, we can see that expectations are shifting. One of those crucial areas is around delegation and an elevated level of management. Today, we focus on a few key areas that are crucial for business users: (1) email and calendar delegation and (2) support for multiple managed accounts. These great features have recently been added to Workspace ONE Boxer making it a strong ally to an evolving workforce.
A Standard Account Vs. Delegation in Microsoft Exchange
Before we go into the Boxer side of the house, it’s important to cover what makes delegation different than your typical account. A standard account you can think of is an account you own and can be authenticated to. This eliminates the following:
- Shared Mailboxes
- Distribution Lists
- Office Groups
- Disabled Accounts
The list goes on and on, but you get the idea. Let’s cover delegation in more depth.
What is Delegation Exactly?
A Delegate is basically someone who is acting on your behalf. It could be an administrative assistant, a member of your team, your boss, etc. In the Microsoft Exchange world, we empower these delegates through granting permissions to a specific folder.
As you can see in MFCMapi, our Mailbox has a number of folders:
You may run into a situation where you want to give someone access to your Inbox, a subfolder, Calendar, Contacts etc. It’s important to call out that people get easily confused around this stuff. This is not for send as permissions or full mailbox access, but specifically to grant delegate access to a particular folder.
Folder permissions are comprised of “Access Rights” and as of Exchange Online “Sharing Permission Flags”, which we will discuss below.
Access Rights for Delegation
With access rights, we have a few options that are worth mentioning. The others are listed here:
- Reviewer (Grants read access to the items and lets you see the folder)
- Editor (Let’s you create, delete, edit, and view items)
- Contributor (Let’s you create items and see the folder)
You can set individual permissions but roles are the right way to go unless you need to do something specific.
Sharing Permission Flags
Sharing permission flags are new in Exchange Online. They DO require that the user have Editor access rights, but once they do you can use the flags to set them as a delegate along with the ability to view private items.
How to Apply Delegation
Users can easily do this themselves by switching Outlook to folder view and use the share button, which only works for calendars.
The more common way is using PowerShell to assign permissions. An example of a common command can be seen below:
Add-MailboxFolderPermission -Identity email@example.com:\Calendar -User firstname.lastname@example.org -AccessRights Editor -SharingPermissionFlags Delegate,CanViewPrivateItems
It’s always good to point out that when migrating to Exchange Online that you need to typically reapply folder permissions in Exchange Hybrid, but overall it’s a pretty easy thing to achieve.
Delegation in Workspace ONE Boxer
The one caveat with delegation in Boxer is that users must do it manually. The good news is they have done a nice job simplifying the workflow for delegation. We will show you a nice little demo on how it works. Let’s cover the requirements real quick:
- Supports Basic, Modern, and Certificate-Based Authentication
- EWS must be enabled on your Exchange/SEG (Secure Email Gateway) which I cover here.
- If you are using SEG or On-Premise, you have to specify the EWS URL in your Boxer Config
- Both users must exists in the same Active Directory
- EWS and ActiveSync must use the same authentication because obviously
- Exchange ActiveSync 2013+
- Delegate permissions must have already been applied and must be applied via PowerShell
Boxer does have a few limitations that we should call out also:
- Only supports delegation of email and calendar
- Attachments cannot be modified in an exception of a recurring event
- Maximum of 5 delegates
Multiple Managed Accounts in Workspace ONE Boxer
Multiple Managed Accounts in Boxer is a bit confusing, which is why I wrote this article. The VMware article is here. Let’s cover the requirements first:
- Workspace ONE Boxer 5.21+
- WS1 UEM 2008+
- SSO must be enabled in the SDK/Default Settings (Does not require you to enable Authentication, phew!)
The features they support are:
- All Mail, Calendar, and Contacts functions
- S/MIME/Azure Information Protection, CBA, spam, and phishing
- ENSv2 Notifications
- Email signature and synchronization
- Escrow Gateway support
- Health Checks
The gaps to mention:
- Only covers two accounts
- No Mobile Flows support for secondary accounts
- No Derived Credentials support for secondary accounts
- CBA requires accounts with different domains with the same UPN
- Unsupported on iOS standalone enrollments
Configuring Multiple Managed Accounts
Before we watch the video tutorial, I want to hammer home the idea that we should use technology the right way. When configuring the MMAs, you need to build some sort of “lookup” that translates the email address/username (only the email address in Office 365) for the secondary accounts.
The default should be creating custom lookup values like I show in the video:
The custom lookups are great and you can use them to return “part” of any of your existing lookup values or to “re-write” the current lookup values into something that is helpful to you. If you need help writing the regular expressions, let me know.
Workspace ONE Boxer Multiple Managed Account Demo
Now that we have covered everything, let’s enjoy a nice demo of the great user experience delivered inside of Workspace ONE Boxer.
Thanks for taking a short journey with me on Workspace ONE Boxer Managed Accounts. Features like this make me yearn for the Microsoft Graph integration on Boxer. It’s a great competitive advantage feature, but I just keep wishing Boxer had the full Office 365 experience so I could recommend it to more clients.
We can say one thing confidently when it comes to Boxer: “They do more to innovate and elevate this mail client than anyone else.” It’s easy being Microsoft and having the Intune SDK to play with, but Boxer has continued to evolve. If ONLY they had full Office 365 support inside of Boxer , it wouldn’t even be a conversation for the best-in-class solution in UEM.