With the recent vulnerabilities to Native Mail announced back in April, organisations have been looking for a mail client that can provide ease of use for users whilst securely protecting their email services, whether that be O365, Lotus Notes, or Exchange.

VMware Boxer, an award-winning enterprise email client provides access to email, calendar, and contacts across corporately owned or bring your own devices (BYOD). Not only is Boxer focusing on providing a great user experience, but it is also offering enterprise-grade security in the form of AES 256-bit encryption, with the ability to separate business data from personal data.

With Covid-19 and the introduction of home working for users who weren’t necessarily set up for this way of working. I’ve seen Boxer be used in standalone mode to offer out email to a number of mobile workers allowing them to have a glimpse of normality and continue to work.

In this article, I thought I’d outline some of the key features and ease of deployment for Boxer.

There are three different deployment methods for Boxer when it comes to iOS.

  • We have the ability to distribute the application via the Volume Purchase Program via Apple Business Manager.
  • Utilise the public App Store and push to users via Workspace ONE UEM’s Public App section.
  • Or have the user download directly from the App Store using their own AppleID and we manage just Boxer. (BYOD)

Within the UEM console, the boxer assignment page has had a big revamp with a lot of settings added in at a GUI level rather than having to use App Config, however App Config is still fully supported.


iOS Boxer supports– G Suite, 2010, 2013, 2016, Office 365, IBM Notes Traveler version 9.0.1 and is supported on iOS 11 + devices.

To start you need to add Boxer into your UEM console either via VPP or the Public store. In this instance, I’ll show the Public App store method.

Navigate to Apps and Books, Applications, Public, and select Add Application.

Using the filters, select Apple iOS, Search App Store and search for the name VMware Boxer

It will return the below, allowing you to select Boxer on the right-hand side.

Please note distributing Applications this way will require the user to use an AppleID to download the app from the store. For a better user experience consider using VPP.

Once successfully added, you’ll be able to hit the Assign button.

Assignment and configuration


On the first page, we have the ability to set the Distribution name. This is the name for this assignment. You can have multiple different assignments for Boxer via the same single application, this makes it really easy to have a corporately owned and a BYO configuration without having to have multiple versions of the app.

You can then allocate the configuration to an assignment group or Smart Group. This could be a select few users, a whole AD User Group or every device. There is a lot of flexibility and granularity to how you can distribute any application via WS1 UEM.

Here we also have the ability to set the delivery to Auto or On-Demand.

  • Auto will automatically push the application down to the device on enrolment or to already enrolled devices.
  • On-Demand will allow it to reside in the Hub Catalog for the user to download when they are ready.


With the Restrictions tab, we have the ability to set a few options.

  • Managed Access – Only allows enrolled devices to receive the policies set within this assignment.
  • Remove On Uneroll – Will allow the application to be removed upon an Enterprise Wipe.
  • Prevent App Backup – Will prevent data backing up to iCloud, However, the application can still back up to iCloud.
  • Make App MDM managed – This was a feature that came in iOS9 and allows MDMs to manage an application if it has already been installed before the user has enrolled.

Tunnel and Other Attributes

Should there be a requirement to tunnel through to an internal resource, you have the ability to wrap a Per App VPN profile around any application. With the combination of the UAG and VMware Tunnel on a Per App basis, we can tunnel applications through to a certain endpoint. Not too relevant with Boxer as most organisations will either be using O365 which is cloud-hosted or if there is an On-Premise Exchange, protect EAS with a Secure Email Gateway (SEG).

Application Configuration

The ability to set Configuration Keys, Value Types, and Config Values based upon App Config profiles. There is also the ability to Upload XML should you have a copy to hand to save manually populating the fields.

Email Settings

Firstly we have the email settings required to contact Exchange. This could be pointing directly to an EAS/EWS endpoint or to a SEG hostname as previously mentioned.

There are multiple lookup values that can be configured for items such as the Domain, User, and Email Address. This will allow you to easily set up the configuration for the user when they go to use the application for the first time. If you were to be using a SEG or a Powershell delivery method you could set a MEM config in the Email Management section.

The second part of the Email Settings payload is the ability to decide how the user experience will be.

  • The ability to enable Modern Authentication or certificate-based authentication for access.
  • How far back do we go to sync mail and calendars
  • Leverage real-time notifications with the introduction of ENS. A cloud-hosted or on-premise service that has the ability to send notifications to users as they receive them.
  • Spam and Phishing reporting, allowing users to notify a central resource should they feel that they’ve received suspicious mail.
  • You can allow S/MIME certificates, used for signing, encrypting, or both.
  • Introduce Mobile Flows to your users, having the ability to integrate seamlessly into other apps. For example, if you are a manager and you receive a travel expense. Rather than opening up your expense application or browsing to a URL to approve, you can approve directly from within Boxer resulting in higher productivity and truly taking advantage of those micro-moments.
  • Set Email Classifications

Email Classifications

More and more I see a dependency on labeling emails with some form of classification, whether that’s Confidential, Unclassified, or Restricted. Within VMware’s boxer client we have the capability to support this function.

Previously we had to take advantage of App Config and set the values ourself, however recently the functionality was brought into the GUI to make it easier to configure.

App Policies

The final part of deploying Boxer is to configure the vast amount of policies that protect our corporate mail. I shall not list them all as I’d be here all day, however, to give you a flavour.

  • The ability to set an application level passcode, enable biometrics, or set a complex passcode to open the app. Great for BYO and Corporate deployments.
  • DLP settings which include preventing copy and paste, personal mail accounts, opening URLs into non trusted browsers, managed open in, and more.
  • The ability to set short cuts for users with hand gesture movements, making it extremely easy to delete, archive or move emails around.
  • Introduce IT Support details to the user should they require to contact anyone due to an issue or set logging for troubleshooting.
  • Prevent users from uploading photos from their personal phone gallery or forwarding on attachments.

Parting thoughts

As a user of Boxer, I honestly can’t complain. It is simple to use and easy to pick up.

I have the ability to view my colleague’s calendars and create meeting invites directly out of emails with the added feature of sending availability. Any attachments that I receive are securely stored in the file section, giving me an easy place to go and find that spreadsheet I need to double-check for 100th time. I can perform simple tasks like setting my Out Of Office or email signature and even set VIP contacts for when I receive emails from people I just can’t miss.

I would love to hear your thoughts on your experiences with Boxer.

Spread the love