Security considerations

This article discusses Secure Mail security considerations and specific settings you can enable to help increase data security.

Microsoft IRM support

Secure Mail for Android and iOS support messages protected with Microsoft Information Rights Management (IRM) and the cloud based Azure Information Protection (AIP) solution, subject to the configured IRM policy.

This feature allows organizations use IRM to apply persistent protection to messaging content and allows mobile device users to be able to create and consume IRM-protected content. By default IRM support is Off. To enable IRM support, set the Information Rights Management policy to On.


Secure Mail supports Azure Information Protection with Exchange Server 2016.

Secure Mail supports the following template attributes:


Attachments are not included in IRM support.

Attribute Label in Secure Mail Description
ContentExpiryDate No expiration or the expiration date Allows you to purge the body and attachments of the email message when the ContentExpiryDate has passed. Additionally, Secure Mail provides the ability to fetch the content again from the server.
EditAllowed Edit Content Specifies whether the user can modify the email message when the user forwards, replies, or replies all to the message.
ExportAllowed   Specifies whether the user can remove the IRM protection on the email message.
ExtractAllowed Copy Content Specifies whether the user can copy content out of the email messages.
ForwardAllowed Forward Specifies whether the user is allowed to forward the email message.
ModifyRecipientsAllowed Modify Recipients Specifies whether the user can modify the recipient list when the user forwards or replies to the email message.
ProgrammaticAccessAllowed Send to Other Apps Specifies whether the contents of the email message can be accessed programmatically by third-party applications.
ReplyAllAllowed Reply All Specifies whether the user can reply to all of the recipients of the original email message.
ReplyAllowed Reply Specifies whether the user is allowed to reply to the email message.

Users see the following Restrictions screen.

Secure Mail IRM Restrictions screen

Some organizations may require strict adherence to their IRM policy. Users with access to Secure Mail may attempt to bypass the IRM policy by tampering with Secure Mail, the operating system, or even the hardware platform.

Although Endpoint Management can detect certain attacks, you may want to consider the following precautionary measures to increase security:

  • Review the security guidance supplied by the device vendor.
  • Configure devices accordingly, using Endpoint Management capabilities or otherwise.
  • Provide guidance to your users for the appropriate use of IRM features, including Secure Mail.
  • Deploy additional third-party security software to resist this type of attack.

Email security classifications

Secure Mail for iOS and Android supports email classification markings, enabling users to specify security (SEC) and dissemination limiting markers (DLM) when sending emails. SEC markings include Protected, Confidential, and Secret. DLM includes Sensitive, Legal or Personal. When composing an email, a Secure Mail user can select a marking to indicate the classification level of the email, as shown in the following images.

Security classification link in Secure Mail

Security classification list in Secure Mail

Recipients can view the classification marking in the email subject. For example:

  • Subject: Planning [SEC = PROTECTED, DLM = Sensitive]
  • Subject: Planning [DLM = Sensitive]
  • Subject: Planning [SEC = UNCLASSIFIED]

Email headers include classification markings as an Internet Message Header Extension, shown in bold in this example:

Date: Fri, 01 May 2015 12:34:50 +530

Subject: Planning [SEC = PROTECTED, DLM = Sensitive]

Priority: normal

X-Priority: normal X-Protective-Marking: VER-2012.3,,SEC = PROTECTED, DLM = Sensitive,


To: Team <>

MIME-Version: 1.0 Content-Type: multipart/alternative;boundary="_com.example.email_6428E5E4-9DB3-4133-9F48-155913E39A980"

Secure Mail only displays classification markings. The app does not take any actions based on those markings.

When a user replies to or forwards an email that has classification markings, the SEC and DLM values default to those of the original email. The user can choose a different marking. Secure Mail does not validate such changes in relation to the original email.

You configure email classification markings through the following MDX policies.

  • Email classification: If On, Secure Mail supports email classification markings for SEC and DLM. Classification markings appear in email headers as “X-Protective-Marking” values. Be sure to configure the related email classification policies. Default value is Off.

  • Email classification namespace: Specifies the classification namespace that is required in the email header by the classification standard used. For example, the namespace “” appears in the header as “”. Default value is empty.

  • Email classification version: Specifies the classification version that is required in the email header by the classification standard used. For example, the version “2012.3” appears in the header as “VER=2012.3”. Default value is empty.

  • Default email classification: Specifies the protective marking that Secure Mail applies to an email if a user does not choose a marking. This value must be in the list for the Email classification markings policy. Default value is UNOFFICIAL.

  • Email classification markings: Specifies the classification markings to be made available to users. If the list is empty, Secure Mail does not include a list of protective markings. The markings list contains value pairs that are separated by semicolons. Each pair includes the list value that appears in Secure Mail and the marking value that is the text appended to the email subject and header in Secure Mail. For example, in the marking pair “UNOFFICIAL,SEC=UNOFFICIAL;”, the list value is “UNOFFICIAL” and the marking value is “SEC=UNOFFICIAL”.

Default value is a list of classification markings that you can modify. The following markings are provided with Secure Mail.

  • For Official Use Only,DLM=For-Official-Use-Only
  • Sensitive,DLM=Sensitive
  • Sensitive:Legal,DLM=Sensitive:Legal
  • Sensitive:Personal,DLM=Sensitive:Personal
  • PROTECTED+Sensitive:Legal,SEC=PROTECTED DLM=Sensitive:Legal
  • PROTECTED+Sensitive:Personal,SEC=PROTECTED DLM=Sensitive:Personal
  • PROTECTED+Sensitive:Cabinet,SEC=PROTECTED,DLM=Sensitive:Cabinet
  • CONFIDENTIAL+Sensitive:Legal,SEC=CONFIDENTIAL DLM=Sensitive:Legal
  • CONFIDENTIAL+Sensitive:Personal,SEC=CONFIDENTIAL,DLM=Sensitive:Personal
  • CONFIDENTIAL+Sensitive:Cabinet,SEC=CONFIDENTIAL DLM=Sensitive:Cabinet
  • SECRET+Sensitive,SEC=SECRET,DLM=Sensitive
  • SECRET+Sensitive:Legal,SEC=SECRET,DLM=Sensitive:Legal
  • SECRET+Sensitive:Personal,SEC=SECRET,DLM=Sensitive:Personal
  • SECRET+Sensitive:Cabinet,SEC=SECRET,DLM=Sensitive:Cabinet
  • TOP-SECRET+Sensitive,SEC=TOP-SECRET,DLM=Sensitive
  • TOP-SECRET+Sensitive:Legal,SEC=TOP-SECRET DLM=Sensitive:Legal
  • TOP-SECRET+Sensitive:Personal,SEC=TOP-SECRET DLM=Sensitive:Personal
  • TOP-SECRET+Sensitive:Cabinet,SEC=TOP-SECRET DLM=Sensitive:Cabinet

iOS Data Protection

Enterprises who must meet Australian Signals Directorate (ASD) data protection requirements can use the Enable iOS data protection policies for Secure Mail and Secure Web. By default the policies are Off.

When Enable iOS data protection is On for Secure Web, Secure Web uses Class A protection level for all files in the sandbox. For details about Secure Mail data protection, see Australian Signals Directorate Data Protection. If you enable this policy, the highest data protection class is used so there is no need to also specify the Minimum data protection class policy.

To change the Enable iOS data protection policy

  1. Use the Endpoint Management console to load the Secure Web and Secure Mail MDX files to Endpoint Management: For a new app, navigate to Configure > Apps > Add and then click MDX. For an upgrade, see Upgrade MDX or enterprise apps.

  2. For Secure Mail, browse to the App settings, locate the Enable iOS data protection policy and set it to On. Devices running older operating system versions are not affected when this policy is enabled.

  3. For Secure Web, browse to the App settings, locate the Enable iOS data protection policy and set it to On. Devices running older operating system versions are not affected when this policy is enabled.

  4. Configure the app policies as usual and save your settings to deploy the app to the Endpoint Management app store.

Australian Signals Directorate Data Protection

Secure Mail supports Australian Signals Directorate (ASD) data protection for those enterprises that must meet ASD computer security requirements. By default, the Enable iOS data protection policy is Off and Secure Mail provides Class C data protection or uses the data protection set in the provisioning profile.

If the policy is On, Secure Mail specifies the protection level when creating and opening files in the app sandbox. Secure Mail sets Class A data protection on:

  • Outbox items
  • Photos from the camera or camera roll
  • Images pasted from other apps
  • Downloaded file attachments

Secure Mail sets Class B data protection on:

  • Stored mail
  • Calendar items
  • Contacts
  • ActiveSync policy files

Class B protection enables a locked device to sync and enables downloads to complete if a device is locked after the download starts.

With data protection enabled, queued outbox items are not sent when a device is locked because the files cannot be opened. And, if the device terminates and then restarts Secure Mail when a device is locked, Secure Mail is unable to sync until the device is unlocked and Secure Mail starts.

Citrix recommends that, if you enable this policy, you enable Secure Mail logging only when needed to avoid the creation of log files with Class C data protection.