Skip to content

Work email (iOS Sophos container policy)

The Work email configuration lets you configure Sophos Secure Email.


Managing Sophos Secure Email with Sophos Mobile is only available for Sophos Central accounts created before October 1, 2022 and for accounts migrated from an on-premise installation of Sophos Mobile.

Main email account

Setting Description
Server name For Exchange Online, enter

For Exchange Server, enter your server URL.

Note that applies to the worldwide Microsoft 365 cloud. If you’re using a different Microsoft 365 cloud, such as Office 365 Germany, see the Microsoft document Office 365 URLs and IP address ranges.

When you use Exchange Server with the Sophos Mobile EAS proxy, enter its URL instead.

User The user's sign-in name.

For Exchange Online, this is usually the email address. Enter %_EMAILADDRESS_% to use the email address of the user assigned to the device.

For Exchange Server, enter %_USERNAME_% to use the name of the user assigned to the device.

Users must enter the account password on their devices.

Email address The email address of the account.

If you enter the variable %_EMAILADDRESS_%, the server replaces it with the actual email address.

Domain For Exchange Online, leave this field empty.

For Exchange Server, enter the domain of the user account.

Support contact email The email address that will be used as the "Contact Support" email address.

Managed accounts

In addition to the main email account, you can add up to two accounts, called Managed accounts, to Sophos Secure Email.

Note the following:

  • When you configure managed accounts, users can’t add accounts manually. They can use accounts that they added before you assigned the policy.
  • If there’s an existing account with the same email address, it’s converted into a managed account.

Email settings

Setting Description
Use secure text fields The content of input fields is secured. Auto-complete and auto-correction are disabled within the Sophos Secure Email app to prevent sensitive words to be saved in the memory of the device.
Allow external content Users can load external mail content like images.
Maximum email size Email messages that are larger than the size you select (including attachments) are not retrieved from the Exchange server.
Notifications The notification type for new email:
  • System: Notifications are managed by iOS. They don’t include details like Sender or Subject.
  • App: Notifications are managed by the Sophos Secure Email app. When the app is not running, no notifications are displayed.
  • None: No notifications are displayed.

This setting also affects event reminders:

  • System, None: Event reminders only include time information.
  • App: Event reminders include time, location and title information.
Content The type of information that is displayed in a notification.

This setting is only available if you’ve selected App in Notifications.

Default signature The default email signature.
EWS server The URL of your Exchange Web Services (EWS) server.

If you leave this field empty, Sophos Secure Email uses the URL you configured in Server name.


Setting Description
Synchronize Outlook tasks and notes Users can view their Outlook tasks and notes in Sophos Secure Email.

By default, users can also create, edit, and delete tasks and notes. To turn this off, select Tasks and notes are read-only.

Tasks and notes are read-only Users can’t create, edit, or delete Outlook tasks and notes in Sophos Secure Email.
Call identification Contact information from Sophos Secure Email can be used to identify company contacts in incoming calls, without the need to export Sophos Secure Email contacts to the device contacts.

To use this, users must turn on the following device settings:

  • In the Settings app: Phone > Call Blocking & Identification > Email
  • In the Sophos Secure Email app: Settings > Contacts > Call Identification
Export contacts to device Users can export Exchange contacts to the device.

Sophos Secure Email keeps the information synchronized.

Sophos Secure Email automatically deletes local contact information in the following situations:

  • When you remove the Work email configuration from the policy (requires a restart of Sophos Secure Email).
  • When the Sophos container is removed from the device.
  • When the device is unenrolled from Sophos Mobile.

Data protection

Setting Description
Deny copy to clipboard Users cannot copy or cut texts from the Sophos Secure Email app.
Open attachments In all apps: Attachments can be opened in all apps that support the file format.

In container apps: Attachments are encrypted with a device key and can only be opened in Sophos Secure Workspace. The Open in action itself is not blocked.


Setting Description
Use system CA list For incoming encrypted emails, Sophos Secure Email uses the certificate authority (CA) list provided by iOS or iPadOS to validate the certificate’s chain of trust.

If you clear this setting, all certificates of the chain of trust must be available on the device.

Encrypt by default If the recipient’s S/MIME certificate is available, emails are sent encrypted.
Sign by default Outgoing emails are signed by default with a user’s S/MIME certificate.

Users can change the default in the Sophos Secure Email settings or can send individual messages unsigned.

Allow S/MIME encryption Users can send and receive emails that are encrypted with a S/MIME certificate.
Allow S/MIME signing Users can sign emails if their S/MIME certificate is available on the device.

OAuth 2.0

With these settings, you set up Sophos Secure Email so that users access their Exchange accounts via your organization’s Microsoft 365 sign-in procedure. See Set up modern authentication for Sophos Secure Email.

Setting Description
Turn on OAuth 2.0 Turn on Microsoft 365 authentication.
Authorization endpoint The OAuth authorization endpoint of your application in Microsoft Azure.

Enter the value displayed in the Azure portal under OAuth 2.0 authorization endpoint (v2).

Client ID The ID of your application in Microsoft Azure.

Enter the value displayed in the Azure portal under Application (client) ID.

Redirect URI The location that the Microsoft 365 API uses for authentication responses.

Enter the following text:


Token endpoint The OAuth token endpoint of your application in Microsoft Azure.

Enter the value displayed in the Azure portal under OAuth 2.0 token endpoint (v2).

Extra settings

Only configure these settings if instructed by Sophos Support.