Work email (Android Sophos container policy)

With the Work email configuration you define user settings for your Microsoft Exchange Server. These settings are applied to the Sophos Secure Email app if it is installed in the Sophos container.

Note If Sophos Secure Email isn’t installed, users receive a message to install it. When they start the app for the first time, it’s configured automatically.

Main email account



Exchange server

The Exchange server address.

If you use the Sophos Mobile EAS proxy, enter the URL of the EAS proxy server.


The user for this account.

If you enter the variable %_USERNAME_%, the server replaces it with the actual username.

Users must enter the account password on their devices.

Email address

The email address of the account.

If you enter the variable %_EMAILADDRESS_%, the server replaces it with the actual email address.


The domain for this account.

Support contact email

The email address that will be used as the "Contact Support" email address.

Managed accounts

In addition to the main email account, you can add up to two accounts, called Managed accounts, to Sophos Secure Email.

Note the following:

  • When you configure managed accounts, users can’t add accounts manually. They can use accounts that they added before you assigned the policy.
  • If there’s an existing account with the same email address, it’s converted into a managed account.

Email settings



Allow external content

Users can load external mail content like images.

Maximum email size

Email messages that are larger than the size you select (including attachments) are not retrieved from the Exchange server.

Notification details

Select the amount of information that is displayed in email notifications.

This setting also affects event reminders. If you select No notifications, event reminders are turned off. If you select any other value, event reminders are turned on and include time, location and title information.

Default signature

The default email signature.

EWS server

The URL of your Exchange Web Services (EWS) server.

If you leave this field empty, Sophos Secure Email uses the URL you configured in Exchange server.




Synchronize Outlook tasks and notes

Users can view their Outlook tasks and notes in Sophos Secure Email.

By default, users can also create, edit, and delete tasks and notes. To turn this off, select Tasks and notes are read-only.

Tasks and notes are read-only

Users can’t create, edit, or delete Outlook tasks and notes in Sophos Secure Email.

Export contacts to device

Users are allowed to export the Exchange contacts to the local device contacts, so that they can identify company contacts in incoming calls.

Sophos Secure Email keeps the information synchronized.
Note The local contact information is automatically deleted in the following situations:
  • When the Corporate Email configuration is removed from the Sophos container policy (requires a restart of the Secure Email app).
  • When the Sophos container is removed from the device.
  • When the device is unenrolled from Sophos Mobile.

Export company names

The company name is included in the export of company contacts to the local device contacts.

When you turn this setting off, only name and phone number are exported.

Data protection



Deny copy to clipboard

Users cannot copy or cut texts from the Sophos Secure Email app.

Deny screenshots

Users can’t take screenshots that show the Sophos Secure Email app.

Allow viewing/sharing

Users are allowed to view or share email attachments.

View attachments

Select whether attachments can be viewed in all apps or only in the Sophos container apps Sophos Secure Workspace and Sophos Secure Email.

Share attachments

With all apps: Attachments can be shared with all apps that support the file format.

With container apps: Attachments are encrypted with a device key and can only be opened in Sophos Secure Workspace. The sharing action itself is not blocked.




Allow S/MIME encryption

Users can send and receive emails that are encrypted with a S/MIME certificate.

S/MIME certificates must be stored in the root folder of Internal Storage.

This setting doesn’t affect S/MIME signing. Users can sign emails when their S/MIME certificate is available on the device.

OAuth 2.0

With these settings, you set up Sophos Secure Email so that users access their Exchange accounts via your organization’s Office 365 sign-in procedure.



Turn on OAuth 2.0

Turn on Office 365 authentication.

Authorization endpoint

The OAuth authorization endpoint of your application in Microsoft Azure.

Enter the value displayed in the Azure portal under OAuth 2.0 authorization endpoint (v2).

Client ID

The ID of your application in Microsoft Azure.

Enter the value displayed in the Azure portal under Application (client) ID.

Redirect URI

The location that the Office 365 API uses for authentication responses.

Enter the following text:


Token endpoint

The OAuth token endpoint of your application in Microsoft Azure.

Enter the value displayed in the Azure portal under OAuth 2.0 token endpoint (v2).

Extra settings

Only configure these settings if instructed by Sophos Support.