Email Security Policy

Through our Digital Strategy, the University has committed to putting ‘Digital’ at the core of everything we do; providing the digital resources and tools needed to innovate, operate and collaborate effectively across and beyond organisational boundaries and structures.

To achieve this safely, in the context of globally-increasing cyber security threats and the forthcoming General Data Protection Regulations (which places increased obligations on the handling of personal data, with substantial financial penalties for non-compliance) improvements must be made to both IT security and information security throughout the University.

Some methods of accessing email such as programs which use IMAP or the Outlook desktop program download (or cache) the mailbox to local storage. This can lead to University information being stored on devices which the University does not control and about which we do not have the IT security assurance necessary to be certain the information will itself be safe.

We must now place limits on how staff may access, and to which devices they can download University email. Some of these require supporting technical changes to be made, and are being phased in as the capabilities become available. Only where technical mechanisms are not yet available will policy and guidance be used.

These limits do not apply to taught undergraduate or postgraduate students, or to postgraduate research students.

Connecting to and accessing University email

How you can connect to and access your email depends on whether you are using a University-owned or non-University owned device e.g. personal mobile phone, or laptop and desktop computer:

  • University-owned computers connecting to the University’s email service must also use an email program which does not cache or store email locally, unless;
    • They are part of one of the assured services which has appropriate controls in place e.g. Windows 7 managed service, fully-assured Mac or Linux services; or
    • Authorisation has been granted on the basis of a valid requirement, where appropriate controls are in place e.g. encryption of local storage.
  • Non University-owned computers connecting to the University’s email service must use an email program which;
    • Does not cache or store email locally; or
    • Has the capability for the University to remotely delete data, should it become necessary e.g. lost or stolen devices.
  • All mobile devices (e.g. iPhones, iPads, Android phones/tablets) must use a way of accessing University email which allows it to be remotely deleted if the device is lost, stolen or where a serious investigation involving fraud or misconduct may be underway.

Because the IMAP protocol does not support remote deletion of email content, it is no longer available by default to all staff. This is to reduce the risks of information security breaches which could otherwise occur. IMAP will only be available in circumstances where there is no viable alternative.

Accessing email from University-owned computers

If you are using a University-owned computer, the email program you use depends on whether it is a Windows, Mac or Linux computer on one of the assured services. These services assure the University that any email information downloaded (or cached) on the computers is appropriately protected.

  • If you are using a Windows computer, we support the use of the Outlook desktop program.
  • If you are using a Mac, we support use of either of the Outlook for Mac or Mac Mail programs.
  • If you are using a Linux computer then provided it is on the fully-assured Linux service or has been manually assured, access to IMAP is available upon request.
    • By default IMAP will be available on campus only. However for Linux laptops users it will be available off-campus as well.

If you are given access to connect to the University email service via IMAP, you must commit to using IMAP only as permitted and not for any unrelated reasons e.g. as a mechanism to bypass other security controls on email; and to comply with all relevant Information Security policies when doing so.

Accessing email from Non University-owned computers

If you need to access your email from a Non University-owned computer (such as a PC at home) then you should use Outlook on the Web.

Whilst it is possible under the terms of the University’s Microsoft license to install and use Outlook on e.g. a personally owned computer, this will store a local copy of your email account without any means for the University to control or remotely delete this data should it become necessary.

Other email programs are available which work in the same or similar ways (such as Mac Mail, or IMAP) and these also have the same limitation.

Because of this, we can no longer permit the use of these email programs to connect to the University email service from Non University-owned computers.

  • The use of IMAP to connect to University email from personally owned computers has been withdrawn and is no longer be permitted.
  • If you are using Outlook (or an equivalent program) to connect from a Non University-owned computer you must remove your account from it.

Access to IMAP is blocked technically (and only available to approved users for use on University-owned computers.). Preventing the use of Outlook (or equivalent programs) to connect will be enforced as soon as the technical capability becomes available, which is expected in late 2017/2018.

Access to IMAP is given upon application by completing the IMAP Access Agreement form.

Accessing email from Mobile Devices

To access your University email on a mobile device you should use the Outlook app or a ‘mail’ app as per the connect email on your mobile device (that uses Exchange ActiveSync).

Either of these routes ensures that the University retains control of the emails and can remotely delete them if the device is lost or stolen (or in other serious circumstances.)

  • If you are using a personally owned device, we strongly recommend that you use the Outlook App to connect your smartphone or tablet to your University email. This will enable a feature that allows a ‘remote wipe’ of only University data. Alternatively you can use the ‘mail’ app on your personal device, however this requires that that you agree to allow a ‘remote wipe’ of everything on your phone, including personal content such as music and photos, as well as University data.
  • The use of IMAP to connect mobile devices (bypassing this control) is strictly prohibited, even where access to IMAP has been permitted for other purposes.

Alternatively, you can also use Outlook on the Web using a web browser through a mobile device.

Using email for other purposes

You may use email as part of running a system or process which sends or receives messages automatically to support research, teaching or administrative activity.

If you need access to IMAP to run such a system, then it will be provided upon request by completing the IMAP Access Agreement form.

If you are given access to IMAP for this purpose, you must commit to using it only for this and not for any unrelated reasons e.g. as a mechanism to bypass other security controls on email; and to comply with all relevant Information Security policies when doing so.

Share this page:

Need IT Help?

IT Service Desk

Report an issue or make a request

Online:

In person:

Opening hours:
Mon - Fri 8.30am - 5.00pm

Phone:
0116 252 2253
Chat:

 

Teaching room help

Instant help:
0116 252 2919
Borrow: