Recently I had a XenMobile customer where all users could enroll their phones and install applications, and everything seemed to work fine, except for a few users who could start Secure Mail but, after entering their Exchange credentials, got this little bugger:

Error message: Secure Mail. Access to your company network is not currently available.

This error made no sense, since we could use other XenMobile applications, including Secure Web. We also had several other users using Secure Mail without any problems.

To make a long story short, the problem was found on the user object in Active Directory. When we compared the permissions on the user objects in AD, we could see that the users experiencing this problem had not been given certain permissions.

As you can see from these two user objects, for User A the group Exchange Enterprise Servers has several more permissions than the same group for User B.
To see the Security tab, you have to enable “Advanced Features” in the View menu in Active Directory Users and Computers.

Screenshots: User A properties, User B properties

You can also see that User A has inherited the permissions, while User B has explicit permissions.
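The same comparison can be scripted instead of clicking through the Security tab. The following is an added example, not part of the original troubleshooting: it assumes the RSAT ActiveDirectory module on a domain-joined machine, and `userA` (working) and `userB` (failing) are placeholder account names.

```powershell
# Added example: compare the ACL of a working and a failing user object.
# Assumptions: RSAT ActiveDirectory module, domain-joined workstation,
# placeholder accounts 'userA' (works) and 'userB' (fails).
Import-Module ActiveDirectory

function Get-UserAclSummary {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Matches DOMAIN\Exchange Enterprise Servers regardless of domain name.
        [string] $GroupPattern = '*Exchange Enterprise Servers'
    )
    $user = Get-ADUser -Identity $SamAccountName
    # The AD: drive is provided by the ActiveDirectory module.
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    $aces = @($acl.Access |
        Where-Object { $_.IdentityReference.Value -like $GroupPattern })

    [pscustomobject]@{
        User                = $SamAccountName
        # True means "inherit from parent" is switched off on this object.
        InheritanceDisabled = $acl.AreAccessRulesProtected
        InheritedAces       = @($aces | Where-Object IsInherited).Count
        ExplicitAces        = @($aces | Where-Object { -not $_.IsInherited }).Count
        # One comparable string per ACE, ignoring how the ACE was applied.
        Rights = @($aces | ForEach-Object {
            '{0}|{1}|{2}|{3}' -f $_.AccessControlType, $_.ActiveDirectoryRights,
                                 $_.ObjectType, $_.InheritedObjectType
        } | Sort-Object -Unique)
    }
}

$good = Get-UserAclSummary -SamAccountName 'userA'
$bad  = Get-UserAclSummary -SamAccountName 'userB'

# Side-by-side overview: inheritance state and ACE counts for the group.
$good, $bad |
    Select-Object User, InheritanceDisabled, InheritedAces, ExplicitAces |
    Format-Table -AutoSize

# Rights the working user has for the group that the failing user lacks.
$missing = @($good.Rights | Where-Object { $_ -notin $bad.Rights })
"Missing on $($bad.User): $($missing.Count) ACE(s)"
$missing
```

Recording this output before changing anything gives a record of the original permissions on the user object.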

We solved this the easy way by configuring inherited permissions for User B. He then got the correct permissions and could successfully log on to Secure Mail. You can configure inherited permissions by clicking the Advanced button and then clicking Restore Defaults.

Reset permissions

In our case we could reset the permissions on the user object without any issues. You could also change the permissions one by one until you find the correct settings. Be aware that you might mess up something if you have other systems or applications using different permissions on the user object. Use this at your own risk.