Okay, the situation. We have a Dovecot+Postfix based mail server with the SOGo groupware providing calendaring and contacts.
All three provide TLS-based services to the public Internet. A few of us have been able to configure our devices to support accessing our emails and calendars from our phones. Most of us are running some version of Android. My phone is Android 4.1 (yes, ZTE live in the stone age, but that's another topic), others are v5.0 or above. There are a few iOS devices also.
We would like to enforce (from the server end) that the user has a secure lockscreen so that if their phone goes AWOL, they don't give away the keys to the kingdom.
I've seen lots about how some Microsoft Exchange sites somehow enforce this, and lots of people asking how to defeat it. Also lots on other services like Android Pay that enforce this.
I'm asking the opposite question, how does it enforce this from the server? What do I need to tell Dovecot/Postfix in order for this to be requested by the client device when the user configures their device's mail client with our IMAP/SMTP server settings?
Note: A couple have suggested I install applications on the device. I already know how to manually set up a secure lockscreen using a pin-code, password or pattern, however the user is then free to turn that back off again. Clearly Microsoft Exchange is able to transmit something in that initial handshake between Android email client and server that tells the phone that it must use a secure lockscreen. I wish to replicate that same hand-shake using the Dovecot/Postfix/SOGo mail stack.
If I have to install anything on the device, then that is the wrong solution.