IMPORTANT: Support for blocking sensitive data in notifications with Outlook for iOS has been delayed due to a dependency on notification encryption. To ensure the best customer experience, we are pausing the rollout of notification encryption for O365 tenants, which is required to support blocking sensitive data in notifications for Outlook for iOS. We expect to have notification encryption enabled for tenants by the end of May 2020. Limiting sensitive data in notifications is now available for commercial tenants using Outlook for iOS as of May 20, 2020.
Mobile app notifications are critical in alerting users of new content or reminding them to act. Users interact with these notifications via the lock screen and in the operating system’s notification center. Notifications often include detailed information, which can be sensitive in nature. This information, unfortunately, can inadvertently be leaked to casual observers.
As you can imagine, the notifications that enterprise users act on the most are messaging and calendaring notifications. Outlook for iOS and Android has designed its notifications to let users triage email and to alert them to upcoming meetings, including Time to Leave suggestions. Mail notifications include the sender’s address, the subject of the message, and a short preview of the message body. Calendar reminders include the subject, location, and start time of the meeting.
Recognizing that these notifications may include sensitive data, in December Intune will roll out support for limiting sensitive data in notifications and Outlook for iOS and Android is the first app (on both platforms) to take advantage of this new functionality!
This functionality is being delivered as a new App Protection Policy (APP) setting, Org Data Notifications. As this is an APP setting, it will apply on all devices (phones, tablets, and wearables) for the user for the apps that support the setting. When the APP Org Data Notifications is set to Block Org Data, this is how mail and calendar notifications from Outlook for iOS and Android will appear:
In addition, Outlook for iOS and Android is introducing a new data protection App Configuration Policy (ACP) setting that provides additional flexibility with calendar notifications – you can block sensitive information in mail notifications, while allowing sensitive information in calendar notifications. After all, your users might just need to know where they are going and when they should leave, at a glance. When Calendar Notifications is set to Allowed, the notifications will appear as follows:
The following table outlines the notification experience in Outlook for iOS and Android based on the combination of the APP and ACP settings:
APP setting value | ACP Calendar setting value | Outlook notification behavior |
Allow (default) | Not Configured (default) | Default client behavior where sensitive data is exposed in mail and calendar notifications |
Block | Not Configured | Sensitive data is exposed in mail and calendar notifications as Outlook ignores the block setting |
Block Org Data | Not Configured | Sensitive data is not available in mail or calendar notifications |
Block Org Data | Allowed | Sensitive data is not available in mail notifications; calendar notifications expose sensitive data |
As a result of these improvements, Outlook for iOS and Android is removing support for several data protection app configuration keys that were previously used to manage notifications on the iOS platform:
- microsoft.outlook.Mail.NotificationsEnabled
- microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed
- microsoft.outlook.Calendar.NotificationsEnabled
- microsoft.outlook.Calendar.NotificationsEnabled.UserChangeAllowed
These keys will be removed starting the week of December 16th, 2019.
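The table and the retired key list above can be turned into a pre-deployment check. The following is an added example, not code from Microsoft or Intune: the record field names (`app_org_data_notifications`, `acp_calendar_notifications`, `app_config_keys`) and the sample records are hypothetical, while the setting values and key names are the ones listed on this page.

```python
# Added example: audits constructed policy records against the table and key list above.
# Field names are hypothetical; they are not an Intune export format.
DEPRECATED_KEYS = (
    "microsoft.outlook.Mail.NotificationsEnabled",
    "microsoft.outlook.Mail.NotificationsEnabled.UserChangeAllowed",
    "microsoft.outlook.Calendar.NotificationsEnabled",
    "microsoft.outlook.Calendar.NotificationsEnabled.UserChangeAllowed",
)

# (APP value, ACP calendar value) -> (mail exposes data, calendar exposes data)
TABLE = {
    ("Allow", "Not Configured"): (True, True),
    ("Block", "Not Configured"): (True, True),  # Outlook ignores "Block"
    ("Block Org Data", "Not Configured"): (False, False),
    ("Block Org Data", "Allowed"): (False, True),
}


def audit(policy):
    """Return the expected notification exposure and findings for one record."""
    app = policy.get("app_org_data_notifications", "Allow")
    cal = policy.get("acp_calendar_notifications", "Not Configured")
    findings = []
    mail, calendar = TABLE.get((app, cal), (None, None))
    if mail is None:
        findings.append(f"({app}, {cal}) is not in the published table; confirm on a test device")
    if app == "Block":
        findings.append("'Block' is ignored by Outlook; set 'Block Org Data' to hide content")
    for key in policy.get("app_config_keys", {}):
        # Suffix match also catches a key stored with a leading prefix (assumption).
        if any(key == d or key.endswith("." + d) for d in DEPRECATED_KEYS):
            findings.append(f"deprecated notification key still configured: {key}")
    return {"mail_exposed": mail, "calendar_exposed": calendar, "findings": findings}


# Constructed sample records, one per situation worth catching.
SAMPLES = {
    "legacy-ios": {"app_org_data_notifications": "Block",
                   "app_config_keys": {"microsoft.outlook.Mail.NotificationsEnabled": "false"}},
    "hardened": {"app_org_data_notifications": "Block Org Data",
                 "acp_calendar_notifications": "Allowed"},
    "untabled": {"app_org_data_notifications": "Allow",
                 "acp_calendar_notifications": "Allowed"},
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit(record))
```

A `None` exposure value means the combination is not one the table covers, so the check reports it instead of guessing the behavior.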
We hope you will enable this new APP setting in your deployments once it releases in December. If you have any questions, please let us know.
Ross Smith IV
Principal Program Manager
Customer Experience Engineering