Forum Discussion
Andrew Matthews
Oct 11, 2018 · Iron Contributor
Office Mobile App Config Policies
I noticed new documentation for App Configuration policies for the Outlook mobile app recently. The settings prompted my curiosity, so I ran an experiment. I applied the IntuneMAMAllowedAccountsOnly...
SRoach
Nov 12, 2018 · Brass Contributor
Hi Andrew,
I've been trying to use this functionality to prevent users from adding their personal cloud services to Word, etc. and thus leaking data, but I haven't found them to be effective.
Were you able to block additional services/locations from being added to Word, etc. after rolling this out?
- Andrew Matthews · Nov 12, 2018 · Iron Contributor
The behaviour is a bit odd when you add other accounts. I could add other accounts but then got a huge error and the account got deleted.
If you want to block data loss in mobile apps then App Protection policies are the gold standard. You can add as many accounts as you like but data does not leak from the protected corporate account to another account, even within the same App.
- SRoach · Nov 12, 2018 · Brass Contributor
Thanks Andrew.
Good point about the app protection policies for doing the bulk of the work in reducing the likelihood of data leakage. In my case, I have app protection policies configured but was looking at how the app config policies could be used to further lock down COBO devices and thus make over-zealous security folk sleep at night. :-)
I've found the behaviour to be a bit hit or miss, especially on devices already running Word, etc. and configured with personal accounts. Outlook, on the other hand, works perfectly; it removed all other accounts I had configured, but the other apps retained the private accounts. Hopefully, the functionality improves over the coming weeks.
- Peter Lay · Nov 12, 2018 · Brass Contributor
OneDrive and Skype for Business on Android don't seem to support the Key Value Pairs of the other Office clients for mobile. Another thing I noticed is that the Outlook app doesn't work with the Key Value Pair of IntuneMAMAllowedAccountsOnly enabled when using Exchange on-premises. That option assumes an Exchange Online mailbox is being used, from what I can tell. It would be good to fix that for Exchange on-premises, so that we can lock Outlook down to just the organization-provided mailbox.