Counie
Brass Contributor
Jul 30, 2019

Why is "Activate device admin app" displaying when setting up Outlook on Android?

Hi Everyone,

I'm not very experienced with the Intune product set and within my tenant I don't have admin access to manage any settings related to mobile access management.

 

From the beginning of this week, I'm receiving reports from people installing the Outlook for Android app and connecting to our tenant that they are seeing an additional "Activate device admin app" screen that we were not expecting to see.

 

The screen is that which is displayed at the following URL https://support.office.com/en-us/article/set-up-email-in-the-outlook-for-android-app-886db551-8dfa-4fd5-b835-f8e532091872

 

None of the admins have reported making any changes at tenant level. 

 

Are there any reasons why this message will have started appearing at this stage? 

 

Could Microsoft have made a change to the configuration settings? (perhaps one that has been announced already)

 

Thanks everyone.

    • Counie
      Brass Contributor

       

      Is there a resource that I could direct our admin to so that they would know what to check?

       

      Is it a case of googling EAS and MDM policy settings for Exchange Online...

       

      I'll give it a shot.

       

       

      • Counie
        Brass Contributor

        Hi All,

         

        What happened here is that a policy had been applied all along, and we didn't notice it on the front end because everyone who tested the installation process did so on a mobile device that met the minimum requirements of the policy (mostly they were IT staff).

        It's not clear to me who actually set the policy originally, or if in fact anyone in our team manually configured this policy at all.

        However, when non-IT end users started to install Outlook... in all cases it was on the Android platform... we started to notice the "Outlook Device Policy" screens appearing.

        Eventually we determined that it was because their devices (these are all unmanaged personal devices) DID NOT meet the minimum standard of the policy. So the approach now is that if they don't meet the minimum standard, they don't get to connect the app to our tenant.

  • Meral321
    Copper Contributor

    Counie 

    What bothered me was the msg that states ("DELETE ALL DATA") "Erase the phone's data without warning by performing a factory data reset"... what the???

    So I was very cautious about that info and just clicked "cancel".

    Has anybody agreed to the terms and conditions and experienced anything negative?

    • Danish1245
      Copper Contributor

      Meral321 I'll prefer not to set up Outlook on my personal device, which says ("DELETE ALL DATA").

    • Auclearwater
      Copper Contributor

      Meral321 

       

      It is difficult to explain why Android presents that possibility to the user that their personal data will be wiped, but it actually won't be. So don't worry. Outlook doesn't contain a specific policy "OS call" that would trigger such a thing. It's an app-level wipe, not a phone wide wipe. It could remove all Outlook app data that's synced from the work servers if too many incorrect password attempts occur at the lock screen.

       

      These are the four policies enacted when a user grants device admin privileges to Outlook.

       

      1. Encrypted-storage

      2. Force-lock

      3. Limit-password

      4. Watch-login

       

      The three policies that can wipe your device are setMaximumFailedPasswordsForWipe and two wipeData methods. All three of these require the USES_POLICY_WIPE_DATA Policy, which the Outlook app does not request.
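
The policy list in the post above can be checked for any device admin app by reading the `<uses-policies>` block of its device-admin metadata XML. This is an added example, not part of the original post and not Microsoft's code; it assumes the XML has already been decoded from the APK to plain text, and both sample documents are constructed, not taken from Outlook.

```python
import xml.etree.ElementTree as ET

# Tags allowed under <uses-policies> in Android device-admin metadata,
# mapped to the DeviceAdminInfo constant each tag declares.
POLICY_TAGS = {
    "limit-password": "USES_POLICY_LIMIT_PASSWORD",
    "watch-login": "USES_POLICY_WATCH_LOGIN",
    "reset-password": "USES_POLICY_RESET_PASSWORD",
    "force-lock": "USES_POLICY_FORCE_LOCK",
    "wipe-data": "USES_POLICY_WIPE_DATA",
    "expire-password": "USES_POLICY_EXPIRE_PASSWORD",
    "encrypted-storage": "USES_ENCRYPTED_STORAGE",
    "disable-camera": "USES_POLICY_DISABLE_CAMERA",
    "disable-keyguard-features": "USES_POLICY_DISABLE_KEYGUARD_FEATURES",
}

# Constructed samples for illustration; not extracted from any real app.
SAMPLE_FOUR_POLICIES = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <encrypted-storage/><force-lock/><limit-password/><watch-login/>
  </uses-policies>
</device-admin>"""
SAMPLE_WITH_WIPE = SAMPLE_FOUR_POLICIES.replace("<watch-login/>", "<watch-login/><wipe-data/>")

def declared_policies(xml_text):
    """Return the tag names listed under <uses-policies>."""
    if "<!DOCTYPE" in xml_text:
        # Device-admin metadata never needs a DTD; refuse entity tricks.
        raise ValueError("DOCTYPE not allowed in device-admin metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "device-admin":
        raise ValueError("not a device-admin metadata file")
    block = root.find("uses-policies")
    return [] if block is None else [child.tag for child in block]

def audit(xml_text):
    """Summarise declared policies and whether a factory reset is possible."""
    tags = declared_policies(xml_text)
    known = sorted(t for t in tags if t in POLICY_TAGS)
    return {
        "policies": [POLICY_TAGS[t] for t in known],
        "unrecognised_tags": sorted(t for t in tags if t not in POLICY_TAGS),
        # wipeData() and setMaximumFailedPasswordsForWipe() need this policy.
        "can_factory_reset": "wipe-data" in known,
    }
```
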

      • Robert_Sudbury
        Copper Contributor
        Has the limitation on erasing data been confirmed? This is a rather alarming message to receive on a personal device.
  • jrngsg
    Iron Contributor
    It is from the Exchange Online mobile policies. Disable it if you use Intune.
  • randallking
    Copper Contributor
    This doesn't seem puzzling at all. Microsoft Exchange (the technology that powers Outlook.com for consumers and Microsoft 365 email) has a feature that lets you remotely wipe (erase) a mobile device. The user can typically do this through Outlook on the web by going into settings > General > Mobile devices.

    In order for the remote wipe to work, the Outlook app or native email app must have device admin rights to erase the entire phone or tablet.

    In an enterprise, admins can also set policies to require a complex passcode, require encryption, and so forth. This lets them have some degree of security over enterprise data that may be in the email, calendar, contacts, etc. apps. The policies are enforced by using this device admin privilege.
