
At Microsoft Ignite, Outlook for iOS and Android announced support for deploying managed device general app configuration settings for Office 365 mailboxes and on-premises mailboxes leveraging hybrid modern authentication. This capability leverages either the Managed App Configuration for iOS or the Android managed configurations to enable MDM solutions to push configuration settings. 

 

Today, we are announcing the availability of new functionality within Intune that enables admins to easily deploy general app configuration to Outlook for iOS and Android via App configuration policies. This new functionality allows IT admins to configure the default behavior for several settings within Outlook for iOS and Android, such as Focused Inbox.

 

Note: For Outlook for iOS and Android to apply these settings, the app needs to be installed and managed by the Company Portal.


Figure 1: App Configuration Policy for Outlook for iOS on enrolled iOS devices from https://devicemanagement.microsoft.com. If you're in https://portal.azure.com, then you'll go to Intune -> Client apps -> App configuration policies and add a configuration policy. 

General App Configuration details

With this new policy experience, administrators can simply configure certain Outlook app settings’ default behavior and deploy them to their users’ enrolled mobile devices. For this first release, Outlook supports the following settings for configuration:

 

| Setting | Default app behavior | Notes |
| --- | --- | --- |
| Focused Inbox | On | |
| Require Biometrics to access the app | Off | This setting is only available for Outlook for iOS. If using App Protection Policies, Microsoft recommends disabling this setting to prevent dual access prompts. |
| Save Contacts | Off | User must grant access to the native Contacts app for contact sync to occur. |
| External Recipients MailTip | On | |
| Block external images | Off | |

As you may have noticed, settings that are security-related in nature have an additional option, Allow user to change setting. For these settings (Save Contacts, External recipients MailTip, Block external images, and Require Biometrics to access the app), administrators can prevent the user from changing the app’s configuration; in other words, the administrator’s configuration cannot be overridden. Allow user to change setting controls only whether the user may change the setting; it does not itself change the app behavior. For example, if the admin enables Block external images and prevents user change, then by default external images will not be downloaded in messages; however, the user can still manually download the images for that message body.

 

Note: The Allow user to change setting for Require Biometrics to access the app is currently only available as a configuration key. This will be addressed in a future Intune portal update. For more information regarding the configuration key, please see Deploy app config settings.

The following conditions apply with respect to Outlook’s behavior when implementing app configuration:

  • If the admin configures a setting with its default value, and the app is configured with the default, then the admin’s configuration doesn't have any effect. For example, if the admin sets External recipients MailTip=on, the default value is also on, so Outlook’s configuration doesn't change.
  • If the admin configures a setting with the non-default value and the app is configured with the default, then the admin’s configuration is applied. For example, the admin sets Focused Inbox=off, but app default is on, so Outlook’s configuration for Focused Inbox is off.
  • If the user has configured a non-default value, but the admin has configured the default value and allows user choice, then the user’s configured value is retained. For example, the user has enabled contact sync, but the admin sets Save Contacts=off and allows user choice, so Outlook keeps contact sync on and does not break caller ID for the user.
  • If the admin disables user choice, then Outlook always enforces the admin defined configuration, regardless of the user's configuration or default app config. For example, the user has enabled contact sync, but the admin sets Save Contacts=off and disables user choice, so contact sync gets disabled and the user is prevented from enabling it.
  • If, after the MDM configuration is applied, the user changes the setting value so that it no longer matches the admin-desired value (and user choice is allowed), then the user’s configuration is retained. For example, Block external images is off by default, the admin sets Block external images=on, and afterwards the user changes Block external images back to off; in this scenario, Block external images remains off the next time the policy is applied.
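The five conditions above amount to a small precedence rule. The following is an added worked model of that rule, not code from the post or from the Outlook or Intune products; the setting names and defaults come from the table above, while the function names, the use of None for "user never changed the setting", and the treatment of Focused Inbox as always user-changeable (it has no Allow user to change setting toggle in the table) are this example's own assumptions.

```python
"""Worked model of the Outlook app configuration precedence rules (constructed example).

Assumptions (not from the post): settings are identified by their display names,
an admin value of None means "not configured in the policy", and a user value of
None means the user has left the setting at the app default.
"""
from typing import Dict, Optional

# Default app behaviour per the settings table in the post (On = True, Off = False).
DEFAULTS: Dict[str, bool] = {
    "Focused Inbox": True,
    "Require Biometrics to access the app": False,
    "Save Contacts": False,
    "External Recipients MailTip": True,
    "Block external images": False,
}

# Settings that expose "Allow user to change setting" in the policy.
# Focused Inbox has no such toggle, so user choice is always allowed for it (assumption).
USER_CHANGE_TOGGLE = {
    "Require Biometrics to access the app",
    "Save Contacts",
    "External Recipients MailTip",
    "Block external images",
}


def effective_value(setting: str,
                    admin_value: Optional[bool],
                    user_value: Optional[bool],
                    user_change_allowed: bool = True) -> bool:
    """Return the value Outlook ends up with after the policy is applied."""
    if setting not in DEFAULTS:
        raise KeyError(f"unknown setting: {setting}")
    default = DEFAULTS[setting]
    if setting not in USER_CHANGE_TOGGLE:
        user_change_allowed = True          # no lock-down option exists for this setting
    if admin_value is None:
        # Nothing configured by the admin: the user's explicit choice, else the default.
        return default if user_value is None else user_value
    if not user_change_allowed:
        # Condition 4: the admin value is enforced regardless of user or default config.
        return admin_value
    if user_value is not None:
        # Conditions 3 and 5: an explicit user choice is retained when user choice is
        # allowed, whether it was made before or after the policy was applied.
        return user_value
    # Conditions 1 and 2: the user is at the default, so the admin value applies
    # (a no-op when it equals the default).
    return admin_value


def walk_through_examples() -> Dict[str, bool]:
    """Replay the five examples from the post and return each outcome."""
    return {
        # 1: admin sets External recipients MailTip=on; default is on -> stays on.
        "mailtip_on_matches_default": effective_value(
            "External Recipients MailTip", admin_value=True, user_value=None),
        # 2: admin sets Focused Inbox=off; default is on -> off.
        "focused_inbox_admin_off": effective_value(
            "Focused Inbox", admin_value=False, user_value=None),
        # 3: user enabled contact sync, admin sets off and allows choice -> stays on.
        "save_contacts_user_on_choice_allowed": effective_value(
            "Save Contacts", admin_value=False, user_value=True, user_change_allowed=True),
        # 4: same, but admin disables user choice -> off and locked.
        "save_contacts_user_on_choice_blocked": effective_value(
            "Save Contacts", admin_value=False, user_value=True, user_change_allowed=False),
        # 5: admin sets Block external images=on, user later turns it off -> off.
        "block_images_user_reverted": effective_value(
            "Block external images", admin_value=True, user_value=False, user_change_allowed=True),
    }


if __name__ == "__main__":
    for name, value in walk_through_examples().items():
        print(f"{name}: {'On' if value else 'Off'}")
```

The practical consequence for a rollout is visible in the fourth and fifth cases: a security setting is only guaranteed on every device if Allow user to change setting is turned off for it; otherwise any user who has ever touched the setting keeps their own value.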

Users are alerted to configuration changes via a notification toast in the app:


Figure 2: Outlook for iOS and Android app config notification toast

 

This notification toast will automatically dismiss after 10 seconds. There are two scenarios where this notification toast will not appear:

  • If the app has previously shown the notification in the last hour.
  • If the app has been installed in less than 24 hours.

Save Contacts

The Save Contacts setting is a special case scenario because unlike the other settings, this setting requires user interaction – the user needs to grant Outlook permissions to access the native Contacts app and the data stored within. If the user does not grant access, then contact sync cannot be enabled.

 

Note: With Android Enterprise, administrators can configure the default permissions assigned to the managed app. Within the policy, you can define that Outlook for Android is granted READ_CONTACTS and WRITE_CONTACTS within the work profile; for more information on how to assign permissions, please see Add app configuration policies for managed Android devices. When assigning default permissions it is important to understand which Android Enterprise deployment models are in use, as the permissions may grant access to personal data.

The workflow for enabling Save Contacts is the same for new accounts and existing accounts.

  1. The user is notified that the administrator has enabled contact sync. In Outlook for iOS, the notification occurs within the app, whereas, in Outlook for Android, a persistent notification is delivered via the Android notification center.


    Figure 3: User notification regarding contact sync

  2. If the user taps on the notification, the user is prompted to grant access:


    Figure 4: User is prompted to grant access to native Contacts app

  3. If the user allows Outlook to access the native Contacts app, access is granted and contact sync will be enabled. If the user denies Outlook access to the native Contacts app, then the user is prompted to go into the OS settings and enable contact sync:


    Figure 5: User is prompted to enable contact sync in OS settings

  4. In the event the user denies Outlook access to the native Contacts app and dismisses the previous prompt, the user may later enable access by navigating to the account configuration within Outlook and tapping Open Settings:


    Figure 6: User can re-enable contact sync access in OS settings

Summary

We hope you enjoy this new policy experience available within the Intune portal for Outlook for iOS and Android. We'll continue to update the list of settings that can be managed via the MDM OS channel.

 

For more information on general app config with Outlook for iOS and Android, see Deploy app config settings. Up next is general app configuration for the without-enrollment scenario. Stay tuned!

 

Ross Smith IV
Principal Program Manager
Customer Experience Engineering

 

Common questions

Q: What versions of Outlook for iOS and Android support general app configuration on enrolled devices?

Outlook for iOS 3.15.0 and Outlook for Android 3.0.34 and later support this functionality.

 

Q: Can I deploy general app config to Outlook for iOS and Android if the device is not enrolled?

Not at this time, but in the future we plan to support this scenario for accounts that have an Intune App Protection Policy applied.

 

Q: What if I had already deployed the configuration keys manually in an App Configuration Policy; do I need to do anything?

No! The keys will be automatically consumed in the new policy experience.

 

Q: How do I create an App Configuration Policy for Outlook for iOS or Outlook for Android?

We’ll be updating Deploy app config settings to include the new policy experience, but you can also review Add app configuration policies for managed iOS devices and Add app configuration policies for managed Android devices.

 

Q: What if we are not using Intune to manage device enrollment, but instead are leveraging a third-party MDM solution?

Not to fear, we have you covered. These settings can be delivered via any MDM provider. For more information on the configuration keys you need to use, see Deploy app config settings.

 

Q: I need to configure IntuneMAMUPN to manage data transfer between iOS apps. Why is it that when I manually add IntuneMAMUPN in the Additional Configuration grid, it disappears from the policy?

This is a side effect of “Allow only work or school accounts”, as that setting configures IntuneMAMUPN automatically behind the scenes for the policy. A configuration key cannot be both configured automatically and exposed manually in the Additional Configuration grid. However, even though IntuneMAMUPN appears to disappear after saving the policy, your manual configuration is preserved. You can verify this using the MobileAppConfiguration PowerShell module. For example:

 

App Configuration Policy: Outlook iOS App Config
…/…
createdDateTime           : 2019-04-02 T15:46:58.1363479Z
description               :
lastModifiedDateTime      : 2019-04-02T15:46:58.1363479Z
displayName               : Outlook iOS App Config
version                   : 1
encodedSettingXml         :
settings                  : {@{appConfigKey=IntuneMAMUPN; appConfigKeyType=stringType; appConfigKeyValue={{UserPrincipalName}}}, @{appConfigKey=IntuneMAMAllowedAccountsOnly; appConfigKeyType=stringType;
                            appConfigKeyValue=Disabled}, @{appConfigKey=com.microsoft.outlook.Contacts.LocalSyncEnabled.UserChangeAllowed; appConfigKeyType=booleanType; appConfigKeyValue=true},
                            @{appConfigKey=com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed; appConfigKeyType=booleanType; appConfigKeyValue=true}...}
assignments@odata. …/…

We’re investigating how we can improve this experience.
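Once the settings list has been retrieved, the checks worth automating are that IntuneMAMUPN survived the save with the per-user token, what IntuneMAMAllowedAccountsOnly is set to, and which security settings still leave the user able to override the admin. The following is an added example, not code from the post or from the MobileAppConfiguration module; the POLICY_SETTINGS list is constructed inline from the four entries shown in the output above, and the helper names (settings_to_dict, verify_policy) are this example's own.

```python
"""Sanity checks over an Outlook App Configuration Policy's settings list.

Constructed example modelled on the MobileAppConfiguration output in the post.
POLICY_SETTINGS is built inline (not live tenant data); a real run would feed the
'settings' property of the retrieved policy object into verify_policy().
"""
from typing import Dict, List

# Same four entries as the 'settings' property in the post's output,
# as plain dicts instead of PowerShell hashtables.
POLICY_SETTINGS: List[Dict[str, str]] = [
    {"appConfigKey": "IntuneMAMUPN",
     "appConfigKeyType": "stringType",
     "appConfigKeyValue": "{{UserPrincipalName}}"},
    {"appConfigKey": "IntuneMAMAllowedAccountsOnly",
     "appConfigKeyType": "stringType",
     "appConfigKeyValue": "Disabled"},
    {"appConfigKey": "com.microsoft.outlook.Contacts.LocalSyncEnabled.UserChangeAllowed",
     "appConfigKeyType": "booleanType",
     "appConfigKeyValue": "true"},
    {"appConfigKey": "com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed",
     "appConfigKeyType": "booleanType",
     "appConfigKeyValue": "true"},
]

UPN_TOKEN = "{{UserPrincipalName}}"    # token Intune substitutes per user at delivery
USER_CHANGE_SUFFIX = ".UserChangeAllowed"


def settings_to_dict(settings: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten the entries to {key: value}, rejecting duplicate keys and malformed booleans."""
    flat: Dict[str, str] = {}
    for entry in settings:
        key = entry["appConfigKey"]
        ktype = entry["appConfigKeyType"]
        value = entry["appConfigKeyValue"]
        if key in flat:
            raise ValueError(f"duplicate key in policy: {key}")
        if ktype == "booleanType" and value not in ("true", "false"):
            raise ValueError(f"{key}: booleanType value must be true/false, got {value!r}")
        flat[key] = value
    return flat


def verify_policy(settings: List[Dict[str, str]]) -> Dict[str, object]:
    """Report the things an admin would check after saving the policy."""
    flat = settings_to_dict(settings)
    return {
        # The manually added key is still in the policy even though the grid hides it.
        "mam_upn_present": "IntuneMAMUPN" in flat,
        "mam_upn_is_token": flat.get("IntuneMAMUPN") == UPN_TOKEN,
        # The setting that auto-populates IntuneMAMUPN; Disabled in the post's output.
        "allowed_accounts_only": flat.get("IntuneMAMAllowedAccountsOnly"),
        # Security settings the user may still override (UserChangeAllowed=true),
        # listed by the base key they belong to.
        "user_overridable": sorted(
            k[: -len(USER_CHANGE_SUFFIX)]
            for k, v in flat.items()
            if k.endswith(USER_CHANGE_SUFFIX) and v == "true"),
    }


if __name__ == "__main__":
    for check, result in verify_policy(POLICY_SETTINGS).items():
        print(f"{check}: {result}")
```

The user_overridable list is the one to review before a broad rollout: for the output shown above it names both contact sync and external-image blocking, meaning a user's own choice for either will be retained under the conditions described earlier in the post.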

 

Updated 4/2/19 with an update regarding IntuneMAMUPN

50 Comments
Occasional Contributor

Thanks for the updates @Ross Smith IV!

Our Intune tenant isn't showing these newer config settings yet (see attached).  How soon should we expect them to show up?

Thanks,

Aaron

OutlookConfig.png

Microsoft

Aaron it will be live later today.

New Contributor

Hi Sir Ross,

Enjoying your vacation :) ?

Lexi T did the Outlook session @Ignite Tour Amsterdam and brought us this great news.

These features are very welcome!

ps. Lexi did the session better :-P

Regards!

Occasional Contributor

The new settings showed up in our Intune tenant, and they're working perfectly.  Thanks!  Hopefully other Microsoft apps will start enhancing their support for app configuration settings the way the Outlook Mobile team has done. 👍

New Contributor

Hello,

For Android policy, we enable Save Contact, Save Policy, Open policy again and see this:

Like is it enabled or what :) I have this on 2x different tenants:

 

2019_03_22_15_56_58_Window.png

Regular Visitor

@Ross Smith IV  since configuring the "Save Contacts" Option like this, our users get the "Your IT Admin has changed your app settings" notification, on almost every app launch.

 

Anmerkung 2019-03-25 113436.jpg

Senior Member

@Mad Meth Can confirm. In my case I've set Contact-Sync and Focus Inbox but this does not seem to be applied on the endpoint even when it shows that the device is compliant.

Occasional Contributor

Does the latest version include a method to allow calendar sync between Outlook on Android and the native Android calendar?

The reason for this question is simple, only native applications will sync with external devices such as watches to allow the watch calendar to update.

 

Thanks

 

Frequent Visitor

This is a long awaited configuration option and makes Outlook for iOS more enterprise ready.

Focused inbox is a nice option, but confuses many end users so we'd rather have it turned off by default.

Are there plans to manage the defaults for other features such as Organise by thread , swipe options, signature etc?

Microsoft
@AlphaSeb and @Eric Zabel - Thanks for the report. Unfortunately, the required Outlook for Android build hasn't completely rolled out. It's currently rolling out and should be completed before end of week.
Microsoft
@John Goering, no, we don't support calendar sync between the native app and Outlook, though we do have plans to support syncing the local calendar into Outlook (see http://aka.ms/m365roadmap to follow our planned changes). We support Outlook on wearables and you can use that to access your calendar and receive reminder notifications.
Microsoft
@BigAde - this was our first pass at adding settings. More will follow.
Occasional Contributor

Outlook on Tizen? I haven't seen that yet, seems like a stretch. 

Microsoft
@John Goering - No, not Tizen. Outlook is only supported on iOS and Android and their corresponding wearables.
Regular Visitor

We've been fighting with contact sync for a couple of months on Android Enterprise and it seems to be impossible. These new settings did not solve the issue. Are other customers seeing the same behavior?

Frequent Visitor

It appears that if the user installs Outlook from Comp Portal app then the configuration settings take effect and focused inbox is turned off by default.

However if they install Outlook from the App Store then the configuration settings do not take effect. Is that expected behaviour?

Microsoft

@BigAde - That's correct, the app must be included in the management profile in order for it to consume app configuration policies. Once the app is in the profile Intune has the ability to manage (update/remove/apply config) the app. Note, this is not Outlook specific, but applies to any app. We do have some work on the Intune side scheduled to improve this.

 

https://help.apple.com/deployment/ios/#/iorf4d72eded

Microsoft
@AlphaSeb, @Eric Zabel, and @Mad Meth - the required Outlook for Android version (3.0.34) has now been rolled out completely via the Google Play Store. You can now configure the settings appropriately within the App Configuration Policy. Thanks for bearing with us on this issue.
Frequent Visitor

We're seeing some anomalies with the way this works. 

 

Despite the policy being assigned to some test users and some are working fine... some do not see the Outlook app in Comp Portal at all.  Which is odd because they see other apps published in Comp Portal.  iOS is up to date, Comp Portal is up to date.  Have removed and reinstalled Comp Portal.  Have synced their device in Comp Portal, but nothing makes the app show up.  In the Intune console under Client apps - App configuration policies - Device Install Status,  the device is listed but shows as "Not Applicable". 

I can't see why this is happening or how to fix it.

Regular Visitor

@BigAde  you've to get your basics sorted first.

 

The Outlook App only shows in the portal, if you've assigned the app (not just the config policy) to the user or device. You've to add the app under Client Apps>Apps>Add - or sync the App over Apple's VPP or your Managed Google Play Account.

 

Then you've to assign the policy to the right App. The "App Type" is important: "iOS Store App" vs. "iOS volume purchased app", a Policy assigned to iOS Store App is not applicable, if you've the Volume Purchased App installed, vice versa.

 

 

 

Frequent Visitor

@AlphaSeb  Thanks... it was already assigned, but you pointed me on the right path... as I had got mixed up in my assignment groups.  What a muppet! Now working as expected. Thank you.  :-)

Frequent Visitor

Sorry, I have three further questions so I can be 100% sure on expected behaviour before I apply settings to thousands of devices.


1. What happens if you have a published client app (doesn't have to be Outlook).  Users install it, but then later I delete the client app from Intune console (or unassign it from the users).  Does the app get removed from their device or does it remain?


2. What happens when you publish the Outlook app WITH an app configuration policy. Users install it, but Microsoft later release new configuration features which we then configure in the policy to company standards (e.g. 'Organize by thread' defaulting to off) . Would it change the setting for existing installations?

 

3. What happens when you publish Outlook WITHOUT an app configuration policy. Users install it.  Focused Inbox is therefore on by default.  You then apply a configuration policy with Focused Inbox defaulting to off.  Would it change the setting for existing installations?

 

Thanks in advance.

New Contributor

Thank you for this great information.

Regular Visitor

I just tested this. Using the latest version of Outlook on Android Enterprise with app protection policies in-place stating to share contacts with the built-in contacts app I still cannot use my work contacts to call people. I see my work contacts in contacts within the work profile but they are not in contacts outside of the work profile. :-(

Microsoft
@jmarcum - Outlook is behaving correctly in this scenario - the work profile instance of Outlook can only interface with the work profile instance of the Contacts app. That's the design goal for the work profile in Android Enterprise, to provide a clear separation of work and personal content. This article explains how an admin can enable sharing between the two https://support.google.com/work/android/answer/6275589?hl=en so that you can use dialer/SMS functionality.
Regular Visitor

Thanks @Ross Smith IV  I'll have someone else test this, my test device is too old for version 7.0 of Android. 

Microsoft

@BigAde: 1. What happens if you have a published client app (doesn't have to be Outlook). Users install it, but then later I delete the client app from Intune console (or unassign it from the users). Does the app get removed from their device or does it remain? Answer: For your specific scenario (removing the assignment), the app will remain. But different scenarios can result in different behaviors. If for example, you issue an MDM retire, the apps will be removed. If you change the assignment type to uninstall, the app would be removed.

 

 

2. What happens when you publish the Outlook app WITH an app configuration policy. Users install it, but Microsoft later release new configuration features which we then configure in the policy to company standards (e.g. 'Organize by thread' defaulting to off) . Would it change the setting for existing installations? Answer: an admin will be able to push the new settings without issue to existing managed Outlook app (however, keep in mind the conditions I outlined in the above article).

 

 

3. What happens when you publish Outlook WITHOUT an app configuration policy. Users install it. Focused Inbox is therefore on by default. You then apply a configuration policy with Focused Inbox defaulting to off. Would it change the setting for existing installations? Answer: Yes, it would get disabled (keep in mind the conditions I outlined in the above article).

Frequent Visitor

Ok, thanks Ross. That makes sense... so it works in a similar manner to a GPO.

That helps with the rollout plans, thank you.

Frequent Visitor

If you're thinking about new configuration settings to include for future, what we'd ideally like is a fully configurable profile with a silent install for the end user in the same way as we can achieve with SCCM on Windows desktops.  In other words we want to push the Outlook app out to end users without having to issue them instructions for setting up and configuring their profile.

Microsoft
@BigAde - this already exists. See Account Setup Config in http://aka.ms/omappconfig or my previous blog article on this subject - https://techcommunity.microsoft.com/t5/Intune-Customer-Success/New-Outlook-for-iOS-and-Android-App-C.... It will never be completely silent as the user must obtain a token by issuing some form of creds (password, PIN, cert).
Occasional Contributor

You said that: @John Goering, no, we don't support calendar sync between the native app and Outlook, though we do have plans to support syncing the local calendar into Outlook (see http://aka.ms/m365roadmap to follow our planned changes). We support Outlook on wearables and you can use that to access your calendar and receive reminder notifications.

 

Why one way into Outlook Calendar? 

Syncing native out to the native Calendar would be the same path as you allow for contacts to sync out to the native dialer.

There isn't much of any security concern, it's just the Calendar info that you can share out in other ways.

 

Or is there a way to sync out to Google Calendars via 365? Then the native calendar could get the info?

Microsoft
@John Goering - Intune App Protection policies ensure the data cannot be leaked to unprotected apps. Syncing the corporate calendar data from Outlook into the native app would bypass the APP and allow the data to be shared to unprotected apps/services. Calendar events can contain fairly sensitive information just in the subject alone (e.g., HR, merger/acquisitions/divestitures, etc.). The same is true for contact sync, which is why we introduced via App Configuration Policies, a way for customers to limit the contact fields that are exported. Some customers lock it down such that only first, last and phone number are exported, others restrict certain fields like the note. In any event, we have chosen to do native calendar import into Outlook as the first step because the Android ecosystem enables users to have a gmail account for personal usage and it is likely the user may be using the native apps. Calendar export requires additional thought and implementation to ensure data leakage doesn't occur.
Occasional Contributor

I get it, but it should be on your roadmap as a choice for companies to make. Without this, the add-ins that native apps have like an extra reminder, unique tones for different types of events are all lost. Making it much harder for us to turn off active sync, which we would like to do, just forcing Outlook to be the only primary way to get email.

 

And then there is the second most popular watch for Android (personal issue) which isn't going to get Outlook because it runs on Tizen.

Those people have to stay on the native app, so won't give up Active Sync or if they adopt Outlook they have their watches calendars become door stops. 

In my not so little IT circle, Samsung is king and this becomes an adoption issue.

 

Frequent Visitor

@Ross Smith IV Got it, thanks, and that's what we're using, but it's not really silent enough to avoid sending instructions to end users.

Frequent Visitor

We're currently using native iOS email client with Intune and planning to migrate as smoothly as possible to Outlook for iOS (and some Android) client.

 

If we set an Outlook configuration policy, we end up managing the entire Outlook app via Intune.  From initial testing, this seems to mean that any personal email a user may have setup with the Outlook app would also get wiped when the device gets retired and any managed apps get removed.  What we would like to happen is to be able to manage this in the same way we do currently with the native iOS email client.  This means that on retiring a device:

  1. Company email profile on Outlook for iOS that we have pushed to the device gets wiped.
  2. Additional company mailbox setup manually by user in Outlook for iOS gets wiped.
  3. Personal email profile setup by user in Outlook for iOS (e.g. to Hotmail) remains.

Is this possible?  Seems it must be, but I can't see it, but I may have missed something.

 

One final question...

Our instructions to end users advise manually removing native iOS email data when they have finished setting up Outlook for iOS.  Inevitably, some won't do this, and that's fine in the short term.  Longer term, can we manually remove this using Intune at a later date without retiring the entire device?  I know we can block ActiveSync connecting using basic auth, but this is more about removing the data.

Thanks in advance.

Regular Visitor

@BigAde 

 

Personal Accounts will remain in the Outlook App if you wipe just the Company data. You can control this over the setting "Allow only work or School accounts". When set to disable, users are able to configure personal accounts inside the Outlook App which will remain, once wiped.

 

This can be easily tested, simply add a personal account and try yourself.

 

To block the native Mail.App after you finished the rollout of Outlook, use Conditional Access.

 

Frequent Visitor

@AlphaSeb 

Thanks for the response.  I already have "Allow only work or School accounts" set to disable, yet from testing, when I retire the device it seems to remove all managed apps which includes Outlook along with the Outlook personal accounts.

 

Re the native mail app, yes I could use conditional access rules, but the question was about removing the data.

Regular Visitor

We saw the same thing, any app including Outlook that is set as required will be removed when you do a corporate wipe. This is “by design” I was told. 

Frequent Visitor

@jmarcum Interesting. If that is the case, that may be a problem for us adopting Outlook app across the organization.

Regular Visitor

@BigAde  Your only two options are to not make it a forced install or to communicate to users that the app will be removed if the device is corporate wiped. They do not lose any data, they just have to reinstall the app.

Frequent Visitor

@jmarcum I will have to re-do my testing then, because even though I had the app set to 'available' rather than 'required', IIRC it still wiped my personal mail profile along with Outlook.  Yes, they could manually reinstall, but it's not really an ideal solution.

Microsoft

@AlphaSeb @BigAde -

 

 

"Personal Accounts will remain in the Outlook App if you wipe just the Company data. You can control this over the setting "Allow only work or School accounts". When set to disable, users are able to configure personal accounts inside the Outlook App which will remain, once wiped."

 

 

That's not correct. "Allow only work or school accounts" enables org allowed accounts mode and disables the ability to add personal accounts or personal storage accounts when Outlook is managed via MDM (see https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-... for more info). This is intended for fully locked down devices where the user isn't allowed to use the device for any personal data.

 

 

Regardless of whether that setting is enabled, an Intune MDM retire will force the uninstall of the apps that are pinned to the management profile. We're investigating ways to improve this for multi-identity apps.

 

 

Instead of issuing an MDM retire, you could use selective wipe from Intune App Protection Policies. This will remove the corporate data, but retain the personal data and the apps. https://docs.microsoft.com/intune/devices-wipe discusses the scenarios.

Frequent Visitor

@Ross Smith IV Thanks for the response.  App selective wipe wouldn't really help in our case, we'd still want to be able to retire the device.

So for example, if a person leaves the organization and wants to keep their personal Hotmail account active within Outlook app on their personal device, we'd still want to be able to retire the device from Intune MDM to remove other apps.  Security would insist on a retirement anyway.  So (for us anyway) App selective wipe wouldn't take away the need for a retire to be done.

 

I don't see an obvious answer to this: either we don't allow personal accounts (won't be popular), or we have to tell them to reinstall Outlook app after a retire.  The latter is probably the least worst option.

Senior Member

@Ross Smith IV Thanks for this post. Unfortunately a large number of our Android Enterprise users are repeatedly seeing the 'Your IT admin has changed your app settings'. Some are seeing it every 30 seconds. Others are seeing it even when they are not on Outlook etc.

Any thoughts? Is this a known issue?

Regular Visitor

We had a case escalated all the way up to the PG about contact sync on Android Enterprise. Here's the final info given to us:

 

Good Afternoon. After speaking to our Intune team and looking into the logs provided we have answers to the error you are seeing. 

Findings: 

  • Intune policy is not preventing any contact sync. 
  • Outlook App is seeing the contacts and completing the sync:
  • V            2019-03-04T21:37:34.807+0000 [ci=hL4YPWrNIR]             AndroidJob-5                   outlook.contactSync > HxContactManager                processTwoWayContactSync: [Android count = 0, Outlook count = 167]
  • From the Outlook App side once the sync is completed and the contacts are made available to the contacts app our job is done.
  • Suggestion is to reach out to BB and Google for issues with the Native Contacts App and Android For Work. 
New Contributor

 @Ross Smith IV - We successfully rolled out Outlook for Android using Work Profiles but users are finding that they can't open any URL links in emails.

 

If they install Outlook in their personal profiles links work fine and open in their browser.

 

We haven't configured any restrictions that I can find but maybe there is a default I've missed?

 

Cheers, Tim Welch

Microsoft
@Tim Welch - Work profile apps are isolated from the personal apps (where the browser exists). So, you will need to approve a web browser from the managed Google Play Store and assign it to be available to users (https://docs.microsoft.com/en-us/intune/apps-add-android-for-work). You could deploy the Chrome browser, or our personal favorite, Edge.
Occasional Visitor

We are having the same issue @Ross Smith IV . Some users are reporting that the toast message "your IT admin has changed your app settings" keeps popping up all the time. Documentation mentions that this should only pop up once and dismiss after 10 seconds.

Microsoft

@J_Koz - we recently addressed this in iOS 3.23.0 and a few releases ago with Android. If you are still seeing this issue on the latest releases, please open a support case and you can message me the case number.

Occasional Contributor

@Ross Smith IV  Is there a limitation on the number of contacts a user can save to their device?