At Microsoft Ignite, Outlook for iOS and Android announced support for deploying managed device general app configuration settings for Office 365 mailboxes and on-premises mailboxes leveraging hybrid modern authentication. This capability leverages either the Managed App Configuration for iOS or the Android managed configurations to enable MDM solutions to push configuration settings.
Today, we are announcing the availability of new functionality within Intune that enables admins to easily deploy general app configuration to Outlook for iOS and Android via App configuration policies. This new functionality allows IT admins to configure the default behavior for several settings within Outlook for iOS and Android, such as Focused Inbox.
Note: For Outlook for iOS and Android to apply these settings, the app needs to be installed and managed by the Company Portal.
Figure 1: App Configuration Policy for Outlook for iOS on enrolled iOS devices from https://devicemanagement.microsoft.com. If you're in https://portal.azure.com, then you'll go to Intune -> Client apps -> App configuration policies and add a configuration policy.
With this new policy experience, administrators can configure the default behavior of certain Outlook app settings and deploy them to their users’ enrolled mobile devices. For this first release, Outlook supports configuration of the following settings:
| Setting | Default app behavior | Notes |
| --- | --- | --- |
| Focused Inbox | On | |
| Require Biometrics to access the app | Off | This setting is only available for Outlook for iOS. If using App Protection Policies, Microsoft recommends disabling this setting to prevent dual access prompts. |
| Save Contacts | Off | User must grant access to the native Contacts app for contact sync to occur. |
| External Recipients MailTip | On | |
| Block external images | Off | |
As you may have noticed, settings that are security-related in nature have an additional option, Allow user to change setting. For these settings (Save Contacts, External recipients MailTip, Block external images, and Require Biometrics to access the app), administrators can prevent the user from changing the app’s configuration; in other words, the administrator’s configuration cannot be overridden. Allow user to change setting does not change the app behavior. For example, if the admin enables Block external images and prevents user change, then by default external images will not be downloaded in messages; however, the user can manually download the images for that message body.
Note: The Allow user to change setting for Require Biometrics to access the app is currently only available as a configuration key. This will be addressed in a future Intune portal update. For more information regarding the configuration key, please see Deploy app config settings.
The following conditions apply with respect to Outlook’s behavior when implementing app configuration:
Users are alerted to configuration changes via a notification toast in the app:
Figure 2: Outlook for iOS and Android app config notification toast
This notification toast will automatically dismiss after 10 seconds. There are two scenarios where this notification toast will not appear:
The Save Contacts setting is a special case scenario because unlike the other settings, this setting requires user interaction – the user needs to grant Outlook permissions to access the native Contacts app and the data stored within. If the user does not grant access, then contact sync cannot be enabled.
Note: With Android Enterprise, administrators can configure the default permissions assigned to the managed app. Within the policy, you can define that Outlook for Android is granted READ_CONTACTS and WRITE_CONTACTS within the work profile; for more information on how to assign permissions, please see Add app configuration policies for managed Android devices. When assigning default permissions it is important to understand which Android Enterprise deployment models are in use, as the permissions may grant access to personal data.
The workflow for enabling Save Contacts is the same for new accounts and existing accounts.
Figure 3: User notification regarding contact sync
Figure 4: User is prompted to grant access to native Contacts app
Figure 5: User is prompted to enable contact sync in OS settings
Figure 6: User can re-enable contact sync access in OS settings
We hope you enjoy this new policy experience available within the Intune portal for Outlook for iOS and Android. We'll continue to update the list of settings that can be managed via the MDM OS channel.
For more information on general app config with Outlook for iOS and Android, see Deploy app config settings. Up next is general app configuration for the without enrollment scenario. Stay tuned!
Ross Smith IV
Principal Program Manager
Customer Experience Engineering
Q: What versions of Outlook for iOS and Android support general app configuration on enrolled devices?
Outlook for iOS 3.15.0 and Outlook for Android 3.0.34 and later support this functionality.
Q: Can I deploy general app config to Outlook for iOS and Android if the device is not enrolled?
Not at this time, but in the future we plan to support this scenario for accounts that have an Intune App Protection Policy applied.
Q: What if I had already deployed the configuration keys manually in an App Configuration Policy; do I need to do anything?
No! The keys will be automatically consumed in the new policy experience.
Q: How do I create an App Configuration Policy for Outlook for iOS or Outlook for Android?
We’ll be updating Deploy app config settings to include the new policy experience, but you can also review Add app configuration policies for managed iOS devices and Add app configuration policies for managed Android devices.
Q: What if we are not using Intune to manage device enrollment, but instead are leveraging a third-party MDM solution?
Not to fear, we have you covered. These settings can be delivered via any MDM provider. For more information on the configuration keys you need to use, see Deploy app config settings.
Q: I need to configure IntuneMAMUPN to manage data transfer between iOS apps. Why is it that when I manually add IntuneMAMUPN in the Additional Configuration grid, it disappears from the policy?
This is a side effect of “Allow only work or school accounts”, as that setting configures IntuneMAMUPN automatically behind the scenes for the policy. A configuration key cannot be both configured automatically and exposed manually in the Additional Configuration grid. However, even though IntuneMAMUPN appears to disappear after saving the policy, your manual configuration is preserved. You can verify this using the MobileAppConfiguration PowerShell module. For example:
App Configuration Policy: Outlook iOS App Config
…/…
createdDateTime : 2019-04-02T15:46:58.1363479Z
description :
lastModifiedDateTime : 2019-04-02T15:46:58.1363479Z
displayName : Outlook iOS App Config
version : 1
encodedSettingXml :
settings : {@{appConfigKey=IntuneMAMUPN; appConfigKeyType=stringType; appConfigKeyValue={{UserPrincipalName}}}, @{appConfigKey=IntuneMAMAllowedAccountsOnly; appConfigKeyType=stringType;
appConfigKeyValue=Disabled}, @{appConfigKey=com.microsoft.outlook.Contacts.LocalSyncEnabled.UserChangeAllowed; appConfigKeyType=booleanType; appConfigKeyValue=true},
@{appConfigKey=com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed; appConfigKeyType=booleanType; appConfigKeyValue=true}...}
assignments@odata. …/…
We’re investigating how we can improve this experience.
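As an added example (not from the original post and not part of the MobileAppConfiguration module), the PowerShell below audits a `settings` array of the shape shown in the output above: it confirms IntuneMAMUPN is still present and lists the security-related settings whose `.UserChangeAllowed` key leaves them open to user change. The sample data is constructed from the keys in that output, and `Get-OutlookConfigAudit` is a hypothetical helper name.

```powershell
# Constructed sample: same shape as the 'settings' property in the output above.
$settings = @(
    [pscustomobject]@{ appConfigKey = 'IntuneMAMUPN'
                       appConfigKeyType = 'stringType'; appConfigKeyValue = '{{UserPrincipalName}}' }
    [pscustomobject]@{ appConfigKey = 'IntuneMAMAllowedAccountsOnly'
                       appConfigKeyType = 'stringType'; appConfigKeyValue = 'Disabled' }
    [pscustomobject]@{ appConfigKey = 'com.microsoft.outlook.Contacts.LocalSyncEnabled.UserChangeAllowed'
                       appConfigKeyType = 'booleanType'; appConfigKeyValue = 'true' }
    [pscustomobject]@{ appConfigKey = 'com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed'
                       appConfigKeyType = 'booleanType'; appConfigKeyValue = 'true' }
)

# Hypothetical helper (assumption, not a Microsoft cmdlet).
function Get-OutlookConfigAudit {
    param([Parameter(Mandatory)][object[]]$Settings)

    $suffix = '.UserChangeAllowed'
    $unlocked = foreach ($s in $Settings) {
        $key = [string]$s.appConfigKey
        if (-not $key.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

        # Values may be strings or booleans; an unparsable value is reported
        # as changeable so that it gets reviewed rather than silently passed.
        $allowed = $false
        if (-not [bool]::TryParse([string]$s.appConfigKeyValue, [ref]$allowed)) { $allowed = $true }

        # Emit the base setting name (the key without the suffix).
        if ($allowed) { $key.Substring(0, $key.Length - $suffix.Length) }
    }

    [pscustomobject]@{
        # True when the manually added key survived in the stored policy.
        IntuneMamUpnPresent    = [bool]($Settings | Where-Object appConfigKey -eq 'IntuneMAMUPN')
        # Settings the user can still override on the device.
        UserChangeableSettings = @($unlocked)
    }
}

Get-OutlookConfigAudit -Settings $settings | Format-List
```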
Updated 4/2/19 with an update regarding IntuneMAMUPN