Office Mobile App Config Policies

Andrew Matthews
Contributor

I noticed new documentation (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#organization-allowed-accounts-mode-settings) for App Configuration policies for the Outlook mobile app recently. The settings prompted my curiosity, so I ran an experiment.

 

I applied the IntuneMAMAllowedAccountsOnly and IntuneMAMUPN settings to Excel, OneDrive, PowerPoint and Word on iOS to see what the effect would be. My actions were as follows.

 

1) Create an App Config policy (Managed Device) for each app

2) Apply the following settings in each policy

  • IntuneMAMAllowedAccountsOnly String Enabled
  • IntuneMAMUPN String {{userprincipalname}}

3) Factory-reset an iPhone and set the phone up again with a fresh iTunes ID (to prevent inheritance of settings)

4) Enroll the iPhone with Intune

5) Push the apps to the phone as required apps

6) After enrollment, open each app in turn

 

The behavior that I saw was that each app automatically configured a user account using the Azure AD account. I did not see the usual prompts to add an account.

 

I have attached a screenshot of the settings that I used.

 

Has anyone else experimented with Office mobile App Config settings? I would be interested to hear if there are any other undocumented settings that might be useful.
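The following is an added example, not part of the original post or of Microsoft's documentation, showing how steps 1 and 2 of the experiment above (one Managed Device App Configuration policy per app, carrying only the IntuneMAMAllowedAccountsOnly and IntuneMAMUPN key/value pairs) can be created and assigned through Microsoft Graph from PowerShell instead of by clicking through the Intune portal. It assumes the Microsoft.Graph PowerShell SDK is installed, that the four iOS store apps are already added to the tenant's Intune app list (they are located by bundle ID, which you should verify against your own tenant), and that a device group exists to receive the policies; the group name 'iOS-COBO-Devices' and the policy display names are placeholders. The device-side steps (factory reset, enrollment, required-app push) are not scriptable here and are unchanged.

```powershell
# Added example (not from the original post or Microsoft's docs): recreate steps 1-2
# of the experiment above via Microsoft Graph (beta endpoint, managed device channel).
# Assumptions: Microsoft.Graph SDK installed; the four iOS store apps already exist in
# Intune; a device group named 'iOS-COBO-Devices' exists (placeholder name).
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All', 'Group.Read.All'

$graph = 'https://graph.microsoft.com/beta'

# Bundle IDs of the apps the post targets; confirm them against your tenant's app list.
$apps = @{
    'Word'       = 'com.microsoft.Office.Word'
    'Excel'      = 'com.microsoft.Office.Excel'
    'PowerPoint' = 'com.microsoft.Office.Powerpoint'
    'OneDrive'   = 'com.microsoft.skydrive'
}

# Fetch every iOS store app object once, following @odata.nextLink paging.
$iosApps = @()
$uri = "$graph/deviceAppManagement/mobileApps?`$filter=isof('microsoft.graph.iosStoreApp')"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $iosApps += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Resolve the assignment group (placeholder display name).
$group = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/groups?`$filter=displayName eq 'iOS-COBO-Devices'").value | Select-Object -First 1
if (-not $group) { throw 'Assignment group iOS-COBO-Devices not found' }

foreach ($name in $apps.Keys) {
    $app = $iosApps | Where-Object { $_.bundleId -eq $apps[$name] } | Select-Object -First 1
    if (-not $app) { Write-Warning "$name is not added to Intune; skipping"; continue }

    # One Managed Device app configuration per app, with exactly the two pairs from the post.
    # {{userprincipalname}} is left literal: Intune substitutes the enrolling user's UPN.
    $body = @{
        '@odata.type'      = '#microsoft.graph.iosMobileAppConfiguration'
        displayName        = "iOS $name - allowed accounts only"
        description        = 'Restrict sign-in to the enrolled Azure AD account'
        targetedMobileApps = @($app.id)
        settings           = @(
            @{ '@odata.type'    = '#microsoft.graph.appConfigurationSettingItem'
               appConfigKey      = 'IntuneMAMAllowedAccountsOnly'
               appConfigKeyType  = 'stringType'
               appConfigKeyValue = 'Enabled' },
            @{ '@odata.type'    = '#microsoft.graph.appConfigurationSettingItem'
               appConfigKey      = 'IntuneMAMUPN'
               appConfigKeyType  = 'stringType'
               appConfigKeyValue = '{{userprincipalname}}' }
        )
    }
    $config = Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/deviceAppManagement/mobileAppConfigurations" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    # Assign the new policy to the device group so enrolled phones actually receive it.
    $assign = @{
        assignments = @(
            @{ '@odata.type' = '#microsoft.graph.managedDeviceMobileAppConfigurationAssignment'
               target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                           groupId = $group.id } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/deviceAppManagement/mobileAppConfigurations/$($config.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    Write-Host "Created and assigned app configuration for $name (id $($config.id))"
}
```

After the script runs, the four policies appear under Apps > App configuration policies in the Intune portal, and a freshly enrolled device should show the behaviour described in the post. As the replies below point out, this only pre-configures the corporate account; it is not a data-loss control on its own, so keep App Protection policies in place for the same apps.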

6 Replies

I was wondering if that behaviour with those Key Value Pairs would work on the other Office apps like Word, Excel etc. Thanks, I am going to test it out!

Hi Andrew,

 

I've been trying to use this functionality to prevent users from adding their personal cloud services to Word, etc and thus leak data but I haven't found them to be effective.

 

Were you able to block additional services/locations from being added to Word, etc after rolling this out?

The behaviour is a bit odd when you add other accounts. I could add other accounts but then got a huge error and the account got deleted.

 

If you want to block data loss in mobile apps then App Protection policies are the gold standard. You can add as many accounts as you like but data does not leak from the protected corporate account to another account, even within the same App.


Thanks Andrew.

 

Good point about the app protection policies for doing the bulk of the work in reducing the likelihood of data leakage.  In my case, I have app protection policies configured but was looking at how the app config policies could be used to further lock down COBO devices and thus make over-zealous security folk sleep at night. :)

 

I've found the behaviour to be a bit hit or miss, especially on devices already running Word, etc and configured with personal accounts.  Outlook, on the other hand, works perfectly; it removed all other accounts I had configured but the other apps retained the private accounts.  Hopefully, the functionality improves over the coming weeks.

OneDrive and Skype for Business on Android don't seem to support the Key Value Pairs of the other Office clients for mobile. Another thing I noticed is that the Outlook app doesn't work with the IntuneMAMAllowedAccountsOnly Key Value Pair enabled when using Exchange on-premises. That option is assuming an Exchange Online mailbox is being used, from what I can tell. Would be good to fix that for Exchange on-premises, so that we can lock Outlook down to just the organization-provided mailbox.

Interesting.  I'll test it tomorrow with an on-premises Exchange environment I have access to and see if I get the same results.  Will report back.
