Secure your mobile email with Microsoft EMS and Microsoft Outlook for iOS and Android
Published Apr 02 2019 09:51 AM 35.3K Views
Microsoft

 

(This post is co-authored by Adrian Moore, Senior Program Manager, and Mayunk Jain, Product Manager, Microsoft 365 Security, with expert contributions by Saud Al-Mishari and Ross Smith)

 

 

Whether you have an official BYOD (bring your own device) policy or not, chances are you caught up on some work email this weekend on your mobile phone. If so, you’re not alone; more than 80% of employees admit using non-approved SaaS apps for work purposes, including mobile email. It is worth noting that 63% of confirmed data breaches involve weak, default, or stolen passwords. According to Verizon's 2018 Breach Investigations report, 92 percent of malware is still delivered by email.

 

As an IT leader investing in the Microsoft 365 modern workplace to meet cyber-security challenges head-on, secure email access is likely to be a key part of your strategy. In this article, we take a technical deep dive into the integrated approach of Microsoft Enterprise Mobility + Security (EMS) and Microsoft Outlook for iOS and Android devices, which we consider the gold standard of secure mobile email access.

 


 

How it works

Let us dig deeper and explore the configuration settings that deliver the rich experience of Microsoft secure mobile email. To read the full article, scroll vertically in the Sway below.

 

 

 

27 Comments
Silver Contributor

This reminded me how on my previous job one of the execs tried Outlook and then demanded to bring back default Samsung email app because Outlook's calendar is crap :) Yeah, it does look inferior to other calendar apps. You can't have a normal work week view. People still work in weeks, you know. Security and standardizing is good, but MS needs to flesh out Outlook a lot to make it a proper replacement.

Microsoft

Hey @wroot - we take time management very seriously and continually refine and improve our calendaring experience in Outlook mobile, enabling a number of scenarios that are not available in EAS clients (e.g., shared/delegate calendar access). For your one specific ask, we recently added support for weekly (in landscape) and monthly calendar views.

Silver Contributor

I wonder how many users will find out that you have to turn your phone into landscape mode. 90% of the time mail and calendar are used in portrait mode. Also, in landscape mode I get a floating view, not strictly week view and I still have to drag vertically to see all events. Btw, I don't have events on this phone, so maybe it automatically zooms out to fit all events. I have 5,5 inch phone, many have even bigger. I think I could have all week view on my screen without dragging.

Microsoft

@wroot - I'm not sure what you mean by a floating view. When you rotate, we automatically expose 7 days and you can scroll through the hours. Here's what it looks like on a Pixel 2 - https://imgur.com/Cq3FdC9

Silver Contributor

It was maybe 5 months ago, so I can't remember exactly or find fitting screenshots for comparison. I have installed Outlook for him and he didn't like that he couldn't see just the whole current week (or month) in one screen without dragging or swiping. We didn't try to rotate it into a landscape view, though maybe it wasn't available yet at that point and as I have mentioned I found it not intuitive. Also don't like hidden features when you have no indication or hint that this should happen. When you press on a button, you see no week option and automatically assume there is no week view.

Microsoft
@wroot - this feature rolled out about a month ago, so don't worry about that. Thanks for the feedback regarding discoverability. We'll definitely look at ways to improve discovering features in the app.
Microsoft

On Android currently I can opt for 3 day portrait view and it switches to week view when I rotate to landscape. Very nice.

Copper Contributor

@wroot check this app again - Outlook mobile currently has the best calendar I worked with (with clear indicators of free/busy etc.)

@Mayunk Jain to add a small comment on the Device Platform setup. To make sure non-supported platforms are not allowed to bypass anything, I target ALL platforms and EXCLUDE the platforms I don't want to target.

 

Example:

Policy 1 for Mobile 

Include ALL and EXCLUDE Windows and MAC

Policy 2 for PC's

Include ALL and EXCLUDE Android and iOS

 

This makes sure that I have coverage so that someone from an unsupported platform is not allowed access.
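The include-all/exclude pattern from the comment above, compared with listing platforms explicitly, as an added example (not part of the original thread or of any Microsoft tooling). The `includePlatforms`/`excludePlatforms` field names follow the Microsoft Graph conditionalAccessPolicy resource; the policy data and the `unrecognised` label are constructed for illustration.

```python
# Added example: checks which device platforms a set of Conditional Access
# policies leaves untargeted. All policy data below is constructed.

# Named values of the Graph conditionalAccessDevicePlatform enum.
NAMED = {"android", "iOS", "windows", "windowsPhone", "macOS", "linux"}
# Assumption: stand-in label for a client whose platform is not recognised.
# It can only be matched through "all", never listed or excluded by name.
UNRECOGNISED = "unrecognised"

def applies(policy, platform):
    """True if the policy's platform condition puts this platform in scope."""
    cond = policy["conditions"]["platforms"]
    include = set(cond.get("includePlatforms", []))
    exclude = set(cond.get("excludePlatforms", []))
    if platform in exclude:          # an exclusion always wins
        return False
    return "all" in include or platform in include

def matching(policies, platform):
    """Names of every policy whose platform condition matches."""
    return [p["displayName"] for p in policies if applies(p, platform)]

def uncovered(policies):
    """Platforms that no policy in the set targets."""
    return sorted(pf for pf in NAMED | {UNRECOGNISED}
                  if not matching(policies, pf))

def policy(name, include, exclude=()):
    """Build a minimal policy dict in the Graph resource shape."""
    return {"displayName": name,
            "conditions": {"platforms": {"includePlatforms": list(include),
                                         "excludePlatforms": list(exclude)}}}

# Listing only the platforms you care about (the approach the comment avoids).
ALLOW_LIST = [policy("Policy 1 for Mobile", ["android", "iOS"]),
              policy("Policy 2 for PC's", ["windows", "macOS"])]
# The commenter's approach: include ALL, exclude the other policy's platforms.
INCLUDE_ALL = [policy("Policy 1 for Mobile", ["all"], ["windows", "macOS"]),
               policy("Policy 2 for PC's", ["all"], ["android", "iOS"])]

if __name__ == "__main__":
    print("allow-list gaps: ", uncovered(ALLOW_LIST))
    print("include-all gaps:", uncovered(INCLUDE_ALL))
    print("linux is hit by: ", matching(INCLUDE_ALL, "linux"))
```

A platform that neither policy excludes (here `linux`) is in scope of both policies at once, so a sign-in from it has to satisfy the grant controls of both.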

Copper Contributor
I would like to pose a concern that I have with the statement on the document. "In order to use the “Require approved client app” control, a valid Intune license is required." Can I ask for a link on this statement and why would an Intune license be required for it to work? Is it because it is relying on MAM? This may appear to be yet another example of undocumented licensing requirements that are not programmatically restricted. What will happen if a user is in scope of a policy that uses this control but does not have an Intune license? If it will permit the CA Policy to apply successfully, it appears to be a compliance risk. Azure AD Premium is one of the worst of the cloud services stack in regard to the way it doesn't validate licensing for a user before allowing a given service. In my opinion, Microsoft needs to carefully ensure users can still mix and match, and not force clients to buy M365 E3 or E5 licenses for all users. The cost is still too prohibitive for many end users.
Microsoft
@A Jacob Reinhardt - Thank you for your feedback. We view this as a holistic solution to provide secure email access. To secure the Outlook apps, Intune App Protection is the way to do that. Azure AD, via Conditional Access, ensures the use of Outlook. The two things need to work together to provide an end-to-end solution.
Copper Contributor
@Ross Smith IV, Thank you for your reply. While I agree with you on it as a holistic solution, that still does not answer the licensing question. Do you have evidence from actual service terms that to enable "require approved client app" requires more than the base Azure AD Premium P1 license? It is very important to be able to delineate carefully where there are limited funds what requires what type of license. It seems logically possible to enable this condition but to not enable Intune App Protection. Therefore, the statement in the post seems possibly inaccurate. Thank you.

@A Jacob Reinhardt if you read the post it has the correct statement. With AADP1 you can use CA to make sure users use apps that have the MAM SDK enabled (like Outlook Mobile).

But if you want to actually manage Outlook with policies you need to have the Intune license to do that :)

Brass Contributor

Getting Android people on Outlook is not a problem, except on-call people, iOS on the other hand is almost impossible as most executives are iOS users and won't switch over.  Main reasons:

1. No Special alert rules, such as VIPs with custom notifications. For people on-call there is no Nagging or pop-up notifications.

2. Calendar is not as nice as native

3. Notes are not available when using outlook compared to native

4. Shared Mailboxes are not available

Microsoft

Hey @Daniel Schmidt, Thanks for the feedback! We definitely understand the gaps and are working on a number of these.

 

  1. Favorite People with notifications (aka VIP notifications) is targeted to begin rollout in May for Office 365 accounts leveraging the native Microsoft sync technology.
  2. Our calendaring capabilities are unparalleled when compared to the native client (shared/delegate calendar support, attendee status, Skype (and later this month Teams support), etc.). We have a few videos (more to come) that highlight our scenarios and capabilities at http://aka.ms/omvideos.
  3. Our strategic direction for notes and tasks is OneNote and To-Do services/apps. OneNote recently launched Sticky Notes support which works with notes in the Exchange mailbox. To-Do synchronizes tasks with Exchange.
  4. Shared mailbox support is on our roadmap and will begin rolling out later this quarter for Office 365 accounts leveraging the native Microsoft sync technology.

 

As always, you can stay up to date on our planned features via our roadmap at http://aka.ms/m365roadmap.

Brass Contributor

If you want your users to have the best Office 365 experience then Outlook for iOS and Android is the best way to go. We are an 80,000+ company and are just midway through migrating our users to Intune (from AirWatch). We have set Outlook as the default client and the majority of our users love it. The key is to show and educate users on why Outlook is so much better than the fragmented experience they have with the native Mail and Calendar apps.

Once they get over the initial bump users love all the new capability that Outlook brings. Just the ability to book rooms and having Microsoft's AI and machine learning showing you the available rooms based on the people in the invite is a crowd winner.

Add in SSO with Microsoft Edge to the company intranet and they are sold.

Copper Contributor
@merill Can you enlighten me what will happen if you create a new contact on your iOS device loaded with the Outlook app... I guess it will end up on the device or in my PERSONAL email instead of Exchange. So no contact integration is something pretty serious, especially when we replace smartphones every 2y.
Copper Contributor
And why should we change to Outlook app since you have the native IOS client and everything is working there... productivity increase of 0.05% ... MSFT MUST FOCUS ON QA and make their products more stable vs coming up with new apps and feature every month just to fulfill the marketing hype of other companies!
Copper Contributor
@A Jacob Reinhardt Jacob, I asked the same question here before - and yes you need Azure premium in order to use conditional access, and YES it will work WITHOUT license, however it is a compliance issue!
Brass Contributor

@Chris78 It's about user education. We encourage them to use the Outlook app to manage company Contacts. If the user is using the native Contacts then it is very hard to know where their contacts are saved. If they have iCloud enabled the contacts will end up in their personal iCloud and will not be available in Exchange.

 

BTW the productivity improvement with Outlook for iOS and Android is much more than 0.05%. If you are the IT person in your company I would encourage you to spend time with the Outlook app for iOS and Android. Watch the Ignite keynote sessions, learn about all the investments that are going in and educate your users. See why Outlook is rated so highly by end users and learn from comparisons like this https://www.theverge.com/2018/9/28/17911432/best-email-app-ios-android

 

 

Copper Contributor

@Merill Fernando 

I'm sorry, seems like I'm missing something here - there is an option to manage contacts in the Outlook app for iOS?

Can you please tell me where that is?

Brass Contributor

This was added back in 2017. Tap the search box to manage contacts.

See https://www.microsoft.com/en-us/microsoft-365/blog/2017/06/05/improving-people-in-outlook-for-ios-an...

Copper Contributor

@Merill Fernando Thanks Merill!!! We are now in 2019, I think I'm gonna have to quit my job ;)

Copper Contributor

Hi All,

When the Outlook app is distributed via EMS:

Will this allow two Outlook apps to exist on the phone? i.e.:

Outlook distributed via EMS with a policy allowing access to the corporate email account, i.e. "Contoso Email" with corporate logo.

and also, one Outlook app downloaded from the App Store with access to the user's personal email account.

Microsoft

@Captain_Awesome - it depends on the mobile OS. If you are taking advantage of Android Enterprise work profile, then yes, you can have an instance of Outlook in the work profile and isolate that to just have work data (see https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-androi...) and Outlook in the personal profile with only personal accounts. With Apple OS, you cannot have two instances of the same app available on a single device.

Copper Contributor

Thanks Ross,

 

It's iPhones we would be using primarily. Would this make a difference if the EMS app was renamed to something else like 'Work Email' for example or would this overwrite the pre-installed app?

Microsoft

No. The appID/bundleID remains the same.

Version history
Last update:
‎Oct 22 2019 06:30 PM