New Outlook for iOS and Android App Config Policy Experience in Intune - Account Setup Config
Published Jan 29 2019 09:57 AM

By Ross Smith, IV | Principal Program Manager on the Enterprise Mobility and Customer Experience Engineering Team

 

At Microsoft Ignite, Outlook for iOS and Android announced support for deploying managed device account setup configuration settings for Office 365 mailboxes and on-premises mailboxes leveraging hybrid modern authentication. This capability leverages either the Managed App Configuration for iOS or the Android managed configurations to enable MDM solutions to push configuration details. This functionality was delivered to facilitate large-scale deployments of the leading, secure email client which is known to be loved by users and trusted by IT.

 

Today, we are announcing the availability of new functionality within the Intune portal that enables admins to easily deploy account setup configuration to Outlook for iOS and Android for modern authentication capable accounts via App Configuration Policies.

 


Figure 1: App Configuration Policy for Outlook for Android on Android Enterprise devices from https://devicemanagement.microsoft.com. If you're in https://portal.azure.com, then you'll go to Intune -> Client apps -> app configuration policies and add a config policy. 

 

With this new policy experience, administrators can simply push Outlook account setup details to their users' enrolled mobile devices. This updated policy experience combines the prior experience and gives administrators a choice depending on their messaging environment:

  1. If the messaging environment is on-premises and not leveraging hybrid modern authentication (basic authentication), then the authentication type needs to be set to Basic authentication. Additional details like Email Server, Username attribute, and Email address attributes are required.
  2. If the messaging environment is Office 365 or an on-premises environment leveraging hybrid modern authentication, then the authentication type needs to be set to Modern authentication. The admin only needs to define the Username attribute and Email address attributes. Modern authentication capable accounts also support the ability for the admin to restrict Outlook for iOS and Android to only allow the work or school account; for more information see “Organization allowed accounts mode” in Setup with modern authentication.

Note that for Outlook for iOS and Android to apply these settings, the app needs to be installed and managed by the Company Portal.
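The two choices above can be checked mechanically before a policy is pushed. The following is an added example, not code from the original post or from Microsoft: it lints a key/value configuration against the rules in the list. The `com.microsoft.outlook.EmailProfile.*` and `IntuneMAM*` key names and the `{{userprincipalname}}`/`{{mail}}` tokens are taken from Microsoft's app configuration documentation rather than from this page, and the sample values are constructed.

```python
# Added example: lint an Outlook account setup configuration given as key/value pairs.
# Key names follow Microsoft's Outlook app configuration docs (not listed on this page).
PREFIX = "com.microsoft.outlook.EmailProfile."
REQUIRED = {
    "ModernAuth": ["EmailUPN", "EmailAddress"],
    "BasicAuth": ["ServerHostName", "EmailUPN", "EmailAddress"],
}

def lint_account_setup(cfg):
    """Return a list of findings; an empty list means the config is consistent."""
    acct_type = cfg.get(PREFIX + "AccountType")
    if acct_type not in REQUIRED:
        return [f"AccountType must be ModernAuth or BasicAuth, got {acct_type!r}"]
    findings = [f"{acct_type}: missing {name}"
                for name in REQUIRED[acct_type] if not cfg.get(PREFIX + name)]
    upn = cfg.get(PREFIX + "EmailUPN", "").lower()
    addr = cfg.get(PREFIX + "EmailAddress", "").lower()
    # The username attribute should carry the UPN, the email attribute the SMTP address.
    if upn == "{{mail}}" and addr == "{{userprincipalname}}":
        findings.append("EmailUPN and EmailAddress tokens look swapped")
    # Work-or-school-only mode is described for modern authentication accounts.
    if cfg.get("IntuneMAMAllowedAccountsOnly") == "Enabled":
        if acct_type != "ModernAuth":
            findings.append("allowed accounts mode needs a modern authentication account")
        if not cfg.get("IntuneMAMUPN"):
            findings.append("allowed accounts mode enabled without IntuneMAMUPN")
    return findings

# Constructed sample configurations (values are illustrative only).
MODERN_OK = {
    PREFIX + "AccountType": "ModernAuth",
    PREFIX + "EmailUPN": "{{userprincipalname}}",
    PREFIX + "EmailAddress": "{{mail}}",
    "IntuneMAMAllowedAccountsOnly": "Enabled",
    "IntuneMAMUPN": "{{userprincipalname}}",
}
BASIC_BAD = {
    PREFIX + "AccountType": "BasicAuth",  # no ServerHostName supplied
    PREFIX + "EmailUPN": "{{mail}}",
    PREFIX + "EmailAddress": "{{userprincipalname}}",
    "IntuneMAMAllowedAccountsOnly": "Enabled",
}

if __name__ == "__main__":
    for name, cfg in (("modern", MODERN_OK), ("basic", BASIC_BAD)):
        print(name, lint_account_setup(cfg) or "ok")
```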

 

We hope you enjoy this new policy experience available within the Intune portal for Outlook for iOS and Android. Up next is general app configuration. That’s right, Outlook for iOS and Android will soon support managing and configuring Outlook for iOS and Android features such as Focused Inbox and contact synchronization capabilities. Stay tuned!

 

Common questions:

 

Q: What if we are not using Intune to manage device enrollment, but instead are leveraging a third-party MDM solution?

Not to fear, we have you covered. These settings can be delivered via any MDM provider. For more information on the configuration keys you need to use, see the following articles:

 

Q: Can I deploy account setup configuration to Outlook for iOS and Android if the device is not enrolled?

No, unfortunately, that is not possible. Enrolled devices provide the identity and information necessary for configuring the app.

 

Q: What if I had already deployed the configuration keys manually in an App Configuration Policy; do I need to do anything?

No! The keys will be automatically consumed in the new policy experience.

 

Q: How do I create an App Configuration Policy for Outlook for iOS or Outlook for Android?

We’ll be updating Deploy app config settings to include the new policy experience, but you can also review Add app configuration policies for managed iOS devices and Add app configuration policies for managed Android devices.

 

Q: Wait – I see the setting “Block External Images” but it’s not working on the device - why?

Surprise, you caught us! This is unfortunately a UX bug that exposed a setting that is not yet available (configuring the setting will not have any impact in Outlook for iOS). Please stay tuned, we’ll have more to share soon.

 

Blog updates:

  • Updated 1/30/2019 with a new image 
15 Comments
Steel Contributor

Today it seems like the Intune Company Portal is passing tokens to result in a 'sso' like experience on first launch.  What does this add, or does it remove the step of 'picking your account'?

 

Are you sure your screenshot has not switched around the settings for Username Attribute and Email Address? You have configured Email Address to be UPN and Username to be Primary SMTP. A good setup would have UPN = EMAIL but it feels wrong if it should be configured the way your screenshot is.

Microsoft
@Dustin - yes, Outlook supports token re-use and the token can be used to set up the account (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...). However, that doesn't work if the token is expired. By offering a "profile push" model, we're helping to ensure that the user can quickly set up an account without having to enter any info, other than what is required to obtain a new token.
Microsoft
@Jan - Oops. You're absolutely right, they should be switched. We'll fix the image. :)
Do you have any plans or road map to support Work only Outlook configuration for non-enrolled devices? We identified and reported a bug, restricting Work only account for non-enrolled devices will help in that scenario. Scenario (iOS): User configured personal account in Outlook App and Corporate email account. When sending email from Corporate context to a contact from personal contact, the sender is switched automatically to personal email account.
Microsoft
Hi @Senthilkumar Velloresubramaniam, We have no plans to support work only mode (org allowed accounts mode) without enrollment. We feel that in a without enrollment scenario, users should have the option to add their personal accounts to the apps. I was not able to reproduce the issue you cited on either Outlook for iOS or Outlook for Android. If you can let me know the support case, I can look at it in more detail.
Thank you for the immediate response Ross, this happens only on iOS devices, support case number “118080918760346”, the case should also have a video clip attached to it.
Microsoft
Thanks @Senthilkumar Velloresubramaniam. Good news, this looks to be fixed in 3.9.0 which should release next week.
Awesome news, thanks.
Brass Contributor

Nice article.

Can you point me to a document where I can find out which key value pairs are available for other Microsoft applications? Like here you point out the keys which can be used with Outlook, I am looking for the same information for Skype for Business and Teams app (iOS and Android). Your support was not able to help me with that.

Thank you

Copper Contributor


 

Hello Team,

 

I am unable to view the option as shown in the screenshot.

Microsoft

@nbkst7b you need to select Outlook as an "associated app".

Microsoft
@John Matrix - Outside of the "only allow work or school account" support for Word, Excel, PowerPoint, and OneDrive (https://docs.microsoft.com/en-us/intune/app-configuration-policies-use-ios, https://docs.microsoft.com/en-us/intune/app-configuration-policies-use-android). Edge and the managed browser support additional configuration keys - https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser.
Copper Contributor

I was wondering if there is a way to get Intune App Configuration policy XML properties for Teams, OneDrive, SharePoint, and Authenticator for iOS.

 

There are only two configuration keys available, “IntuneMAMUpn” and "IntuneMAMAllowedAccountsOnly", but it would be great if there were more configuration keys like Outlook for iOS.

Microsoft

@Sujith Suriya Those apps don't support any specific app config customization.

Version history
Last update:
‎Dec 19 2023 01:26 PM