At Microsoft Ignite, Outlook for iOS and Android announced support for deploying managed device general app configuration settings for Office 365 mailboxes and on-premises mailboxes leveraging hybrid modern authentication. This capability leverages either the Managed App Configuration for iOS or the Android managed configurations to enable MDM solutions to push configuration settings.
Today, we are announcing the availability of new functionality within Intune that enables admins to easily deploy general app configuration to Outlook for iOS and Android via App configuration policies. This new functionality allows IT admins to configure the default behavior for several settings within Outlook for iOS and Android, such as Focused Inbox.
Note: For Outlook for iOS and Android to apply these settings, the app needs to be installed and managed by the Company Portal.
Figure 1: App Configuration Policy for Outlook for iOS on enrolled iOS devices from https://devicemanagement.microsoft.com. If you're in https://portal.azure.com, then you'll go to Intune -> Client apps -> App configuration policies and add a configuration policy.
General App Configuration details
With this new policy experience, administrators can simply configure certain Outlook app settings’ default behavior and deploy them to their user’s enrolled mobile devices. For this first release, Outlook is supporting the following settings for configuration:
Setting |
Default app behavior |
Notes |
Focused Inbox |
On |
|
Require Biometrics to access the app |
Off |
This setting is only available for Outlook for iOS.
If using App Protection Policies, Microsoft recommends disabling this setting to prevent dual access prompts. |
Save Contacts |
Off |
User must grant access to the native Contacts app for contact sync to occur. |
External Recipients MailTip |
On |
|
Block external images |
Off |
|
As you may have noticed, settings that are security-related in nature have an additional option, Allow user to change setting. For these settings (Save Contacts, External recipients MailTip, Block external images, and Require Biometrics to access the app), administrators can prevent the user from changing the app’s configuration; in other words, the administrator’s configuration cannot be overridden. Allow user to change setting does not change the app behavior. For example, if the admin enables Block external images and prevents user change, then by default external images will not be downloaded in messages; however, the user can manually download the images for that message body.
Note: The Allow user to change setting for Require Biometrics to access the app is currently only available as a configuration key. This will be addressed in a future Intune portal update. For more information regarding the configuration key, please see Deploy app config settings.
The following conditions apply with respect to Outlook’s behavior when implementing app configuration:
- If the admin configures a setting with its default value, and the app is configured with the default, then the admin’s configuration doesn't have any effect. For example, if the admin sets External recipients MailTip=on, the default value is also on, so Outlook’s configuration doesn't change.
- If the admin configures a setting with the non-default value and the app is configured with the default, then the admin’s configuration is applied. For example, the admin sets Focused Inbox=off, but app default is on, so Outlook’s configuration for Focused Inbox is off.
- If the user has configured non-default value, but the admin has configured a default value and allows user choice, then we retain the user’s configured value. For example, the user has enabled contact sync, but the admin sets Save Contacts=off and allows user choice, so Outlook keeps contact sync on and does not break caller-ID for user.
- If the admin disables user choice, then Outlook always enforces the admin defined configuration, regardless of the user's configuration or default app config. For example, the user has enabled contact sync, but the admin sets Save Contacts=off and disables user choice, so contact sync gets disabled and the user is prevented from enabling it.
- If after the MDM configuration is applied, if the user changes the setting value to not match the admin desired value (and user choice is allowed), then the user’s configuration is retained. For example, block external images is off by default, admin set Block external images=on, but afterwards, user changes block external images back to off; in this scenario, block external images remains off the next time the policy is applied.
Users are alerted to configuration changes via a notification toast in the app:
Figure 2: Outlook for iOS and Android app config notification toast
This notification toast will automatically dismiss after 10 seconds. There are two scenarios where this notification toast will not appear:
- If the app has previously shown the notification in the last hour.
- If the app has been installed in less than 24 hours.
Save Contacts
The Save Contacts setting is a special case scenario because unlike the other settings, this setting requires user interaction – the user needs to grant Outlook permissions to access the native Contacts app and the data stored within. If the user does not grant access, then contact sync cannot be enabled.
Note: With Android Enterprise, administrators can configure the default permissions assigned to the managed app. Within the policy, you can define that Outlook for Android is granted READ_CONTACTS and WRITE_CONTACTS within the work profile; for more information on how to assign permissions, please see Add app configuration policies for managed Android devices. When assigning default permissions it is important to understand which Android Enterprise deployment models are in use, as the permissions may grant access to personal data.
The workflow for enabling Save Contacts is the same for new accounts and existing accounts.
- The user is notified that the administrator has enabled contact sync. In Outlook for iOS, the notification occurs within the app, whereas, in Outlook for Android, a persistent notification is delivered via the Android notification center.
Figure 3: User notification regarding contact sync
- If the user taps on the notification, the user is prompted to grant access:
Figure 4: User is prompted to grant access to native Contacts app
- If the user allows Outlook to access the native Contacts app, access is granted and contact sync will be enabled. If the user denies Outlook access to the native Contacts app, then the user is prompted to go into the OS settings and enable contact sync:
Figure 5: User is prompted to enable contact sync in OS settings
- In the event the user denies Outlook access to the native Contacts app and dismisses the previous prompt, the user may later enable access by navigating to the account configuration within Outlook and tapping Open Settings:
Figure 6: User can re-enable contact sync access in OS settings
Summary
We hope you enjoy this new policy experience available within the Intune portal for Outlook for iOS and Android. We'll continue to update the list of settings that can be managed via the MDM OS channel.
For more information on general app config with Outlook for iOS and Android, see Deploy app config settings. Up next is general app configuration for the without enrollment scenario. Stay tuned!
Ross Smith IV
Principal Program Manager
Customer Experience Engineering
Common questions
Q: What versions of Outlook for iOS and Android support general app configuration on enrolled devices?
Outlook for iOS 3.15.0 and Outlook for Android 3.0.34 and later support this functionality.
Q: Can I deploy general app config to Outlook for iOS and Android if the device is not enrolled?
Not at this time, but in the future we plan to support this scenario for accounts that have an Intune App Protection Policy applied.
Q: What if I had already deployed the configuration keys manually in an App Configuration Policy; do I need to do anything?
No! The keys will be automatically consumed in the new policy experience.
Q: How do I create an App Configuration Policy for Outlook for iOS or Outlook for Android?
We’ll be updating Deploy app config settings to include the new policy experience, but you can also review Add app configuration policies for managed iOS devices and Add app configuration policies for managed Android devices.
Q: What if we are not using Intune to manage device enrollment, but instead are leveraging a third-party MDM solution?
Not to fear, we have you covered. These settings can be delivered via any MDM provider. For more information on the configuration keys you need to use, see Deploy app config settings.
Q: I need to configure IntuneMAMUPN to manage data transfer between iOS apps. Why is it that when I manually add IntuneMAMUPN in the Additional Configuration grid, it disappears from the policy?
This is a side effect of “Allow only work or school accounts” as that setting configures IntuneMAMUPN automatically behind the scenes for the policy. A configuration key cannot be configured automatically and exposed manually in the Additional Configuration grid. However, even though IntuneMAMUPN appears to disappear after saving the policy, your manual configuration is preserved. You can verify using MobileAppConfiguration PowerShell module. For example:
App Configuration Policy: Outlook iOS App Config
…/…
createdDateTime : 2019-04-02 T15:46:58.1363479Z
description :
lastModifiedDateTime : 2019-04-02T15:46:58.1363479Z
displayName : Outlook iOS App Config
version : 1
encodedSettingXml :
settings : {@{appConfigKey=IntuneMAMUPN; appConfigKeyType=stringType; appConfigKeyValue={{UserPrincipalName}}}, @{appConfigKey=IntuneMAMAllowedAccountsOnly; appConfigKeyType=stringType;
appConfigKeyValue=Disabled}, @{appConfigKey=com.microsoft.outlook.Contacts.LocalSyncEnabled.UserChangeAllowed; appConfigKeyType=booleanType; appConfigKeyValue=true},
@{appConfigKey=com.microsoft.outlook.Mail.BlockExternalImagesEnabled.UserChangeAllowed; appConfigKeyType=booleanType; appConfigKeyValue=true}...}
assignments@odata. …/…
We’re investigating how we can improve this experience.
Updated 4/2/19 with an update regarding IntuneMAMUPN