We are excited to announce in partnership with the Outlook team that you can now manage the Outlook apps for iOS and Android using Microsoft Intune mobile application management (MAM) and conditional access capabilities. With Intune MAM, you can restrict actions such as cut, copy, paste, and “save as” of corporate data between the Intune-managed Outlook app and personal apps like Twitter or Facebook, and with conditional access, you can restrict unmanaged and non-compliant devices from accessing Exchange Online.
Being able to access corporate email from anywhere is critical for employee productivity, but this introduces complexity for IT administrators who need to secure this corporate data on a variety of devices. Microsoft Intune and Outlook help solve this problem for organizations using the Outlook app paired with Intune MAM and conditional access capabilities by enabling employees to be productive from almost anywhere on virtually any device while helping protect corporate data. This blog post details how to set up the Intune MAM and conditional access capabilities for Outlook.
Mobile Application Management with Outlook
Intune MAM with Outlook provides app-level management for organizations seeking to protect corporate data in Outlook. MAM achieves this by exposing data protection controls, such as app data encryption, copy/paste restrictions, and backup prevention. This solves a key data protection challenge for organizations that need to enable users to be fully productive on their mobile devices while maintaining protection of corporate data. When combined with Microsoft’s device, data, and identity protection capabilities delivered by the Enterprise Mobility Suite, MAM helps provide organizations with comprehensive protection of corporate email and other sensitive corporate data on devices. You can read more about our multi-layered protection strategy here.
This release of the Intune-managed Outlook apps includes the next generation of Intune MAM with new multi-identity management functionality. This feature is especially helpful for organizations where devices and apps are used for both work and personal use. When using Outlook with this multi-identity management feature, users will be able to access both their personal and work email accounts in the same application, but with app management applied only to their work account. For example, the Intune settings may dictate that data copied from a corporate email can be copied to another corporate email or another corporate application, but not to a personal email. At the same time, this allows users to access their personal email using the same app on their device without IT controls, providing an optimal user experience. This Intune multi-identity management feature is available for the Outlook apps today and will be added to additional Office mobile apps over the coming months.
How the solution works
As an Intune administrator, you can create MAM policies and associate them to your Outlook app deployments. Then, when the user logs into Outlook on their device with their work email account, Intune will apply these settings to protect corporate data. The MAM policies allow you to customize these settings for the Outlook app to achieve the level of protection that meets your organization’s needs in the following ways:
- Data relocation: Prevent corporate app data from being transferred to personal apps and locations, including backup, copy and paste, and sharing data to other apps or cloud services.
- Screenshots: Prevent user from taking screenshots while in the application on Android. On iOS, this can be configured via device policy.
- Application access: When the user is accessing corporate content, require a PIN or corporate credentials to be entered.
- Encryption: Encrypt corporate app data.
In addition to the protection MAM enables with the above settings, Outlook also now supports Intune MAM’s selective wipe feature. When a device with the Outlook app is retired or unenrolled, all of the application’s corporate data will be deleted, leaving only personal data behind on the device. This protection means that even when the device is removed from management, corporate data is still protected. See the full details on Intune MAM on TechNet here.
Deploying the solution
Step 1: Create a mobile application management policy
Your MAM policy dictates which restrictions are placed on your deployment of Outlook for iOS or Android. Intune applies this policy to the apps when they are initially deployed and also gives you the option to update the settings even after the apps have been installed by users.
On the device, these settings will be applied when the user’s corporate email account is added to Outlook. If personal and corporate accounts are both added, Intune MAM capabilities will ensure that the accounts and the data within them are maintained separately; corporate data will be encrypted even if personal data is not, and saving to personal storage locations will be blocked for corporate emails and attachments.
To create a Mobile Application Management policy, go to Policy > Configuration Policies and select Add… Then choose Software > Mobile Application Management Policy (select iOS or Android). Select the settings you require, and click Save Policy.
Step 2: Add Outlook to your Intune app catalog
To deploy Outlook to end users, you will need to upload the app information to the Intune admin console. The Outlook apps are available in the Google Play and iOS App Stores, so all you need to do is add links to those apps to Intune and deploy the apps.
In the Intune console, go to Apps > Add Apps. Under Select how this software is made available to devices, choose:
- External link for the Android app and enter the link: https://play.google.com/store/apps/details?id=com.microsoft.office.outlook
- Managed iOS App from the App Store for the iOS app and enter the link: https://itunes.apple.com/app/microsoft-outlook/id951937596?mt=8
Then complete the wizard to upload the app. For more details on app deployment, see the TechNet article here.
Step 3: Deploy Outlook with your mobile application management policy
You are now ready to deploy Outlook with a MAM policy. In the Intune console, navigate to Apps > Apps. Locate Outlook on that list, and click Manage Deployment…
First, you will select the groups for the deployment and the deployment action for each group. Then, on the Mobile App Management tab, you can choose the MAM policy that you created in step 1. If you need different MAM policies per group in the deployment, you can create additional MAM policies and target them to the appropriate groups on this page.
When you finish this wizard, Outlook is deployed to the selected group(s) with the selected policy(s). If you need to change the policy in the future, remember that you can either edit the policy itself, or add a new MAM policy to the deployment in the Manage Deployment wizard.
Conditional Access with Outlook
In addition to Intune mobile app management, organizations can implement conditional access to restrict access to Exchange Online. When a user tries to log in with their corporate account from an unmanaged mobile device, the Outlook app will prompt the user to enroll their device in Intune.
Upon enrollment, devices are evaluated against any compliance policies defined in the Intune console. If the device is not compliant, the user will not be allowed to log in and will be given a link to Intune that explains which device settings are out of compliance and how to remediate them.
You can configure conditional access by deploying a compliance policy to a group of users and enabling the relevant conditional access policy against the service you need to protect. Detailed steps for configuring conditional access in the Intune console for Exchange Online are available here.
For more information on Intune mobile application management, check out the article on how to ‘Control apps using mobile application management policies with Microsoft Intune’ in the Intune Documentation Library. For more information on Intune conditional access, check out the article on how to ‘Manage access to email and services with conditional access for Microsoft Intune’ in the Intune Documentation Library. You can also find technical resources in this library on mobile device and app management with Microsoft Intune and can find more information on the Outlook app here. Additionally, make sure to check out the new Intune UserVoice site where you can submit your ideas for new product features and vote for ideas submitted by the community.
Note: These features are currently available in Intune standalone (cloud only) and will be made available to hybrid customers by July 2 as part of an upcoming Intune service update.