How to force Outlook for Mobile and use App Protection Policies

With the upcoming disablement of Basic Authentication for Exchange Online, and to drive more compliance in your company, it is advised to limit your mobile devices to a mail app that is both compatible and controllable.

Outlook for iOS and Android is Microsoft's own app and supports App Protection Policies and Modern Authentication.

The power of App Protection Policies is that you can limit and control the app, so company mail data on both company-owned (COD) and personally owned (BYOD) devices stays under control and doesn't get shared outside the Outlook app.

License requirements

| Function | Part of | License | More info |
| --- | --- | --- | --- |
| Limit ActiveSync | Exchange Online | Exchange Online standalone or as part of a subscription | https://www.microsoft.com/en-us/microsoft-365/exchange/compare-microsoft-exchange-online-plans |
| Create App Protection Policies | Intune | Intune standalone or as part of a subscription | https://docs.microsoft.com/en-us/mem/intune/fundamentals/licenses |

Limit ActiveSync to only the Outlook app

This step is really easy and is only a matter of blocking all devices and creating an exception rule for the Outlook app.

GUI

1. Go to https://outlook.office365.com/ecp

2. Then go to the mobile tab

3. Click the edit button and select the Block access option. Optionally you can quarantine devices instead, which gives you a temporary bypass: you can then allow a quarantined device by approving it on the same page or via the notification email.

The block access option

4. Then you need to create an exception rule that allows the Device Model “Outlook for iOS and Android”.

Each mobile device sends its own device model and type with the ActiveSync request; the Outlook app sends its own model and type to distinguish itself.

5. Click the + sign under Device Access Rules

6. The Device Family you need to select is All Families and the Device Model is Outlook for iOS and Android

Adding the device model

7. The last thing you need to do is select Allow access to allow the app

Sidenote: When you click Browse… the GUI collects all the devices that are currently connected or were connected in the past. If no Outlook app has connected in the past, it won't show up in the list.

In that case, use the PowerShell commands to create the rule.

PowerShell

This is even easier, just run the following 2 commands:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Allow

And you’re done!
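As an added example (not the post's own script), the following PowerShell script applies the two commands above idempotently, verifies the resulting organization settings and rules, and reports which existing device partnerships are not the Outlook app and will therefore be blocked on their next sync. It assumes the ExchangeOnlineManagement module is installed and that you can sign in with a role that manages mobile device access.

```powershell
# Added example: block all ActiveSync clients by default, allow only the Outlook app,
# then report the devices that will be affected. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# The device model the Outlook app reports in its ActiveSync requests (as given in the post).
$OutlookModel = 'Outlook for iOS and Android'

# 1. Default for unknown devices: Block (use 'Quarantine' if you want a manual approval path).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# 2. Create the allow rule only if an identical rule does not already exist.
$existing = Get-ActiveSyncDeviceAccessRule |
    Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $OutlookModel }
if (-not $existing) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString $OutlookModel -AccessLevel Allow
}

# 3. Verify the end state: default level and the full rule list.
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel
Get-ActiveSyncDeviceAccessRule | Format-Table Characteristic, QueryString, AccessLevel

# 4. Impact report: every partnership that is not the Outlook app. The access state is
#    re-evaluated when the device next syncs, so this lists the devices that will be blocked.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceModel -ne $OutlookModel } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason |
    Sort-Object UserDisplayName |
    Format-Table -AutoSize
```

Run the report before flipping the default to Block if you want to warn the affected users first; the same pipeline with `-ne` replaced by `-eq` shows you how many users already use the Outlook app.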

Next up, managing the Outlook app with APP!

To control the usage of the Outlook app you create an App Protection Policy, which decides what users will and won't be able to do with the app.

To create a policy you will need to follow the following steps:

1. Go to the Endpoint Manager: https://endpoint.microsoft.com/#home

2. Click on Apps

3. Then under Policy go to App protection policies

4. You will need to create individual profiles for iOS and Android

Creating an APP for iOS or Android

5. The first step is easy, just enter a name and description for the policy you’re going to create

6. Then you select which devices the policy targets: Unmanaged (BYOD), Managed (COD) or both.
Android also has the option to split between Android Device Administrator (deprecated since Android 9.0) and Android Enterprise.

7. After that add the Outlook app as a public app by clicking + Select public apps and searching for Outlook

Adding the Outlook app

8. Then select the Microsoft Outlook app; as you can see, it's possible to control not only Outlook but many more applications.

9. Select the app and click the Select button

10. Go to step 3 Data Protection where you can set the parameters on how the users can use the app. Plan your policies carefully and – this is one of the hardest things in IT – try to find a balance between usability and security (data spillage).

I’ve marked the policy settings which I think are the most important, you can get extra information for every setting by hovering over the i symbol.

Try to find the balance between usability and counteracting data spillage

11. Step 4 Access requirements is where you decide which authentication requirements must be met before the app opens, such as requiring a fingerprint scan.
Think of the kids playing with mommy's or daddy's phone 🙂

Access requirements for the app

12. Step 5 Conditional Launch sets the requirements on the state of the device the app is running on, such as not allowing rooted devices. You can also set things like the number of days the app may be used without a connection to the cloud before it wipes its data.

Create conditions for the app to be used

13. The Assignments tab is used for assigning the policy to users and/or groups. This comes in handy when you want to create multiple policies per department or based on other criteria.

14. On the last tab you can review the settings you defined and create the policy.
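The same policy can be created without clicking through the portal. The following is an added example, not the post's own script, that builds an iOS App Protection Policy for Outlook through Microsoft Graph and mirrors steps 5 to 14 above: name and target level, data protection, access requirements, conditional launch, app targeting and group assignment. It assumes the Microsoft.Graph.Authentication module; the property names and enum values are taken from the Graph `iosManagedAppProtection` resource as I know it (treat them as assumptions and compare with the Graph reference), the specific values are a sample balance between usability and data spillage, and the group id is a placeholder.

```powershell
# Added example: create an iOS App Protection Policy for Outlook via Microsoft Graph.
# Assumes Microsoft.Graph.Authentication; $GroupId is a placeholder you must replace.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: the Azure AD group to assign
$Base    = 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections'

# Steps 5-6: name/description and target only unmanaged (BYOD) devices.
# Step 10: data protection, keep org data inside managed apps (sample values).
# Step 11: access requirements, PIN or biometric before the app opens.
# Step 12: conditional launch, block jailbroken devices and wipe after 30 days offline.
# Durations are ISO 8601 (PT12H = 12 hours, P30D = 30 days).
$policy = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'APP - Outlook iOS (BYOD)'
    description                             = 'Outlook for iOS on personally owned devices'
    targetedAppManagementLevels             = 'unmanaged'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    managedBrowserToOpenLinksRequired       = $true
    contactSyncBlocked                      = $false
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    fingerprintBlocked                      = $false
    periodOfflineBeforeAccessCheck          = 'PT12H'
    periodOnlineBeforeAccessCheck           = 'PT30M'
    periodOfflineBeforeWipeIsEnforced       = 'P30D'
    deviceComplianceRequired                = $true   # assumption: maps to "jailbroken/rooted devices: block"
}

$created = Invoke-MgGraphRequest -Method POST -Uri $Base `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Steps 7-9: target the Microsoft Outlook app by its iOS bundle id.
$apps = @{ apps = @(@{ mobileAppIdentifier = @{
    '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
    bundleId      = 'com.microsoft.Office.Outlook' } }) }
Invoke-MgGraphRequest -Method POST -Uri "$Base/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Step 13: assign the policy to a group.
$assign = @{ assignments = @(@{ target = @{
    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
    groupId       = $GroupId } }) }
Invoke-MgGraphRequest -Method POST -Uri "$Base/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Step 14: review the created policy with its targeted apps and assignments.
Invoke-MgGraphRequest -Method GET -Uri "$Base/$($created.id)?`$expand=apps,assignments"
```

The Android variant uses the `androidManagedAppProtections` collection and an `androidMobileAppIdentifier` with a `packageId` instead of a bundle id; the rest of the flow is the same, which is why scripting the policy pays off once you maintain several per department.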

Deployed says No?!


If you are asking yourself why the policy isn't being deployed:
a policy that targets only unmanaged devices can't be deployed 😉

This policy is only for unmanaged devices

Hybrid

If you've got a hybrid setup you can also use the policies, as long as Intune licenses are assigned to the users who use the app.
You will need to enable Hybrid Modern Authentication on your on-premises Exchange server in order to enforce the policies.

You will find the following information here:

https://docs.microsoft.com/en-us/exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth?view=exchserver-2019

And that wraps up my blog.

Let me know if you have any questions!
