How to force Outlook for Mobile and use App Protection Policies

With the upcoming disablement of Basic Authentication for Exchange Online (Click) and to drive more compliancy in your company it is advised to limit your mobile devices to an app that’s compatible and controllable for mail usage.
Outlook for iOS and Android is the home made app of Microsoft and supports the use of App Protection Policies and Modern Authentication.
The power of App Protection Policies is that you can limit and control the app so company mail data on both company (COD) and personally owned devices (BYOD) is controlled and doesn’t get shared outside the Outlook app.
License requirements
Function | Part of | License | More info |
---|---|---|---|
Limit ActiveSync | Exchange Online | Exchange Online standalone or as part of subscription | https://www.microsoft.com/en-us/microsoft-365/exchange/compare-microsoft-exchange-online-plans |
Create App Protection Policies | Intune | Intune standalone or as part of subscription | https://docs.microsoft.com/en-us/mem/intune/fundamentals/licenses |
Limit ActiveSync to only the Outlook app
This step is really easy and is only a matter of blocking all devices and creating an exception rule for the Outlook app.
GUI
1. Go to https://outlook.office365.com/ecp
2. Then go to the mobile tab
3. Click on the edit button and select the Block access option, optionally you can also quarantine devices to create a temporary bypass option. You can then allow the device by approving it via the same page or by receiving an email.

4. Then you need to create an exception rule that allows the Device Model “Outlook for iOS and Android”.
Each mobile device has it’s own device model and type it sends with the ActiveSync request, the Outlook app sends it’s own model and type to distinguish itself.
5. Click the + sign under Device Access Rules
6. The Device Family you need to select is All Families and the Device Model is Outlook for iOS and Android

7. The last thing you need to do is select Allow access to allow the app
Sidenote: When you click Browse… the GUI collects all the devices that are currently connected or where connected in the past. If there wasn’t an Outlook app connected in the past then it won’t show up in the list.
In this case use the Powershell commands to create the rule.
Powershell
This is even easier, just run the following 2 commands:
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString “Outlook for iOS and Android” -AccessLevel Allow
And you’re done!
Next up, managing the Outlook app with APP!
To control the usage of the Outlook app you will create a App Protection Policy which will decide what you will and won’t be able to do with the app.
To create a policy you will need to follow the following steps:
- Go to the Endpoint Manager : https://endpoint.microsoft.com/#home
- Click on apps
- Then under Policy go to App protection policies
- You will need to create individual profiles for iOS and Android

5. The first step is easy, just enter a name and description for the policy you’re going to create

6. Then you select where the policy is targeted on, this can be either Unmanaged (BYOD), Managed (COD) or both.
Android also has the option to split between the (deprecated since Android 9.0) Android Device Administrator and Android Enterprise.

7. After that add the Outlook app as a published app by selecting + Select public apps and search for Outlook

8. Then select the Microsoft Outlook app, as you can see it’s possible to not only control Outlook but much more applications.
9. Select the app and click the Select button
10. Go to step 3 Data Protection where you can set the parameters on how the users can use the app. Plan your policies carefully and – this is one of the hardest things in IT – try to find a balance between usability and security (data spillage).
I’ve marked the policy settings which I think are the most important, you can get extra information for every setting by hovering over the i symbol.

11. Step 4 Access requirements is where you decide which authentication requirements there are before opening the app like requiring a fingerprint scan.
Think of the kids playing with mommies or daddies phone 🙂

12. Step 5 Conditional Launch sets the requirements you have in terms of the device’ s state the app is running on like not allowing rooted devices. You can also set things like a number of days the app is allowed to be used without a connection to the cloud before it wipes the data.

13. The Assignments tab is used for assigning the policy to users and/or groups. This comes in handy when you want to create multiple policies per department or based on other criteria.
14. On the last tab you can review the settings you defined and create the policy.
Deployed says No?!

When you are asking yourself, why isn’t the policy being deployed?
If the policy is only for unmanaged devices then it can’t be deployed 😉

Hybrid
If you’ve got a Hybrid construction then you to can use the policies as long as there are Intune licenses assigned to the users who are using the app.
You will need to leverage Hybrid Modern Authentication on your On-Prem Exchange server in order to force the policies.
You will find the following information here:
And that wraps up my blog.
Let me know if you have any questions!
1 reactie
[…] This blog is a follow-up on the blog I wrote earlier about forcing Outlook for Mobile and using App Protection Policies: https://www.patrickvanbemmelen.nl/how-to-force-outlook-for-mobile-and-use-app-protection-policies/ […]