Email profile behavior after retiring a mobile device

Microsoft_OutlookThis blog post will be a follow-up on my blog post of last week about the three layers of protection with conditional access for Exchange email. During that post I tried to stress the importance of protecting, and being in control of, company email. In this blog post I will go through different scenarios to show the behavior of company email after retiring a mobile device from Microsoft Intune. I will show the results of these scenarios for both the native email app and the Outlook app.

Scenarios

Before I start with the different scenarios it’s important to mention that, after a mobile device is successfully retired from Microsoft Intune, the user will be able to configure company email on its mobile device. This is due to a default cache on Exchange. It might take up to, somewhere between, 6 and 24 hours before Exchange will re-check the device. For more information about this, please refer to this forum discussion.

Scenario 1: Email profile and the native mail app

In this scenario the Email Profile that’s configured by Microsoft Intune, is used in the native mail app.

Result after retiring mobile device
1 The Email Profile for the native mail app is successfully removed

Scenario 2: Email profile, the native mail app and additional personal email account

In this scenario the Email Profile that’s configured by Microsoft Intune, is used in the native mail app. Besides that, an additional personal email account is manually configured in the native mail app.

Result after retiring mobile device
1 The Email Profile for the native mail app is successfully removed
2 The additional personal email account is still available in the native mail app

Scenario 3: Email profile, the native mail app and the Outlook app

In this scenario the Email Profile that’s configured by Microsoft Intune, is used in the native mail app. Besides that, the same company account is manually configured in the Outlook app.

Result after retiring mobile device
1 The Email Profile for the native mail app is successfully removed
2 The same company account is removed from the managed Outlook app.

Scenario 4: Email profile, the native mail app, the Outlook app and additional company account

In this scenario the Email Profile that’s configured by Microsoft Intune, is used in the native mail app. Besides that, the same company account and an additional company account are manually configured in the Outlook app.

Note: Via the default mail app it’s not possible to configure multiple company accounts. The default mail app will require enrollment of every company account that’s used for configuring company email.

Result after retiring mobile device
1 The Email Profile for the native mail app is successfully removed
2 The same company account is successfully removed from the Outlook app
3 The additional company account is still available in the Outlook app, but will require the device to be re-enrolled

Scenario 5: Email profile, the native mail app, the Outlook app and additional personal account

In this scenario the Email Profile that’s configured by Microsoft Intune, is used in the native mail app. Besides that, the same company account and an additional personal account are manually configured in the Outlook app.

Result after retiring mobile device
1 The Email Profile for the native mail app is successfully removed
2 The same company account is successfully removed from the Outlook app
3 The additional personal account is still available in the Outlook app

Conclusion

I probably could have created even more scenarios to test behavior of company email, after retiring a mobile device from Microsoft Intune, but, as the scenarios show, that I did test, the company email behaves exactly as expected. Basically I can summarize the results in two very simple, but very important, points:

1 The company email won’t be available after retiring the mobile device from Microsoft Intune
2 The personal email will be left untouched after retiring the mobile device from Microsoft Intune


Note
: Even though I state everywhere only Microsoft Intune, this behavior is applicable for Microsoft Intune standalone and Microsoft Intune hybrid.

3 thoughts on “Email profile behavior after retiring a mobile device

  1. Have you heard anything on the roadmap about blocking the native mail application and only allowing access via the Outlook application?

    For two reasons:
    1) It seems perverse to have a mail account pushed to the device, but then manually configure the Outlook application – I’m not really seeing the use case as yet.
    2) In a BYOD scenario, it makes sense to force registration with Intune but have a lighter touch compliance policy for the device itself, then use the Outlook application only for access to e-mail (i.e. not support the native mail application – or block it completely)

    I would assume that one could block the non-modern authentication methods in an ADFS environment, but this raises support issues for other applications in the organisation. What are your thoughts?

Leave a Comment