Multi-identity in the managed Outlook app – Part 1

Microsoft_OutlookThis blog post can be seen as a follow up about a previous post about the email profile behavior after retiring a mobile device. During that post I showed the behavior of email profiles in the native mail app and the Outlook app after retiring the mobile device. In this post I’ll dive deeper into the Outlook app. More specifically, the behavior of the managed Outlook app and multi-identities. To be complete, I’ll divide this blog post in two parts. This first part will describe the assumptions, the configuration and the behavior and the second part will show the behavior in a real example.

Assumptions

During this blog post I’ve done four important assumption, about the used environment, that might impact the test results. When these four items are not in place, the results might differ from the results in this blog post. The key is that these four items create a fully managed Outlook app for company email.

  1. Office 365, including Exchange Online, is in place for the company email;
  2. Microsoft Intune hybrid, or standalone, is in place for managing the mobile devices;
  3. Conditional access is used to provide access to the company email;
  4. Application management policies are in place to protect the company email.

Configuration

During this blog post I’ve used the configuration, for the managed Outlook app, as shown in the pictures below. These pictures are taken from a Microsoft Intune hybrid environment, but the settings that can be configured are identical to the settings that can be configured in a Microsoft Intune standalone environment.

iOS Android
iOS_AppManagementPolicy Android_AppManagementPolicy

Behavior

One key takeaway about the behavior is a difference in the behavior of the Outlook app for iOS and the Outlook app for Android.

If a PIN requirement is configured, the Outlook app for iOS will always prompt for a PIN.

It will even prompt for a PIN during the initial startup. On the other hand, if a PIN requirement is configured, the Outlook app for Android will only prompt for a PIN after a company email profile is configured.

Besides that key difference the behavior of the Outlook app for iOS and the Outlook app for Android will be identical. Based on the configured managed application policy the end-user will experience the following behavior.

Setting Company email Personal email
Restrict web content to display in the Managed Browser

The end-user will experience that an URL will open in the Managed Browser.

Note: When the Managed Browser is used with an allow list, the URL has to be part of that list.

The end-user will experience that an URL will open in the default browser.
Prevent Android backups (Android only)1 The end-user will not experience anything special. The end-user will not experience anything special.
Prevent iTunes and iCloud backups (iOS only)1 The end-user will not experience anything special. The end-user will not experience anything special.
Allow app to transfer data to other apps The end-user will experience that data can only be transferred to other managed apps. The end-user will experience that data can be transferred to any other apps.
Allow app to receive data from other apps The end-user will experience that data can be received from all other apps. The end-user will experience that data can be received from all other apps.
Prevent “Save As The end-user will experience that the “Save As” option is missing for attachments. The end-user will experience that the “Save As” option is available for attachments.
Restrict cut, copy, and paste with other apps The end-user will experience that content and attachments can only be copied and pasted to other managed apps. The end-user will experience that content and attachments can be copied and pasted to all other apps.
Require simple PIN for access (including number of attempts before PIN reset) The end-user will experience that a PIN is required for access.

iOS – The end-user will experience that a PIN is required for access.

Android – The end-user will experience that a PIN is not required for access.

Require corporate credentials for access The end-user will experience that corporate credentials are required for access.

iOS – The end-user will experience that corporate credentials are  required for access.

Android – The end-user will experience that corporate credentials are not required for access.

Require device compliance with corporate policy for access The end-user will experience that there is no access when the device is jailbroken (iOS) or rooted (Android). The end-user will experience that there is always access.
Recheck the access requirements after timeout and offline grace period3 The end-user will not experience anything special. The end-user will not experience anything special.
Encrypt app data4 The end-user will not experience anything special. The end-user will not experience anything special.
Block screen capture(Android only) The end-user will experience that the screen capture option can’t be used. The end-user will experience that the screen capture option can be used.

1 This setting would make sure that the backup of the Outlook app is disabled, but, by default, the Outlook app already doesn’t perform online backups.
2 This setting will make sure that the access requirements for the Outlook app are checked again after the specified timeout and grace period.
3 This setting will make sure that all data associated with the Outlook app will be encrypted. On iOS the data is encrypted at rest using the device level encryption of iOS and on Android the data is encrypted during file I/O operations via encryption provided by Microsoft.

More information

For more information about controlling managed apps, please refer to the following links:

8 thoughts on “Multi-identity in the managed Outlook app – Part 1”

  1. Great article… I have currently issues with configuration of the managed Outlook app. I deploy a email profile (Exchange On-Premise) with ConfigMgr, but still the native Mail app will be configured with the Exchange account, not the Outlook app. Also I define in the MAM policy for Outlook that a PIN is required, but if I open the app after installation from the portal no PIN needs to be set. Do you have any pointers what I am missing here? Compliance Policy is in place, the only thing that I do not have Is an Exchange Connector for Conditional Access, since I have over 400 active AS-Devices which are currently not enrolled with Intune and I do not want to impact these devices! Thanks a lot!

    Reply
    • Hi Mike,

      Correct at this moment only the profile of the native Mail app can be configured, not the profile of the Outlook app. Also, the PIN policy should kick in as soon as you configure a company profile in the Outlook app.

      Peter

      Reply
  2. Hi Peter, for the setting “Encrypt app data”, if using Android device, is it required to encrypt the phone and/or SD card in order to achieve. I try this on a non-encrypted phone and the save a file in SD card. But the file can be opened in other PC or device.

    Am I testing it wrongly? Or, say, does it depend on device/SD card encryption?

    Thanks
    Eddie

    Reply

Leave a Reply to Peter van der Woude Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.