How to force Outlook to be used on mobile devices with Intune

How to force Outlook to be used on mobile devices with Intune

outlookWhat the Enterprise Mobility Suite solution of Microsoft unique makes, is the Office suite which is available for iOS and Android. (and later this year on Windows 10 Mobile) One of the apps of the suite is the Outlook app. This app on iOS and Android can be managed via the Mobile Application Management policies in Microsoft Intune to control data leakage. When you want to prevent data leakage you may want to force the users to use the Outlook app instead of the native mail and calendar apps on iOS and Android.

This can be done, let’s see how.

In this scenario we want to control access to the email in Office 365 and force the usage of the managed Outlook App. Default behavior is that when you enroll the device, the device will have access to Exchange Online, so both the Outlook app as the native app will be able to synchronize with Exchange online. We don’t want to have that.

What we need is the following;

  • Setup Microsoft Intune Service to Service Connector for Hosted Exchange
  • Compliance Policies
  • Conditional Access for Exchange Online Policy
  • Exchange Access Rules

Microsoft Intune Service to Service Connector for Hosted Exchange

Using the Microsoft Intune Service to Service Connector for Hosted Exchange allows you to define and use the mobile device access rules of Exchange Online. With the Exchange Access Rules you are able to configure access to Exchange ActiveSync based on device family and device model.

Exchange Connection

Exchange Connection

Setting up the service to service connector for hosted exchange is easy. Just logon with a user that has Global Admin permissions in Office 365 and the same tenant. If logged on with such account just click Set Up Service to Service Connector and click OK in the Admin > Mobil Device Management > Microsoft Exchange > Microsoft Exchange node in the Intune Admin console.

Compliance Policies

When using Conditional Access for Exchange online you are able to check if the device is compliant before allowing access to Exchange Online. Settings that can be checked are for instance if a password is set, if password complexity is set, but also is a device is encrypted or if the device is jailbroken or rooted.

If a device is not compliant the user needs to configure it so that it is compliant again to get access to the resources.

When compliant the user gets access to Exchange Online, with the compliance policy settings you are able to configure a compliance status validity period. This means that a device must report the status for all received compliance policies every XX number of days. (by default 30 days) If the device not returns a status within the period, the device will be treated as noncompliant.

Compliance policy settings

Compliance policy settings

Conditional Access for Exchange Online Policy

Next we need to configure the Conditional Access of Exchange Online Policy. This is done by enabling the conditional access policy. Be sure to select the platforms you want to use and be sure that a group with users is added to the Targeted Groups.

What we don’t need to enable is the option “Require mobile devices to be compliant” in the Exchange ActiveSync mail apps section. By leaving this option unchecked the Exchange ActiveSync access rules will work.

Exchange Online Policy

Exchange Online Policy

Exchange Access Rules

Under the Exchange ActiveSync node in the Policy workspace you are able to configure device access rules for Exchange ActiveSync connected devices. One of the handy things of the Outlook apps on iOS and Android is that it register itself as a device called Outlook.

So by clicking on Add Rule we are able to select Outlook as the Family and choose All Models or Outlook for iOS and Android as the model.

Add Access Rule

Add Access Rule

As a default rule Block the devices from accessing Exchange must be configured so that only Outlook has Access to Exchange Online. All Android, iOS and Windows Phone devices via the native apps will be blocked access to Exchange Online.

Show what is the result of all this?

Putting all of this together allows you to do the following;

  1. Have conditional access for Exchange Online via Microsoft Intune.
  2. Only have access via Outlook app, when enrolled into Intune.
  3. No access to Exchange Online via the native apps when enrolled into Intune via Exchange Access Rules.
  4. No access to Exchange Online via the native app when not enrolled via Exchange Access Rules.

Hope this helps, and like always test the usability for you first in a Lab environment. 🙂

 

Comments

 
Comments
Bob Smithe

Hello – Will this rule block Outlook 2013 running on a Windows 7 system from accessing email?

Peter Daalmans

Hi Bob, no Outlook 2013 uses most likely Outlook Anywhere not ActiveSync.

Unfortunately when setting this up, we find that Conditional access is still overriding the Mobile device access rules and allowing the native mail client to connect.

After combing through the instructions again, and reaching out, it appears the Intune Exchange Activesync service-to-service connector was not fully established in my setup. once that was working, we were able to block the outlook client. Thanks!

Peter Daalmans

great, just saw your question.. There are some issues with the service to service connector lately.. thanks for sharing!

Is this also possible in a hybrid environment with SCCM?

Peter Daalmans

no unfortunately not (yet)

I dont have the options Windows Mobile & Windows devices must meet…. in the Exchange Online Policy.
Any idea why?

Peter Daalmans

you need to apply for the preview via https://connect.microsoft.com

Trackbacks for this post

Leave a Reply

Time limit is exhausted. Please reload CAPTCHA.

 
Read previous post:
How to preconfigure an iOS app with Microsoft Intune

Since this week Microsoft Intune supports Mobile App Configuration Policies which allows you to configure Read more

Close