Nowadays, the smartphone takes up a lot of room in our personal and professional lives. Receiving your work email directly on a mobile device has become common. Based on the latest numbers shared by Brad Anderson from Microsoft, companies are increasingly willing to use a mobile device management solution such as Microsoft Intune and let users access company data from outside the corporate network. Some companies, Pepsi Cola among them, have shared success stories about using Microsoft's EMS solution.
Companies gain a lot by letting their employees access corporate data from everywhere, especially email. There are several mail applications available in the App Store (and in the Google Play Store for Android), but on iOS the native Mail app and the Outlook app are by far the most popular. Which one do you prefer?
Some users will be more productive with the iOS native Mail app, while others will choose the Outlook app for preference and security. The advantage of the Outlook app with Intune is that it supports app protection (MAM) policies that protect the data inside the application.
Using a non-Microsoft mail app exposes you to the risk of getting minimal support. For example, a few months ago Apple modified the way the iOS native Mail app works; some users were affected by the change and could no longer synchronize with Office 365. If your MDM is Microsoft Intune and you want to secure your mobile devices, we highly recommend that you enforce the use of the Outlook app without exception.
It is not hard to do as long as you follow a plan, if your goal is a smooth transition. This blog post explains how to move all users from the native Mail app to the Outlook app with Intune:
- Deploying Microsoft Outlook App
- Assign App Protection Policy
- Blocking Mail Native App using Conditional Access
Intune iOS Mail Outlook app – Better Together
The learning curve of a new application may seem obvious and easy to you, but for some users it is not. Each person manages email differently and uses different options. Migrating to Outlook means they need to change the way they work and learn the new app. There is a good chance you will create a shock wave in your company if you block the iOS native Mail app and push the installation of the Microsoft Outlook app at the same time.
What about using both apps during a grace period? Users will be able to test the Outlook app, report technical issues or request features: a kind of internal technical preview. Done this way, the migration won't affect productivity.
Deploying Microsoft Outlook App
With Intune, you can configure a required deployment of the Microsoft Outlook app for iOS and target a group or all users. This ensures that all devices enrolled in Intune receive the Microsoft Outlook app.
- To deploy an application with Microsoft Intune, open your browser and navigate to https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/1/selectedMenuItem/Overview
- Click on Add and select App type iOS
- Click on Search the App Store and type Outlook in the search field
- Once you find Microsoft Outlook, select the app and click Select at the bottom
- Review the information that was filled in automatically by clicking on App information
- Once you're ready, click on Add at the bottom
- The application is created but not assigned yet. To assign it to a group, click on the Assignments blade and then Add group
- Select Required as the Assignment type to enforce the app on mobile devices
- Under Included Groups, choose the group you want to target, or use the two switches to deploy to all users or all devices. Once the included assignment is configured, click OK at the bottom
- If you want to exclude a specific group that should not receive the app automatically, click on Excluded Groups and select the group
- To save the assignment, don't forget to click Save at the top of the Assignments blade.
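The same deployment and Required assignment, scripted against Microsoft Graph so it can be repeated in a second tenant or in a pipeline. This is an added example and not code from the original post; it assumes the Microsoft.Graph.Authentication PowerShell module (2.x), a signed-in account holding the DeviceManagementApps.ReadWrite.All permission, and placeholder group IDs that you replace with your own.

```powershell
# Added example (not from the original post): create the Microsoft Outlook
# iOS store app in Intune and assign it as Required, using Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication 2.x installed; the signed-in
# account holds DeviceManagementApps.ReadWrite.All; group IDs are placeholders.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$Graph          = "https://graph.microsoft.com/v1.0"
$TargetGroupId  = "00000000-0000-0000-0000-000000000001"   # placeholder: users migrating to Outlook
$ExcludeGroupId = "00000000-0000-0000-0000-000000000002"   # placeholder: group that must not get the app
$BundleId       = "com.microsoft.Office.Outlook"           # Outlook for iOS bundle ID

# Re-use the app if it already exists so the script is safe to run twice.
$lookup = Invoke-MgGraphRequest -Method GET `
    -Uri "$Graph/deviceAppManagement/mobileApps?`$filter=displayName eq 'Microsoft Outlook'"
$app = $lookup.value | Where-Object { $_.bundleId -eq $BundleId } | Select-Object -First 1

if (-not $app) {
    $body = @{
        "@odata.type"                   = "#microsoft.graph.iosStoreApp"
        displayName                     = "Microsoft Outlook"
        description                     = "Microsoft Outlook for iOS"
        publisher                       = "Microsoft Corporation"
        bundleId                        = $BundleId
        appStoreUrl                     = "https://apps.apple.com/us/app/microsoft-outlook/id951937596"
        applicableDeviceType            = @{ iPad = $true; iPhoneAndIPod = $true }
        minimumSupportedOperatingSystem = @{ v11_0 = $true }
    }
    $app = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceAppManagement/mobileApps" -Body $body
}

# The /assign action replaces the whole assignment set, so list every
# assignment you want to keep: Required for the target group and an
# exclusion for the opt-out group.
$assignments = @{
    mobileAppAssignments = @(
        @{
            "@odata.type" = "#microsoft.graph.mobileAppAssignment"
            intent        = "required"
            target        = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $TargetGroupId }
        },
        @{
            "@odata.type" = "#microsoft.graph.mobileAppAssignment"
            intent        = "required"
            target        = @{ "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"; groupId = $ExcludeGroupId }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceAppManagement/mobileApps/$($app.id)/assign" -Body $assignments

# Read the assignments back to confirm what Intune actually stored.
(Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceAppManagement/mobileApps/$($app.id)/assignments").value |
    ForEach-Object { "{0,-9} {1}" -f $_.intent, $_.target.'@odata.type' }
```

The read-back at the end is the check worth keeping: the `/assign` action overwrites existing assignments rather than merging with them, so if someone had added an Available assignment for another group through the portal, it is gone after this script runs. Listing the result makes that visible immediately rather than when the help desk calls.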
App Protection Policy
Now that the application is being deployed to all your devices, it's important to secure the app data in the Microsoft Outlook app for iOS. An app protection policy containerizes your company data inside the app and blocks copy/paste and "Save As" to unmanaged locations. MAM prevents corporate data from flowing out of managed apps into personal apps.
- To create an app protection policy, open your browser and navigate to https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/14/selectedMenuItem/Overview
- Click on Add a policy and type a policy name
- Make sure the platform is iOS and click on Select required apps
- For a better user experience, check all apps and click Select at the bottom
- Click on Configure required settings and change these settings:
  - Allow the app to transfer data to other apps: Policy managed apps
  - Prevent "Save As": Yes
  - Select which storage services corporate data can be saved to: OneDrive for Business
  - Restrict cut, copy and paste with other apps: Policy managed apps with paste in
- Click OK at the bottom once you're finished
- Click Create at the bottom to save the new policy
Now that the policy is created, assign it to the same group we used to deploy the Outlook app.
- Click on your new policy and then click Assignments
- Click on Select groups to include, choose the same group previously selected for the Outlook app assignment and click Select
From now on, users who have already installed the Outlook app will start seeing this prompt on their iPhone.
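The same app protection policy created through Microsoft Graph, with the four data-transfer settings from the steps above, the app targeting and the group assignment, followed by a read-back that fails if the stored settings differ from what was requested. This is an added example and not code from the original post; it assumes the Microsoft.Graph.Authentication module, the DeviceManagementApps.ReadWrite.All permission, a placeholder group ID, and the listed bundle IDs, which you should verify against the app list in your own tenant. One setting not in the original list (restricting inbound data as well) is added and marked as such.

```powershell
# Added example (not from the original post): create the iOS app protection
# policy with the settings from the steps above, target the Office apps and
# assign it to the same group used for the Outlook deployment, via Graph.
# Assumptions: Microsoft.Graph.Authentication; DeviceManagementApps.ReadWrite.All;
# the group ID is a placeholder; verify the bundle IDs against your app list.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$Graph         = "https://graph.microsoft.com/v1.0"
$TargetGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: same group as the Outlook assignment

$policy = @{
    displayName = "iOS - Outlook data protection"
    description = "Keep company mail and attachments inside policy-managed apps"
    # Allow the app to transfer data to other apps: Policy managed apps
    allowedOutboundDataTransferDestinations = "managedApps"
    # Prevent "Save As": Yes, except to the storage services listed below
    saveAsBlocked               = $true
    allowedDataStorageLocations = @("oneDriveForBusiness")
    # Restrict cut, copy and paste with other apps: Policy managed apps with paste in
    allowedOutboundClipboardSharingLevel = "managedAppsWithPasteIn"
    # Not in the original step list (added here): also restrict data coming in
    allowedInboundDataTransferSources = "managedApps"
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceAppManagement/iosManagedAppProtections" -Body $policy

# Target the apps the policy applies to. The original step selects every
# available app; this list covers the Microsoft apps most tenants care about.
# Bundle IDs are App Store identifiers (check them in Intune under each app).
$bundleIds = @(
    "com.microsoft.Office.Outlook",
    "com.microsoft.Office.Word",
    "com.microsoft.Office.Excel",
    "com.microsoft.Office.Powerpoint",
    "com.microsoft.skydrive"          # OneDrive for iOS
)
$apps = @{
    apps = @($bundleIds | ForEach-Object {
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ }
        }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" -Body $apps

# Assign the policy to the migration group (app protection applies to the user, not the device).
$assign = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
            target        = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $TargetGroupId }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" -Body $assign

# Read back the settings that matter and fail loudly if any is not what we asked for.
$check = Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceAppManagement/iosManagedAppProtections/$($created.id)"
if ($check.allowedOutboundDataTransferDestinations -ne "managedApps" -or -not $check.saveAsBlocked -or
    $check.allowedOutboundClipboardSharingLevel -ne "managedAppsWithPasteIn") {
    throw "App protection policy $($created.id) does not have the expected data-transfer settings"
}
```

Because the policy is assigned to users rather than devices, a user who is in the group but signs in to Outlook on an unenrolled personal phone still gets the container; that is exactly the case the native Mail app cannot cover, which is the security argument for the migration in the first place.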
Blocking Mail Native App with Conditional Access
The Outlook app is now deployed and users can use it securely. They will start using it side by side with the iOS Mail app and can use this time to learn its functionality and become familiar with the new app.
From experience, educate your users with videos or a step-by-step guide. Explain to them how to reach Microsoft support directly from the Outlook app. UserVoice is also available to see which features are coming soon.
If some users no longer want to use the iOS Mail app and you are deploying an email profile with Intune, you can disable mail synchronization on the device itself by going to Settings – Accounts & Passwords.
- Tap on your account and turn off Mail
Important info: If you deploy an email profile with your MDM, the email profile won't be removed from the device simply by removing the profile deployment. Only a new enrollment will remove the email profile from your iOS devices.
Before going to the next step, wait anywhere from 2 weeks to 2 months, depending on user expectations or CSO requirements. It's a balance between productivity and security. Educate your users as much as you can before going further.
Are you now ready to block the native Mail app? Follow this step-by-step guide using Conditional Access.
- Open your browser and navigate to the Conditional Access blade https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
- Click on New and type a policy name like Mail Native Block
- In the Assignments section, click on Users and groups. Under Include, choose Select users and groups and pick the same group you have been using since the beginning.
- Once you're finished, click Done at the bottom
- Click on Cloud apps, select Office 365 Exchange Online to target the email service and click Done at the bottom.
- Click on the Conditions blade and select Device platforms
- Configure the condition by clicking Yes, click on Include, select the iOS platform and click Done at the bottom
- Select Client apps (preview) and enable it by selecting Yes
- Enable these checkboxes:
- Mobile apps and desktop clients
- Exchange ActiveSync clients
- Other clients
- Once you're finished, click Done twice at the bottom
- In the Access controls section, click on the Grant blade
- Select Block access under Grant, then click Select at the bottom
- The Conditional Access rule is now ready and configured; enable it by setting Enable policy to Yes.
Ask your users to open the native Mail app. If your rule works, they will see this warning email telling them that access has been blocked.
From now on, users will need to use the Microsoft Outlook app. 🙂
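The same Conditional Access policy created through Microsoft Graph. This is an added example and not code from the original post; it assumes the Microsoft.Graph.Authentication module, the Policy.ReadWrite.ConditionalAccess permission, and placeholder group IDs. It departs from the portal steps in two deliberate ways: it creates the policy in report-only mode first (switch $Enforce to $true once the sign-in logs look right), and it excludes a break-glass group so a mistake in the conditions cannot lock administrators out of mail. The $RequireApprovedApp switch implements the alternative suggested in the comments below: grant access only to approved client apps instead of blocking outright.

```powershell
# Added example (not from the original post): create the "Mail Native Block"
# Conditional Access policy from the steps above through Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication; Policy.ReadWrite.ConditionalAccess;
# the group IDs are placeholders. The policy starts in report-only mode so you
# can check sign-in logs before enforcing it (set $Enforce to $true then).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$Graph              = "https://graph.microsoft.com/v1.0"
$TargetGroupId      = "00000000-0000-0000-0000-000000000001"   # placeholder: migration group
$BreakGlassGroupId  = "00000000-0000-0000-0000-00000000000f"   # placeholder: admins / emergency accounts to exclude
$ExchangeOnlineApp  = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online
$Enforce            = $false        # $false = report-only, $true = enforce
$RequireApprovedApp = $false        # $true = grant only to approved client apps instead of blocking

# Computed outside the hashtable literal so the script also runs on Windows PowerShell 5.1.
$state   = if ($Enforce) { "enabled" } else { "enabledForReportingButNotEnforced" }
$control = if ($RequireApprovedApp) { "approvedApplication" } else { "block" }

$policy = @{
    displayName = "Mail Native Block"
    state       = $state
    conditions  = @{
        # Same group as the Outlook deployment, minus the break-glass accounts
        users          = @{ includeGroups = @($TargetGroupId); excludeGroups = @($BreakGlassGroupId) }
        # Cloud app: Office 365 Exchange Online
        applications   = @{ includeApplications = @($ExchangeOnlineApp) }
        # Device platform: iOS
        platforms      = @{ includePlatforms = @("iOS") }
        # Client apps: Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients
        clientAppTypes = @("mobileAppsAndDesktopClients", "exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @($control)
    }
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$Graph/identity/conditionalAccess/policies" -Body $policy

# Verify what the tenant stored before telling users anything.
$check = Invoke-MgGraphRequest -Method GET -Uri "$Graph/identity/conditionalAccess/policies/$($created.id)"
"{0}: state={1}, platforms={2}, clientApps={3}, grant={4}" -f $check.displayName, $check.state,
    ($check.conditions.platforms.includePlatforms -join ","),
    ($check.conditions.clientAppTypes -join ","),
    ($check.grantControls.builtInControls -join ",")
```

Two things to keep in mind when reading the result. The "Other clients" condition also covers legacy authentication protocols (IMAP, POP, SMTP basic auth) for the targeted users, so anything in that group still relying on them will be blocked along with native Mail. And in report-only mode the sign-in logs show what the policy would have done; the user-facing warning email described above only appears once the state is switched to enabled.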
For iOS native Mail, make sure you set the "Prevent Move" restriction in the native mail app configuration. Plus set the two Managed Open In restrictions.
The demos of native mail leaking will have these restrictions disabled.
Also, do not set the Only in Mail restriction, as the mail will not be available in your managed work apps.
Thanks Frewy for the details. A lot of stuff changed since the creation of this post.
The provided solution is not working on iOS devices. The email profile is still configured in the native mail client app when enrolling an iOS device into Intune.
Conditional access policy, configuration policy and compliance policies are live in the environment. Still, by default the native email client is configured automatically when enrolling the device into Intune.
Need your immediate assistance to rectify the same.
I know it’s a 2 years comment. I hope you rectified the issue fast. Have you removed the native profile deployment at that time?
Thanks for your nice article. I think the best option to migrate users to Outlook is not to create a block rule but to create a Grant with the condition "Require Approved Application". With that setting, users will receive a mail to download or open Outlook to continue reading email.
Thanks for your good article,
Yeah! You’re right. Things changed since that post. You can do it with Required Apps clients.