Migrate Users from iOS Mail Native to Microsoft Outlook with Intune

Nicolas Pilon | App Protection Policies, Conditional Access, EMS, Intune

Nowadays, the smartphone takes up a lot of room in our personal and professional lives. Being able to receive your work emails directly on a mobile device is becoming popular. Based on the latest numbers provided by Brad Anderson from Microsoft, companies are more willing to use a mobile device management solution like Microsoft Intune and let users access company data from outside the corporate network. Some companies, such as Pepsi Cola and many others, have shared their stories of using Microsoft’s EMS solution.

Companies gain a lot of benefits from letting their employees access corporate data from everywhere, especially emails. There are several mail applications available in the App Store or the Google Play Store for Android, but the native iOS Mail app and the Outlook app are by far the most popular on the iOS platform. Which one do you prefer?

Some users will be more productive with the native iOS Mail app, while others will choose the Outlook app for preference and security. The good thing about the Outlook app with Intune is that it supports MAM policies that protect data in the application.

Using a non-Microsoft mail app exposes you to the risk of getting minimal support. For example, a few months ago, Apple modified the way the native iOS Mail app works; some users were affected by the change and can’t synchronize with Office 365. If your MDM is Microsoft Intune and you want to secure your mobile devices, we highly recommend that you enforce the use of the Outlook app without exception.

It’s not hard to do, and following a guideline helps you do it smoothly. This blog post explains how to move all users from the native Mail app to the Outlook app with Intune.

  1. Deploying Microsoft Outlook App
  2. Assign App Protection Policy
  3. Blocking Mail Native App using Conditional Access

Intune iOS Mail Outlook app – Better Together

The learning curve with a new application may seem obvious and easy to you, but for some, it’s not. Each person manages emails differently and uses different options. Migrating to Outlook means they need to change the way they work and learn the new app. There is a good chance that you will create a shock wave in your company if you block the native iOS Mail app and install the Microsoft Outlook app at the same time.

What about using both apps during a grace period? Users will be able to test the Outlook App, report any technical issues or request features. A kind of inside technical preview! Doing it this way won’t affect productivity.

Deploying Microsoft Outlook App

With Intune, you can configure a required deployment of the Microsoft Outlook app for iOS and target a group or all users. This ensures that all devices enrolled in Intune receive the Microsoft Outlook app.

  • Click on Add and select App Type iOS
  • Click on Search the App Store and type Outlook in the search field
  • Once you find Microsoft Outlook, select the app and click Select at the bottom

  • Review the information provided automatically by clicking on App information

  • Once you’re ready, click on Add at the bottom
  • The application is created but not assigned yet. To assign the application to a group, click on the Assignments blade and Add group

  • Select Required at Assignment type to enforce the app on mobile devices
  • Select Included Groups and choose which group you want to target, or use the two switches to deploy to all users or all devices. Once you have configured the included assignment, click on Ok at the bottom

  • If you want to exclude a specific group that doesn’t want to receive the app automatically, click on Excluded Groups and select the group
  • To save the assignment, don’t forget to click on Save at the top of the assignments blade.

App Protection Policy

Now that the application is being deployed to all your devices, it’s important to secure your app data in the Microsoft Outlook app for iOS. This containerizes your company data in the app and blocks copy/paste or Save As. MAM protects corporate data from moving from managed apps to a personal app.

  • To create an app protection policy, open your browser and navigate to https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/14/selectedMenuItem/Overview

  • Click on Add a policy and type a policy name
  • Make sure the platform is iOS and click on Select required apps
  • For a better user experience, check all apps and click Select at the bottom

  • Click on Configure required settings and change these settings
    • Allow the app to transfer data to other apps
      • Policy managed apps
    • Prevent “Save As”
      • Yes
    • Select which storage services corporate data can be saved to
      • OneDrive for Business
      • SharePoint
    • Restrict cut, copy and paste with other apps
      • Policy managed apps with paste in
  • Click on Ok at the bottom once you’re finished

  • Click Create at the bottom to save the new policy

Now that the policy is created, we will assign the policy to the same group we used to deploy Outlook app.

  • Click on your new policy and then click Assignments

  • Click on Select groups to include, choose the same group previously selected for Outlook app assignment and click Select

From now on, users who have already installed the Outlook app will start to get this popup on their iPhone.

Blocking Mail Native App with Conditional Access

The Outlook app is now deployed and users can use it securely. Users will start to use the application side by side with the iOS mail app. Consequently, users will use this time to learn functionalities and become familiar with the new app.

From experience, try to educate your users with videos or step-by-step guides. Explain to them how to use Microsoft support directly in the Outlook app. User Voice is also available to see which features are coming soon.

If some users no longer want to use the iOS Mail app and you are deploying an email profile with Intune, you can disable mail synchronization on the mobile device itself by going to Settings – Accounts & Passwords.

  • Click on your account and deactivate Mail

Important Info
If you deploy an email profile with your MDM, the email profile won’t be removed once you remove the profile deployment. Only a new enrollment will remove the email profile on your iOS devices.

Before going to the next step, wait from 2 weeks to 2 months, based on user expectations or CSO requirements. It’s a balance between productivity and security. Try to educate your users as much as you can before going further.

Are you now ready to block the native Mail app? Follow this step-by-step guide using Conditional Access.

  • Open your browser and navigate to conditional access blade https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
  • Click on New and type a policy name like Mail Native Block
  • In the Assignments section, click on Users and groups and, within the Include section, choose Select users and groups, then pick the same group you have been using since the beginning.
  • Once you’re finished, click Done at the bottom

  • Click on Cloud apps, select Office 365 Exchange Online to target email service and select Done at the bottom.

  • Click on Conditions blade, and select Device Platforms
  • Configure the conditions by clicking Yes, click on Include, select iOS platform and click Done at the bottom

  • Select Client apps (preview) and enable by selecting Yes
  • Enable these checkboxes
    • Mobile apps and desktop clients
    • Exchange ActiveSync clients
    • Other clients
  • Once you’re finished, click on Done twice at the bottom

  • In the Access controls section, click on Grant blade
  • Select Block access in the Grant section then click Select at the bottom

  • The conditional access rule is now configured and ready. Enable the policy by setting Enable Policy to Yes.
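
As an added example (not part of the original post), the following Python check audits a policy exported in the Microsoft Graph conditionalAccessPolicy JSON format against the settings chosen in the steps above. The function name, the sample export and the group ID are constructed for illustration.

```python
import json

EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online
CLIENT_TYPES = {"mobileAppsAndDesktopClients", "exchangeActiveSync", "other"}

def audit_block_policy(policy, group_id):
    """Return deviations from the block policy built in the steps above."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    findings = []
    if group_id not in (users.get("includeGroups") or []):
        findings.append("target group is not included")
    if "All" in (users.get("includeUsers") or []):
        findings.append("policy applies to all users, not only the target group")
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if EXCHANGE_ONLINE not in apps:
        findings.append("Office 365 Exchange Online is not targeted")
    # An empty platform condition means every platform, so desktops would be blocked too.
    platforms = (cond.get("platforms") or {}).get("includePlatforms") or []
    if [p.lower() for p in platforms] != ["ios"]:
        findings.append("device platform scope is not iOS only")
    missing = CLIENT_TYPES - set(cond.get("clientAppTypes") or [])
    if missing:
        findings.append("client apps not covered: " + ", ".join(sorted(missing)))
    grant = policy.get("grantControls") or {}
    if "block" not in (grant.get("builtInControls") or []):
        findings.append("grant control is not Block access")
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    return findings

# Constructed sample export (placeholder group ID): the Exchange ActiveSync
# checkbox was missed and the policy was left in report-only mode.
GROUP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE = json.loads("""
{"displayName": "Mail Native Block",
 "state": "enabledForReportingButNotEnforced",
 "conditions": {
   "users": {"includeGroups": ["11111111-2222-3333-4444-555555555555"]},
   "applications": {"includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]},
   "platforms": {"includePlatforms": ["iOS"]},
   "clientAppTypes": ["mobileAppsAndDesktopClients", "other"]},
 "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
""")

if __name__ == "__main__":
    for finding in audit_block_policy(SAMPLE, GROUP_ID):
        print("DEVIATION:", finding)
```

An empty result means the export matches the configuration from the steps; each returned string names one setting to recheck in the portal.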

User Behavior

Ask your users to open the native Mail app. If your rule works, you will see this warning email telling the user that access has been blocked.

From now on, users will need to use the Microsoft Outlook app. 🙂

Happy migration!

6 Comments on “Migrate Users from iOS Mail Native to Microsoft Outlook with Intune”

  1. For iOS Native Mail make sure you set the “Prevent Move” restriction in the native mail app configuration. Plus set the two Managed open in restrictions.

    The demos of native mail leaking will have these restrictions disabled.

    Also do not set the Only in Mail restriction as the mail will not be available in your managed work apps

  2. Hi Nicolas,

    the provided solution is not working on iOS device. Still Email profile has been configured in Native mail client app while enrolling iOS device into Intune.

    Conditional access policy, configuration policy and compliance policies are live in the environment. Still by default the native Email client will be configured automatically while enrolling the device into Intune.

    Need your immediate assistance to rectify the same.

    1. Hello Vinayak,

      I know it’s a 2-year-old comment. I hope you rectified the issue fast. Have you removed the native profile deployment at that time?