Managing Outlook for iOS and Android in Exchange Online
Summary: This article describes best practices for managing mobile devices with Outlook for iOS and Android in Exchange Online.
Outlook for iOS and Android give users the fast, intuitive email and calendar experience, while being the only app to provide support for the best features of Microsoft 365 and Office 365. In addition, Microsoft provides many utilities for managing and protecting company data on mobile devices in your Exchange Online organization.
Options for managing devices and applications
Customers looking to manage Outlook for iOS and Android have the following options:
Recommended: The Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra Conditional Access.
Basic Mobility and Security for Microsoft 365.
Third-party Unified Endpoint Management solutions.
Mobile Device Access and Mobile Device Mailbox Policies.
Note
For implementation details on each of these three options, see Securing Outlook for iOS and Android in Exchange Online.
Microsoft recommends that customers use the features of the Enterprise Mobility + Security suite to protect corporate data on mobile devices, due to the advanced capabilities provided by these services.
Important
When the user authenticates in Outlook for iOS and Android, Exchange Online mobile device access rules (allow, block, or quarantine) are skipped if there are any Microsoft Entra Conditional Access policies applied to the user that include:
- Cloud app condition: Exchange Online or Office 365
- Device platform condition: iOS and/or Android
- Client apps condition: Mobile apps and desktop client
- One of the following Grant access controls: Require device to be marked as compliant, Require approved client app or Require app protection policy.
Note
When using mobile device cmdlets such as Get-MobileDevice to check the status of a device, the timestamp for Outlook for iOS and Android synchronization, indicated by the LastSyncTime property, may be up to 15 minutes behind the actual time of synchronization. While device synchronization does occur in real time, the returned time stamp may lag behind.
Using Enterprise Mobility + Security
The richest and broadest protection capabilities for Microsoft 365 and Office 365 data are available when you subscribe to the Enterprise Mobility + Security suite. This suite includes Microsoft Intune, Azure Information Protection, and Microsoft Entra ID P1 or P2 features, such as conditional access.
Note
While the Enterprise Mobility + Security suite subscription includes licenses for both Microsoft Intune and Microsoft Entra ID, customers can purchase Microsoft Intune licenses and Microsoft Entra ID P1 or P2 licenses separately. All users must be licensed to leverage the conditional access and Intune app protection policies discussed in this article.
Intune provides mobile application management (MAM) capabilities, and other conditional access and device management capabilities. With Intune app protection policies, you can restrict actions on corporate data between apps managed by Intune and unmanaged apps. For example, cut, copy, paste, and "save as." For more information, see How to create and assign app protection policies. Additionally, the Intune-managed Outlook apps include a new multi-identity management feature that enables users to access both their personal and work email accounts in the same Outlook app while only applying the Intune app protection policies to the user's work account. This feature provides a much more seamless user experience.
Conditional access is a capability of Microsoft Entra ID that enables you to centrally enforce app access controls based on specific conditions. By using conditional access policies, you can apply the right access controls under the required conditions. Microsoft Entra Conditional Access provides you with added security when such security is needed, and it stays out of your users' way when it isn't.
Key features of the Enterprise Mobility + Security suite with Outlook for iOS and Android:
Conditional access. Microsoft Entra ID ensures that Exchange Online email can be accessed only when the conditional access requirements are met. For more information on device enrollment, see What is Conditional Access?.
Intune app protection. Outlook for iOS and Android allows you to protect your corporate data with Intune app protection policies. This method is a great option for "bring your own device" (BYOD) scenarios where you want to keep corporate data safe without managing a user's devices. For more information on Intune app protection policies, see Protect app data using mobile app management policies with Microsoft Intune.
Device enrollment. Intune lets you manage your workforce's devices and apps, and how they access your company data. Outlook for iOS and Android ensures that Exchange Online email is accessible only on managed and compliant phones and tablets. When users sign in to the Outlook app on an unmanaged mobile device, Outlook prompts users to enroll the device in Intune by using the Azure conditional access policy, and then validates that the device meets organizational standards of device compliance.
Device management and reporting. The enrollment process allows organizations to set and manage security policies. For example, enforce device-level PIN lock, require data encryption, and block compromised devices to prevent untrusted devices from accessing corporate email and data. Each enrolled device appears in the Microsoft 365 admin center, and reporting is available to provide details on the devices that access your corporate data.
Selective wipe. Microsoft Intune can remove email data from Outlook for iOS and Android, while leaving any personal email accounts intact (whether the device is enrolled or not). This feature is an increasingly important requirement as more businesses adopt a "bring your own device" approach to phones and tablets.
Using Basic Mobility and Security for Microsoft 365
Basic Mobility and Security for Microsoft 365 provides device management capabilities at no extra cost. Microsoft Intune powers these basic capabilities, providing a core set of controls in the Microsoft 365 admin center for organizations that need the basics.
There's no native capability to control which apps can be used, even after a device is enrolled. If you want to limit access to Outlook for iOS and Android, you need Microsoft Entra ID P1 or P2 licenses to use conditional access policies.
Outlook for iOS and Android fully supports the capabilities provided by Basic Mobility and Security for Microsoft 365.
For detailed information, see the following resources:
Manage settings and features on your devices with Microsoft Intune policies
Instructions for your end-users to enroll a device in Basic Mobility and Security: Enroll your mobile device using Basic Mobility and Security
Using Third-Party Unified Endpoint Management Solutions
Third-party unified endpoint management providers can deploy the Outlook for iOS and Android the same way they would deploy any iOS or Android app, using their existing tools. They can also apply important, universal device management controls. For example, device PIN, device encryption, device wipe, and more.
Third-party providers can also deploy certain app configuration settings, like account setup, organization allowed accounts mode, and general app configuration settings, to Outlook for iOS and Android; for more information, please see Deploying Outlook for iOS and Android app configuration settings.
To manage and protect corporate data within the app (for example, restrict cut, copy, paste, and "save as" actions with corporate data), customers need to use Microsoft's Enterprise Mobility + Security suite.
Using Mobile Device Access and Mobile Device Mailbox Policies
Microsoft recommends that customers use either the Enterprise Mobility + Security suite or the built-in Basic Mobility and Security for Microsoft 365 to manage company data on mobile devices, due to the advanced capabilities provided by those services. Outlook for iOS and Android does support mobile device access and mobile device mailbox policies (formerly known as Exchange Active Sync policies), which are available through the Exchange admin center.
Outlook for iOS and Android supports the following Exchange mobile device mailbox policy settings:
Device encryption enabled
Min password length (only on Android)
Password enabled
Allow Bluetooth (used to manage the Outlook for Android wearable app when Intune App Protection Policies aren't in use)
- When this setting is enabled (it's enabled by default) or configured for HandsfreeOnly, Outlook synchronization between the Android device and the wearable device is allowed for the work or school account.
- When this setting is disabled, Outlook synchronization between the Android device and the wearable device isn't allowed for the work or school account (and any previously synced data for the account is deleted). Disabling the synchronization is controlled entirely within Outlook itself. Bluetooth isn't disabled on the device or wearable nor is any other wearable app affected.
For information on how to create or modify an existing mobile device mailbox policy, see Mobile device mailbox policies in Exchange Online.
Exchange administrators can also initiate a remote device wipe against Outlook for iOS and Android using Exchange admin center. After receiving the remote wipe request, the app removes the Outlook profile and all data associated with it.
Note
Outlook for iOS and Android only supports the Wipe Data remote wipe command and does not support Account Only Remote Wipe Device as defined in the Exchange admin center. For more information on how to perform a remote wipe, see Perform a remote wipe on a mobile phone.
For more information about Microsoft Intune, see Documentation for Microsoft Intune.