Using Intune you can secure and configure applications on unmanaged devices. This is called “Mobile application management without enrollment” (MAM-WE). In this blog I will show how to configure and secure email on an unmanaged Android/iOS device using the Outlook app for iOS and Android. To secure and configure email I will configure conditional access policies, an app protection policy and, for the configuration, an App Configuration policy.
Separate data layers using an App Protection policy
In the following picture you can see that corporate data is secured on an unmanaged device and can only be opened with applications which are allowed to open corporate data. Other apps like Twitter or Facebook are not allowed to open the corporate data.
Advantages of MAM-WE:
- Can be used when a device is already enrolled with a different Intune tenant
- Outlook widgets can be used (optional)
- The Outlook address book can be synced with personal contacts (this is important if you use WhatsApp)
- Company data is protected at app level
Disadvantages of MAM-WE:
- Every application needs to be configured before it is protected.
- Not all apps support App Protection policies; support can be added by using the Intune App Wrapping Tool.
- Software needs to be installed manually by the user.
- The Company Portal is required for MAM-WE.
- Only a single managed account is allowed on a device.
Before we start with the configuration you will need the following:
- A test user with an Azure AD account and the following licenses:
  - Conditional access policies require an Azure AD Premium P1 license
  - App protection policies require a Microsoft Intune license
  - An Office 365 license for Exchange Online
- An Azure AD group containing the test user, used to apply the policies
I’ve created a group “Secure Mobile Outlook” and a test user “Cynthia Carey” who is a member of this group.
Conditional Access policies
To secure the company data on unmanaged Android and iOS devices we only want users to connect to Exchange Online using the mobile app “Outlook for iOS and Android”. To prevent users from connecting with a different mail client we need to configure conditional access policies. Depending on your situation you will need to configure one or two conditional access policies. If you only allow Modern Authentication you will have to configure one access policy, but if you still allow basic authentication an additional access policy has to be created for this protocol. In this blog I will configure both conditional access policies. I will be using the MEM admin center, but you can also configure this in the Azure Portal.
Conditional access for Exchange ActiveSync
Let’s start with the conditional access policy for Exchange ActiveSync clients. This policy will prevent users from using clients other than “Outlook for iOS and Android” when they connect to Exchange Online using Exchange ActiveSync.
1. Go to “Endpoint Security” -> “Conditional access” or press here. Press “+New policy” to create a new Conditional Access policy.
2. Enter a name, I will call this policy “CA – iOS & Android – Outlook – EAS clients”. Assign the policy to the group with the testuser “Secure Mobile Outlook”
3. Select “Cloud apps or actions” go to “Include” -> “Select apps” and select “Office 365 Exchange Online”
4. Select “Conditions” -> “Device platforms” -> set “Configure” to Yes, select the device platforms “Android” and “iOS” and press “Done”
5. Select “Conditions” -> “Client apps” -> set “Configure” to Yes, select the legacy authentication client type “Exchange ActiveSync clients” and press “Done”
6. Select “Access Controls” -> “Grant” and select “Grant access” -> “Require approved client app” and press “Select”
7. The final step is to enable the policy and press “Create” to finish.
Conditional access for Modern Authentication
Now we will create the conditional access policy for Modern Authentication clients. This policy will prevent users from using clients other than “Outlook for iOS and Android” when they connect to Exchange Online using Modern Authentication, and it requires the use of MFA.
8. Go to “Endpoint Security” -> “Conditional access” or press here. Press “+New policy” to create a new Conditional Access policy.
9. Enter a name, I will call this policy “CA – iOS & Android – Outlook – Modern authentication clients”. Assign the policy to the group with the testuser “Secure Mobile Outlook”
10. Select “Cloud apps or actions” go to “Include” -> “Select apps” and select “Office 365 Exchange Online”
11. Select “Conditions” -> “Device platforms” -> set “Configure” to Yes, select the device platforms “Android” and “iOS” and press “Done”
12. Select “Conditions” -> “Client apps” -> set “Configure” to Yes, select the modern authentication client type “Mobile apps and desktop clients” and press “Done”
13. Select “Access Controls” -> “Grant” and select “Grant access” -> select “Require multi-factor authentication” and “Require approved client app”. Press “Select” to continue.
14. The final step is to enable the policy and press “Create” to finish.
With the Conditional Access policies configured it should not be possible to use a mail client other than Outlook on an iOS or Android device to connect. Let’s see what happens when the test user Cynthia tries to add an email account in a mail client which is not in the approved client apps list, for example the native Samsung mail app. The following message will appear; notice the line “It looks like you’re trying to open this resource with an app that hasn’t been approved by your IT department”.
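The two policies built in steps 1 to 14 can also be created through Microsoft Graph, which is useful when you want them in source control or need to recreate them in a second tenant. The following is an added example, not code from the original post. It assumes a bearer token with the Policy.ReadWrite.ConditionalAccess scope in the GRAPH_TOKEN environment variable and the object id of the “Secure Mobile Outlook” group in CA_GROUP_ID; the property and enum names are those of the Graph conditionalAccessPolicy resource, and the Exchange Online application id is the well-known first-party id.

```python
"""Create the two Conditional Access policies from the walkthrough via
Microsoft Graph (POST /identity/conditionalAccess/policies).

Added example, not the post's own code. Assumes GRAPH_TOKEN (bearer token with
Policy.ReadWrite.ConditionalAccess) and CA_GROUP_ID (object id of the
"Secure Mobile Outlook" group) in the environment.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known first-party application id of Office 365 Exchange Online,
# the "Cloud app" selected in steps 3 and 10.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"


def _base_policy(name: str, group_id: str, state: str) -> dict:
    """Conditions both policies share: assigned to the test group, scoped to
    Exchange Online, limited to the Android and iOS platforms."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["android", "iOS"]},
        },
    }


def build_eas_policy(group_id: str, state: str = "enabled") -> dict:
    """Steps 1-7: Exchange ActiveSync clients must be an approved client app."""
    policy = _base_policy("CA - iOS & Android - Outlook - EAS clients", group_id, state)
    policy["conditions"]["clientAppTypes"] = ["exchangeActiveSync"]
    # Single control, so the operator does not matter; "OR" is the portal default.
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["approvedApplication"]}
    return policy


def build_modern_auth_policy(group_id: str, state: str = "enabled") -> dict:
    """Steps 8-14: modern-auth mobile clients need MFA *and* an approved app."""
    policy = _base_policy(
        "CA - iOS & Android - Outlook - Modern authentication clients", group_id, state
    )
    policy["conditions"]["clientAppTypes"] = ["mobileAppsAndDesktopClients"]
    # "AND" = "Require all the selected controls" in the portal.
    policy["grantControls"] = {
        "operator": "AND",
        "builtInControls": ["mfa", "approvedApplication"],
    }
    return policy


def create_policy(token: str, policy: dict) -> dict:
    """POST one policy body to Graph and return the created object."""
    req = urllib.request.Request(
        f"{GRAPH}/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    group_id = os.environ.get("CA_GROUP_ID", "<group-object-id>")  # placeholder
    token = os.environ.get("GRAPH_TOKEN")
    for policy in (build_eas_policy(group_id), build_modern_auth_policy(group_id)):
        if token:
            print("created", create_policy(token, policy)["id"])
        else:  # no token: only show the request bodies that would be sent
            print(json.dumps(policy, indent=2))
```

Two policies are needed rather than one because the grant controls differ: MFA cannot be required for Exchange ActiveSync clients, so only the modern authentication policy carries the `mfa` control. Passing `state="enabledForReportingButNotEnforced"` creates the policies in report-only mode, which lets you check the sign-in logs before turning them on. Note that “Require approved client app” (`approvedApplication`) only checks that the client is on Microsoft’s approved list; “Require app protection policy” (`compliantApplication`) additionally verifies that an App Protection policy has actually been delivered to the app.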
App protection policies
The CA policies have been configured. The test user will only be able to connect to their mail account with Outlook. The next step is to secure the corporate data; this can be accomplished using an App protection policy. Using these policies you can protect corporate data on managed and unmanaged devices. App protection policies can prevent data relocation, e.g. restrict printing, saving copies, cut, copy, and paste. Additional access security can also be set, like requiring a PIN code and preventing the app from opening on a jailbroken device.
App protection policy for Outlook
App protection policies need to be created separately for each OS type. I will only create the App protection policy for Android, but the policy for iOS is almost similar, so the same steps can be used to create the App protection policy for iOS.
15. Go to “Apps” -> “App protection policies” or press here. Press “+Create policy” and select “Android” to create a new App protection policy.
16. Enter a name and press “Next”
17. Because this Protection policy will be only used for unmanaged devices I will select only Unmanaged, but you can also target other device types if you want to use the same policy. Press “+ Select public apps” to add “Microsoft Outlook”. Press “Next” to continue.
18. Select the Data protection settings you want to apply. These settings will protect the corporate data in Outlook. For this demo I will set “Screen capture and Google Assistant” to “Block” and “Restrict cut, copy, and paste between other apps”. Press “Next” to continue.
19. Select the Access requirements you want to apply to Outlook to prevent unwanted access. By default a 4-digit PIN code has to be entered after a reboot or 30 minutes of inactivity. For this demo I will change it to 6 digits. Press “Next” to continue.
20. In the Conditional launch tab you can edit settings for how long an application can run offline and after how many days offline a selective wipe will be performed (more info here). Device conditions can also be set, for example whether a jailbroken device can be used. I will use the default settings and press “Next” to continue.
21. Apply any additional Scope tags (optional) and press “Next” to continue.
22. Assign the policy to the testgroup “Secure Mobile Outlook” and press “Next” to continue.
23. Press “Create” to create and assign the App Protection policy to the testuser.
After the app protection policy has been applied, it’s no longer possible to take screenshots of your mailbox. You will see an error “Couldn’t save screenshot” (screenshot left). When you copy data from Outlook and paste it outside the Outlook profile, the message “Your organization’s data cannot be pasted here” (screenshot right) will be pasted instead of the copied data.
App Configuration Policies
App Configuration policies can be used to preconfigure settings for users. Using an App Configuration policy, settings are supplied automatically when the app is configured on the end user’s device. This way users don’t have to configure (global) settings themselves and there will be more consistency in application configuration across users. App configuration policies can be used on managed applications and devices. The policies are available for Android, iOS and iPadOS.
App Configuration policy for Outlook
In this blog we will create an App Configuration policy for Outlook. Because the configuration policy will be applied to unmanaged devices it will be a managed apps policy.
24. Go to “Apps” -> “App configuration policies” or press here. Press “+Add” and select “Managed apps” to create a new App configuration policy.
25. Enter a name for the policy and press “+ Select public apps” to add the public apps “Outlook for Android and iOS/iPadOS”. Press “Next” to continue.
26. On the Settings page you can configure the settings you want to preconfigure for users. In this demo I will disable the “Focused inbox” and disable “Organize mail by thread”. Press “Next” to continue.
27. Apply any additional Scope tags (optional) and press “Next” to continue.
28. Assign the policy to the testgroup “Secure Mobile Outlook” and press “Next” to continue.
29. Press “Create” to create and assign the App Configuration policy to the testuser.
After the app configuration policy has been applied, “Focused inbox” and “Organize email by thread” will be disabled by default. Users will still be able to change the setting if they would like to enable the Focused inbox or organize email by thread.
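The App Protection policy from steps 15 to 23 and the App Configuration policy from steps 24 to 29 map to two Graph resources. The block below is an added example, not code from the original post, and it assumes: a bearer token with DeviceManagementApps.ReadWrite.All in GRAPH_TOKEN; that the property names follow the Graph androidManagedAppProtection and targetedManagedAppConfiguration resource types (the portal label “Screen capture and Google Assistant” is assumed to be `screenCaptureBlocked`); that Outlook is attached afterwards with the `targetApps` action; and that the two Outlook configuration keys are the documented `com.microsoft.outlook.Mail.*` keys. Group assignment (steps 22 and 28) is a separate `assign` action and is not shown.

```python
"""Graph request bodies for the Android App Protection policy and the Outlook
App Configuration policy from the walkthrough.

Added example, not the post's own code. Assumptions: GRAPH_TOKEN holds a bearer
token with DeviceManagementApps.ReadWrite.All; property names follow the
androidManagedAppProtection / targetedManagedAppConfiguration resources; apps are
attached with the targetApps action after the policy is created.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Outlook identifiers on both platforms (Android package id, iOS bundle id).
OUTLOOK_ANDROID = {
    "mobileAppIdentifier": {
        "@odata.type": "#microsoft.graph.androidMobileAppIdentifier",
        "packageId": "com.microsoft.office.outlook",
    }
}
OUTLOOK_IOS = {
    "mobileAppIdentifier": {
        "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
        "bundleId": "com.microsoft.Office.Outlook",
    }
}


def build_app_protection(name: str, pin_length: int = 6) -> dict:
    """Steps 17-20: unmanaged devices only, screenshots blocked, paste-out to
    unmanaged apps blocked, numeric PIN of the given length, rooted/jailbroken
    devices blocked (deviceComplianceRequired is the default, kept explicit)."""
    if pin_length < 4:
        raise ValueError("Intune requires a PIN of at least 4 characters")
    return {
        "@odata.type": "#microsoft.graph.androidManagedAppProtection",
        "displayName": name,
        "appGroupType": "selectedPublicApps",
        "targetedAppManagementLevels": "unmanaged",
        # Assumed mapping of the portal's "Screen capture and Google Assistant: Block".
        "screenCaptureBlocked": True,
        # "Restrict cut, copy, and paste between other apps":
        # policy-managed apps with paste-in allowed.
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "pinRequired": True,
        "pinCharacterSet": "numeric",
        "minimumPinLength": pin_length,
        "deviceComplianceRequired": True,
    }


def build_app_configuration(name: str) -> dict:
    """Step 26: Focused Inbox and threaded view off by default. The matching
    *.UserChangeAllowed keys are left at their default (true), so the user can
    still switch either setting back on, exactly as described in the post."""
    return {
        "displayName": name,
        "appGroupType": "selectedPublicApps",
        "customSettings": [
            {"name": "com.microsoft.outlook.Mail.FocusedInbox", "value": "false"},
            {"name": "com.microsoft.outlook.Mail.ThreadedMode", "value": "false"},
        ],
    }


def graph_post(token: str, path: str, body: dict) -> dict:
    """POST a body to a Graph path; actions such as targetApps return 204."""
    req = urllib.request.Request(
        f"{GRAPH}{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return {} if resp.status == 204 else json.load(resp)


if __name__ == "__main__":
    protection = build_app_protection("APP - Android - Outlook - unmanaged")
    config = build_app_configuration("ACP - Outlook - managed apps")
    token = os.environ.get("GRAPH_TOKEN")
    if not token:  # no token: only print the bodies that would be sent
        print(json.dumps({"appProtection": protection, "appConfiguration": config}, indent=2))
    else:
        app_path = "/deviceAppManagement/androidManagedAppProtections"
        created = graph_post(token, app_path, protection)
        graph_post(token, f"{app_path}/{created['id']}/targetApps", {"apps": [OUTLOOK_ANDROID]})
        cfg_path = "/deviceAppManagement/targetedManagedAppConfigurations"
        created = graph_post(token, cfg_path, config)
        graph_post(token, f"{cfg_path}/{created['id']}/targetApps",
                   {"apps": [OUTLOOK_ANDROID, OUTLOOK_IOS]})
```

The App Protection body is Android-only, matching the post; the iOS equivalent is the iosManagedAppProtection resource with the same data-protection and PIN properties. The configuration policy targets both platforms in one policy, which is what the portal’s “Managed apps” type does as well.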
For the Conditional access and App protection policies to work the user needs to have the Company Portal installed on Android. If the Company Portal has not been installed before setup, it needs to be installed during the configuration of the email account. I’ve created two GIFs to show the difference in setup. The left GIF shows adding the mail account with the Company Portal installed and the right one without it.
For the App Protection policy to work the Company Portal is required, but the user does not have to launch or sign in to the Company Portal. It’s important to instruct your users not to log in to the Company Portal, because this will enroll their device in Intune. As you can see in the screenshot below, there is only a “Sign In” button and not a “Close” button to close the Company Portal and continue setup.
By combining Conditional access, an App protection policy and an App configuration policy you can use Intune to secure corporate data and pre-configure settings. Because of the requirement for the Company Portal, the installation can be a real hassle. Therefore it’s important to create instructions for users on what to do with the Company Portal, to prevent unwanted Intune enrollments if you allow personal enrollment of Android devices for all users.
In my next blog I will show how you can Monitor policies on unmanaged devices.
hello, Aad, thanks for this great post. I have one question about that.
How do you manage to force Outlook mobile apps as the only email client on unmanaged devices? The idea is that I don’t want to force only Outlook mobile apps on the managed devices.
Thanks for your help.
May I ask why you would allow managed devices to use other email clients?
You can add the condition Device State to the Conditional Access policy and configure it to exclude devices which are marked as compliant. This will exclude managed devices (compliant devices) from the conditional access policy. Another way is by limiting the Assignment from all users to a specific group with users who are allowed to use unmanaged devices.
best regards, Aad
Clearest set of guidelines I’ve seen on this – thanks!
Do you know if iOS has to use Microsoft Authenticator for unmanaged devices? I don’t have an Apple device to hand and want to email staff what they will see on connecting their devices.
There is no need for the Microsoft Authenticator app. Once the App protection policy is applied, the user is prompted to restart the app.
I have consultants that will have our corporate accounts, but be working at a client site where they are also given a client account.
Is it possible to setup MAM-WE connected to company tenant, and then have Company Portal logged in to a client tenant. On Android, the Work profile would be managed by a Client thru MDM, but under the personal profile M365 Apps are managed through MAM?
Yes, this is possible, but I’m not sure if it’s officially supported by Microsoft. To make this work you need to take an additional step to enable the company portal in the personal profile. In the past, the company portal remained active in the personal profile, but nowadays it is disabled after the work profile is configured. You can do this by opening the play store in the personal profile and searching for Company portal. Then select enable and the Company Portal is active again in the personal profile. Now the App protection policy will be applied in the personal profile.
best regards, Aad
I notice with this configuration you have to install the broker app on iOS, just like you install the Company Portal app on Android.
Do you see this too? Without the broker app (MS Authenticator) MAM-WE is not working anymore.
That’s correct, app-based conditional access needs a broker app. For iOS you need the Authenticator app and for Android the Microsoft Company Portal. More information about this can be found here.