VMware Workspace ONE Community
RyanWampler
Enthusiast

Outlook app config settings

MS now supports app config settings in the Outlook for iOS and Android app: https://technet.microsoft.com/EN-US/library/mt829322(v=exchg.160).aspx
84 Replies
mponcin
Contributor

Luke/Michael, hi guys. We actually checked for these App Config settings and they worked on iOS. On Android devices we had to enroll with AFW in order to make it work; do you know why? We cannot figure out why some apps accept App Config values and some others require the device to be AFW enrolled. It would be such a huge problem if we have to re-enroll 3000 devices with the AFW method just to use Outlook. Thanks!
0 Kudos
CTRIM
Enthusiast

I had these working but then they stopped working.
Marcos, what is AFW?
0 Kudos
mponcin
Contributor

Hi Carl, with AFW I mean Android For Work, Enterprise Android.
0 Kudos
PeterMohr
Contributor

Android for Work / Android Enterprise is a requirement for doing App Config on Android (without the need for the AirWatch SDK). Can't really blame AirWatch for not working when the platform doesn't support the feature. Anyway. We all need to move to Android Enterprise since the current version (Android P) is the latest version that supports Android Legacy. After that you can't manage anything on Android without Android Enterprise. And yes, you do need to re-enroll your devices to migrate from Android Legacy => Android Enterprise 😞
0 Kudos
BWLADP
Contributor

Does anybody know how to configure the OneDrive app? I just want to configure the Email address field in the app.
0 Kudos
JamesKingJamesK
Contributor

I am also trying to find the config key to do this. Can anyone help?
0 Kudos
anonymousmigrat
Enthusiast

Outlook now supports configuration for ModernAuth as well. Made it work for another MDM vendor, trying to do the same with WS1 now. Will keep you posted if it's working.
https://docs.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...
0 Kudos
anonymousmigrat
Enthusiast

Made it work for O365 + ModernAuth (+ VIDM SSO) with these exact values:
com.microsoft.outlook.EmailProfile.EmailAddress    {EmailAddress}
com.microsoft.outlook.EmailProfile.AccountType     ModernAuth
IntuneMAMAllowedAccountsOnly                       Enabled
IntuneMAMUPN                                       {UserPrincipalName}
com.microsoft.outlook.EmailProfile.EmailUPN        {UserPrincipalName}
-> All values are Strings.
0 Kudos
DharmarajanSeet
Contributor

@Wannes

Sorry, disregard my previous statement. It worked seamlessly after adding
IntuneMAMAllowedAccountsOnly Enabled
IntuneMAMUPN {UserPrincipalName}
along with the other three you have mentioned above.

0 Kudos
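The two posts above list five key/value pairs and report that Outlook only configured itself once all five were present. The following check is an added example, not code from any poster or from VMware or Microsoft: it lints a proposed key/value set against those five pairs. The names THREAD_BASELINE, lint_app_config and SAMPLE_INCOMPLETE are hypothetical, and the sample input is constructed.

```python
# Added example: lint an Outlook app-config key/value set against the five
# pairs reported as working in this thread (O365 + ModernAuth).
# {EmailAddress} and {UserPrincipalName} are console lookup values, left as-is.
THREAD_BASELINE = {
    "com.microsoft.outlook.EmailProfile.EmailAddress": "{EmailAddress}",
    "com.microsoft.outlook.EmailProfile.AccountType": "ModernAuth",
    "com.microsoft.outlook.EmailProfile.EmailUPN": "{UserPrincipalName}",
    "IntuneMAMAllowedAccountsOnly": "Enabled",
    "IntuneMAMUPN": "{UserPrincipalName}",
}


def lint_app_config(pairs):
    """Return findings (strings) for a proposed set; an empty list means it matches."""
    findings = []
    for key, expected in THREAD_BASELINE.items():
        if key not in pairs:
            findings.append(f"missing key: {key}")
            continue
        value = pairs[key]
        if not isinstance(value, str):
            # The thread notes every value is entered as type String.
            findings.append(f"{key}: expected a String, got {type(value).__name__}")
        elif value != value.strip():
            # Padding copied along with a pasted value is easy to miss.
            findings.append(f"{key}: leading/trailing whitespace in {value!r}")
        elif value != expected:
            findings.append(f"{key}: {value!r} differs from thread value {expected!r}")
    # Report keys that match a baseline key except for letter case.
    by_lower = {k.lower(): k for k in THREAD_BASELINE}
    for key in pairs:
        if key not in THREAD_BASELINE and key.lower() in by_lower:
            findings.append(f"{key}: letter case differs from {by_lower[key.lower()]}")
    return findings


# Constructed sample: the three EmailProfile keys without the two IntuneMAM keys.
SAMPLE_INCOMPLETE = {
    k: v for k, v in THREAD_BASELINE.items() if k.startswith("com.microsoft.outlook.")
}

if __name__ == "__main__":
    for finding in lint_app_config(SAMPLE_INCOMPLETE):
        print(finding)
```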
Boe_K
Enthusiast

I've been able to get all the settings to push down to the app; however, the issue I have run into is the SEG sees it as an unmanaged app and as a result, per our policy, blocks it. What's funny is if you look at the device it shows the app as Public (Managed). Anyone else run into this?
0 Kudos
antherITguy
Enthusiast

Does anyone know if Outlook for iOS supports anything other than Basic Auth? I'm looking for Kerberos or certificate auth.
0 Kudos
MarkSchwantje
Enthusiast

For those using Office 365 with PowerShell integration, how are you preventing unmanaged mobile devices from using the Outlook app to access corporate email?

0 Kudos
RyanWampler
Enthusiast

Do you block all devices by default and then use PS to unblock those that are managed? If so, you don't have to do anything different to block the Outlook app. Now, if you want to allow managed devices to use the Outlook app and automatically unblock them, good luck. Since AW can't provision the Outlook app (thanks MS), it doesn't know to unblock it once enrolled. I've spoken to VMware about this and there's no good solution.
0 Kudos
MarkSchwantje
Enthusiast

Ryan - We have a Device Access Rule in place to block the Outlook app. For everything else, we quarantine by default and the PowerShell session on the AirWatch servers sends the command to automatically allow (remove from quarantine) Boxer and native Apple mail for managed devices. I'm assuming you're saying that we can't do the same thing with Outlook.
0 Kudos
RyanWampler
Enthusiast

That is my understanding and confirmed by VMware. If anyone comes up with some magic to make it happen, I'd love to know about it.
0 Kudos
PeterMohr
Contributor

With conditional access on Workspace ONE Identity Manager you will be able to allow access only for enrolled (and compliant) devices running Outlook apps to sync while blocking unknown/non-compliant devices. You need to federate your Office365 to VIDM or at least configure VIDM as a 3rd party IDP in your ADFS/STS setup. You MUST federate your Office365 domain away from login.microsoft.com for this to work 🙂

We've set this up also on MobileIron Access (iDM) and it works great there too.
0 Kudos
MarkSchwantje
Enthusiast

Peter - Can you explain further what you mean by this: 'You MUST federate your Office365 domain away from login.microsoft.com for this to work'?

Thanks.
0 Kudos
PeterMohr
Contributor

Sure! A domain in Office 365 can either be 'managed' or 'federated'. Managed domain users log in using 'login.microsoft.com' and federated domain users log in using whatever iDP you use. This is normally ADFS and the official guide for that is here:

https://blogs.technet.microsoft.com/askpfeplat/2017/02/06/convert-a-managed-domain-in-azure-ad-to-a-...

You can replace ADFS with VMware Workspace ONE Identity Manager and provide true SSO from both desktops (certs) and mobile devices (Kerberos).

If you configure this in VIDM to only allow cert or Kerberos login, then you will only grant access from managed devices (as only they have correct certs deployed). You can also disable basic auth on the ActiveSync protocol in Exchange Online leaving only modern auth (VIDM).

LOTS of cool stuff you can do with VIDM....

Peter
0 Kudos
Ramkumara11
Enthusiast

Hi Guys,
Happy new year all.
Is it possible to do this setup WITHOUT vIDM? We already have our compliance policy to block Outlook, as I am wondering how I'd bypass that.
We don't want unmanaged devices accessing Outlook without AirWatch enrollment.

Note: I have already set up the AW-related keys using the TechNet MS document.
0 Kudos
RyanWampler
Enthusiast

As far as I'm aware, it's still not possible to selectively allow only managed devices to access Outlook.
0 Kudos