Secure Outlook Mobile with App Protection Policies

Last week I wrote an article about how we can force our users to use Outlook Mobile on Android and iOS devices. In this new (followup) article we go one step further in securing mobile access to our Exchange Online mailboxes by applying App Protection Policies to Outlook. With Intune App Protection Policies (APP) we can secure the company data in the Outlook mobile app, whether the device is managed or unmanaged. For example we can restrict saving email attachments to the local device or copy/ paste text from Outlook to a unmanaged app.
APP is a Mobile Application Management solution which manages the application to secure company data and not the device itself. Policies are applied at the application level instead of the device level which is the case with a Mobile Device Management Solution.

Setup the App Protection Policy

  1. Open the Device Management Portal and click Client Apps
  2. Click App protection policies
  3. Click Create policy to create a new policy

  1. Give the APP a Name and Description (optional)
  2. Choose your Platform; Android or iOS
  3. Under Target to all app types choose Yes to target apps on devices of any management state.
    You can also choose No to choose one or two management states.

  1. Click the Apps tab
  2. Select all apps you want to associate with the APP
  3. Click Select

  1. Click the Settings tab
  2. Click Data Protection tab
  3. Make a decision on your required data protection settings
    For example prevent saving Org data to the local device, but allow saving to OneDrive and require encryption of Org data
  4. Click OK

  1. Click the Access requirements tab
  2. Make a decision on your required access requirement settings
    For example choose to require a PIN code to access the managed apps and the PIN type
  3. Click OK

  1. Click the Conditional launch tab
  2. Take note of the settings, most of the time the default settings are fine
  3. Click OK (twice) and click Create

When the App Protection Policy is created we need to assign the policy to a security group. On the assignments tab choose the group of your choice and click Save.

The App Protection policy is now active, but since this week we have the option to set Require app protection policy as part of a Conditional Access policy. A very usefull expansion of the options we already had in the CA policies to prevent access to company data when the APP is not yet applied.
To see how to create a CA policy and use this setting, have a look at my previous post where we created a CA policy.

End-User experience

In my lab I have already enabled the Conditional Access policy as described in the previous post to set Outlook Mobile as a required (approved) app to access Exchange Online. I also expanded the CA Policy with the control Require app protection policy which is applied to my test user.
The user experience is the same as in the previous post, when you sign-in to the Outlook app you need to download the broker app.

When the broker app is downloaded you need to register your device.

The difference now is, you get a message Your organization protects data in this app. The Outlook app needs a restart and the company profile is applied.

When you set a PIN code for access as a requirement, by opening Outlook you need to create a PIN code.
When the PIN code is created you are taken to your Inbox.

Now also have a look at some of the restrictions which are active on the work profile in Outlook. If you have added a work profile and a personal profile (Outlook, Hotmail), those restrictions are not applied to the personal profile. This is a great solution for bring your own devices.

One of the data protection restrictions we can set is to allow or block copy/paste actions. We can block copy/paste actions to unmanaged apps like in the below screen. You copy text in an email, but when you paste it in an unmanaged app you get the Message Your organization`s data cannot be pasted here.
Depending on the settings you set, it is allowed to paste in to Outlook from unmanaged apps and/ or it is allowed to copy/paste to another managed app.

Another restriction we can set is blocking a screen capture.

We can restrict opening web links to a managed browser. Especially when allowing access to on-premises hosted web applications via the AAD Application Proxy, this helps you to keep company data secure.

When you don`t want the contacts to be saved to the local mobile device, we have the option to block that. As you can see the switch to turn on contacts sync is not available.

Not only copy/ paste actions can be blocked, we can also restrict opening email attachments. Below Word an attachment cannot be opened outside of the managed apps. When the user installs Word on his mobile device (Word is part of the managed apps list I selected) he is allowed to open the Word file.

We cannot only restrict opening email attachments, but also control if and where we can save those attachments. We can restrict saving attachments to the local device, but allow saving directly in to OneDrive or SharePoint. Another option is to completely block saving attachments.

Besides all those visible controls for the end-user it is also a good idea to set the encryption requirement on. This will encrypt the company data in the managed app.

Perform a App Selective Wipe

Because App Protection Policies is an Application Management Solution, we can perform a wipe action from the Intune portal on the application level. To perform an App Selective Wipe follow below steps.

  1. Open the Device Management Portal
  2. Click Client appsApp selective wipeCreate wipe request

  1. Click the User tab
  2. Search for the user and select the user
  3. Click the Device tab
  4. Select the device which need to be wiped
  5. Click Create

Back at the Selective Wipe tab we can see the status of the wipe request. If the device is connected to the internet, the wipe is started immediately after creating the request.

At the mobile device the company data is removed from the app. In Outlook the company profile is completely removed.

By following this and the previous article, we have deployed Outlook in a secure way!

The App Protection Policy can be expanded with the requirement of a minimum Threat Level by integrating a Mobile Threat Defense Partner with Intune as you can read in this post.


  1. Since when do we need a broker app with APP(MAM)? This due to the fact you used ‘required client’ in the CA policy? Then this is not really byod/mam anymore cause user has to register and enroll the device. Is it a AAD registration or intune enrollment when using the CP/broker app ?

    • You get this user experience when you set Require approved client app and/ or Require app protection policy in a CA policy. If you don`t use such a CA policy, users can still bypass the APP.
      And yes the device is AAD Registered.

      • Its actually based on OS. iOS doesn’t require the Intune Company Portal app and the controls are fully within the apps. On android, MAM policies will require the Intune Company Portal – but an important note is you don’t need to login to the portal app at all, it just needs to be on the device – the apps use it on the backend as the broker for Android. Logging into the portal app is only necessary in regards to full MDM and device policies.

        CA is really not necessary for the experience described above, if you apply MAM correctly you will force a pin, or secure the data regardless of a CA policy. This article is also missing that iOS MAM policies do not have an option for blocking screen capture.

        Directly from Microsoft on Android:
        “The Company Portal app is required for all apps that are associated with app protection policies on Android devices.

        For devices that are not enrolled in Intune, the Company Portal app must be installed on the device. However, the user does not have to launch or sign into the Company Portal app before they can use apps that are managed by app protection policies.

        The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in Intune.”

        Directly from Microsoft on iOS
        “If the device is not enrolled in Intune, the user is asked to restart the app when they first use it. A restart is required so that app protection policies can be applied to the app.

        For devices that are enrolled for management in Intune, the user sees a message that their app is now managed.”

        • Also note, the only reason your device is AAD registered and the only reason you had to have the device registered with the Company Portal App (or Authenticator app on iOS) is because you are using the CA policy. This would largely only be good if you plan to push MDM level controls instead of MAM controls down to all devices. I would avoid this if you don’t want to enforce the use of the broker app for BYOD.

          From Microsoft:
          “In order to leverage this grant control, Conditional Access requires that the device be registered in Azure Active Directory which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.”

          “- Apps for app protection policy support the Intune mobile application management feature with policy protection.”
          ” – The Require app protection policy requirements:
          Only supports the iOS and Android for device platform condition.
          A broker app is required to register the device. On iOS, the broker app is Microsoft Authenticator and on Android, it is Intune Company Portal app.”

  2. How often will a user be prompted to enter their PIN / touch ID to access the Outlook app controlled by App Protection policy? I have timeout set to default of 30 mins and yet I never seem to get prompted for PIN even if the device is left overnight now? Will just unlocking the phone with fingerprint unlock the Outlook app by default?

    • Depending on Android version and/ or vendor there might be a settings ‘Use one lock’. Set to enabled it uses one lock for the work profile and device screen. Might be located under Accounts or in the separate Work profile settings section.

  3. Peter voor welke licentie structuur is dit? ik heb 1 beheerder en 30 business standaards. werkt dat hier op? welke licenties heb ik allemaal nodig om dit te laten werken?

    • Pieter,

      As it involves Intune and Azure AD, for this you need licenses. That means you should purchase an EMS license (instead of separate an Intune and AZure AD license).



Leave a Reply

Your email address will not be published.