Secure Outlook Mobile with App Protection Policies

Last week I wrote an article about how we can force our users to use Outlook Mobile on Android and iOS devices. In this new (followup) article we go one step further in securing mobile access to our Exchange Online mailboxes by applying App Protection Policies to Outlook. With Intune App Protection Policies (APP) we can secure the company data in the Outlook mobile app, whether the device is managed or unmanaged. For example we can restrict saving email attachments to the local device or copy/ paste text from Outlook to a unmanaged app.
APP is a Mobile Application Management solution which manages the application to secure company data and not the device itself. Policies are applied at the application level instead of the device level which is the case with a Mobile Device Management Solution.

Setup the App Protection Policy

  1. Open the Device Management Portal and click Client Apps
  2. Click App protection policies
  3. Click Create policy to create a new policy

  1. Give the APP a Name and Description (optional)
  2. Choose your Platform; Android or iOS
  3. Under Target to all app types choose Yes to target apps on devices of any management state.
    You can also choose No to choose one or two management states.

  1. Click the Apps tab
  2. Select all apps you want to associate with the APP
  3. Click Select

  1. Click the Settings tab
  2. Click Data Protection tab
  3. Make a decision on your required data protection settings
    For example prevent saving Org data to the local device, but allow saving to OneDrive and require encryption of Org data
  4. Click OK

  1. Click the Access requirements tab
  2. Make a decision on your required access requirement settings
    For example choose to require a PIN code to access the managed apps and the PIN type
  3. Click OK

  1. Click the Conditional launch tab
  2. Take note of the settings, most of the time the default settings are fine
  3. Click OK (twice) and click Create

When the App Protection Policy is created we need to assign the policy to a security group. On the assignments tab choose the group of your choice and click Save.

The App Protection policy is now active, but since this week we have the option to set Require app protection policy as part of a Conditional Access policy. A very usefull expansion of the options we already had in the CA policies to prevent access to company data when the APP is not yet applied.
To see how to create a CA policy and use this setting, have a look at my previous post where we created a CA policy.

End-User experience

In my lab I have already enabled the Conditional Access policy as described in the previous post to set Outlook Mobile as a required (approved) app to access Exchange Online. I also expanded the CA Policy with the control Require app protection policy which is applied to my test user.
The user experience is the same as in the previous post, when you sign-in to the Outlook app you need to download the broker app.

When the broker app is downloaded you need to register your device.

The difference now is, you get a message Your organization protects data in this app. The Outlook app needs a restart and the company profile is applied.

When you set a PIN code for access as a requirement, by opening Outlook you need to create a PIN code.
When the PIN code is created you are taken to your Inbox.

Now also have a look at some of the restrictions which are active on the work profile in Outlook. If you have added a work profile and a personal profile (Outlook, Hotmail), those restrictions are not applied to the personal profile. This is a great solution for bring your own devices.

One of the data protection restrictions we can set is to allow or block copy/paste actions. We can block copy/paste actions to unmanaged apps like in the below screen. You copy text in an email, but when you paste it in an unmanaged app you get the Message Your organization`s data cannot be pasted here.
Depending on the settings you set, it is allowed to paste in to Outlook from unmanaged apps and/ or it is allowed to copy/paste to another managed app.

Another restriction we can set is blocking a screen capture.

We can restrict opening web links to a managed browser. Especially when allowing access to on-premises hosted web applications via the AAD Application Proxy, this helps you to keep company data secure.

When you don`t want the contacts to be saved to the local mobile device, we have the option to block that. As you can see the switch to turn on contacts sync is not available.

Not only copy/ paste actions can be blocked, we can also restrict opening email attachments. Below Word an attachment cannot be opened outside of the managed apps. When the user installs Word on his mobile device (Word is part of the managed apps list I selected) he is allowed to open the Word file.

We cannot only restrict opening email attachments, but also control if and where we can save those attachments. We can restrict saving attachments to the local device, but allow saving directly in to OneDrive or SharePoint. Another option is to completely block saving attachments.

Besides all those visible controls for the end-user it is also a good idea to set the encryption requirement on. This will encrypt the company data in the managed app.

Perform a App Selective Wipe

Because App Protection Policies is an Application Management Solution, we can perform a wipe action from the Intune portal on the application level. To perform an App Selective Wipe follow below steps.

  1. Open the Device Management Portal
  2. Click Client appsApp selective wipeCreate wipe request

  1. Click the User tab
  2. Search for the user and select the user
  3. Click the Device tab
  4. Select the device which need to be wiped
  5. Click Create

Back at the Selective Wipe tab we can see the status of the wipe request. If the device is connected to the internet, the wipe is started immediately after creating the request.

At the mobile device the company data is removed from the app. In Outlook the company profile is completely removed.

By following this and the previous article, we have deployed Outlook in a secure way!

Share This!


  1. Since when do we need a broker app with APP(MAM)? This due to the fact you used ‘required client’ in the CA policy? Then this is not really byod/mam anymore cause user has to register and enroll the device. Is it a AAD registration or intune enrollment when using the CP/broker app ?

    • You get this user experience when you set Require approved client app and/ or Require app protection policy in a CA policy. If you don`t use such a CA policy, users can still bypass the APP.
      And yes the device is AAD Registered.

Leave a Reply

Your email address will not be published.