Provide support for AirWatch MDM for Office 365 business
My office IT admin declines permission for the Outlook app to access my work email, which is on Outlook 365 business. The admin says it is because the Outlook app does not support AirWatch MDM, which is required for them to be able to remote wipe in case of loss of device. This should receive high priority since the app is so much better than the native email apps on Android and iOS.
We use Intune and the Company Portal app for device management. When a user goes to add his work email to Outlook for Android, he gets prompted to enroll his device in Intune first. When enrolling his device, he is asked to download the "Company portal" app and make it Device Administrator to enforce security requirements like passcode, encryption, etc. in the Intune policy. The user activates Device Administrator for the "Company portal" app, updates security settings to meet the requirements set in the Intune policy, and completes device registration.
Now that his device meets all the security requirements from the Intune policy, he comes back to Outlook to add his work email, but Outlook prompts to be Device Administrator again if the Exchange ActiveSync policy assigned to the mailbox requires a password, even though his device already meets the password requirement. The user is now confused. He just activated Device Administrator for the Company portal app and he is seeing the same prompt again. The user does not understand that this second Device Administrator prompt is for Outlook.
Therefore, we would like to request the "Outlook for Android" PG to add a mechanism to detect if the device is already managed by Intune or any other MDM. If it is managed by MDM or Intune, defer to Intune/MDM policies for security restrictions, ignore the EAS policy, and do not prompt for Outlook to become Device Administrator.
The "What if I have non-EMM provided apps that uses device admin?" section in the FAQ at <https://developers.google.com/android/work/device-admin-deprecation> also recommends that apps add a mechanism to detect if the device is MDM managed. The article says this detection can be achieved via a token exchange through Mobile Configuration Management (MCM). So we would like Outlook for Android to explore this.
The workaround we were given to avoid this double "Device Administrator" prompt was to remove the EAS policy from the mailbox or remove all password restrictions from the EAS policy. We have tried this approach, but it is turning out to be difficult to manage given that there are scenarios where some mailboxes are exempt from Intune enrollment. The EAS policy is the only way to enforce security restrictions on those mailboxes, so we now have to continuously run a script to identify new accounts that are exempt from Intune enrollment and assign an EAS policy with password restrictions to them. If for some reason the script does not run, we risk having mailboxes that can connect from unprotected mobile devices.
Oliver Hare commented
The key issue here is that the Outlook ActiveSync record created on the mailbox is only showing very limited information. It doesn't provide any information like a native ActiveSync record does to allow either the IMEI or device IDs to be aligned with the enrolled mobile phone.
Petri Räsänen commented
AirWatch app config settings for O365...
Justin Delpero commented
Please enable AirWatch MDM integration so that we can configure and deploy Outlook app configurations and manage ActiveSync connections.
We have the same issue in our company and we need to have a solution provided by Microsoft.
Ryan Wampler commented
MS's refusal to allow 3rd party MDMs to manage mobile Office app settings is hindering our ability to provide a quality client experience.
Allow deployment through MDM solutions like AirWatch.
Anthony Ross [DATACOM] commented
Currently I cannot manage my mail profile on Android unless Knox is installed.
I suggest you allow the Outlook app to be managed by Office 365 or Intune.
There is presently no other way to update a mobile fleet unless we use AirWatch and Samsung.
This is a huge opportunity to fill in a gap and promote uptake of Outlook on Android and uptake of O365 or Intune.
Malay Nayak commented
EMM MDM API integration