Bonjour everyone. We are back with another interesting topic: configuring email settings for Android devices in Intune. This article covers the email apps that Intune supports for Android, deploying the email app, and configuring email settings for the Outlook app.
Email settings can be configured using App configuration policies. These App configuration policies can be delivered through the Mobile Device Management OS channel for enrolled devices or through the Mobile Application Management channel.
In Intune, we can create App configuration policies in 2 ways: Managed devices or Managed applications. When app configuration policies are created using the Managed devices option, the devices should be enrolled in and managed by Intune.
When app configuration policies are created using Managed applications, the app should be integrated with the Intune SDK or wrapped with the Intune wrapping tool to support the App Protection Policies. This way, we can create App configuration policies and deploy them to users even if the devices are enrolled in 3rd-party MDM solutions.
Supported Email Apps in Intune
Microsoft Intune supports email configuration for various email apps available in public app stores. However, Microsoft recommends using Outlook, Gmail, and Nine for Work on Android, and Outlook and the native email client on iOS. The configurations help to preconfigure and customize the email apps for users based on your organization’s requirements.
Deploy Email Apps to Users
As discussed above, Intune supports various email client apps for email access. Once we decide on the email client for the organization, we must deploy the app from Intune to end-user devices. Deploy the Email app for Android Enterprise devices using the article. Instead of the Edge browser (used as an example in the article), search for any email app and assign the app as required for end users.
Similarly, deploy the Email app for iOS devices using the article, and assign the app to end users as required based on your organization’s requirements. Now that we have deployed the Email app to the end user, let’s see how to configure email settings using the app configuration policy.
Configure Email Settings using the App Configuration Policy
In this article, we will discuss the email settings or App configuration policies for the Outlook app (which most organizations use), as it is ideal for Exchange Online. As discussed above, we can deploy App configuration policies in 2 ways.
If you are using Application Protection policies to manage the apps, it is better to create App configuration policies using the Managed applications option. Create an App configuration policy using Managed devices to target only Intune-enrolled devices.
Create App Configuration Policies for Managed Devices
In the steps below, let’s see how we can configure email settings using App configuration policies for Managed devices.
- Sign in to the Microsoft Endpoint Manager admin center https://intune.microsoft.com/.
- Select Apps > App Configuration policies > Add > Managed devices.
Now enter the Name and Description of the policy. Notice that the Device Enrolment type is selected as Managed Devices. Under Platform, select iOS/iPadOS or Android Enterprise. If you select Android Enterprise, choose a Profile Type: Corporate devices, Personally Owned Work Profile Only, or a policy for all types of Android Enterprise devices. Select Outlook as the targeted app and click Next.
NOTE! Make sure you have already added the required apps from the public store for iOS/iPadOS, and that the Managed Google Play Store app is published in Intune.
On the configuration page, we can configure the Configuration settings, which control the Outlook app, and the S/MIME settings, which are used for encrypting and signing emails. Let’s see what we can configure for the Outlook app.
Permissions: In this section, we grant permissions to the Outlook app so that the user is not asked to provide them while setting up the app. Various permissions can be enabled, but I have chosen a couple. When we select the permissions, the default permissions given by users will be overridden and set to the permissions we have set.
For each permission, we can choose one of the three options in the table below.
Permission | Action on App |
---|---|
Prompt | The user will be prompted for permission. |
Auto Grant | App permission will be granted, and the user is not prompted for permission. |
Auto Deny | The app will be denied from accessing the permissions, and the user will not be prompted for permission. |
Now let’s configure the features and email configurations for the Outlook app. These are configured under the Configuration Settings section. Select the Configuration Settings format: with Enter JSON data, we need to provide the restrictions in JSON format; with Use Configuration Designer, we need to enable the toggles next to each setting. In this article, I have chosen Use Configuration Designer.
Email Account Configuration
Under the Email Account Configurations section, we have configurations related to email. We can configure the authentication type, username, and email attributes from Azure Active Directory. Let’s configure them as below.
- Configure email account settings: Select Yes if you want to configure the email settings for the Outlook app; otherwise, leave it as No.
- Authentication Type: When we select Yes to configure email account settings, we select the authentication type for users. We have two options: Basic Authentication and Modern Authentication. Select Modern Authentication for Office 365, Microsoft 365, or on-premises accounts using hybrid modern authentication.
- Username Attribute from AAD: We need to specify the username attribute for the email profile that will be used to authenticate the account. Select User Principal Name as the attribute.
- Email address Attribute from AAD: Select the email address attribute for sending and receiving the emails. I have selected the Primary SMTP Address.
- Allow only work or school accounts: Enable this setting to allow only work accounts and block personal accounts from being configured in the Outlook app.
NOTE! All email configuration settings above will vary from organization to organization based on how your Exchange team has configured the environment. Please get in touch with your Exchange team before configuring the settings.
We can also configure the app behavior or features of the Outlook app. These are configured under the General app configuration. Let’s see which options are available to configure.
- Focused Inbox: Focused Inbox separates important and regular emails by creating two tabs in the Outlook app, Focused and Others. All important emails reside in the Focused tab. When set to OFF, the Focused tab in the inbox is removed.
- Save Contacts: When selected ON, the Outlook app lets users save contacts to the local address book. We can choose to allow users to change the settings by selecting YES.
- Suggested Replies: When set ON, users will get suggested replies while replying to an email. We can choose to allow users to change the settings by selecting YES.
- Block External images: If you want to block downloading images embedded in the Email and hosted over the Internet, select ON.
- Organize mail by Thread: Outlook app organizes emails as conversations. Select OFF to show the emails as individual mail instead of conversations.
- Sync calendar: Select ON if you want to allow the Outlook calendar to sync with the native calendar.
I have chosen the important settings that most organizations use. A few other settings are available: Discovery Feed shows the most frequently used Office files when set to ON, and External Recipients MailTip notifies users when they add external email addresses while composing new emails. Configure the Outlook app’s general settings as per your requirements.
We can also configure some additional configurations which are not shown in the settings using the JSON editor. When you click ADD, search for the configuration settings and set the required value.
Connected Apps: If you want to enable users to view work or school information across the connected apps, set the value to Enable. This will show both work and personal account data together. This setting only works for personal devices with a work profile and corporate devices with a work profile.
Intune also allows us to configure Secure/Multipurpose Internet Mail Extensions (S/MIME), allowing users to send and receive digitally signed and encrypted emails. Let’s see the available settings that can be configured.
- Enable S/MIME: Select Yes to enable S/MIME while composing an email. Admins can choose to allow users to change the setting by selecting YES.
- Encrypt all emails: Select Yes, to encrypt all emails. This will convert the data to cipher text that can only be read by the intended recipients.
- Sign all emails: When set to YES, all emails are digitally signed. The signature lets the recipient verify the authenticity of the email and ensures that it was not tampered with on its way from the sender.
- LDAP URL: Define the LDAP hostname where the clients can get the public encryption key for email recipients.
After configuring the required settings, click Next to go to the Assignment blade, add the required user groups, and click Next to Review and Create the policy.
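As an added example (not from the original article or from Microsoft), the Python script below audits a JSON export of the Outlook policy against three of the settings discussed above: Authentication Type, Allow only work or school accounts, and Block External images. The key names and the `managedProperty` layout are assumptions based on Microsoft's Outlook mobile app configuration documentation, and the sample policy is constructed.

```python
import json

# Constructed sample export (Android Enterprise managed-configuration layout).
# Key names are assumptions from Microsoft's Outlook mobile documentation,
# not from this article; confirm them against your own policy export.
SAMPLE_POLICY = json.dumps({
    "kind": "androidenterprise#managedConfiguration",
    "productId": "app:com.microsoft.office.outlook",
    "managedProperty": [
        {"key": "com.microsoft.outlook.EmailProfile.AccountType",
         "valueString": "BasicAuth"},
        {"key": "com.microsoft.outlook.Mail.BlockExternalImagesEnabled",
         "valueBool": False},
    ],
})

# Baseline: key -> (expected value, or None for "must be set", reason).
BASELINE = {
    "com.microsoft.outlook.EmailProfile.AccountType":
        ("ModernAuth", "basic authentication selected for the profile"),
    "com.microsoft.outlook.Mail.BlockExternalImagesEnabled":
        (True, "externally hosted images load automatically"),
    "com.microsoft.intune.mam.AllowedAccountUPNs":
        (None, "personal accounts can be added to Outlook"),
}

def load_properties(policy_json):
    """Flatten managedProperty entries to {key: value} for any value* field."""
    props = {}
    for entry in json.loads(policy_json).get("managedProperty", []):
        props[entry.get("key")] = next(
            (v for k, v in entry.items() if k.startswith("value")), None)
    return props

def audit(policy_json):
    """Return (key, problem, reason) for every baseline setting not met."""
    props, findings = load_properties(policy_json), []
    for key, (expected, reason) in BASELINE.items():
        actual = props.get(key)
        if isinstance(actual, str) and actual.lower() in ("true", "false"):
            actual = actual.lower() == "true"  # booleans exported as strings
        if actual in (None, ""):
            findings.append((key, "not set", reason))
        elif expected is not None and actual != expected:
            findings.append((key, f"is {actual!r}, want {expected!r}", reason))
    return findings

if __name__ == "__main__":
    for key, problem, reason in audit(SAMPLE_POLICY):
        print(f"{key}: {problem} ({reason})")
```

Running the check before assigning the policy to user groups catches a profile that still uses basic authentication or leaves personal accounts allowed.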
End-User Experience
Now let’s see the behavior on the user’s device in the screenshots below. I have enrolled my personal Android device with an Android for Work profile.
I downloaded the Outlook app, launched it, and clicked on Add Account. As I had configured Email settings, the email address populated automatically, and it configured the account without asking for a password.
Once the account was configured, I was prompted to allow S/MIME configurations that are created by the Admin to block images from external sources. Once the configurations are applied, the Focused tab is removed. You can observe that in the above screenshot.
Conclusion
Till now, we have discussed the settings based on Managed devices. Intune also lets us configure App configuration policies based on Managed apps. We will discuss next how to create an email configuration for Android devices using the Managed apps method. Till then, have a nice read.
Author
About Author – Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and macOS.
This did not work for managed devices using the Outlook iOS app. The MS documentation says that the app has to be installed directly from the comp portal. If we use Apple VPP, will this work??