Outlook mobile policies and app protection

How to govern Outlook mobile on iOS and Android — app protection policies, security settings, and feature controls.

Outlook for iOS and Android is by far the most-used mobile app for Microsoft 365 email — and for many users, the place they spend most of their workday. Governing it well matters both for security and user experience.

App protection policies (MAM-WE)

The headline control: Intune App Protection Policies apply to Outlook mobile on personal and corporate devices alike. Without enrolling the device in MDM, IT can:

  • Require a PIN or biometric to open the app.
  • Encrypt corporate data stored by Outlook.
  • Block copy/paste from Outlook to personal apps.
  • Block screenshots in some scenarios.
  • Force "open in" managed apps — attachments open in Word / Excel / PowerPoint with their own MAM policies, not in third-party apps.
  • Conditional launch — block sign-in if the device is jailbroken, OS is below minimum, or app is older than minimum.
  • Remote wipe of corporate data inside Outlook without touching the personal device.

A typical baseline: PIN required, encryption on, no copy-paste to personal apps, no save to local files, screenshots blocked, conditional launch on jailbreak. Most users don't notice the restrictions in normal use; the security uplift is significant.

Outlook-specific mobile configuration

Beyond MAM, Outlook has its own configurable settings:

  • Focused Inbox on / off / user-choice.
  • Notification settings — Focused-only notifications, all-mail notifications, or custom.
  • Email signatures — corporate signature pushed via cloud signatures.
  • Calendar settings — default reminder times, work hours.
  • External-account restrictions — block adding personal Gmail / iCloud accounts to the same Outlook instance.
  • Biometric unlock behaviour.

These are configured in Intune → Apps → App configuration policies, with the app type set to Microsoft Outlook.

Conditional Access integration

The Conditional Access policy that ties this all together:

For users accessing Office 365 from iOS or Android, require:

  • Approved client app (only Microsoft mobile apps like Outlook, Teams, OneDrive — not native iOS Mail).
  • App protection policy required.

With this policy in place, the only path to corporate email on a personal phone is Outlook with MAM. iOS native Mail can't sign in (it doesn't support MAM); third-party email clients can't sign in either.
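
To check an exported policy against this pattern, the following added example (not from the original page or from Microsoft's tooling) audits one policy in Microsoft Graph conditionalAccessPolicy JSON form. It assumes both grant controls must be satisfied together (operator AND); the sample policy, its display name and the function name are constructed for illustration.

```python
import json

# Constructed sample shaped like a Microsoft Graph conditionalAccessPolicy
# export; the display name and values are illustrative, not from a real tenant.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "Mobile: approved app with app protection (constructed)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "applications": {"includeApplications": ["Office365"]},
    "platforms": {"includePlatforms": ["iOS"]}
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["approvedApplication", "compliantApplication"]
  }
}
""")

REQUIRED_PLATFORMS = ("android", "ios")
REQUIRED_CONTROLS = {"approvedApplication", "compliantApplication"}


def audit_mobile_ca_policy(policy):
    """Return the gaps between one policy and the pattern described above."""
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    if policy.get("state") != "enabled":  # report-only or disabled blocks nothing
        findings.append("not enforced: state=%s" % policy.get("state"))
    plat = cond.get("platforms")
    if plat:  # an absent platform condition applies to every platform
        included = {p.lower() for p in plat.get("includePlatforms") or []}
        excluded = {p.lower() for p in plat.get("excludePlatforms") or []}
        for name in REQUIRED_PLATFORMS:
            if name in excluded or not included & {name, "all"}:
                findings.append("platform not covered: " + name)
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    if not apps & {"Office365", "All"}:
        findings.append("Office 365 not in scope")
    controls = set(grant.get("builtInControls") or [])
    for name in sorted(REQUIRED_CONTROLS - controls):
        findings.append("grant control missing: " + name)
    # Under OR, either control alone grants access, so an approved app with no
    # app protection policy applied would still be allowed to sign in.
    if REQUIRED_CONTROLS <= controls and grant.get("operator") != "AND":
        findings.append("controls combined with OR, not AND")
    return findings
```

The constructed sample is report-only, covers iOS but not Android, and combines the two controls with OR, so the audit reports three gaps.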

Account-restriction options

For organisations with a strong BYOD posture, the multi-account behaviour of Outlook mobile matters:

  • Restrict to organisational accounts only — prevent users adding personal Gmail accounts to the same app instance.
  • Force corporate account as primary — when both work and personal accounts exist.

These prevent data leakage scenarios where users accidentally compose a work email from their personal account or vice versa.

Common pitfalls

  • Native iOS Mail confusion — some users prefer it; the right answer is to block it via Conditional Access while making Outlook genuinely good for them.
  • Push notification expectations — over-aggressive notification policies cause users to disable notifications entirely.
  • Authenticator app dependency — Outlook mobile relies on the Authenticator app for some MFA scenarios; ensure both are deployed together.
  • Personal Microsoft accounts — block them on the work app instance if the BYOD posture requires it.

For Microsoft 365 customers serious about mobile security, Outlook + Intune App Protection + Conditional Access is the standard pattern. Setup is moderate; operational benefit is durable.