Enabling Outlook for iOS and Android in Exchange Online


Applies to: Exchange Online, Office 365

Topic Last Modified: 2017-04-05

Summary: How to enable Outlook for iOS and Android in your Exchange Online environment, and how to get the full benefits of the app.

There are two key tasks necessary to set up and enable Outlook for iOS and Android.

  1. Set up Outlook for iOS and Android as the primary email app for your end users to connect to their Exchange mailboxes. This involves both blocking other email apps from connecting to your mailboxes and ensuring that Outlook for iOS and Android itself is not blocked.

  2. In order to protect company data on individual devices, set up Microsoft Intune, Office 365 MDM, or the mobile device access and mobile device mailbox policies available in the Exchange Admin Center.

    Note:
    See Additional access management methods later in this article if you'd rather implement an Exchange Web Services (EWS) application policy or client access rules in order to manage mobile device access in your organization.

Outlook for iOS and Android should be enabled by default, but in some existing Exchange Online environments the app may be blocked for a variety of reasons. Once an organization decides to standardize how users access Exchange data and use Outlook for iOS and Android as the only email app for end users, you can configure blocks for other email apps running on users' iOS and Android devices. You have two options for instituting these blocks: the first option blocks all devices and only allows usage of Outlook for iOS and Android; the second option allows you to block individual devices from using the native Exchange ActiveSync apps.

You can define a default block rule and then configure an allow rule for Outlook for iOS and Android, and for Windows devices, using the following commands. This configuration will prevent any non-Windows Exchange ActiveSync native app from connecting, and will only allow Outlook for iOS and Android.

  1. Create the default block rule:

    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
    
  2. Create an allow rule for Outlook for iOS and Android:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Allow
    
  3. Create rules that allow Outlook on Windows devices for Exchange ActiveSync connectivity (WP refers to Windows Phone, WP8 refers to Windows Phone 8 and later, and WindowsMail refers to the Mail app included in Windows 10):

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WP" -AccessLevel Allow
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WP8" -AccessLevel Allow
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "WindowsMail" -AccessLevel Allow
    
    
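The following script is an added example (not part of the original article) that verifies the configuration built in steps 1 to 3: it checks that DefaultAccessLevel is Block, that each expected Allow rule exists with an exact QueryString, flags any Block rule aimed at Outlook, and summarizes which existing partnerships are now blocked and why. It assumes a connected Exchange Online PowerShell session; the property names used (DefaultAccessLevel, DeviceAccessState, DeviceAccessStateReason) are those returned by the cmdlets in this article.

```powershell
# Added verification script: confirm the default-block + allow-rule configuration
# and show its impact on current Exchange ActiveSync partnerships.
$expectedAllow = @(
    @{ Characteristic = 'DeviceModel'; QueryString = 'Outlook for iOS and Android' },
    @{ Characteristic = 'DeviceType';  QueryString = 'WP' },
    @{ Characteristic = 'DeviceType';  QueryString = 'WP8' },
    @{ Characteristic = 'DeviceType';  QueryString = 'WindowsMail' }
)

$org = Get-ActiveSyncOrganizationSettings
if ($org.DefaultAccessLevel -ne 'Block') {
    Write-Warning "DefaultAccessLevel is '$($org.DefaultAccessLevel)'; unknown devices are not being blocked."
}

$rules = Get-ActiveSyncDeviceAccessRule
foreach ($e in $expectedAllow) {
    # QueryString does not accept wildcards or partial matches, so compare exactly here too
    $match = $rules | Where-Object {
        $_.Characteristic -eq $e.Characteristic -and
        $_.QueryString -eq $e.QueryString -and
        $_.AccessLevel -eq 'Allow'
    }
    if (-not $match) {
        Write-Warning "Missing Allow rule: $($e.Characteristic) = '$($e.QueryString)'"
    }
}

# A Block rule whose QueryString starts with "Outlook" conflicts with the allow rule for the app
$rules | Where-Object { $_.AccessLevel -eq 'Block' -and $_.QueryString -like 'Outlook*' } |
    ForEach-Object { Write-Warning "Block rule targets Outlook: $($_.Name) ($($_.Characteristic)='$($_.QueryString)')" }

# Impact view: partnerships that are currently blocked, grouped by device type and reason,
# so legitimate users locked out by the new default can be spotted quickly
Get-MobileDevice |
    Where-Object { $_.DeviceAccessState -eq 'Blocked' } |
    Group-Object DeviceType, DeviceAccessStateReason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```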

Alternatively, you can block native Exchange ActiveSync apps on specific Android and iOS devices or other types of devices.

  1. Confirm that there are no Exchange ActiveSync device access rules in place that block Outlook for iOS and Android:

    Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*"} | ft Name,AccessLevel,QueryString -auto
    

    If any device access rules that block Outlook for iOS and Android are found, type the following to remove them:

    Get-ActiveSyncDeviceAccessRule | where {$_.AccessLevel -eq "Block" -and $_.QueryString -like "Outlook*"} | Remove-ActiveSyncDeviceAccessRule
    
  2. You can block most Android and iOS devices with the following commands:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Android" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Block
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPod" -AccessLevel Block
    
    
  3. Not all Android device manufacturers specify “Android” as the DeviceType. Manufacturers may specify a unique value with each release. In order to find other Android devices that are accessing your environment, execute the following command to generate a report of all devices that have an active Exchange ActiveSync partnership:

    Get-MobileDevice | Select-Object DeviceOS,DeviceModel,DeviceType | Export-CSV c:\temp\easdevices.csv
    
  4. Create additional block rules, depending on your results from Step 3. For example, if you find your environment has a high usage of HTCOne Android devices, you can create an Exchange ActiveSync device access rule that blocks that particular device, forcing the users to use Outlook for iOS and Android. In this example, you would type:

    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "HTCOne" -AccessLevel Block
    
    Note:
    The QueryString parameter does not accept wildcards or partial matches.
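As an added example (not part of the original article) covering steps 3 and 4, this script replaces the CSV export with an in-session report: it groups current partnerships by DeviceType, shows which types already have a DeviceType access rule, and previews (with -WhatIf, so nothing is changed) an exact-match Block rule for each type that has no rule and is not one of the intended clients. It assumes a connected Exchange Online PowerShell session and that "Outlook" and the Windows DeviceType values from this article are the clients you intend to keep.

```powershell
# Added discovery script: which DeviceType values are connecting, and which lack a rule.
$rules = Get-ActiveSyncDeviceAccessRule | Where-Object { $_.Characteristic -eq 'DeviceType' }

# DeviceType values that should not get a Block rule: the app itself and the Windows clients
$keep = @('Outlook', 'WP', 'WP8', 'WindowsMail')

$report = Get-MobileDevice |
    Group-Object DeviceType |
    Sort-Object Count -Descending |
    ForEach-Object {
        $type = $_.Name
        $rule = $rules | Where-Object { $_.QueryString -eq $type } | Select-Object -First 1
        [pscustomobject]@{
            DeviceType  = $type
            Devices     = $_.Count
            SampleOS    = ($_.Group | Select-Object -First 1).DeviceOS
            RuleName    = if ($rule) { $rule.Name } else { '(none)' }
            AccessLevel = if ($rule) { $rule.AccessLevel } else { 'DefaultAccessLevel applies' }
        }
    }
$report | Format-Table -AutoSize

# Candidates for a new exact-match Block rule (QueryString takes no wildcards, so one rule per value)
$candidates = $report | Where-Object { $_.RuleName -eq '(none)' -and $_.DeviceType -notin $keep }
foreach ($c in $candidates) {
    # -WhatIf previews the rule; remove it once the candidate list has been reviewed
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString $c.DeviceType -AccessLevel Block -WhatIf
}
```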


Protecting company or organizational data on users' mobile devices is extremely important. Office 365 provides three methods for doing so:

  1. Recommended: Microsoft Intune (requires a separate purchase, or the purchase of the Microsoft EMS suite).

  2. Office 365 MDM solution, which is included with Office 365.

  3. PIN lock and encryption options available through mobile device access and mobile device mailbox policies in the Exchange Admin Center.

For more details and resources for implementing each of these three options, see Managing devices for Outlook for iOS and Android in Exchange Online.

If you don't want users in your organization to access Exchange data with Outlook for iOS and Android, you have two options.

  • Option 1: Block Outlook for iOS and Android on both the iOS and Android platforms

  • Option 2: Block Outlook for iOS and Android on a specific mobile device platform

Every Exchange organization has different policies regarding security and device management. If an organization decides that Outlook for iOS and Android doesn't meet their needs or is not the best solution for them, administrators have the ability to block the app. Once the app is blocked, mobile Exchange users in your organization can continue accessing their mailboxes by using the built-in mail applications on iOS and Android.

The New-ActiveSyncDeviceAccessRule cmdlet has a Characteristic parameter, and there are three Characteristic options that administrators can use to block the Outlook for iOS and Android app. The options are UserAgent, DeviceModel, and DeviceType. In the two blocking options described in the following sections, you will use one or more of these characteristic values to restrict the access that Outlook for iOS and Android has to the mailboxes in your organization.

The values for each characteristic are displayed in the following table:

Characteristic   String for iOS                String for Android
DeviceModel      Outlook for iOS and Android   Outlook for iOS and Android.
DeviceType       Outlook                       Outlook
UserAgent        Outlook-iOS/2.0               Outlook-Android/2.0

With the New-ActiveSyncDeviceAccessRule cmdlet, you can define a device access rule, using either the DeviceModel or DeviceType characteristic. In both cases, the access rule blocks Outlook for iOS and Android across all platforms, and will prevent any device, on both the iOS platform and Android platform, from accessing an Exchange mailbox via the app.

The following are two examples of a device access rule. The first example uses the DeviceType characteristic; the second example uses the DeviceModel characteristic.

New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Outlook" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel -QueryString "Outlook for iOS and Android" -AccessLevel Block

With the UserAgent characteristic, you can define a device access rule that blocks Outlook for iOS and Android across a specific platform. This rule will prevent a device from using Outlook for iOS and Android to connect on the platform you specify. The following examples show how to use the device-specific value for the UserAgent characteristic.

To block Android and allow iOS:

New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Block
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Allow

To block iOS and allow Android:

New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-Android/2.0" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic UserAgent -QueryString "Outlook-iOS/2.0" -AccessLevel Block

Beyond Microsoft Intune, Office 365 MDM, and mobile device policies, there are two additional methods for managing the access that mobile devices have to information in your organization:

  • Exchange Web Services (EWS) application policies

  • Client access rules

An EWS application policy can control whether or not applications are allowed to leverage the REST API. Note that when you configure an EWS application policy that only allows specific applications access to your messaging environment, you must add the user-agent string for Outlook for iOS and Android to the EWS allow list.

The following example shows how to add the user-agent strings to the EWS allow list:

Set-OrganizationConfig -EwsAllowList @{Add="Outlook-iOS/*","Outlook-Android/*"}

If you aren't using an EWS application policy but are still controlling application access to EWS, ensure that EWS is not disabled for your organization or for the individual mailboxes owned by users of Outlook for iOS and Android. The following commands will enable EWS at the organization and mailbox levels:

Set-OrganizationConfig -EwsEnabled:$true
Set-CASMailbox <mailbox> -EwsEnabled:$true

Where <mailbox> is the ID of the mailbox for which you want to enable EWS.

For more information, see How to: Control access to EWS in Exchange.

Client access rules are like transport rules for client connections to your Exchange Online environment. Conditions and exceptions are applied to each connection attempt based on the properties of the user or the properties of the client connection.

Because client access rules affect only the management of the protocol session that the client is utilizing, you will need to ensure that the REST API is allowed access (this is done with a client access rule). Otherwise, Outlook for iOS and Android users will not be able to connect and access their mailboxes.

The following example shows how to allow the REST API access:

New-ClientAccessRule -Action AllowAccess -Name AllowREST -AnyOfProtocols REST

Note that you can't use the AnyOfClientIPAddressesOrRanges or ExceptAnyOfClientIPAddressesOrRanges parameters to manage Outlook for iOS and Android. This is due to the Office 365-based architecture that is leveraged by Outlook for iOS and Android.


Be aware that EWS application policies and client access rules function independently in an Exchange Online organization. Client access rules only have knowledge of a given client's protocol session. This means the following:

When you have a client access rule that allows the REST session

  • If Outlook for iOS and Android is specified in the EWS block list, then the Outlook for iOS and Android app is blocked from connecting (due to the EWS Application policy definition).

  • Conversely, if Outlook for iOS and Android is specified in the EWS allow list, then users can connect.

When you have a client access rule that blocks the REST session

  • If Outlook for iOS and Android is specified in the EWS block list, then users of the app are blocked from connecting (due to the client access rule definition).

  • If Outlook for iOS and Android is specified in the EWS allowed list, then users are still blocked from connecting (due to the client access rule definition).
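The script below is an added example (not part of the original article) that applies the four cases above to a tenant's actual settings: it reads the EWS application policy and lists from Get-OrganizationConfig, looks for enabled client access rules that deny the REST protocol, and reports the combined outcome for Outlook for iOS and Android. It assumes a connected Exchange Online PowerShell session, uses the user-agent patterns from this article, and treats a DenyAccess rule with no protocol condition as applying to all protocols; user-scoped conditions and exceptions on client access rules are not evaluated.

```powershell
# Added check: effective access for Outlook for iOS and Android under the EWS policy
# and the client access rules together.
$agents = @('Outlook-iOS/*', 'Outlook-Android/*')
$cfg = Get-OrganizationConfig

# 1. EWS application policy outcome for the app's user-agent patterns
$ewsVerdict = 'allowed'
if ($cfg.EwsEnabled -eq $false) {
    $ewsVerdict = 'blocked: EWS disabled for the organization'
}
elseif ($cfg.EwsApplicationAccessPolicy -eq 'EnforceAllowList') {
    $missing = $agents | Where-Object { $_ -notin $cfg.EwsAllowList }
    if ($missing) { $ewsVerdict = "blocked: not in EwsAllowList ($($missing -join ', '))" }
}
elseif ($cfg.EwsApplicationAccessPolicy -eq 'EnforceBlockList') {
    $listed = $agents | Where-Object { $_ -in $cfg.EwsBlockList }
    if ($listed) { $ewsVerdict = "blocked: listed in EwsBlockList ($($listed -join ', '))" }
}

# 2. Client access rules: an enabled DenyAccess rule covering REST (explicitly, or with no
#    protocol condition at all, assumed here to mean all protocols) blocks the session
$restDeny = Get-ClientAccessRule | Where-Object {
    $_.Enabled -and $_.Action -eq 'DenyAccess' -and
    (-not $_.AnyOfProtocols -or $_.AnyOfProtocols -contains 'REST')
} | Sort-Object Priority
$carVerdict = if ($restDeny) { "blocked by rule(s): $(($restDeny.Name) -join ', ')" } else { 'allowed' }

# 3. Combined result: the app connects only when neither mechanism blocks it
[pscustomobject]@{
    EwsPolicy        = $cfg.EwsApplicationAccessPolicy
    EwsOutcome       = $ewsVerdict
    ClientAccessRule = $carVerdict
    OutlookAppAccess = if ($ewsVerdict -eq 'allowed' -and $carVerdict -eq 'allowed') { 'allowed' } else { 'blocked' }
} | Format-List
```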
