App Configuration Mobile devices for Microsoft office 365 apps

andrewbeard
New Contributor II

Hi guys

Has anyone been able to set up an Office 365 account via an email variable in the mobile device app configuration box? E.g. the iPad Microsoft Word app. Is it even possible? Any help or guidance would be awesome.

26 REPLIES

PAC
Contributor

I would also like to know this answer

er1ca2000
New Contributor II

Same. And I am reading this post nearly 2 years later!

Kayla_durance
New Contributor

Yes! I am looking for an answer also.

miregan
Contributor II

How would you pass the password?

er1ca2000
New Contributor II

Same. I have been scouring the internet. The closest I came was this page:
https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/configure-ios-apps-with-app-configuration-policies#example-format-for-the-mobile-app-configuration-xml-file

But... of course it has not a word about the keys we need to set for Excel. Boy, I tell you. They are certainly proud of Intune and whatever built-in MDM they have with Office 365. Even in all the documentation I have read so far, not 1 single hint of a code example.

Malcolm
Contributor II

@er1ca2000 I've been looking into this also... couldn't figure out if they needed the {{ or a single { or none... and using wildcards, so far no success, but there is also this article which is similar but different

https://docs.microsoft.com/en-gb/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-microsoft-intune-or-third-party-emm

so this may also work... but I haven't tried it yet.
<dict>
<key>IntuneMAMUPN</key>
<string>$EMAIL</string>
</dict>

Malcolm
Contributor II

Nope that didn't work, as it appears it isn't supported in their IOS apps, although this article suggests it may work in the Outlook app, which if this is true the other apps may also be able to read the account from the outlook app.

About to give it a try.

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune

rickgmac
Contributor

So if you go to this page and look for outlook
https://appconfig.jamfresearch.com/settings/repository

It managed to give me this after a slight bit of modification

<dict>
    <key>com.microsoft.outlook.EmailProfile.EmailAccountName</key>
    <string>$FULLNAME</string>
    <key>com.microsoft.outlook.EmailProfile.ServerHostName</key>
    <string>outlook.office365.com</string>
    <key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
    <string>$EMAIL</string>
    <key>com.microsoft.outlook.EmailProfile.EmailUPN</key>
    <string>$EMAIL</string>
    <key>com.microsoft.outlook.EmailProfile.AccountDomain</key>
    <string></string>
    <key>com.microsoft.outlook.EmailProfile.ServerAuthentication</key>
    <string>Username and Password</string>
    <key>com.microsoft.outlook.EmailProfile.AccountType</key>
    <string>BasicAuth</string>
</dict>

Malcolm
Contributor II

this is what I had, via the outlook app, which was bringing up the account, but for some reason not allowing the device to log into the account.

<dict>
<string>com.microsoft.outlook.EmailProfile.EmailAddress</string>
<key>$EMAIL</key>
<string>com.microsoft.outlook.EmailProfile.EmailUPN</string>
<key>$EMAIL</key>
<string>com.microsoft.outlook.EmailProfile.AccountType</string>
<key>ModernAuth</key>
<string>IntuneMAMAllowedAccountsOnly</string>
<key>Enabled</key>
<string>IntuneMAMUPN</string>
<key>$EMAIL</key>
</dict>

Also tested it with <string>IntuneMAMAllowedAccountsOnly</string>
<key>Disabled</key>

and also with my email address instead of the wildcard.

I will take a look at what you have suggested above.

Malcolm
Contributor II

@rickgmac Strangely, your script (with our domain added and my script listed above) has an issue when it hits the Microsoft auth page (as we use Azure AD for sign in), although our accounts have no issue being added without app config set.

Your script did post additional settings during the account creation process when the app was loaded, but once it attempts to sign into the Office 365 account it just says unable to log in...

further to this problem, are you using this solution yourself?
I'm curious, if the solution would then pre auth all the other microsoft apps once outlook is launched and signed in.

As it would if you were to sign in word for example and then sign in onenote.

Malcolm
Contributor II

I'll test another device to make sure it's not device specific. After testing it against a non app configuration it was still doing it, so it could also be our Office 365 service.

Malcolm
Contributor II

I suspect it's more network or Office 365 causing an issue, I will have to find the underlying cause.

Malcolm
Contributor II

strangely on another device the app configuration you gave me did work, and after the email was inserted, the other microsoft apps automatically signed in as expected.

I did find that my set of options provided less sign in options for the end user. and I am just retesting it now, seeing it appears to have been a device issue causing it not to succeed previously.

Unfortunately the App configuration options available from Microsoft for outlook do not support passing the password. This is more of a security issue, as it might be passed as clear text.

I am not considering revisiting how we distribute our mail to our end users, so that the end users can sign into all microsoft apps once adding their password when signing into outlook.

@er1ca2000 @Kayla.durance
@miregan @PAC

Malcolm
Contributor II

It looks like a firewall or proxy is stopping our student users from continuing with the configuration. But this does look promising.

It's doubtful it will work but I am going to test and slip in:
<key>com.microsoft.outlook.EmailProfile.Password</key> <string>password</string>

markdmatthews
New Contributor III

For JAMF if using MAM you may want to try the following:
<string>IntuneMAMAllowedAccountsOnly</string>
<key>Disabled</key>
<string>IntuneMAMUPN</string>
<key>%upn%</key>

G_M__webkfoe_
New Contributor III

I'm trying to have the email address automatically filled in the login form of Word Excel and Powerpoint and I am using the two keys suggested by @markdmatthews  but no luck..

 

Anyone with any glimmer of hope here..?

@Malcolm @rickgmac 

Malcolm
Contributor II

I had it working for a while, and then either the MDM update or the Office apps stopped it from working, and I ended up clearing out what I had, however shared iPads despite not having a config, seem to get this information from the ASM user sign in. no shared, seems to auto suggest using the mail configured user details these days. At least once one app is signed in, they all are.

 

@G_M__webkfoe_ 

G_M__webkfoe_
New Contributor III

So, what you're saying is that on managed (company owned) devices, there is actually no way to send account information out from MDM, right? @Malcolm

I have been trying any possible solution, starting from the ones I've found in this thread up to anything coming from official microsoft pages, but did not find any of these working sadly...

Malcolm
Contributor II

@G_M__webkfoe_ 

love when you write a response that takes too long, it times out.

So I believe the below used to work for me, and at some stage either an MDM update, or iOS update or app update, caused the issue where the wildcard $EMAIL would end up populating the login as $EMAIL instead of the assigned user's email address. It perhaps could simply be a need to code it slightly differently. It may be worth researching JAMF managed distribution app settings, as it might allude to the solution if any.

 

<dict>
<string>com.microsoft.outlook.EmailProfile.EmailAddress</string>
<key>$EMAIL</key>
<string>com.microsoft.outlook.EmailProfile.EmailUPN</string>
<key>$EMAIL</key>
<string>com.microsoft.outlook.EmailProfile.AccountType</string>
<key>ModernAuth</key>
<string>IntuneMAMAllowedAccountsOnly</string>
<key>Enabled</key>
<string>IntuneMAMUPN</string>
<key>$EMAIL</key>
</dict>

Hi @Malcolm 
After some tests, I can tell you that on a different MDM, I am able to correctly pre-configure Outlook App for iOS with the following parameters:

 

 

com.microsoft.outlook.EmailProfile.AccountType: BasicAuth
com.microsoft.outlook.EmailProfile.EmailAccountName: $USERNAME
com.microsoft.outlook.EmailProfile.EmailAddress: $EMAIL
com.microsoft.outlook.EmailProfile.EmailUPN: $EMAIL
com.microsoft.outlook.EmailProfile.ServerAuthentication: 'Username and Password'
IntuneMAMAllowedAccountsOnly: Enabled
IntuneMAMUPN: $EMAIL
 
 
But really no luck with the same parameters on Office Apps like Word, Excel and PowerPoint (which are the Apps that I am willing to configure)..
 
Does anyone know if there is any way to contact official Microsoft Support and in which way eventually..?

this seems to have the list of apps that support managed app distribution setting:

 

https://docs.microsoft.com/en-us/mem/intune/apps/apps-supported-intune-apps

 

what semi worked for my users was encouraging them to set up Outlook first, which then signs in the other applications.

Skimming around, I found this Jamf article, on exactly how to do it for Outlook. They don't allude to the other apps supporting the functionality either, but it reinforces the Microsoft link I posted indicating the other apps don't have similar support.

https://www.jamf.com/blog/o365-ios-and-jamf-best-login-ever/

I discovered it, when I was investigating to see if I can pre-populate safari with office365 sign in.

Yeah, saw this one as well.

I have an open ticket with Microsoft, I'll let you know if anything comes out from it..

So after a lot of searching I found these:
https://blog.eucse.com/app-config-all-the-values-you-need/#1570028207837-b47e051c-379f
https://d2e3kgnhdeg083.cloudfront.net/
https://d2e3kgnhdeg083.cloudfront.net/com.microsoft.Office.Outlook/current/appconfig.xml

I've already written this once before the page timed out so I'm not in the mood to go into the nitty gritty.
Summary is, there were/are no configurable keys for any iOS app other than Outlook.
JAMF variables (For JAMF education at least) should be %VARIABLE% instead of $VARIABLE.
If you were hoping that deploying creds to outlook would auth other apps, it doesn't work because as far as I can tell, the config only functions with the Exchange only variables set (see the third link), this can log into an O365 email just fine, but it doesn't interact with the MSidentity 3 cache in the same way as a SSO/office 365 login step would. My guess based on documentation and some perusing of event logs pulled with apple configurator is that it doesn't generate an authentication token that can be used by other apps if you do it this way. I will email the writer of the article 'best login ever' and ask how he gets an office 365 login with values that are exchange exclusive set and the wrong auth type, since either I'm missing something or it's just misleading. 

Since the outlook XML keys haven't been updated since 2019, I'm going to assume that no development resources are going in that direction and all the eggs are in some magical intune ADAL basket.

If you are finding this page because you want to deploy managed configurations to your iOS Office apps and it's still 2022, consider giving up now.

TLDR: You can deploy to Outlook and Outlook alone of the Office apps with managed configs. It will do the account Exchange style so no fancy interactions and probably other hidden problems I'm not going to test for right now. OneDrive if you use a file manager app as an intermediary I guess.

Figured I'd reply and mention that if you pasted this in here, your keys and strings are the wrong way around.
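
Added example, not part of any post in this thread and not Jamf's or Microsoft's code: a small Python linter for a managed app configuration <dict> fragment that flags three problems raised above, namely key and value elements the wrong way around, a variable written in a style the MDM will not expand, and a literal secret in the payload. The sample fragments are constructed from the ones posted in the thread; the function name, the finding codes and the `variable_prefix` default are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the fragments posted in this thread.
SWAPPED = """<dict>
<string>com.microsoft.outlook.EmailProfile.EmailAddress</string>
<key>$EMAIL</key>
<string>IntuneMAMUPN</string>
<key>$EMAIL</key>
</dict>"""

# The Password key is the one a poster proposed testing, not a documented key.
WITH_PASSWORD = """<dict>
<key>com.microsoft.outlook.EmailProfile.EmailAddress</key>
<string>%EMAIL%</string>
<key>com.microsoft.outlook.EmailProfile.Password</key>
<string>password</string>
</dict>"""

VARIABLE = re.compile(r"^(?:\$(\w+)|%(\w+)%)$")   # $EMAIL or %EMAIL%
SECRET_NAME = re.compile(r"password|secret|token", re.IGNORECASE)

def lint_app_config(xml_text, variable_prefix="%"):
    """Lint a managed app config <dict>; return a list of (code, setting) findings.

    variable_prefix is the substitution style the MDM expands ("%" or "$");
    which one applies is an assumption to confirm for the MDM in use.
    """
    root = ET.fromstring(xml_text)
    items = list(root)
    if root.tag != "dict" or len(items) % 2:
        return [("malformed", root.tag)]
    findings = []
    for first, second in zip(items[0::2], items[1::2]):
        name = (first.text or "").strip()
        value = (second.text or "").strip()
        if first.tag != "key":
            # Each entry must be <key>name</key> followed by a typed value element.
            findings.append(("swapped-key-value", name))
        var = VARIABLE.match(value)
        if var and not value.startswith(variable_prefix):
            # Unexpanded variables reach the app as literal text such as "$EMAIL".
            findings.append(("variable-style", name))
        if SECRET_NAME.search(name) and value and not var:
            # A literal secret is readable by anyone who can view the config.
            findings.append(("cleartext-secret", name))
    return findings

if __name__ == "__main__":
    for label, sample in (("swapped", SWAPPED), ("with password", WITH_PASSWORD)):
        print(label, lint_app_config(sample))
```

Run it over a fragment before pasting it into the MDM's app configuration box; pass `variable_prefix="$"` if the MDM expands `$VARIABLE` rather than `%VARIABLE%`.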

illmakeonelater
New Contributor II

I was looking for information for managed configs with Office for iOS, but I figured I'd share a tidbit that took me quite a while to learn when making a managed config for the app 'FE file explorer Pro'.
I was frustrated when testing because of seemingly random failures. I was having trouble finding any documentation, so it took me a long time to realise that I could only deploy a managed config with a given UUID once per iPad.
If you push the config to iPad A, make a change and push again, it won't work, but it will be accepted perfectly well by iPad B that is seeing it for the first time.

I'm not sure if this is app specific and I probably shouldn't be surprised that UUIDs need to be unique, but perhaps mentioning this here will save someone a few hours.