The Outlook Groups mobile app enforces secure communication protocol (HTTPS) for all communication channels over public networks. The Outlook Groups mobile app uses certificate pinning to establish trust. To further ensure data safety of all our users, we only support certificates signed by well-known Root Certification Authorities for communication between users and Office 365 services.
Data storage and security on the device
Outlook Groups mobile app uses the mobile operating system’s encryption and security features to lock the app data so it is completely segregated from other apps. Also, the Outlook Groups mobile app service doesn't store any email, files, calendar, or other group data. It only stores the user’s display name, email address, and encrypted user token, which is used for authentication and app notifications.
Outlook Groups mobile app uses the Oauth protocol, which provides client applications a secure delegated access. It provides authorization to Office 365 email, files, and so on without sharing the user’s username and password.
Blocking Outlook Groups mobile app
Administrators can block Outlook Groups mobile app by using remote PowerShell to run one or both of the following cmdlets.
To block an individual user (e.g., firstname.lastname@example.org);
Set-CASMailbox –Identity email@example.com –EwsApplicationAccessPolicy:EnforceBlockList –EwsBlockList:"OutlookGroupsAppService*"
This change generally takes effect within minutes. If needed, see Set-CASMailbox for more details.
To block all users in the organization from using Outlook Groups mobile app.
Set-OrganizationConfig –EwsApplicationAccessPolicy:EnforceBlockList –EwsBlockList:"OutlookGroupsAppService*"
This change could take more than two hours to take effect. If needed, see Set-OrganizationConfig for more details.
For help with using remote PowerShell with Exchange OnlineExchange Online in Office 365, see Connect to Exchange Online PowerShell.
Support for Mobile Data Management (MDM) solutions
MAM conditional access capabilities for Outlook Groups mobile app are delivered through integration with Intune, Microsoft’s cloud-based mobile device and application management solution, or through other third-party MDM products.
Enforcing device PIN lock for Groups
If your organization has set Exchange ActiveSync policies requiring users to set up a PIN before they can connect and sync to their mailboxes, and your users have already established a connection to their work or school email on their devices, then device-level PIN is likely already enforced by the device's main email client (e.g. iOS Mail app, or Outlook app). Also, most MDM solutions, such as the built-in Mobile Device Management (MDM) feature for Office 365, will let you set a PIN lock for your user’s work device.
Additionally, you can configure the Mobile Application Management (MAM) policy to require a PIN to access the app. See Configure and deploy mobile application management policies in the Microsoft Intune console for more information. These application management capabilities with Intune are available with or without Intune’s device management features. MAM without device enrollment can be particularly valuable if you're using other MDM solutions to manage the devices within your organization, or in scenarios where your IT department is not able to enroll the devices.