To get my work e-mail I've installed Outlook, and when I try to log in to my work account it insists I install Microsoft Intune Company Portal, so I've done this too (Outlook and Intune running on a separate 'Work' user profile).

Then, when logging into my work account, Outlook requests to activate Device Administrator - it says it wants to monitor screen unlock attempts and a couple of other things which I can't remember. The thing is, even when I allow this, it doesn't seem to gain any app permissions (still has Network only).

What is this, and is it 'safe'?

    Device Manager is a special role outside of the permissions system. You can check which apps have the role assigned to them by going to Settings -> Security & Privacy -> Additional settings (not sure of the exact wording in English, lowest menu item) -> under Security there is Apps for device management.

    What is this, and is it 'safe'?

    It gives a wide range of insights and config rights that the permission system won't give you. Lawnchair for example needs it for the Tap to Lock feature. You will have to trust Microsoft's word that they only use the role for counting unlock attempts and other compliance-related telemetry.
    Sadly there is currently no way to make this more granular or verify this behaviour. 🤷

      dreamland

      Thanks. Does it have the permission on all profiles, or just the profile on which it's installed?

        networkscreech
        I'm not entirely sure. But considering that device management specifically covers security-related functionality like remote device wiping and locking, I believe it covers the entire device, no matter the user.

        dc32f0cfe84def651e0e even when trying to log in via the Web using Vanadium, the webpage tells me I must install Intune Company Portal. This is frustrating as I can log in via the Web fine from a PC without needing to do this, both on Windows and Linux.

        Have you tried the Thunderbird for Android mail client?
        I used it on GrapheneOS on an outlook365.com email address without issue. If it's just mail you want, this might work.

          DeletedUser64 It's a Microsoft Exchange account at my work's domain so I don't think I'd be able to do that - I doubt they expose POP3 or IMAP.

          If your company secures its environment with Intune MDM to such an extent that you can't even access it with a browser (fortunately, we can still do that), then you have no chance of accessing your device without full Intune with Google Play Services. Outlook for mail, and if Teams is added, only the app will work anyway. Teams in the browser doesn't work at all.

            Faced with a similar situation, I asked my work to provide a company phone for conducting company business. Sucks having two devices, but there's no way I'm giving personal device admin rights to my company.