How to Set an MDM-Pushed Outlook Mobile Configuration With OutlookEnabled

If you manage mobile devices for your organization, you may need to push Outlook settings to users automatically through a Mobile Device Management system. The OutlookEnabled key controls whether the Outlook mobile app is allowed to connect to your Exchange environment. This article explains what the OutlookEnabled setting does, how to configure it in an MDM policy, and how to deploy it to iOS and Android devices.

When OutlookEnabled is set to false, the Outlook mobile app cannot add or sync Exchange mailboxes. Users will see a connection error. Setting it to true allows the app to connect. You must also configure the Microsoft 365 account settings correctly to avoid conflicts.

This guide covers the exact XML structure for an MDM policy, the required keys, and how to test the deployment. You will also learn what happens if a user already configured Outlook before the policy arrived.

Key Takeaways: Setting OutlookEnabled via MDM

  • OutlookEnabled = true: Allows Outlook mobile app to connect to Exchange and sync mail, calendar, and contacts.
  • OutlookEnabled = false: Blocks the Outlook mobile app from adding or syncing any Exchange mailbox.
  • MDM XML structure: Use the com.microsoft.outlook.OutlookSettings dictionary with AccountDomain, AccountName, and OutlookEnabled keys.


What the OutlookEnabled Setting Controls

The OutlookEnabled key is part of the Outlook for iOS and Android app configuration policy. It is a Boolean value that determines whether the app can authenticate with Microsoft 365 or Exchange Online. When you push this setting through an MDM provider such as Microsoft Intune, VMware Workspace ONE, or Jamf, the Outlook app reads the policy at launch.

OutlookEnabled works together with AccountDomain and AccountName. AccountDomain defines the email domain used for automatic discovery. AccountName is the user principal name or email address. If OutlookEnabled is set to true but AccountDomain is missing or incorrect, the app will still fail to find the server.

The setting does not affect other mail apps on the device. It only controls the behavior of the Outlook app. If you want to block all third-party mail apps, you must use an Exchange ActiveSync policy or Conditional Access.

Prerequisites for MDM Deployment

Before you push the configuration, confirm these requirements are met:

  • Devices are enrolled in an MDM that supports custom app configuration policies.
  • Outlook for iOS and Android is installed on the target devices.
  • The MDM policy targets users who have a valid Microsoft 365 or Exchange Online license.
  • The Outlook app version is 4.0 or later on both iOS and Android.

Steps to Create the MDM Configuration Policy

The exact steps vary by MDM provider, but the XML payload is the same. Below are the steps using Microsoft Intune as the example. If you use another MDM, adapt the user interface elements accordingly.

  1. Open the Intune admin center
    Go to Apps > App configuration policies. Click Add > Managed devices.
  2. Select the Outlook app
    Choose iOS/iPadOS or Android as the platform. Click Select app and pick Microsoft Outlook from the list. Click OK.
  3. Name the policy
    Enter a name such as Outlook Mobile Config – Enable. Add an optional description.
  4. Add configuration settings
    Click Configuration settings. For the format, choose Use configuration designer. Add the following keys:
    Key: OutlookEnabled, Value type: Boolean, Value: true
    Key: AccountDomain, Value type: String, Value: contoso.com
    Key: AccountName, Value type: String, Value: {{userprincipalname}}
    Replace contoso.com with your actual domain. The {{userprincipalname}} variable is resolved per user.
  5. Assign the policy
    Click Assignments. Add the device groups or user groups that should receive the policy. Click Review + create and then Create.

Alternative XML Payload Method

If your MDM requires a raw XML string, use the following structure:


    <dict>
        <key>OutlookEnabled</key>
        <true/>
        <key>AccountDomain</key>
        <string>contoso.com</string>
        <key>AccountName</key>
        <string>{{userprincipalname}}</string>
    </dict>

Paste this into the configuration payload field. Replace contoso.com with your domain. The variable for AccountName may be different in your MDM.


Common Mistakes and Deployment Issues

Even with the correct XML, the Outlook app may not behave as expected. The following issues are the most frequent.

Outlook App Ignores the Policy

If the Outlook app does not apply the configuration, check the app version. Versions older than 4.0 do not support MDM configuration. Update the app through your MDM or the app store. Also confirm that the policy is assigned to the correct group and that the device has an active network connection.

Users See a Connection Error

When OutlookEnabled is true but AccountDomain is missing or wrong, the app cannot find the Exchange server. The user will see “Cannot connect to server.” Verify that AccountDomain matches the domain portion of the user’s email address. For example, if the email is user@fabrikam.com, set AccountDomain to fabrikam.com.
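The type and domain mistakes described above can be caught before the payload is assigned. The following is an added example, not part of the original article or any vendor tooling: `lint_payload` is a hypothetical helper, the payload is assumed to be a plist `<dict>` fragment, and the key names and types are taken from this page.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Keys and value types as this page describes them (assumption: taken from the
# article, not checked against vendor documentation).
REQUIRED = {"OutlookEnabled": bool, "AccountDomain": str, "AccountName": str}

def lint_payload(dict_xml: str) -> list:
    """Return a list of problems found in a raw <dict> app-config fragment."""
    wrapped = ('<plist version="1.0">' + dict_xml + "</plist>").encode("utf-8")
    try:
        cfg = plistlib.loads(wrapped, fmt=plistlib.FMT_XML)
    except (ExpatError, ValueError) as exc:
        return ["payload is not a well-formed plist dict: %s" % exc]
    if not isinstance(cfg, dict):
        return ["top-level element must be <dict>"]

    problems = []
    for key, expected in REQUIRED.items():
        if key not in cfg:
            problems.append("missing key: " + key)
        elif not isinstance(cfg[key], expected):
            # Typical slip: <string>true</string> where <true/> is required.
            problems.append("%s must be %s, got %s" % (
                key, expected.__name__, type(cfg[key]).__name__))

    name, domain = cfg.get("AccountName"), cfg.get("AccountDomain")
    if isinstance(name, str) and isinstance(domain, str):
        if "{{" in name:
            pass  # MDM token, resolved per user at delivery; not checkable offline
        elif "@" not in name:
            problems.append("AccountName is not a UPN or email address")
        elif name.rsplit("@", 1)[1].lower() != domain.strip().lower():
            problems.append("AccountDomain %r does not match AccountName domain" % domain)
    return problems

# Constructed sample payloads (not taken from a real tenant).
GOOD = """<dict>
  <key>OutlookEnabled</key><true/>
  <key>AccountDomain</key><string>contoso.com</string>
  <key>AccountName</key><string>{{userprincipalname}}</string>
</dict>"""
BAD = """<dict>
  <key>OutlookEnabled</key><string>true</string>
  <key>AccountDomain</key><string>contoso.com</string>
  <key>AccountName</key><string>user@fabrikam.com</string>
</dict>"""

if __name__ == "__main__":
    for label, payload in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_payload(payload))
```

An empty list means the fragment parsed and passed every check; a tokenised AccountName still has to be verified on a test device after delivery.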

Policy Works Only After Reinstall

If a user already added their account manually before the MDM policy arrived, the policy may not override the existing account. The Outlook app reads the MDM configuration only during first launch or when no account is configured. To enforce the policy, you must remove the existing account and relaunch the app. You can automate this by deploying a device wipe of Outlook data through the MDM, but this is disruptive. A better approach is to push the policy before the user opens Outlook for the first time.

OutlookEnabled vs Other Block Methods

| Item | OutlookEnabled = false | Exchange ActiveSync Block |
| --- | --- | --- |
| Scope | Only blocks the Outlook mobile app | Blocks all email clients using ActiveSync |
| Configuration | Set in MDM app config policy | Set in Exchange admin center or PowerShell |
| User impact | User can still use other mail apps | User cannot sync any mail app |
| Enforcement timing | Immediate on next app launch | Immediate for new sync requests |

OutlookEnabled is a granular setting for the Outlook app only. Exchange ActiveSync blocking is a broader method that affects all clients. Choose the method that matches your security requirements.

Verifying the Deployment

After the policy is assigned, test on a small group of devices. Open the Outlook app and go to Settings > Account. The account should appear automatically without the user entering credentials. If the account does not appear, check the MDM reporting logs for policy delivery status. On iOS, you can also view the installed configuration profile under Settings > General > VPN & Device Management.

For Android, navigate to Settings > Accounts > Work profile if the device uses Android Enterprise. The policy should appear under the work profile configuration.

You can now deploy the OutlookEnabled setting through your MDM to control whether the Outlook mobile app connects to Exchange. Next, consider configuring the Outlook app to disable third-party account sync if you need stricter data loss prevention. A concrete advanced tip: use the AllowOnlyOrganizationalAccounts key together with OutlookEnabled to block personal accounts in the Outlook app.
