Using Outlook for iOS and Android in the Government Community Cloud in Exchange Online

Summary: How organizations in the Office 365 U.S. Government Community Cloud (GCC) can enable Outlook for iOS and Android for their Exchange Online users.

Outlook for iOS and Android is fully architected in the Microsoft Cloud and meets the security and compliance requirements of all United States Government customers when the mailboxes reside in Exchange Online.

For customers with Exchange Online mailboxes operating in the Government Community Cloud (GCC Moderate, GCC High or Department of Defense), Outlook for iOS and Android uses the native Microsoft sync technology. This architecture is FedRAMP-compliant (defined by NIST Special Publication 800-145) and approved. It also meets the GCC High and DoD requirements: DISA SRG Level 4 (GCC High) and Level 5 (DoD), the Defense Federal Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR). These were approved by a third-party assessment organization and are FISMA-compliant based on NIST 800-53 rev 4.

For more information, please see the Office 365 FedRAMP System Security plan located in the FedRAMP Audit Reports section of the Microsoft Service Trust Portal.

Important

Customers operating in the Government Community Cloud might have user mailboxes that also reside on-premises via an Exchange hybrid topology. Accessing on-premises mailboxes with Outlook for iOS and Android doesn't utilize an architecture that is FedRAMP-compliant. For more information on this architecture, see Using Basic authentication with Outlook for iOS and Android.

This article covers how to:

  • Enable Outlook for iOS and Android for Office 365 GCC customers.
  • Unlock non-FedRAMP compliant features, if needed.

Enabling Outlook for iOS and Android for Office 365 GCC customers

GCC (Moderate, High, and Department of Defense) customers can use Outlook for iOS and Android without any special configuration.

For Office 365 GCC customers who don't currently use Outlook for iOS and Android, enabling the app requires the following actions:

  1. Unblocking Outlook for iOS and Android in the organization.
  2. Downloading the app on user devices.
  3. Having users add their account on their devices.

1. Unblock Outlook for iOS and Android

Remove any restrictions in your Exchange environment that might block Outlook for iOS and Android. Update your Exchange mobile device access rules or any relevant Microsoft Entra Conditional Access policies to unblock the app. For more information about making Outlook the only approved mobile messaging client, see Securing Outlook for iOS and Android in Exchange Online.

2. Download and install Outlook for iOS and Android

End users need to install the app on their devices. How the installation happens depends on whether the devices are enrolled in a unified endpoint management (UEM) solution, such as Microsoft Intune. Users with enrolled devices can install the app through their UEM solution, like the Intune Company Portal. Users with devices that aren't enrolled in a UEM solution can search for "Microsoft Outlook" in the Apple App Store or Google Play Store and download it from one of those locations.

Note

To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is leveraged. For more information, see App-based conditional access with Intune.

Disabled services and features

By default, certain services and features of Outlook for iOS and Android are disabled automatically for the Office 365 U.S. Government Community Cloud (GCC) because they don't meet FedRAMP requirements:

  • In-app support: Users aren't able to submit support tickets from within the app or upload diagnostic data using Collect Diagnostics. They should contact their internal help desk and provide logs (via the Share Diagnostics Logs option in Settings -> Help). If necessary, the organization's IT department can then contact Microsoft Support directly.

    Important

    Setting OutlookMobileGCCRestrictionsEnabled to false allows support, diagnostic, or crash data to be sent to Microsoft through in-app support or by using Collect Diagnostics. The data is uploaded to Microsoft systems that are outside of the Office 365 GCC compliance boundary, including the Office 365 FedRAMP boundary. Customers should update organizational training and policy materials to instruct users to avoid including any sensitive US government information as part of the in-app support submission.

  • In-app feature requests: Users aren't able to submit in-app feature requests.

  • Multiple accounts: Only the user's Office 365 GCC account and OneDrive account can be added to a single device. Personal accounts can't be added. Customers can use another device for personal accounts, or an Exchange ActiveSync client from another provider.

  • Calendar Apps: Calendar apps (Facebook, Wunderlist, Evernote, Meetup) aren't available with GCC accounts.

  • Add-Ins: Add-ins aren't available with GCC accounts.

  • Storage Providers: Only the GCC account's OneDrive storage account can be added within Outlook for iOS and Android. Third-party storage accounts (for example, Dropbox, Box) can't be added.

  • Office Lens: Office Lens technology (for example, scanning business cards and taking pictures) included in Outlook for iOS and Android isn't available with GCC accounts.

  • File picker: The file picker used for adding attachments during email composition is limited to email attachments, iCloud & Device, OneDrive files, and SharePoint sites. The Recent Files list is limited to email attachments.

  • TestFlight: GCC accounts aren't able to access prerelease features when using the TestFlight version of Outlook for iOS.

Running the following Exchange Online cmdlet gives GCC users of Outlook for iOS and Android access to the above features and services that aren't FedRAMP compliant:

Set-OrganizationConfig -OutlookMobileGCCRestrictionsEnabled $false

At any time, access to the above features can be revoked by resetting the parameter back to the default value:

Set-OrganizationConfig -OutlookMobileGCCRestrictionsEnabled $true

A change to this setting typically takes effect within 48 hours. Because this setting is tenant-wide, all Outlook for iOS and Android users in the GCC organization are affected.

For more information on the cmdlet, see Set-OrganizationConfig.
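
Because the switch is tenant-wide and moves data outside the FedRAMP boundary, it is worth checking its current value and who changed it. The following script is an added example, not part of the original article. It assumes the ExchangeOnlineManagement module, an already connected session, unified audit logging enabled in the tenant, and a 90-day lookback chosen for illustration:

```powershell
# Added example: report the current OutlookMobileGCCRestrictionsEnabled value
# and list audited changes to it.
# Assumes a session opened with Connect-ExchangeOnline (GCC High and DoD tenants
# pass -ExchangeEnvironmentName O365USGovGCCHigh or O365USGovDoD).

$ParamName    = 'OutlookMobileGCCRestrictionsEnabled'
$LookbackDays = 90   # assumption: adjust to your audit log retention

# 1. Current tenant-wide value. $true is the default and keeps the
#    non-FedRAMP features disabled.
$current = (Get-OrganizationConfig).$ParamName
if ($null -eq $current) {
    Write-Warning ('{0} is not reported for this organization.' -f $ParamName)
}
elseif ($current -eq $false) {
    Write-Warning ('{0} is False: in-app support and Collect Diagnostics can upload data outside the Office 365 GCC compliance boundary.' -f $ParamName)
}
else {
    Write-Output ('{0} is True: GCC restrictions are in force.' -f $ParamName)
}

# 2. Audit trail: every Set-OrganizationConfig call that touched the parameter.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) `
    -EndDate (Get-Date) -RecordType ExchangeAdmin `
    -Operations 'Set-OrganizationConfig' -ResultSize 1000

$changes = foreach ($e in $events) {
    # AuditData is a JSON string; cmdlet parameters are Name/Value pairs.
    $data = $e.AuditData | ConvertFrom-Json
    $hit  = $data.Parameters | Where-Object { $_.Name -eq $ParamName }
    if ($hit) {
        [pscustomobject]@{
            TimeUtc  = $data.CreationTime
            Actor    = $data.UserId
            NewValue = $hit.Value
        }
    }
}

if ($changes) {
    $changes | Sort-Object TimeUtc | Format-Table -AutoSize
}
else {
    Write-Output ('No audited changes to {0} in the last {1} days.' -f $ParamName, $LookbackDays)
}
```

Since a change typically takes up to 48 hours to reach clients, a NewValue of False followed by True in the output still implies a window in which the unlocked features were available to users.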

Services and features not available

Certain services and features of Outlook for iOS and Android aren't available for the Office 365 U.S. Government Community Cloud (GCC) because they don't meet FedRAMP requirements:

  • Location services: Bing location services aren't available with GCC accounts. Features that rely on location services, like Cortana Time To Leave, are also unavailable.
  • Privacy settings: Privacy settings can't be configured through the Office cloud policy service.
  • Play My Emails: Play My Emails isn't available for GCC accounts.
  • To Do: To Do is currently not available for GCC accounts.
