Mobile Device - blocking ability to fetch email

James Harrell 1 Reputation point
2022-12-07T19:48:19.56+00:00

My company supports an organization which recently transitioned to O365.

They want to, by policy, prevent any connection by any mobile device to email except for a limited number of managers.

I understand that I can change the mobile device policy to either "block" or "quarantine". I am trying to make sure that I fully understand the ramifications of making such a change. I have some questions:

1 - If I set the Mobile Device Policy to "block" (instead of the default) what is the best way to provide for a group of exceptions? I note that in the settings for individual mailboxes I can enable/disable "Mobile Exchange Active Sync". If I set the mobile device policy to "block" does the "Mobile Exchange Active Sync" function as an exception to that policy, or is it disabled when the Mobile Device Policy is set to "block"?

2 - If I set the Mobile device policy to "Quarantine" - approving the device is an approval for the specific device? (so that if a user gets a new device, it would again be quarantined?) Or is it overridden by exemptions based upon the recipient mailbox in some fashion similar to #1 above?

Your help is greatly appreciated.


1 answer

  1. Simon Skotheimsvik 171 Reputation points MVP
    2022-12-07T23:56:37.667+00:00

    Hi @James Harrell

    I would advise you to check out Conditional Access policies combined with App Protection Policies to protect your e-mail environment on the mobile devices.
    Take a look at this great article describing these bits and pieces: https://learn.microsoft.com/en-us/mem/intune/protect/tutorial-protect-email-on-unmanaged-devices

    This will raise the general security related to email on the mobile devices. By using groups to assign user rights to the Conditional Access rules you can achieve the granular approach you are looking for.

    By following this track, you will achieve your goal, AND you will also get a generally higher level of security in your setup.

    Best of luck!
    Simon
