Block Native Mail App using Intune

Matt Dillon 437 Reputation points
2023-08-30T18:10:44.6533333+00:00

Client is asking to block Exchange/O365 mail in the native mail app on devices. I built out the following two Conditional Access Policies:

Require approved client apps or app protection policy with mobile devices:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#require-approved-client-apps-or-app-protection-policy-with-mobile-devices

Block Exchange ActiveSync on all devices:

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#block-exchange-activesync-on-all-devices

On my test iPhone, I reboot the phone, launch Company Portal, policies apply and I try adding my tenant email and the policy works great and does not let me.

I then disable the policy, reboot the phone, launch Company Portal, let policies apply, and then successfully add my tenant email after signing in.

I then re-enable the policy, reboot the phone, launch Company Portal, let policies apply, but here is where the problem or my misunderstanding of what should happen lies - my Exchange mail remains active. I am able to send from this account on my iPhone and receive to this account as well.

What step am I missing to either block new email from coming or going from this account on my phone or ideally - how can I just have the exchange mail removed altogether automatically from the phone.

Thanks in advance.

Matt


1 answer

  1. Crystal-MSFT 53,986 Reputation points Microsoft External Staff
    2023-08-31T02:22:24.65+00:00

    @Matt Dillon, Thanks for posting in Q&A. For your issue, after researching, I think it can be related to "Sign-in frequency" in conditional access. When the time has not expired, the user can still access until the user does the next sign-in. So the user can still receive new mails during this time period. You can change the "Sign-in frequency" to see if it can help.

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
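As an added example (not code from the thread or from Microsoft's documentation), the two policies from the question, built through the Microsoft Graph PowerShell SDK with the sign-in frequency session control the answer refers to set to one hour. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin holds Policy.ReadWrite.ConditionalAccess, and that `<break-glass-group-object-id>` is replaced with a real exclusion group; both policies are created in report-only state so sign-in logs can be checked before enforcing.

```powershell
# Added example, not from the original thread. Creates the two Conditional Access
# policies from the question and adds a 1-hour sign-in frequency (the answer's point:
# an existing session keeps working until that interval forces a fresh sign-in).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"   # first-party Office 365 Exchange Online app
$breakGlassGroup     = "<break-glass-group-object-id>"            # placeholder: exclude emergency-access accounts

# Policy 1: require an approved client app or an app protection policy on mobile platforms.
$approvedAppPolicy = @{
    displayName   = "Mobile: require approved client app or app protection policy"
    state         = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("approvedApplication", "compliantApplication")
    }
    sessionControls = @{
        # Sign-in frequency: tokens issued earlier stay valid until this interval elapses,
        # which is why mail kept flowing after the policy was re-enabled on the test phone.
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 1
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $approvedAppPolicy |
    Select-Object Id, DisplayName, State

# Policy 2: block Exchange ActiveSync clients on all devices for Exchange Online.
$easBlockPolicy = @{
    displayName   = "Block Exchange ActiveSync on all devices"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @("exchangeActiveSync")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $easBlockPolicy |
    Select-Object Id, DisplayName, State
```

After the report-only run, the Conditional Access tab on each sign-in in the Entra sign-in logs shows whether the native mail client would have been blocked and which session control applied.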

