Intune App Protection policy. How to block native iOS app sign-in without registration request.

Question

Intune App Protection policy. How to block native iOS app sign-in without registration request.

Tommie van Lent 0

We have configured Intune with App Protection Policies to require an app PIN for all Microsoft apps.

This works great, but when users want to add their M365 mail account to the native iOS Mail app, they are prompted to "register" their device.

When they click "register," the Company Portal app opens with no additional information.

We have blocked user enrollment, so it is working as expected.

Is there any way to block sign-in on the iOS Mail app?

1 answer

Your answer

Answer 1

ZhoumingDuan-MSFT 17,165 Microsoft External Staff

@Tommie van Lent, Thanks for posting in Q&A.

From your description, I know you want to block sign-in on iOS Mail app.

Based on my research, we can create a conditional access policy to achieve this, here are steps you can refer to.

Require approved client apps or app protection policy with mobile devices https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#require-approved-client-apps-or-app-protection-policy-with-mobile-devices

Block Exchange ActiveSync on all devices:

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#block-exchange-activesync-on-all-devices

Hope above information can help you.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2025-03-07T05:31:30.59+00:00

@Tommie van Lent, Hope things going well.

May I know the above information is helpful? If there is any update, feel free to let me know.
Tommie van Lent 0 Reputation points

2025-03-07T07:53:51.23+00:00

Hi Duan,

I also hope you are doing well.

Both policies are implemented and working as expected on the conditional access perspective. Only on my iOS devices itself it is redirecting to the company portal app for device enrolment after the modern authenticating screens.

I cant find anywhere if this is "normal behaviour" but i assume i should see a "access denied" message from conditional access in the modern authentication screens on unmanaged my iOS device in the native mail client app.
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2025-03-07T09:08:34.12+00:00

@Tommie van Lent, Thanks for your reply.

Please check the two policies status in Intune portal, if both of them are success, after researching, I think it can be related with "Sign-in frequency" in conditional access. When the time is not expired, the user still can access until user do the next sign in. So, the user will be redirect to the company portal during this time period. You can change the "Sign-in frequency" to see if it can help.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

Also, the conditional access policy may be conflict with the user enrollment restriction policy, delete the user enrollment restriction policy and see if this can work.

Hope the above information can help.
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2025-03-20T01:57:27.9133333+00:00

HI, @Tommie van Lent, Thanks for your reply.

After my deep research, I find that iOS device needs to download Authenticator to get app protection policy applied, so please try to download it and see if the issue can be fixed.

https://techcommunity.microsoft.com/discussions/microsoft-intune/why-different-broker-apps-for-ios-and-android-not-enrolled-when-using-app-protec/332758

Another situation is you have configured conditional access policy and require device to be marked as compliant, it will let you 'register', please check if there exist conditional access.

Please note that The approved client app grant is retiring in early March 2026. Organizations must transition all current Conditional Access policies that use only the Require Approved Client App grant to Require Approved Client App or Application Protection Policy by March 2026. Additionally, for any new Conditional Access policy, only apply the Require application protection policy grant. For more information, see the article Migrate approved client app to application protection policy in Conditional Access.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-grant#require-approved-client-app

Hope it can help you.

Share via

Intune App Protection policy. How to block native iOS app sign-in without registration request.

1 answer

Your answer