Lack of device info causing Conditional Access rule bypass

Cook, Phil (IT) 1 Reputation point

Some of our Windows mobile devices are quite old and can't install the current version of the Outlook application, so they rely on ActiveSync and native mail apps. Whilst we update these, we created a conditional access rule that blocks ActiveSync on Android and iOS devices but doesn't apply to Windows Mobile, Windows or macOS. We're using Intune Application Protection policies, not full enrollment, to allow BYOD devices.
Where a device doesn't report its device type during sign-in, we're finding it can continue to use ActiveSync, as the Conditional Access rule isn't triggered. This is allowing Android and iOS devices to continue using native email apps and therefore bypass the Intune app protection policy that requires an approved application. Any idea how to enforce all Android and iOS devices to only be allowed to use the Outlook app for email access without using full device enrollment in Intune?


1 answer

Vasil Michev 66,601 Reputation points MVP

You can block other apps/allow only the Outlook app by using the Exchange Online controls: ActiveSync device rules or block the relevant protocols via Set-CasMailbox. It's all detailed in the documentation:
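The Exchange Online controls the answer points to, written out as an added example (this is not code from the question, the answer, or Microsoft's documentation). The security point for the question's scenario: a Conditional Access rule keyed on device platform only fires when the client reports a platform, so a client that reports nothing slips past it. Setting the ActiveSync organization default to Block turns that around: a partnership is refused unless it matches an explicit Allow rule, so a client that reports little or nothing is refused rather than waved through. Assumptions, all labelled in the code: the Exchange Online PowerShell module is installed and the account holds an Exchange admin role; the DeviceModel string `"Outlook for iOS and Android"` is what Outlook mobile reports to ActiveSync and should be confirmed against the inventory output before relying on it; `$legacyDeviceOS` and `$pilotMailbox` are placeholders.

```powershell
# Added example, not the question's or answer's own code.
# Assumptions (labelled): Exchange Online PowerShell module installed; Exchange admin role held;
# the Outlook mobile DeviceModel string below matches what your inventory shows;
# $legacyDeviceOS and $pilotMailbox are placeholders to replace with your own values.

Connect-ExchangeOnline

# 1. Inventory what each ActiveSync partnership actually reports about itself.
#    Native mail apps report their own DeviceType/DeviceModel/DeviceOS, and some report
#    very little, which is why a platform-based Conditional Access rule can fail to match.
$inventory = Get-MobileDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS,
                  DeviceAccessState, DeviceAccessStateReason
$inventory | Sort-Object DeviceType, DeviceModel | Format-Table -AutoSize

# 2. Fail closed at the organization level: any partnership that does not match an
#    explicit Allow rule is refused, regardless of what (or how little) the client reports.
#    Use 'Quarantine' instead of 'Block' if you would rather review unknown devices first.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# 3. Allow only Outlook mobile, matched on the model string it reports.
#    Assumption: this is the string Outlook for iOS/Android reports; confirm it in step 1.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString "Outlook for iOS and Android" -AccessLevel Allow

# 4. The old Windows Mobile devices in the question still need ActiveSync while they are
#    being replaced, so they need their own Allow rule. Take the exact DeviceOS string
#    from the step 1 output; a rule keyed on a string the device does not report will not match.
$legacyDeviceOS = "REPLACE_WITH_DEVICEOS_FROM_INVENTORY"   # placeholder
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS `
    -QueryString $legacyDeviceOS -AccessLevel Allow

# 5. Verify: rules in place, and which existing partnerships are now blocked.
Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel -AutoSize
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Blocked' } |
    Format-Table UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessStateReason -AutoSize

# 6. Per-mailbox alternative from the answer: switch the ActiveSync protocol off entirely
#    for a mailbox that should only ever use an approved client. Pilot on one mailbox and
#    confirm the approved client still connects before applying it more widely.
$pilotMailbox = "REPLACE_WITH_USER_PRINCIPAL_NAME"          # placeholder
Set-CASMailbox -Identity $pilotMailbox -ActiveSyncEnabled $false
Get-CASMailbox -Identity $pilotMailbox | Format-List ActiveSyncEnabled, OutlookMobileEnabled
```

Two things to check after applying this: per-user exceptions set with `Set-CASMailbox -ActiveSyncAllowedDeviceIDs` take precedence over the organization rules, so audit those if a device you expected to be blocked is still syncing; and the device access rules only govern ActiveSync, so OWA, IMAP and POP need their own controls (the protocol switches on `Set-CASMailbox`, or a separate Conditional Access policy) if the goal is truly "Outlook app only".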