You can block other apps/allow only the Outlook app by using the Exchange Online controls: ActiveSync device rules or block the relevant protocols via Set-CasMailbox. It's all detailed in the documentation: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#option-1-block-all-email-apps-except-outlook-for-ios-and-android
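The Exchange Online controls named in the answer above, as an added example that is not part of the original answer or of the linked documentation page. It assumes the ExchangeOnlineManagement module and an Exchange administrator session; `$LegacyDeviceType` and the commented-out mailbox identity are placeholders to fill in from your own tenant. The rules match on the device characteristics recorded by Exchange for each ActiveSync partnership, which the inventory step lists.

```powershell
# Added example: allow only Outlook for iOS and Android over ActiveSync,
# while keeping an explicit exception for legacy devices that still need it.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Inventory the existing ActiveSync partnerships before changing anything,
#    so you know which DeviceType/DeviceModel values would be cut off.
Get-MobileDevice -ResultSize Unlimited |
    Group-Object DeviceType, DeviceModel |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Allow Outlook for iOS and Android explicitly.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString 'Outlook for iOS and Android' -AccessLevel Allow

# 3. Optional exception for the old Windows Mobile devices.
#    Placeholder: copy the exact DeviceType string from the step 1 output.
$LegacyDeviceType = '<DeviceType-from-inventory>'
if ($LegacyDeviceType -notlike '<*') {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
        -QueryString $LegacyDeviceType -AccessLevel Allow
}

# 4. Block every device that matches no allow rule.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# 5. Verify: list the rules and any devices that are now blocked.
Get-ActiveSyncDeviceAccessRule |
    Select-Object Name, Characteristic, QueryString, AccessLevel
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Blocked' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceAccessState

# Alternative from the answer: switch the protocol off per mailbox.
# This blocks all ActiveSync clients for that mailbox, so use it only for
# users who have no legacy device. The identity below is a placeholder.
# Set-CASMailbox -Identity 'user@example.com' -ActiveSyncEnabled $false
```

Run step 1 on its own first and review the output; step 4 cuts off every ActiveSync client that no allow rule matches, including the legacy Windows Mobile devices if the exception in step 3 is left unset.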
Lack of device info causing Conditional Access rule bypass
Some of our Windows mobile devices are quite old and can't install the current version of the Outlook application, so they rely on ActiveSync and native mail apps. Whilst we update these, we created a conditional access rule that blocks ActiveSync on Android and iOS devices but doesn't apply to Windows Mobile, Windows or macOS. We're using Intune Application Protection policies, not full enrollment, to allow BYOD devices.
Where a device doesn't report its device type during sign-in, we're finding it can continue to use ActiveSync as the Conditional Access rule isn't triggered. This is allowing Android and iOS devices to continue using native email apps and therefore bypass the Intune app protection policy that requires an approved application. Any idea how to enforce all Android and iOS devices to only be allowed to use the Outlook app for email access without using full device enrollment in Intune?