Block unmanaged Android and iOS devices' native mail applications

Dan 81 Reputation points
2022-04-05T16:26:24.937+00:00

Hello everyone!

I would like to know if there is a possible solution to our request.

We recently started using Microsoft Endpoint Manager (Intune) for managing company and employee mobile devices (Android and iOS). We have already enrolled more than 500 devices and device management is working super.
We would like to secure device management so that devices that are not managed by Microsoft Endpoint Manager (Intune) won't have any access to O365 services. We would like to achieve that users couldn't add mail profiles to unmanaged devices (not to allow adding mail profile to native iOS and Android applications). But at the same time we have a requirement for iOS users to use Apple Mail app for enrolled devices.

I have tested this by setting up app protection policies and conditional access. I was able to achieve that unmanaged devices are not able to add a mail profile to native mail applications. But the issue I have now is that if I enroll a new device, access to mail is not configured because of the conditional access policy.

Is this something that can be configured?


Accepted answer
  1. Simon Burbery 556 Reputation points
    2022-04-07T14:16:55.5+00:00

    You could try this:

    1. Create an Azure AD group - dynamic membership.
    2. Add a rule that adds all the enrolled iPhones to the group (use enrolment profile, device is 'managed' or 'compliant' or OS type - whatever works).
    3. Exclude this group from your app protection policy.

    Not perfect but once the device is in the group it would be able to use the Mail app, whereas an un-enrolled iPhone will not.
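
Steps 1 and 2 of the answer above can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original answer; the group name, mail nickname and the exact rule are assumptions, and step 3 (excluding the group from the policy) is left to the admin portal.

```powershell
# Added example: create a dynamic device group of enrolled iPhones.
# Assumes the Microsoft.Graph.Groups module is installed and the signed-in
# account may create groups. Display name and nickname are hypothetical.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Dynamic membership rule for devices: iPhones that are MDM-managed and
# currently compliant. Alternatives mentioned in the answer include matching
# on the enrolment profile (device.enrollmentProfileName).
$rule = '(device.deviceOSType -eq "iPhone") and ' +
        '(device.managementType -eq "MDM") and ' +
        '(device.isCompliant -eq true)'

$params = @{
    DisplayName                   = "Enrolled-iPhones"     # hypothetical
    Description                   = "Intune-managed, compliant iPhones"
    MailEnabled                   = $false
    MailNickname                  = "enrolled-iphones"     # hypothetical
    SecurityEnabled               = $true
    GroupTypes                    = @("DynamicMembership")
    MembershipRule                = $rule
    MembershipRuleProcessingState = "On"
}
$group = New-MgGroup @params

# Confirm the rule was stored as written and that processing is enabled.
Get-MgGroup -GroupId $group.Id `
    -Property "id,displayName,membershipRule,membershipRuleProcessingState" |
    Format-List DisplayName, MembershipRule, MembershipRuleProcessingState

# Membership is evaluated asynchronously, so a freshly enrolled device may
# take a while to appear. List current members to see which devices the
# rule has picked up so far.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

Because the rule is evaluated asynchronously, a newly enrolled iPhone stays outside the group until the next evaluation, so it remains blocked during that window.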


3 additional answers

  1. Crystal-MSFT 46,271 Reputation points Microsoft Vendor
    2022-04-06T01:46:29.643+00:00

    @Dan, for app protection policy, only the Microsoft Intune protected apps can apply it.
    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy

    In the Microsoft Intune protected apps list, the native mail app is not included, so it can't apply an app protection policy. We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/intune/apps/apps-supported-intune-apps

    From your description, I find you were able to achieve that unmanaged devices are not able to add mail profile to native mail applications. Could you show the conditional access policy configuration to us?



  2. Dan 81 Reputation points
    2022-04-06T07:10:09.707+00:00

    Hi,
    yes, I was able to achieve that unmanaged devices are not able to add a mail profile to native mail applications. But the issue is that when I enroll the device and use a combination of app protection policy and CA, the mail client can't access the mail server even though the device is marked as compliant after enrollment. As iOS users will use the native mail app.

    Here is my conditional access rule:

    [Screenshots: 190399-image.png, 190466-image.png, 190452-image.png, 190453-image.png]


  3. Dan 81 Reputation points
    2022-04-08T13:21:25.08+00:00

    @Simon Burbery I tested your suggestion and it works perfectly. Thanks for your post and for sharing the idea.
