Lack of device info causing Conditional Access rule bypass

Cook, Phil (IT) 1 Reputation point
2020-01-08T14:04:23.26+00:00

Some of our Windows mobile devices are quite old and can't install the current version of the Outlook application, so they rely on ActiveSync and native mail apps. Whilst we update these, we created a conditional access rule that blocks ActiveSync on Android and iOS devices but doesn't apply to Windows Mobile, Windows or macOS. We're using Intune Application Protection policies, not full enrollment, to allow BYOD devices.
Where a device doesn't report its device type during sign-in, we're finding it can continue to use ActiveSync as the Conditional Access rule isn't triggered. This is allowing Android and iOS devices to continue using native email apps and therefore bypass the Intune app protection policy that requires an approved application. Any idea how to enforce that all Android and iOS devices are only allowed to use the Outlook app for email access, without using full device enrollment in Intune?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Vasil Michev 94,911 Reputation points MVP
    2020-01-08T17:27:07.187+00:00

    You can block other apps/allow only the Outlook app by using the Exchange Online controls: ActiveSync device access rules, or block the relevant protocols via Set-CASMailbox. It's all detailed in the documentation: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#option-1-block-all-email-apps-except-outlook-for-ios-and-android
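The following is an added example, not part of the answer above and not Microsoft's own script, showing what the Exchange Online side of this looks like in PowerShell. Because the device access rules are evaluated by Exchange on the ActiveSync partnership itself, they do not depend on the client reporting a platform at sign-in, which is the gap the question describes. It assumes the ExchangeOnlineManagement module is installed, that the account used has the Exchange administrator role, and that "Outlook" / "Outlook for iOS and Android" are the DeviceType and DeviceModel values Outlook mobile registers (these are taken from the linked documentation; verify them against your own tenant's `Get-MobileDevice` output before enforcing). The `$legacyWindowsUsers` list is a constructed placeholder.

```powershell
# Added example: enforce "Outlook mobile only" at the Exchange Online layer.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Inventory first: which ActiveSync partnerships are NOT Outlook mobile?
#    Run this before changing anything so you know what the new default will block.
$nonOutlook = Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -ne 'Outlook' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessState
$nonOutlook | Format-Table -AutoSize

# 2. Quarantine every ActiveSync device by default. New partnerships that do not
#    match an Allow rule are held (the user gets a notice; the admin can release
#    them), so nothing silently bypasses the policy. Use 'Block' to reject outright.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'exchange-admins@contoso.example'   # constructed address

# 3. Allow only Outlook for iOS and Android by the device characteristics it
#    registers (values per the linked Microsoft docs; confirm in step 1 output).
New-ActiveSyncDeviceAccessRule -Characteristic DeviceModel `
    -QueryString 'Outlook for iOS and Android' -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString 'Outlook' -AccessLevel Allow

# 4. The old Windows Mobile devices that still need native ActiveSync get an
#    explicit Allow on their OS string. Pull the exact DeviceOS value from step 1
#    rather than guessing; the string below is a constructed placeholder.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS `
    -QueryString 'Windows Phone 8.1' -AccessLevel Allow

# 5. Optional per-mailbox hardening with Set-CASMailbox: close the other
#    protocols a native mail app could fall back to once ActiveSync is refused.
#    Do NOT set -ActiveSyncEnabled $false for users on Outlook mobile, because
#    Outlook mobile itself relies on an ActiveSync partnership.
$legacyWindowsUsers = @('legacy.user1@contoso.example')        # constructed list
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $legacyWindowsUsers -notcontains $_.PrimarySmtpAddress } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ImapEnabled $false -PopEnabled $false
    }

# 6. Verify: anything now quarantined is a device the old CA rule let through.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Step 1 and step 6 are the parts worth keeping as a recurring check: a non-Outlook DeviceType appearing in a new partnership after the rules are in place is exactly the native-app bypass from the question, now visible and held rather than silently allowed.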