dilannanayakkara-8008 asked:

Block Gmail app to connect to EXO on iOS

Hi All,

I have followed the 3 steps below to force end users to access email only through Microsoft Outlook, for which we have published app protection policies. Our devices are using MAM (not enrolled). However, everything seems to be working fine with Android, but the Gmail app on iOS is still connecting to EXO.

Appreciate the help!

1) First, followed steps 1 and 2 from the link below (Scenario 1: Microsoft 365 apps require approved apps with app protection policies)

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-conditional-access#scenario-1-microsoft-365-apps-require-approved-apps-with-app-protection-policies

2) Second, followed the link below.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication

The policy targets only Office 365 Exchange Online, the iOS and Android device platforms, and Other clients.

Screenshot below: Gmail on iOS (image01.jpeg)

Screenshot below: Gmail on Android (image03.jpeg)


PS: Further, I have found that a third-party app called "Email for Outlook" also does not adhere to the CA policies on both Android and iOS. The screenshot below was taken from Android.

Screenshot: Email for Outlook on Android (image02.jpeg)



Thanks,
Dilan


RahulJindal-2267 answered:

Are you disabling ActiveSync as well? Look at the Azure sign-in logs to verify the client app.

@RahulJindal-2267

Thanks for the reply. Below are my settings for your info.

1st CA:
Cloud App: O365
Device platforms: iOS and Android
Location: Any
Client apps: Browser, Mobile apps and desktop clients
Access controls > Grant with the following options
Require approved client app
Require app protection policy
Require all the selected controls


2nd CA:
Cloud App: Exchange online
Device platforms: Not Configured
Location: Any
Client apps: Exchange ActiveSync clients
Access controls > Grant with the following options
Require app protection policy


3rd CA:
Device platforms: iOS and Android
Cloud App: Exchange online
Location: Any
Client apps: Other
Access controls > Block

The Gmail app block is working on Android without any issue, but no luck with iOS yet.
Email for Outlook is not being blocked on both Android and iOS.

Thanks,
Dilan


@RahulJindal-2267

Further, I have checked the sign-in activities, and below are screenshots of them.

Login from Android.

When logging in from Android, the app name shows as Gmail and CA has been applied.

Screenshot: sign-in from Android (2021-05-22-12-49-39.jpg)

Login from iOS.

When logging in from iOS, the app name shows as IMAP4 and CA hasn't been applied.

Screenshot: sign-in from iOS (2021-05-22-12-52-30.jpg)

Below are the application settings on iOS which I am using to log in.

Screenshot: iOS application settings (2021-05-22-13-01-46.jpg)




EswarKoneti-MVP answered:

Are you using Conditional Access?
This post will help you block the Gmail app on iOS: https://techcommunity.microsoft.com/t5/microsoft-intune/block-gmail-app-to-connect-to-exo/m-p/1224365

Thanks,
Eswar


@EswarKoneti-MVP

Yes I am using Conditional Access.

I have followed the exact steps in the post you shared. However, that post doesn't mention which platform it refers to. I was wondering whether they are referring to Android, since mine is also working fine with Android.

I have double-checked, and it looks like everything is cross-matched. I'd appreciate it if you could point out anything I missed in the post you shared.

Thanks,
Dilan

RahulJindal-2267 answered:

I think there are issues with APP and blocking legacy authentication. Maybe set a CA policy to grant against 'require approved app', with client apps selected as Exchange ActiveSync only. Select the cloud app as EXO and then test. Run What If to simulate the behaviour.

Can you tell me more about what you are saying, please?

dilannanayakkara-8008 answered:

@RahulJindal-2267 thanks for guiding me to look at the sign-in activities.

I have noticed the Conditional Access policy (3rd CA) is being bypassed since it is not identifying the proper device platform. I then checked the device info in the sign-in activity, and there wasn't any device platform displayed. So now I have cleared the Device platforms setting from my 3rd CA in order to block without checking the device platform.

Let me check the status some time later and share with you guys.

Below are the screenshots of the sign-in activities.

Screenshot: sign-in activity (2021-05-22-18-49-21.jpg)

Screenshot: sign-in activity (2021-05-22-18-49-42.jpg)



Thanks,
Dilan


dilannanayakkara-8008 answered:

Hi All,

After configuring it not to check the device platform, it seems to be working fine. Thanks all.

Thanks,
Dilan
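The reason the corrected 3rd CA works is visible in the sign-in logs quoted above: the iOS Gmail sign-in arrives as IMAP4 with no device platform, so a block policy scoped to iOS/Android never matches it, while the same policy with Device platforms left "Not configured" does. The following is an added example, not code from this thread or from Microsoft: a small Python model of that evaluation, run over constructed sign-in records shaped after a few fields of the Microsoft Graph signIn resource (appDisplayName, clientAppUsed, deviceDetail.operatingSystem, resourceDisplayName). It models only the conditions discussed here, not the real Conditional Access engine, and the `uncovered_legacy_signins` check is the kind of review an admin can run over an exported sign-in log to find legacy-protocol sign-ins that a platform-scoped policy is silently skipping.

```python
"""Model of how a device-platform-scoped Conditional Access block policy can
miss a legacy IMAP4 sign-in whose platform was not identified.

Added example, not code from the thread or from Microsoft. Sign-in records
are constructed; the evaluation is a simplified model, not the real CA engine.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

EXO = "Office 365 Exchange Online"

# Legacy protocols as reported in clientAppUsed (a subset). They cannot satisfy
# "require approved client app" or "require app protection policy".
LEGACY_PROTOCOLS = frozenset({"IMAP4", "POP3"})


@dataclass(frozen=True)
class SignIn:
    app_display_name: str   # appDisplayName
    client_app_used: str    # clientAppUsed
    operating_system: str   # deviceDetail.operatingSystem; "" when not identified
    resource: str           # resourceDisplayName


@dataclass(frozen=True)
class BlockPolicy:
    name: str
    cloud_apps: FrozenSet[str]
    client_apps: FrozenSet[str]                  # CA "Client apps" condition categories
    device_platforms: Optional[FrozenSet[str]]   # None = "Not configured" (any platform)


def ca_client_category(client_app_used: str) -> str:
    """Map a sign-in's clientAppUsed value to the CA "Client apps" category."""
    if client_app_used == "Browser":
        return "Browser"
    if client_app_used == "Mobile Apps and Desktop clients":
        return "Mobile apps and desktop clients"
    if client_app_used == "Exchange ActiveSync":
        return "Exchange ActiveSync clients"
    # IMAP4, POP3 and other legacy protocols fall under "Other clients".
    return "Other clients"


def policy_applies(policy: BlockPolicy, s: SignIn) -> bool:
    """Simplified match of the cloud app, client app and device platform conditions."""
    if s.resource not in policy.cloud_apps:
        return False
    if ca_client_category(s.client_app_used) not in policy.client_apps:
        return False
    if policy.device_platforms is None:
        return True
    # A platform-scoped policy only matches sign-ins whose platform was
    # identified; a blank operatingSystem (as in the iOS Gmail IMAP4 sign-in
    # from the thread) never matches "iOS" or "Android".
    return s.operating_system in policy.device_platforms


def blocked_by(policies: List[BlockPolicy], s: SignIn) -> List[str]:
    """Names of the block policies that would apply to this sign-in."""
    return [p.name for p in policies if policy_applies(p, s)]


def uncovered_legacy_signins(policies: List[BlockPolicy], signins: List[SignIn]) -> List[SignIn]:
    """Legacy-protocol sign-ins that none of the given block policies would catch."""
    return [s for s in signins
            if s.client_app_used in LEGACY_PROTOCOLS and not blocked_by(policies, s)]


# The thread's 3rd CA as first posted (scoped to iOS/Android) and as corrected
# (Device platforms: Not configured).
THIRD_CA_SCOPED = BlockPolicy("3rd CA (iOS, Android)", frozenset({EXO}),
                              frozenset({"Other clients"}), frozenset({"iOS", "Android"}))
THIRD_CA_ANY = BlockPolicy("3rd CA (any platform)", frozenset({EXO}),
                           frozenset({"Other clients"}), None)

# Constructed sign-ins (not real log data).
IOS_GMAIL_IMAP = SignIn("IMAP4", "IMAP4", "", EXO)               # platform not identified
ANDROID_GMAIL_IMAP = SignIn("Gmail", "IMAP4", "Android", EXO)    # platform identified
OUTLOOK_MODERN = SignIn("Microsoft Outlook", "Mobile Apps and Desktop clients", "iOS", EXO)
SAMPLE_SIGNINS = [IOS_GMAIL_IMAP, ANDROID_GMAIL_IMAP, OUTLOOK_MODERN]


if __name__ == "__main__":
    for policy in (THIRD_CA_SCOPED, THIRD_CA_ANY):
        missed = uncovered_legacy_signins([policy], SAMPLE_SIGNINS)
        print(f"{policy.name}: legacy sign-ins not blocked = "
              f"{[s.app_display_name for s in missed]}")
```

Running it shows the scoped policy leaving the blank-platform IMAP4 sign-in unblocked and the unscoped policy catching it, while the modern-auth Outlook sign-in is untouched by either because its client-app category is not "Other clients".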

KarimZaki-9670 answered:

I'm having the same problem. I really don't understand why the device info is empty, because that's the reason why mobile bypasses the conditional access. Anyone have any ideas? Or is this related to ADFS authentication?