Some of our Windows mobile devices are quite old and can't install the current version of the Outlook application, so they rely on ActiveSync and native mail apps. Whilst we update these, we created a conditional access rule that blocks ActiveSync on Android and iOS devices but doesn't apply to Windows Mobile, Windows or macOS. We're using Intune Application Protection policies, not full enrollment, to allow BYOD devices.
Where a device doesn't report its device type during sign-in, we're finding it can continue to use ActiveSync as the Conditional Access rule isn't triggered. This is allowing Android and iOS devices to continue using native email apps and therefore bypass the Intune app protection policy that requires an approved application. Any idea how to enforce all Android and iOS devices to only be allowed to use the Outlook app for email access without using full device enrollment in Intune?