CookPhilIT-9873 asked ·

Lack of device info causing Conditional Access rule bypass

Some of our Windows mobile devices are quite old and can't install the current version of the Outlook application, so they rely on ActiveSync and native mail apps. Whilst we update these, we created a conditional access rule that blocks ActiveSync on Android and iOS devices but doesn't apply to Windows Mobile, Windows or macOS. We're using Intune Application Protection policies, not full enrollment, to allow BYOD devices. Where a device doesn't report its device type during sign-in, we're finding it can continue to use ActiveSync as the Conditional Access rule isn't triggered. This is allowing Android and iOS devices to continue using native email apps and therefore bypass the Intune app protection policy that requires an approved application. Any idea how to enforce that all Android and iOS devices are only allowed to use the Outlook app for email access, without using full device enrollment in Intune?

Tags: azure-active-directory, azure-ad-authentication, azure-ad-authentication-protocols

1 Answer

michev answered ·

You can block other apps/allow only the Outlook app by using the Exchange Online controls: ActiveSync device rules or block the relevant protocols via Set-CasMailbox. It's all detailed in the documentation: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/secure-outlook-for-ios-and-android#option-1-block-all-email-apps-except-outlook-for-ios-and-android


Thanks, we'll investigate this. Sounds like just what we need, as the device type is reported when reviewing mobile devices accessing a mailbox, just not in the Azure sign-in logs, hence the CA rule not triggering.

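As an added worked example of the two Exchange Online controls the answer points to (this is not code from the answer, the asker, or Microsoft's documentation), the PowerShell below first audits what each ActiveSync partnership reports about itself, then applies the "block everything except Outlook for iOS and Android" device access rules, and finally shows the per-mailbox protocol switch via Set-CASMailbox. Assumptions: the ExchangeOnlineManagement module is installed and the session has Exchange administrator rights; the mailbox address is a placeholder; the DeviceModel string "Outlook for iOS and Android" and the Windows Mobile DeviceType value should be confirmed against the audit output before the rules are created. The point for the question at hand is that these rules match on what the ActiveSync client reports to Exchange, which the asker confirmed is populated, rather than on the device platform in the Azure AD sign-in log, which is what the Conditional Access rule was silently missing.

```powershell
# Added example, not from the original thread. Assumes ExchangeOnlineManagement
# is installed and the account holds Exchange administrator rights.
Connect-ExchangeOnline

# --- 1. Audit: what each ActiveSync partnership reports about itself ---------
# DeviceType / DeviceModel / DeviceOS come from the mail client, not from the
# Azure AD sign-in record, so devices that were invisible to the CA rule
# still show up here. Review this before writing any rules.
function Get-ActiveSyncInventory {
    Get-MobileDevice -ResultSize Unlimited |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceAccessState |
        Sort-Object DeviceType, DeviceModel
}
Get-ActiveSyncInventory | Format-Table -AutoSize

# --- 2. Org-wide default-deny, then explicit allow rules ---------------------
# Matches "Option 1" in the documentation linked in the answer: anything that is
# not matched by an Allow rule is blocked from syncing.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# Allow the Outlook app by the DeviceModel it reports. Confirm the string against
# the inventory above; it is an assumption here, not taken from the thread.
New-ActiveSyncDeviceAccessRule -Name "Allow Outlook for iOS and Android" `
    -Characteristic DeviceModel `
    -QueryString "Outlook for iOS and Android" `
    -AccessLevel Allow

# Temporary allowance for the old Windows Mobile handsets mentioned in the
# question. The DeviceType value is a placeholder: copy it from step 1 output.
$windowsMobileDeviceType = "<DeviceType value seen in Get-ActiveSyncInventory>"
New-ActiveSyncDeviceAccessRule -Name "Allow Windows Mobile during migration" `
    -Characteristic DeviceType `
    -QueryString $windowsMobileDeviceType `
    -AccessLevel Allow

# Confirm the rule set that is now in force.
Get-ActiveSyncDeviceAccessRule | Select-Object Name, Characteristic, QueryString, AccessLevel

# --- 3. Per-mailbox protocol blocking (the Set-CASMailbox route) -------------
# For users who must not use any native client at all, turn the legacy
# protocols off on the mailbox itself. Address is a placeholder.
$mailbox = "user@contoso.example"
Set-CASMailbox -Identity $mailbox -ActiveSyncEnabled $false -ImapEnabled $false -PopEnabled $false

# Verify the resulting state for that mailbox.
Get-CASMailbox -Identity $mailbox |
    Select-Object PrimarySmtpAddress, ActiveSyncEnabled, ImapEnabled, PopEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit in step 1 on its own first: once the default access level is set to Block, any device whose reported characteristics do not match an Allow rule stops syncing, so the Windows Mobile allowance in step 2 needs the real DeviceType string before the default is changed. Step 3 is independent of the device access rules and is the tighter option where a mailbox should only ever be reached through Outlook.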