Dan-0645 asked Jason-MSFT commented

Block unmanaged Android and iOS devices' native mail applications

Hello everyone!

I would like to know if there is a possible solution to our request.

We recently started using Microsoft Endpoint Manager (Intune) for managing company and employee mobile devices (Android and iOS). We have already enrolled more than 500 devices and device management is working super.
We would like to secure device management so that devices that are not managed by Microsoft Endpoint Manager (Intune) won't have any access to O365 services. We would like to ensure that users can't add mail profiles to unmanaged devices (i.e. not allow adding a mail profile to the native iOS and Android mail applications). But at the same time we have a requirement for iOS users to use the Apple Mail app on enrolled devices.

I have tested this by setting up app protection policies and conditional access. I was able to achieve that unmanaged devices are not able to add a mail profile to the native mail applications. But the issue I have now is that if I enroll a new device, access to mail is not configured because of the conditional access policy.

Is this something that can be configured?

Tags: mem-intune-general, azure-ad-conditional-access, mem-intune-conditional-access
SimonBurbery-9608 answered Jason-MSFT commented

You could try this:
1. Create an Azure AD group - dynamic membership.
2. Add a rule that adds all the enrolled iPhones to the group (use enrolment profile, device is 'managed' or 'compliant' or OS type - whatever works).
3. Exclude this group from your app protection policy.

Not perfect but once the device is in the group it would be able to use the Mail app, whereas an un-enrolled iPhone will not.


And by the way I agree - the iPhone mail app supports modern auth and many users (especially execs) have used the Mail app and prefer it. I think MS should add it to the protected apps list. Why not? Forcing users who used the Mail app for years to use Outlook is a bit OTT IMO.

Jason-MSFT (to SimonBurbery-9608):

"I think MS should add it to the protected apps list. Why not?"

Because it's not a managed (aka enlightened) app so that doesn't make sense.

"Forcing users who used the Mail app for years to use Outlook is a bit OTT IMO."

That's a choice for you and your org to make. If you want the advanced controls in Outlook, then that's what you need to use. We can't control what's in the built-in mail app and it does not have the same level of control as Outlook does.


Fair enough comment - what I should have said was "Apple and MS should work together to ensure the Mail app is supported with app protection policies in Intune". I'm just pointing out that an IT decision that enforces Outlook upon its iPhone users that have used and preferred the Mail app for years seems very draconian for 2022. I believe companies would rather give users a choice of 'safe apps' to use.

I definitely want to block dodgy 3rd party mail apps from accessing corporate data - just not one of the two most used and trusted mail apps in the world.
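The three steps in SimonBurbery-9608's answer above (dynamic group of enrolled iPhones, excluded from the policy that carries the "Require app protection policy" grant), carried out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft. Assumptions: the conditional access policy is named "Require APP for mobile mail" and is the one blocking the native Mail app; the group name, mail nickname and the deviceOSType values "iPhone", "iPad" and "iOS" are placeholders (check the values your tenant actually reports with Get-MgDevice before trusting the rule).

```powershell
# Added example (not from the thread). Needs the Microsoft.Graph.Groups and
# Microsoft.Graph.Identity.SignIns modules and an admin with the scopes below.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Dynamic membership rule: only Intune-enrolled (MDM-managed) iOS devices match.
#    Un-enrolled iPhones never match, so they stay under the APP/CA requirement.
#    deviceOSType values are an assumption; verify with:
#    Get-MgDevice -Filter "managementType eq 'MDM'" | Select-Object DisplayName, OperatingSystem
$rule = '(device.managementType -eq "MDM") and (device.deviceOSType -in ["iPhone", "iPad", "iOS"])'

$group = New-MgGroup -DisplayName "Intune - enrolled iOS devices" `
    -Description "Dynamic: iOS devices enrolled in Intune, excluded from the APP CA grant" `
    -MailEnabled:$false -MailNickname "intune-enrolled-ios" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 2. Exclude the group from the CA policy whose grant is "Require app protection policy".
#    Policy name is an assumption.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require APP for mobile mail'"
if (-not $policy) { throw "CA policy not found; check the displayName filter" }

$users   = $policy.Conditions.Users
$exclude = @(@($users.ExcludeGroups) + $group.Id | Where-Object { $_ } | Select-Object -Unique)

# Send the whole users block back rather than just excludeGroups: a PATCH on
# conditions.users replaces the lists it carries, so copy the existing ones.
$body = @{
    conditions = @{
        users = @{
            includeUsers  = @($users.IncludeUsers)
            excludeUsers  = @($users.ExcludeUsers)
            includeGroups = @($users.IncludeGroups)
            excludeGroups = $exclude
            includeRoles  = @($users.IncludeRoles)
            excludeRoles  = @($users.ExcludeRoles)
        }
    }
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# 3. Check: dynamic membership is evaluated asynchronously, so confirm the
#    enrolled iPhones actually landed in the group before relying on the exclusion.
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    $_.AdditionalProperties['displayName']
}
```

Two things to verify afterwards. First, re-open the policy in the portal and confirm the applications, platforms and grant settings were not touched; the script only rewrites the users block, but the exclusion is pointless if the rest of the policy changed. Second, the exclusion only helps the built-in Mail app if the Intune email profile uses OAuth (modern auth), as Jason-MSFT's comment below points out; a basic-auth profile is still blocked regardless of group membership. Because excluded devices leave this policy entirely, keep a separate policy that requires the device to be marked compliant so an enrolled but non-compliant iPhone does not slip through.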

Crystal-MSFT answered

@Dan-0645, an app protection policy can only be applied to Microsoft Intune protected apps.
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

In the Microsoft Intune protected apps list, the native mail app is not included, so an app protection policy can't be applied to it. We can see more details in the following link:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-supported-intune-apps

From your description, I see you were able to achieve that unmanaged devices are not able to add a mail profile to the native mail applications. Could you show us the conditional access policy configuration?

Dan-0645 answered Jason-MSFT commented

Hi,
Yes, I was able to achieve that unmanaged devices are not able to add a mail profile to the native mail applications. But the issue is that when I enroll the device and use a combination of app protection policy and CA, the mail client can't access the mail server even though the device is marked as compliant after enrollment. iOS users will use the native mail app.


Here is my conditional access rule:

[Four screenshots of the conditional access policy configuration; images not recoverable from the page.]

Crystal-MSFT:

@Dan-0645, it seems "Require app protection policy" is set under Grant. That means the app needs to have an app protection policy applied. As the iOS Mail app is not a protected app, the policy can't be applied to it, so access will be blocked. As a workaround, ask users to use Outlook instead and deploy the app protection policy to Outlook to see if it works.

Hope it can help.


Jason-MSFT:

There will be no prompts on an unmanaged device for an Intune unenlightened app like the built-in mail client.

Have you enabled OAuth for the built-in mail client on iOS (this is not possible on Android to my knowledge so there is no way to make this work on Android): https://vanyurikhin.blog/2018/11/26/ios-native-mail-app-oauth-and-conditional-access/


Dan-0645:

Hi @Jason-MSFT, thanks for the reply.
I have the iOS mail profile configured in the same way as described in the article you posted:

[Screenshot of the iOS mail profile configuration; image not recoverable from the page.]



Dan-0645:

Hi @Crystal-MSFT, thanks for the reply.

I will test this on a test device. But getting iOS users to use something other than Apple Mail will be impossible.

But definitely it would solve a lot of issues if they would use Outlook.

Dan-0645 answered

@SimonBurbery-9608 I tested your suggestion and it works perfectly. Thanks for your post and for sharing the idea.
