keshavadmin
Copper Contributor
Oct 04, 2020

Restrict mobile access to email for specific users

I would like to block mobile access to emails for specific users in my organization. This includes the native mail app on the phone, any other mail app on the phone (including Outlook), as well as any browser on the phone. This is because these users have access to sensitive information about the company. All other users should be able to access mobile emails.

I tried using the quarantine policy from the Exchange admin; however, that does not prevent the users from using the web browser to access the emails via outlook.com on their mobile.

6 Replies

  • lance-aughey
    Iron Contributor

    keshavadmin 

     

    To expand on what @hidmov suggests, you'll also want to "Disable Exchange ActiveSync" and "Disable OWA for Devices" under the Mobile Devices Section (via EAC). If you're using the New EAC, the language is a bit different, but the process is the same. 

    • keshavadmin
      Copper Contributor
      lance-aughey

      So, if I’m not wrong, this allows me to:
      1. Block Outlook Web App access on mobile
      2. Block Outlook App access on mobile
      3. Block Native Mail App access via Exchange Active Sync (Can they still use IMAP or POP for this?)
      4. Allows them access to Outlook Web App on a PC.
      5. Allows them access to Outlook Desktop app.
      Please suggest if this is the case. It seems to be my ideal situation.
      • Dean_Gross
        Silver Contributor

        keshavadmin An alternative approach would be to use Sensitivity Labels and DLP policies to block the access to sensitive information while providing access to other information. This would be a much better user experience and would provide many other benefits. 

  • JTOLW
    Copper Contributor

    The setup may change depending on whether the devices are managed or not. If they are managed in Intune, you may be able to configure device restrictions to block the in-built apps to achieve what you're after.

    https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create

     

    If you're running Microsoft 365 and have access to Cloud App Security, creating a conditional access policy that targets those users and/or devices may achieve what you're after.

    https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-access

     

    You can also set up session policies which give you real-time session-level monitoring, with the ability to take different actions depending on the policy you set for the user session.

    https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad#block-activities

     

    keshavadmin 

  • HidMov
    Steel Contributor

    Hi keshavadmin 

     

    In the Exchange Admin Centre, find the recipients and edit the mailbox - in Mailbox Features you should see an option to disable OWA.

     

     

    The wording/location may be different depending on your version of Exchange; disabling will stop those specific users from being able to log onto OWA.
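
The per-mailbox switches named in the replies above (Exchange ActiveSync, OWA for Devices, and the IMAP/POP question) can also be set and verified from PowerShell. This is an added example, not part of the original thread: it assumes Exchange Online with the ExchangeOnlineManagement module, the mailbox addresses are constructed placeholders, and `OutlookMobileEnabled` is a cloud-only `Set-CASMailbox` parameter included here as an extra that the thread does not mention.

```powershell
# Added example: restrict mobile protocols for a fixed list of mailboxes.
# Assumes an Exchange Online admin session; addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$restricted = @('user1@contoso.example', 'user2@contoso.example')

# OWAEnabled and MAPIEnabled are deliberately left alone so that
# Outlook on the web (PC) and Outlook desktop keep working.
$settings = @{
    ActiveSyncEnabled    = $false   # native mail apps using Exchange ActiveSync
    OWAforDevicesEnabled = $false   # "OWA for Devices" in the EAC
    OutlookMobileEnabled = $false   # Outlook for iOS/Android (cloud-only parameter)
    ImapEnabled          = $false   # closes the IMAP route raised in the thread
    PopEnabled           = $false   # closes the POP route raised in the thread
}

foreach ($id in $restricted) {
    try {
        Set-CASMailbox -Identity $id @settings -ErrorAction Stop
    } catch {
        Write-Warning "Could not update ${id}: $($_.Exception.Message)"
    }
}

# Read the settings back so the change is confirmed, not assumed.
$report = foreach ($id in $restricted) {
    Get-CASMailbox -Identity $id -ErrorAction SilentlyContinue |
        Select-Object PrimarySmtpAddress, ActiveSyncEnabled, OWAforDevicesEnabled,
                      OutlookMobileEnabled, ImapEnabled, PopEnabled,
                      OWAEnabled, MAPIEnabled
}
$report | Format-Table -AutoSize

# List any mailbox where a mobile protocol is still enabled.
$stillOpen = $report | Where-Object {
    $_.ActiveSyncEnabled -or $_.OWAforDevicesEnabled -or
    $_.OutlookMobileEnabled -or $_.ImapEnabled -or $_.PopEnabled
}
if ($stillOpen) {
    Write-Warning "Mobile protocols still enabled for:"
    $stillOpen | Select-Object -ExpandProperty PrimarySmtpAddress
}
```

These switches do not distinguish a phone browser from a PC browser; that part of the original question is what the conditional access and session policy links in the thread address.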
