Brett Lindsey
Copper Contributor
Dec 12, 2017

Block 3rd Party Mail/Calendar Apps

Hi all,

Is it possible to block users from logging into their Office 365 accounts via 3rd party iOS apps such as MyMail, which is found on the App Store/Play Store?

 

Link to MyMail:
https://itunes.apple.com/us/app/mymail-email-app/id722120997?mt=8

 

We're in the process of migrating all users to Outlook for iOS/Android. If corporate owned, they will enroll via the Company Portal app and have Outlook, Word, Excel, PowerPoint, Teams, OneDrive & Authenticator auto installed/pushed. If they are BYOD, I need them to only use Outlook for iOS/Android with an app password forced via Intune App Protection Policy.

 

I've attempted disabling ActiveSync, + OWA for Devices within O365. No luck.

 

Appreciate any input. 

 

Cheers
Brett

4 Replies

  • jenstf
    Copper Contributor

    Brett Lindsey You should block legacy authentication anyway with conditional access. With that you get rid of most 3rd party apps. As far as I know, only the native iOS email application supports modern authentication.

    Two policies with block as action control, one for other clients and one for active sync under client apps.

    In combination with approved client app conditional access and eventually App Protection policy, you should be able to force the users to use Outlook.

  • Brett Lindsey 
    If Outlook mobile is the only app, you need to create a few Conditional Access policies.
    - Policy to block apps with legacy auth.

    - Policy to require "Approved client app" to connect to Exchange. Because only MS apps are "Approved" it will limit everyone to Outlook only.

  • AndrewX
    Iron Contributor
    I had a similar situation, we blocked IMAP and POP using Set-CASMailbox, and now the new Set-Mailbox -AuthenticationPolicy. This doesn't strictly bind them to Outlook, but it prevents them from going out there and using non OIDC/OAuth based apps (like MyMail).

    Like the other reply, you can use Conditional Access to achieve a similar result and block the way apps like MyMail connect, but it won't lock your users' choice down to Outlook only.

    You can also use Cloud App security (license needed) to control business sanctioned apps.
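
The protocol-level approach from the last reply, as an added PowerShell example that is not part of the original thread: report and disable IMAP/POP per mailbox with Set-CASMailbox, then apply an Exchange Online authentication policy that blocks Basic authentication. It assumes the ExchangeOnlineManagement module and an Exchange admin account; the policy name and pilot address are hypothetical, and authentication policies are assigned to users with Set-User.

```powershell
# Added example; assumes the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Report mailboxes that still accept IMAP or POP connections.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled }
$legacy | Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled, ActiveSyncEnabled

# 2. Disable both protocols on every mailbox found above.
$legacy | ForEach-Object {
    Set-CASMailbox -Identity $_.PrimarySmtpAddress -ImapEnabled $false -PopEnabled $false
}

# 3. Keep newly created mailboxes from getting the protocols back.
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# 4. Create an authentication policy. With no -AllowBasicAuth* switches,
#    a new policy blocks Basic authentication for all protocols.
$policyName = 'Block Basic Auth'             # hypothetical name
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $policyName)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# 5. Assign it to a pilot user first (hypothetical address), then verify.
$pilot = 'pilot.user@contoso.example'
Set-User -Identity $pilot -AuthenticationPolicy $policyName
Get-User -Identity $pilot | Select-Object Name, AuthenticationPolicy

# 6. After the pilot, make it the default for users without an explicit policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
```

As the reply says, this stops clients that rely on Basic authentication but does not restrict users to Outlook; that restriction comes from the Conditional Access "approved client app" policy described in the earlier replies.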
