Forum Discussion
Conditional Access native iOS mail app works - but not if manually configured or if mail already set
- Jul 02, 2019
The first policy (legacy) should block access. It's also recommended to make one policy for Active Sync and one for other clients. Make sure to exclude service accounts that don't support modern authentication.
I would monitor the sign-in log and look for logins from other client and active sync (unsupported) before doing this in production.
JT
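The advice above is to read the Azure AD sign-in log for Exchange ActiveSync and "other client" (legacy) logins before turning the block on, so that service accounts which cannot do modern authentication are found and excluded first. The script below is an added example, not code from the thread or from Microsoft. Field names follow the Microsoft Graph signIn resource (clientAppUsed, conditionalAccessStatus, userPrincipalName, appDisplayName); the records are constructed sample data, and the mapping of clientAppUsed values onto the "Exchange ActiveSync clients" and "Other clients" policy buckets is this example's own assumption based on Microsoft's documented legacy-protocol list.

```python
"""Triage exported Azure AD sign-in records for legacy-authentication clients
before enabling a Conditional Access block.

Added example, not from the forum thread. Field names match the Microsoft
Graph `signIn` resource; the sample records are constructed, not a real export.
"""
import json
from collections import defaultdict

# Assumed mapping (this example's own): which clientAppUsed values each of the
# two legacy Conditional Access policies would catch.
LEGACY_EAS = {"Exchange ActiveSync"}
LEGACY_OTHER = {"Other clients", "IMAP", "POP", "SMTP", "Authenticated SMTP",
                "Exchange Web Services", "MAPI"}

# Constructed sample export: one EAS login, one service account on SMTP,
# and two modern-auth logins that the legacy policies would not touch.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "svc-scanner@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Mobile Apps and Desktop clients", "conditionalAccessStatus": "success"},
    {"userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "success"},
])


def classify(client_app_used):
    """Map a clientAppUsed value to the policy bucket that would block it."""
    if client_app_used in LEGACY_EAS:
        return "eas"
    if client_app_used in LEGACY_OTHER:
        return "other"
    return "modern"


def legacy_auth_report(signins_json):
    """Return {bucket: {upn: [clientAppUsed, ...]}} for legacy sign-ins only.

    Accounts listed here are the ones to review (and, for service accounts
    that cannot use modern auth, to exclude) before the block policies go live.
    """
    report = {"eas": defaultdict(set), "other": defaultdict(set)}
    for rec in json.loads(signins_json):
        client = rec.get("clientAppUsed", "Unknown")
        bucket = classify(client)
        if bucket == "modern":
            continue
        report[bucket][rec["userPrincipalName"]].add(client)
    # Plain dicts with sorted lists so the output is stable and comparable.
    return {b: {u: sorted(apps) for u, apps in sorted(d.items())}
            for b, d in report.items()}


if __name__ == "__main__":
    for bucket, users in legacy_auth_report(SAMPLE_SIGNINS).items():
        print(f"== sign-ins the '{bucket}' legacy policy would block ==")
        for upn, apps in users.items():
            print(f"  {upn}: {', '.join(apps)}")
```

Run it against a real export by replacing SAMPLE_SIGNINS with the JSON array from the sign-ins blade (or the Graph auditLogs/signIns endpoint); anything under "other" that belongs to a service account is a candidate for the policy's exclusion list.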
Thanks for your time going through my problem, jenstf & Alexander Vanyurikhin.
I have created two policies
1 Policy for Legacy and Native iOS App
1 Policy for Modern Authentication
Both require the device to be marked as compliant & require an approved client app.
But I am still able to get mail to flow in once configuring manually.
(unless, while I am changing policies, it may take some time before it takes effect)
These are my policies
Only applying to Exchange Online App
Only applying to iOS and Android devices.
[Screenshot 1: First is for native iOS / Legacy Auth]
[Screenshot 2: Second is for Modern Auth - if setting up via the Outlook app this works fine and enrolls the device; the problem I think is the first policy above]
With the above set - I was able to manually configure mail on iOS device by adding the server: outlook.office365.com
I have turned policies on and off for the first one, so maybe it will take some time to apply (?)
I checked Sign-Ins on Azure AD monitoring but it is not showing anything with sign-ins if I configure manually.
- Adam Weldon-Ming, Jul 02, 2019, Brass Contributor
jenstf - Many thanks - this has helped clarify some things in my head.
1 last question on this if that's ok:
"It's also recommended to make one policy for Active Sync and one for other clients."
Would you essentially be creating 3 for this? i.e.
Or would you always combine, say, Exchange ActiveSync + Apply policy only to supported platforms in one policy?
Adam
- jenstf, Jul 03, 2019, Brass Contributor
Adam Weldon-Ming, in my policies I don't use "Apply policy only to supported platforms". The documentation isn't clear on what that choice is actually good for, i.e. Linux isn't a supported platform and will then bypass this policy.
I have one policy with "Exchange Active Sync clients" and one for "other clients".
- Adam Weldon-Ming, Jul 03, 2019, Brass Contributor
Thanks a lot jenstf
I've separated them out into 2 policies and this has forced my test iPhones to get the message to enroll the phones, rather than blocking the e-mail entirely, and I cannot configure manually any more.
My main problem here was patience :)