Home

Block 3rd Party Mail/Calendar Apps

%3CLINGO-SUB%20id%3D%22lingo-sub-136575%22%20slang%3D%22en-US%22%3EBlock%203rd%20Party%20Mail%2FCalendar%20Apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-136575%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EHi%20all%2C%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIs%20it%20possible%20to%20block%20users%20from%20logging%20into%20their%20Office%20365%20accounts%20via%203rd%20party%20iOS%20apps%20such%20as%20MyMail%20which%20is%20found%20on%20the%20Appstore%2FPlay%20Store%26nbsp%3B%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ELink%20to%20MyMail%3A%3CBR%20%2F%3E%3CA%20title%3D%22MyMail%20iOS%20AppStore%20link%22%20href%3D%22https%3A%2F%2Fitunes.apple.com%2Fus%2Fapp%2Fmymail-email-app%2Fid722120997%3Fmt%3D8%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fitunes.apple.com%2Fus%2Fapp%2Fmymail-email-app%2Fid722120997%3Fmt%3D8%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EWe're%20in%20the%20process%20of%20migrating%20all%20users%20to%20Outlook%20for%20iOS%2FAndroid.%20If%20corporate%20owned%2C%20they%20will%20enroll%20via%20the%20Company%20Portal%20app%20and%20have%20Outlook%2C%20Work%2C%20Excel%2C%20PowerPoint%2C%20Teams%2C%20OneDrive%20%26amp%3B%20Authenticator%26nbsp%3Bauto%20installed%2Fpushed.%20If%20they%20are%20BYOD%2C%20I%20need%20them%20to%20only%20use%20Outlook%20for%20iOS%2FAndroid%20with%20an%20app%20password%20forced%20via%20Intune%20App%20Protection%20Policy.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EI've%20attempted%20disabling%20ActiveSync%2C%20%2B%20OWA%20for%20Devices%20within%20O365.%20No%20luck.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAppreciate%3CSPAN%3E%26nbsp%3Bany%20input.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ECheers%3CBR%20%2F%3EBrett%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-136575%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eblock%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Email%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Emymail%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-139035%22%20slang%3D%22en-US%22%3ERe%3A%20Block%203rd%20Party%20Mail%2FCalendar%20Apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-139035%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20may%20be%20able%20to%20achieve%20this%20by%20using%20Conditional%20access%20with%20Intune.%20There%20is%20an%20option%20to%20restrict%20access%20to%20Approved%20app.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fapp-based-conditional-access-intune-create%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fapp-based-conditional-access-intune-create%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-732851%22%20slang%3D%22en-US%22%3ERe%3A%20Block%203rd%20Party%20Mail%2FCalendar%20Apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-732851%22%20slang%3D%22en-US%22%3EI%20had%20a%20similar%20situation%2C%20we%20blocked%20IMAP%20and%20POP%20using%20Set-CASMailbox%2C%20and%20now%20the%20new%20Set-Mailbox%20-AuthenticationPolicy.%20This%20doesn't%20strictly%20bind%20them%20to%20Outlook%2C%20but%20it%20prevents%20them%20from%20going%20out%20there%20and%20using%20non%20OIDC%2FOAuth%20based%20apps%20(like%20MyMail).%3CBR%20%2F%3E%3CBR%20%2F%3ELike%20the%20other%20reply%2C%20you%20can%20use%20Conditional%20Access%20to%20to%20achieve%20a%20similar%20result%20and%20block%20the%20way%20apps%20like%20MyMail%20connect%2C%20but%20it%20won't%20lock%20your%20users%20choice%20down%20to%20Outlook%20only.%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20can%20also%20use%20Cloud%20App%20security%20(license%20needed)%20to%20control%20business%20sanctioned%20apps.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-733607%22%20slang%3D%22en-US%22%3ERe%3A%20Block%203rd%20Party%20Mail%2FCalendar%20Apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-733607%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102094%22%20target%3D%22_blank%22%3E%40Brett%20Lindsey%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EIf%20Outlook%20mobile%20is%20the%20only%20app%2C%20you%20need%20to%20create%20few%20Conditional%20Access%20policies.%3CBR%20%2F%3E-%20Policy%20to%20block%20apps%20with%20legacy%20auth.%3C%2FP%3E%3CP%3E-%20Policy%20to%20require%20%22Approved%20client%20app%22%20to%20connect%20to%20Exchange.%20Because%20only%20MS%20apps%20are%20%22Approved%22%20it%20will%20limit%20everyone%20to%20Outlook%20only.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-733614%22%20slang%3D%22en-US%22%3ERe%3A%20Block%203rd%20Party%20Mail%2FCalendar%20Apps%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-733614%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F102094%22%20target%3D%22_blank%22%3E%40Brett%20Lindsey%3C%2FA%3E%26nbsp%3BYou%20should%20block%20legacy%20authentication%20anyway%20with%20conditional%20access.%20With%20that%20you%20get%20rid%20of%20most%203rd%20party%20apps.%20As%20far%20as%20I%20know%2C%20only%20the%20native%20iOS%20email%20application%20supports%20modern%20authentication.%3CBR%20%2F%3E%3CBR%20%2F%3ETwo%20policies%20with%20block%20as%20action%20control%2C%20one%20for%20other%20clients%20and%20one%20for%20active%20sync%20under%20client%20apps.%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20combination%20with%20approved%20client%20app%20cond%20acc.%20and%20eventually%20App%20Protection%20policy%20you%20should%20be%20able%20to%20force%20the%20users%20to%20use%20Outlook%3C%2FP%3E%3C%2FLINGO-BODY%3E
Brett Lindsey
Occasional Contributor

Hi all,

Is it possible to block users from logging into their Office 365 accounts via 3rd party iOS apps such as MyMail which is found on the Appstore/Play Store ? 

 

Link to MyMail:
https://itunes.apple.com/us/app/mymail-email-app/id722120997?mt=8

 

We're in the process of migrating all users to Outlook for iOS/Android. If corporate owned, they will enroll via the Company Portal app and have Outlook, Work, Excel, PowerPoint, Teams, OneDrive & Authenticator auto installed/pushed. If they are BYOD, I need them to only use Outlook for iOS/Android with an app password forced via Intune App Protection Policy.

 

I've attempted disabling ActiveSync, + OWA for Devices within O365. No luck.

 

Appreciate any input. 

 

Cheers
Brett

4 Replies

You may be able to achieve this by using Conditional access with Intune. There is an option to restrict access to Approved app. 

https://docs.microsoft.com/en-us/intune/app-based-conditional-access-intune-create

 

I had a similar situation, we blocked IMAP and POP using Set-CASMailbox, and now the new Set-Mailbox -AuthenticationPolicy. This doesn't strictly bind them to Outlook, but it prevents them from going out there and using non OIDC/OAuth based apps (like MyMail).

Like the other reply, you can use Conditional Access to to achieve a similar result and block the way apps like MyMail connect, but it won't lock your users choice down to Outlook only.

You can also use Cloud App security (license needed) to control business sanctioned apps.

@Brett Lindsey 
If Outlook mobile is the only app, you need to create few Conditional Access policies.
- Policy to block apps with legacy auth.

- Policy to require "Approved client app" to connect to Exchange. Because only MS apps are "Approved" it will limit everyone to Outlook only.

@Brett Lindsey You should block legacy authentication anyway with conditional access. With that you get rid of most 3rd party apps. As far as I know, only the native iOS email application supports modern authentication.

Two policies with block as action control, one for other clients and one for active sync under client apps.

In combination with approved client app cond acc. and eventually App Protection policy you should be able to force the users to use Outlook

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies