Mar 01 2018 07:48 AM - edited Mar 02 2018 06:07 AM
I started configuring a group of policies in my environment to block users from using their e-mail account in apps that I have not authorized.
It worked well on Android devices, but on iOS devices it's not working properly.
The user tries to configure their e-mail in the native Mail app and receives a message saying that they need to use Outlook.
After installing Outlook, the user receives a message that they need to enroll the device to access their account.
But after enrolling the device and configuring their account in Outlook, the user tried to configure their account in the Gmail app and succeeded, even though the conditional access rule says they can only use their e-mail account in Outlook.
Why doesn't conditional access block the configuration in the Gmail app like it did with the native app?
All users are in Exchange Online and the option "require approved client app" is already flagged in my conditional access policy.
Mar 07 2018 10:32 AM
Mar 10 2018 02:26 AM
Hi Paulo
Edit: As I was typing this I've just tested this on my device, and it seems that the Gmail app on iOS does indeed allow users to set up their Office 365 mail, even if Conditional Access requires the use of an approved app AND blocks ActiveSync connections. I'm going to raise this with Premier Support to investigate.
You'll want to take a look here and make sure your conditional access policies are set up correctly: https://docs.microsoft.com/en-us/intune/exchange-online-protect
Essentially, you need to set up one Conditional Access policy that forces iOS and Android users to use approved apps only (i.e. Outlook).
Then set up a second Conditional Access policy that blocks the use of ActiveSync on iOS and Android for accessing Exchange Online.
So long as you ensure that ActiveSync connections are blocked, it should prevent the Gmail app on iOS devices from being used.
Mar 10 2018 10:26 AM
Hi Daniel,
I tried to create the second CA rule, but I received a message:
What could it be? The message doesn't have any link to explain why the configuration is not supported.
Thanks!
Mar 10 2018 10:30 AM
Mar 10 2018 11:04 AM - edited Mar 10 2018 11:05 AM
Here are my settings:
Mar 11 2018 12:36 PM
Mar 30 2018 07:49 AM
One thing that you can do is disable IMAP/POP in Exchange Online and prevent any devices from connecting with IMAP.
Mar 30 2018 02:45 PM - edited Mar 30 2018 02:46 PM
Hi Tom,
We already tried that here, but I can still configure my company account in the Gmail app on iOS.
Apr 18 2018 01:01 AM
Hi,
Without having done any tests, I think the Gmail app uses legacy auth rather than modern auth to authenticate, and therefore is not subject to Conditional Access.
To block legacy auth for applications you can follow this and use ADFS:
Block apps that do not use modern authentication (ADAL)
https://docs.microsoft.com/en-us/intune/app-modern-authentication-block
Or wait for the native implementation of blocking legacy auth in Conditional Access, which is listed as "Coming soon":
Block legacy protocols | Coming Soon (Premium) |
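The thread converges on three separate controls: Daniel's pair of policies (require an approved client app on iOS/Android, and block Exchange ActiveSync for Exchange Online on those platforms) and Thomas's point that a legacy-auth client never reaches Conditional Access unless "other clients" are blocked too. The script below is an added example, not code from this thread or from Microsoft: it audits a list of Conditional Access policies for those three controls and reports which one is missing or only in report-only mode. It assumes policy objects in the shape of the Microsoft Graph `conditionalAccessPolicy` resource (property names such as `conditions.clientAppTypes`, `grantControls.builtInControls` and the enum values `exchangeActiveSync`, `other`, `approvedApplication` are my assumption; check them against the Graph reference before relying on them), and both policy sets are constructed inline for illustration rather than exported from a tenant.

```python
"""Audit Conditional Access policies for the mobile-mail gaps discussed above.

Added example, not code from this thread or from Microsoft. Policy objects follow the
shape of the Microsoft Graph conditionalAccessPolicy resource (assumption: property
names and enum values used here). Sample policy sets are constructed, not exported.
"""
import json

# Application id of "Office 365 Exchange Online" as it appears in CA policy targets.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"
MOBILE_PLATFORMS = {"iOS", "android"}

# Constructed: the state described in the thread. The approved-app policy is enforced,
# the ActiveSync block exists but is only in report-only mode, and nothing covers
# "other clients" (legacy authentication), which is the path a Gmail-style client takes.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Mobile: require approved client app", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]},
                 "platforms": {"includePlatforms": ["iOS", "android"], "excludePlatforms": []},
                 "clientAppTypes": ["mobileAppsAndDesktopClients"]},
  "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
 {"displayName": "Mobile: block Exchange ActiveSync", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]},
                 "platforms": {"includePlatforms": ["iOS", "android"], "excludePlatforms": []},
                 "clientAppTypes": ["exchangeActiveSync"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

# Constructed: the same tenant with the ActiveSync block enforced and a third policy
# that blocks legacy-auth ("other") clients against every app on every platform.
FIXED_POLICIES = json.loads(
    json.dumps(SAMPLE_POLICIES).replace("enabledForReportingButNotEnforced", "enabled")
) + [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "platforms": None,  # no platform condition: applies everywhere
                    "clientAppTypes": ["other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def _enforced(policy):
    # Report-only and disabled policies do not change a sign-in outcome.
    return policy.get("state") == "enabled"


def _targets_exchange(policy):
    apps = policy["conditions"]["applications"].get("includeApplications") or []
    return "All" in apps or EXCHANGE_ONLINE_APP_ID in apps


def _covers_mobile(policy):
    plat = policy["conditions"].get("platforms")
    if not plat:  # platform condition not configured: every platform is in scope
        return True
    included = set(plat.get("includePlatforms") or [])
    excluded = set(plat.get("excludePlatforms") or [])
    if "all" in included:
        return not (MOBILE_PLATFORMS & excluded)
    return MOBILE_PLATFORMS <= included


def _client_types(policy):
    return set(policy["conditions"].get("clientAppTypes") or [])


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def audit(policies):
    """Return which of the three mobile-mail controls some enforced policy provides."""
    found = {"approved_app_required": False,
             "activesync_blocked": False,
             "legacy_auth_blocked": False}
    for policy in policies:
        if not (_enforced(policy) and _targets_exchange(policy) and _covers_mobile(policy)):
            continue
        types, controls = _client_types(policy), _controls(policy)
        if "approvedApplication" in controls and types & {"mobileAppsAndDesktopClients", "all"}:
            found["approved_app_required"] = True
        if "block" in controls and types & {"exchangeActiveSync", "all"}:
            found["activesync_blocked"] = True
        if "block" in controls and types & {"other", "all"}:
            found["legacy_auth_blocked"] = True
    return found


def missing_controls(policies):
    """Names of controls no enforced policy provides, sorted for stable output."""
    return sorted(name for name, ok in audit(policies).items() if not ok)


if __name__ == "__main__":
    for label, policies in (("as described in thread", SAMPLE_POLICIES), ("after fix", FIXED_POLICIES)):
        print(f"{label}: missing = {missing_controls(policies) or 'nothing'}")
```

Feeding it a real export (for example the JSON returned by the Graph `conditionalAccessPolicies` endpoint) instead of the constructed lists would show the same three verdicts for your tenant; a policy that exists but sits in report-only mode, or that targets only one of the two mobile platforms, is reported as missing, which is exactly the kind of misconfiguration that lets a non-Outlook mail client through.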