Block e-mail configuration on iOS


I started configuring in my environment a group of policies to block users from using their e-mail account in any apps except those I have authorized.

It worked well on Android devices, but on iOS devices it's not working properly.

The user tries to configure their e-mail in the native Mail app and receives a message that they need to use Outlook.

After installing Outlook, the user receives a message that they need to enroll the device to access their account.

But after enrolling the device and configuring their account in Outlook, the user tried to configure their account in the Gmail app and it worked just the same, even with the conditional access rule saying that they could only use their e-mail account in Outlook.

Why doesn't the conditional access block the configuration in the Gmail app like it did with the native app?

All users are in Exchange Online, and the option "require approved client app" in my conditional access is already flagged.

9 Replies

Nobody?

Hi Paulo

Edit: As I was typing this I've just tested this on my device, and it seems that the Gmail app on iOS does indeed allow users to set up their Office 365 mail, even if Conditional Access requires the use of an approved app AND blocks ActiveSync connections. I'm going to raise this with Premier Support to investigate.

You'll want to take a look here and make sure your conditional access policies are set up correctly: https://docs.microsoft.com/en-us/intune/exchange-online-protect

Essentially, you need to set up one Conditional Access policy that forces iOS and Android users to use approved apps only (i.e. Outlook).

Then set up a second Conditional Access policy that blocks the use of ActiveSync on iOS and Android for accessing Exchange Online.

So long as you ensure that ActiveSync connections are blocked, it should prevent the Gmail app on iOS devices from being used.

Hi Daniel,

I tried to create the second CA rule, but I received a message:

What could it be? The message doesn't have any link explaining why the configuration is not supported.

Thanks!


Hi Paulo. Can you post what settings you configured?

Here are my settings:

[attachments: 1.JPG, 2.JPG, 3.JPG, 4.JPG, 5.JPG]

Hi Paulo

Yup, all looks good to me. I've got the same settings (except we allow users to access email without enrollment so devices don't need to be marked as compliant for us).

After further investigation, it appears that Gmail is using IMAP to access Exchange Online, which would explain why this policy doesn't pick it up.

At that point I'm not sure what can be done. I'm waiting to hear back from Premier Support on the issue to see what the official advice is.

One thing that you can do is disable IMAP/POP from exchange online and prevent any devices from connecting with IMAP. 
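
The IMAP/POP hardening suggested above, written out as an added Exchange Online PowerShell example (this is not code from the thread or from Microsoft's documentation). It assumes the ExchangeOnlineManagement module is installed and that the account running it holds an Exchange administrator role. It disables IMAP and POP on every existing mailbox, disables them in the CAS mailbox plans so newly created mailboxes inherit the setting, and then re-reads the mailboxes so you have evidence that nothing was missed.

```powershell
# Added example, not from the thread: disable IMAP and POP for all Exchange
# Online mailboxes and verify the result.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# 1. Turn IMAP/POP off for every mailbox that still has either protocol enabled.
Get-EXOCASMailbox -ResultSize Unlimited -Properties PrimarySmtpAddress, ImapEnabled, PopEnabled |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ImapEnabled $false -PopEnabled $false
        Write-Host "Disabled IMAP/POP for $($_.PrimarySmtpAddress)"
    }

# 2. Turn them off in every CAS mailbox plan so new mailboxes inherit the setting
#    instead of being created with IMAP/POP enabled again.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -ImapEnabled $false -PopEnabled $false
}

# 3. Verify: list any mailbox where either protocol is still on.
$stillOpen = Get-EXOCASMailbox -ResultSize Unlimited -Properties PrimarySmtpAddress, ImapEnabled, PopEnabled |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled }

if ($stillOpen) {
    $stillOpen | Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled | Format-Table -AutoSize
} else {
    Write-Host "IMAP and POP are disabled on all mailboxes."
}
```

Step 2 matters because per-mailbox settings only cover mailboxes that exist today; a later reply in this thread reports that the Gmail app could still be configured after IMAP/POP were switched off, so treat this as closing one protocol path rather than as a complete fix.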

Hi Tom,

We already tried that here, but I can still configure my company account in the Gmail app on iOS.

 

Hi,

Without having run any tests, I think the Gmail app uses legacy auth rather than modern auth to authenticate, and therefore doesn't go through Conditional Access.

To block legacy auth for applications you can follow this and use ADFS:

Block apps that do not use modern authentication (ADAL)

https://docs.microsoft.com/en-us/intune/app-modern-authentication-block

Or wait for the native implementation of legacy auth blocking in Conditional Access; it's titled as "Coming soon":

https://blogs.msdn.microsoft.com/samueld/2017/06/13/choosing-the-right-sign-in-option-to-connect-to-...

Block legacy protocols: Coming Soon (Premium)
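
The "block legacy protocols" policy that the reply above says was still "coming soon", as an added example using the Microsoft Graph PowerShell SDK (this is not code from the thread, from Microsoft's documentation, or from the linked blog post). It assumes the Microsoft.Graph SDK is installed, that the Conditional Access client app types `exchangeActiveSync` and `other` (the "Other clients" legacy-authentication category) are available in the tenant, and that `<break-glass-account-object-id>` is replaced with the object ID of an emergency-access account. The policy is created in report-only mode, and recent sign-ins are then grouped by client type so you can see which users and apps the policy would catch before enforcing it.

```powershell
# Added example, not from the thread: create a report-only Conditional Access
# policy that targets legacy-authentication clients, then summarise recent
# sign-ins by client type to preview its impact.
# Assumes the Microsoft.Graph PowerShell SDK; the clientAppTypes values below
# are the Graph names for "Exchange ActiveSync" and "Other clients".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$policy = @{
    displayName = "Report-only: block legacy auth (ActiveSync and other clients)"
    # Switch to "enabled" only after reviewing the report-only results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Placeholder: always exclude at least one emergency-access account.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy
Write-Host "Created policy $($created.id) in state $($created.state)"

# Preview: group the most recent 500 sign-ins by the client type Azure AD
# recorded. Entries such as "Exchange ActiveSync", "IMAP4", "POP3" or
# "Other clients" are the legacy-auth traffic this policy would block;
# "Browser" and "Mobile Apps and Desktop clients" are modern auth.
$signIns = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$top=500"

$signIns.value |
    Group-Object clientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Report-only mode is the point of this example: legacy-auth blocking affects every basic-auth client in the tenant, not only the Gmail app discussed here, so the sign-in summary tells you who would be cut off before you change the state to "enabled".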