07-01-2019 08:35 AM
07-01-2019 08:35 AM
When I create CA Policies for iOS, (All iOS devices on iOS 11+)
Scenario: Client has existing iPhone's already in use - 90% use native iOS App - We want to force these devices into MDM Enrollment (via Intune)
I am essentially using this guide to set CA policies : https://www.easycloud365.com/blog/how-to-block-native-apple-mail-app-ios-with-conditional-access-par...
So far this works if I am setting up a new device, it will prompt me to sign into organisation and require me to enroll the device etc. - Works as it says on the tin. However....
A couple of things are apparent:
I am then able to get mail flowing in the native iOS mail app without the phone being required to go into MDM or adhere to the Conditional Access Policies and Compliance policies
Next is that any phones already with their mail configured in the default iOS App
I hope this all makes some sense - and looking for any guidance. i.e. perhaps I need to block via PowerShell?
Thanks for your time reading this.
07-02-2019 12:39 AM
@Adam Weldon-Ming Nature of Conditional Access is that it actually works only with Modern Auth. So, in your case you need to have 2 policies.
- One to block Legacy authentication.
- And one more following guide you used.
07-02-2019 01:15 AM
What does the sign-inn log in Azure AD say, choose to show the client app column?
Do you also block legacy authentication?
You could also add an App Protection Policy to make sure also nonregistered BYOD devices are forced to use Outlook, but this shouldn't be necessary for access control if you don't also want better management of company data.
07-02-2019 07:00 AM - edited 07-02-2019 07:15 AM
I have created two policies
1 Policy for Legacy and Native iOS App
1 Policy for Modern Authentication
Both Require device to be marked as compliant & Requires approved client app
But I am still able to get mail to flow in once configuring manually.
(unless while I am changing policies it may take some time before it takes affect)
These are my policies
Only applying to Exchange Online App
Only applying to iOS and Android devices.
[First is for native iOS / Legacy Auth]
[Second below is for Modern Auth - If setting up via outlook app this works fine and enrolls the device problem I think is the first policy above]
With the above set - I was able to manually configure mail on iOS device by adding the server: outlook.office365.com
I have turned policies on and off for the first one so maybe it will rake some time to apply(?)
I checked Sign-Ins on Azure AD monitoring but not showing anything with signing if I configure manually -
07-02-2019 11:11 AM - edited 07-02-2019 11:32 AMSolution
07-02-2019 03:02 PM
@jenstf- Many thanks - this has helped clarify some things in my head
1 last question on this if that's ok:
It's also recommended to make one policy for active sync and one for other clients.
Would you essential be creating 3 for this? i.e.
Or would you always combine, say, Exchange ActiveSync + Apply policy only to supported platforms in one policy?
07-02-2019 10:46 PM
@Adam Weldon-Ming In my policies I don't use "Apply policy only to supported platforms". The documentation isn't clear on what that choice actually is good for. i.e. Linux isn't a supported platform and will then bypass this policy.
I have one policy with "Exchange active sync clients" and one for "other clients".
07-03-2019 08:44 AM
Thanks a lot @jenstf
I've separated them out into 2 policies and this has forced my test iPhone's to get the message to enroll the phones. Rather than blocking the e-mail entirely and I cannot configure manually any more.
My main problem here was patience :)
10-17-2019 03:49 AM
@Adam Weldon-Ming could you summarize and provide us with the final conditional access policies?
I have the same problem. I push an E-Mail profile (via the Device Configuration Profile) to the devices. However, I want the native Mail app to be blocked.
11-01-2019 02:55 AM
Hey, sorry for the long wait - best thing I think to do here now is to use the :
"Baseline policy: Block Legacy authentication (Preview)"
Enable this Policy - However, there are no exceptions for this so therefore it would apply to all users, global admins etc.
If you need to have it more granular you can do a couple thinfs
1 - Build a custom Conditional Access Policy that BLOCKS legacy authentication.
2 - Create a authentication policy: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...
CA Is more recommended though.