SOLVED
Home

block attachments on outlook mobile application

%3CLINGO-SUB%20id%3D%22lingo-sub-193966%22%20slang%3D%22en-US%22%3Eblock%20attachments%20on%20outlook%20mobile%20application%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-193966%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20ran%20the%20below%20command%20and%20this%20has%20blocked%20attachments%20from%20being%20downloaded%20on%20default%20mail%20app%2C%20however%20its%20not%20working%20on%20Outlook%20Mobile%20application.%20Users%20are%20still%20able%20to%20download%20attachments%20on%20Outlook%20mobile%20application.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20assist%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESet-ActiveSyncMailboxPolicy%20-Identity%20default%20-AttachmentsEnabled%20%24false%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-193966%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Ignite%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-332771%22%20slang%3D%22en-US%22%3ERe%3A%20block%20attachments%20on%20outlook%20mobile%20application%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-332771%22%20slang%3D%22en-US%22%3E%3CP%3EI%20don't%20understand%20how%20Information%20Protection%20comes%20into%20play%20in%20that%20scenario.%3C%2FP%3E%3CP%3EThe%20application%20protection%20policy%20is%20from%20what%20I%20understand%20replacing%20ActiveSyncMailboxPolicy%20for%20managed%20Apps%20such%20as%20Outlook.%3C%2FP%3E%3CP%3EI%20do%20also%20have%20conditional%20access%20policies%20set%20to%20only%20allow%20connections%20to%20Exchange%20from%20iOS%20%26amp%3B%20Android%20using%20a%20Managed%20Application%20only%20but%20this%20isn't%20enough%20we%20are%20still%20missing%20a%20setting%20to%20control%20email%20attachments.%3C%2FP%3E%3CP%3ELike%20I%20said%20have%20a%20policy%20disallowing%20users%20from%20saving%20an%20email%20or%20attachment%20is%20completely%20pointless%20if%20you%20can%20just%20forward%20it%20to%20another%20email%20account%20and%20do%20it%20from%20there.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-332399%22%20slang%3D%22en-US%22%3ERe%3A%20block%20attachments%20on%20outlook%20mobile%20application%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-332399%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20your%20response.%26nbsp%3B%20The%20answer%20is%20more%20than%20just%20a%20point%20product%20like%20Intune.%26nbsp%3B%20EMS%20will%20allow%20for%20what%20you%20want%20with%20a%20combination%20of%3A%3C%2FP%3E%0A%3CUL%20style%3D%22list-style-position%3A%20inside%3B%22%3E%0A%3CLI%3EIntune%20MAM%20policies%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3EIntune%20App%20Protection%20Properties%20and%20Windows%20Information%20Protection%26nbsp%3B%20(Prevent%20copy%20paste%20of%20business%20data%20to%20non-business%20apps%3C%2FLI%3E%0A%3CLI%3EAzure%20AD%20Session%20Limits%20for%20Conditional%20Access%20(Prevent%20download%20in%20SharePoint%2C%20OneDrive%20and%20Exchange)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ESome%20resources%20to%20help%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fcbernier%2F2017%2F09%2F11%2Fazure-ad-premium-conditional-access-and-session-controls%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20AD%20Premium%20Conditional%20Access%20and%20Session%20Controls%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fmyignite.techcommunity.microsoft.com%2Fsessions%2F64283%23ignite-html-anchor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EBRK3009%20-%20Accelerate%20deployment%20and%20adoption%20of%20Microsoft%20Information%20Protection%20solutions%20(Video)%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fmyignite.techcommunity.microsoft.com%2Fsessions%2F64299%23ignite-html-anchor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EBRK3002%20-%20Understanding%20how%20Microsoft%20Information%20Protection%20capabilities%20work%20together%20to%20protect%20sensitive%20information%20across%20devices%2C%20apps%2C%20and%20services%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-332144%22%20slang%3D%22en-US%22%3ERe%3A%20block%20attachments%20on%20outlook%20mobile%20application%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-332144%22%20slang%3D%22en-US%22%3E%3CP%3EMAM%20policies%20do%20not%20allow%20you%20to%20deny%20or%20block%20access%20to%20email%20attachments.%3C%2FP%3E%3CP%3ECut%2C%20copy%2C%20paste%2C%20and%20%E2%80%9Csave%20as%E2%80%9D%20restrictions%20via%20App%20policies%20are%20working%20fine%20but%20they%20are%20useless%20on%20Outlook%20for%20iOS%20as%20you%20can%20just%20forward%20an%20email%20attachement%20to%20a%20gmail%20or%20else%20account%20and%20cut%2C%20copy%20save%20as%20from%20here.%3C%2FP%3E%3CP%3EMassive%20oversight!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-194034%22%20slang%3D%22en-US%22%3ERe%3A%20block%20attachments%20on%20outlook%20mobile%20application%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-194034%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20can%20be%20done%2C%20but%20it%20will%20depend%20on%20your%20licensing.%26nbsp%3B%20You%20will%20have%20to%20control%20the%20app%20with%20MAM%20via%20Intune.%26nbsp%3B%20Then%20you%20can%20set%20policy%20for%20Outlook%2C%20SharePoint%20app%2C%20OneDrive%2C%20etc.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fblog%2F2015%2F06%2F18%2Fnew-intune-capabilities-for-outlook-on-ios-and-android%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fblog%2F2015%2F06%2F18%2Fnew-intune-capabilities-for-outlook-on-ios-and-android%2F%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EIf%20you%20are%20looking%20for%20broader%20protection%20capabilities%20beyond%20what%E2%80%99s%20included%20in%20%3CSPAN%20class%3D%22brand%22%3EOffice%20365%3C%2FSPAN%3E%2C%20you%20can%20subscribe%20to%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fserver-cloud%2Fproducts%2Fmicrosoft-intune%2Fdefault.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Intune%3C%2FA%3E%2C%20which%20is%20part%20of%20the%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fserver-cloud%2Fenterprise-mobility%2Foverview.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20Enterprise%20Mobility%20Suite%3C%2FA%3E.%20Intune%20provides%20mobile%20application%20management%20(MAM)%20capabilities%20for%20Outlook%20and%20other%20Office%20mobile%20apps%20in%20addition%20to%20the%20conditional%20access%20and%20device%20management%20capabilities%20outlined%20above.%20With%20Intune%20MAM%2C%20you%20can%20restrict%20actions%20such%20as%20cut%2C%20copy%2C%20paste%2C%20and%20%E2%80%9Csave%20as%E2%80%9D%20of%20corporate%20data%20between%20Intune-managed%20apps%20and%20apps%20that%20are%20not%20managed%20by%20Intune.%20Additionally%2C%20the%20Intune-managed%20Outlook%20apps%20include%20a%20new%20multi-identity%20management%20feature%20that%20enables%20users%20to%20access%20both%20their%20personal%20and%20work%20email%20accounts%20in%20the%20same%20Outlook%20app%20while%20only%20applying%20the%20Intune%20MAM%20policies%20to%20the%20user%E2%80%99s%20work%20account%20%E2%80%93%3CWBR%20%2F%3E%20this%20provides%20a%20much%20more%20seamless%20user%20experience.%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-194003%22%20slang%3D%22en-US%22%3ERe%3A%20block%20attachments%20on%20outlook%20mobile%20application%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-194003%22%20slang%3D%22en-US%22%3EAlright...%20thanks%20for%20telling%20me%20that%3CBR%20%2F%3E%3CBR%20%2F%3EWhen%20you%20say%20no%2C%20you%20should%20mention%20alternative%20as%20well.%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20now%20could%20you%20please%20tell%20me%20what%20policy%20should%20I%20apply%20to%20restrict%20users%20from%20not%20being%20able%20to%20download%20attachments%20on%20outlook%20mobile%20application%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20there%20is%20no%20way%2C%20just%20say%20that%20abruptly%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-193990%22%20slang%3D%22en-US%22%3ERe%3A%20block%20attachments%20on%20outlook%20mobile%20application%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-193990%22%20slang%3D%22en-US%22%3E%3CP%3EOutlook%20mobile%20does%20not%20use%20ActiveSync%20(anymore)%2C%20thus%20you%20cannot%20expect%20all%20the%20restrictions%20configured%20via%20active%20sync%20policies%20to%20apply.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Ashish Mangtani
New Contributor

I have ran the below command and this has blocked attachments from being downloaded on default mail app, however its not working on Outlook Mobile application. Users are still able to download attachments on Outlook mobile application.

 

Please assist

 

 

Set-ActiveSyncMailboxPolicy -Identity default -AttachmentsEnabled $false

6 Replies

Outlook mobile does not use ActiveSync (anymore), thus you cannot expect all the restrictions configured via active sync policies to apply.

Alright... thanks for telling me that

When you say no, you should mention alternative as well.

So now could you please tell me what policy should I apply to restrict users from not being able to download attachments on outlook mobile application


If there is no way, just say that abruptly
Solution

This can be done, but it will depend on your licensing.  You will have to control the app with MAM via Intune.  Then you can set policy for Outlook, SharePoint app, OneDrive, etc. 

 

https://www.microsoft.com/en-us/microsoft-365/blog/2015/06/18/new-intune-capabilities-for-outlook-on...

 

 

If you are looking for broader protection capabilities beyond what’s included in Office 365, you can subscribe to Microsoft Intune, which is part of the Microsoft Enterprise Mobility Suite. Intune provides mobile application management (MAM) capabilities for Outlook and other Office mobile apps in addition to the conditional access and device management capabilities outlined above. With Intune MAM, you can restrict actions such as cut, copy, paste, and “save as” of corporate data between Intune-managed apps and apps that are not managed by Intune. Additionally, the Intune-managed Outlook apps include a new multi-identity management feature that enables users to access both their personal and work email accounts in the same Outlook app while only applying the Intune MAM policies to the user’s work account – this provides a much more seamless user experience.

MAM policies do not allow you to deny or block access to email attachments.

Cut, copy, paste, and “save as” restrictions via App policies are working fine but they are useless on Outlook for iOS as you can just forward an email attachement to a gmail or else account and cut, copy save as from here.

Massive oversight!

 

 

Thanks for your response.  The answer is more than just a point product like Intune.  EMS will allow for what you want with a combination of:

  • Intune MAM policies 
  • Intune App Protection Properties and Windows Information Protection  (Prevent copy paste of business data to non-business apps
  • Azure AD Session Limits for Conditional Access (Prevent download in SharePoint, OneDrive and Exchange)

Some resources to help

I don't understand how Information Protection comes into play in that scenario.

The application protection policy is from what I understand replacing ActiveSyncMailboxPolicy for managed Apps such as Outlook.

I do also have conditional access policies set to only allow connections to Exchange from iOS & Android using a Managed Application only but this isn't enough we are still missing a setting to control email attachments.

Like I said have a policy disallowing users from saving an email or attachment is completely pointless if you can just forward it to another email account and do it from there.