SOLVED

Conditional Access question - Native email (iOS) and Block Exchange Active Sync

Occasional Contributor

I have a Conditional Access policy that blocks Exchange Active Sync Clients.

 

Earlier I experienced that the native mail on iOS was blocked, but these days the native mail works fine even though this CAP (Active Sync - Block) is active. Is that because the native email app in iOS got support for OAuth in iOS 12+? Is it correct to state that the "Block Active Sync" CAP only blocks Active Sync when the client uses Basic Authentication? Which means that if the email client is using Active Sync as a mail protocol but modern auth as authentication, it will not become blocked?

 

So if we really want to turn off Active Sync (even though it's modern authentication) we need to use this? https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...

 

Another way would be using a supported app and/or app protection (since none of that is supported for the native mail), but I thought that "Block Active Sync" should disable the native mail app. I guess I haven't been keeping up.

2 Replies
Best Response confirmed by Simon Håkansson (Occasional Contributor)
Solution
This is true. Apple now supports OAuth and is being recognized as 'Modern desktop application'.
In order to block the iOS app you have two options:
- Require an approved app/app protection policy like you mentioned
- Disable the 'enterprise application' 'iOS accounts' which iOS uses in the background
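
Added example, not part of the thread: one way to check an exported sign-in log for native iOS mail sign-ins that a policy scoped only to the Exchange ActiveSync client app type does not match. It assumes records shaped like the Microsoft Graph `signIn` resource and the client app strings shown in the comments; the sample records are constructed.

```python
from collections import Counter

# Assumed value of clientAppUsed for legacy (basic auth) ActiveSync sign-ins.
EAS_CLIENT_APP = "Exchange ActiveSync"
# Enterprise application named in the reply above.
NATIVE_IOS_APP = "iOS Accounts"

# Constructed sample records; field names follow the Graph signIn resource.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "anna@example.com", "appDisplayName": "iOS Accounts",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"operatingSystem": "iOS 14.1"}},
    {"userPrincipalName": "bo@example.com",
     "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync",
     "deviceDetail": {"operatingSystem": "iOS 10.3"}},
    {"userPrincipalName": "cy@example.com", "appDisplayName": "Outlook Mobile",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"operatingSystem": "iOS 14.1"}},
    {"userPrincipalName": "anna@example.com", "appDisplayName": "iOS Accounts",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"operatingSystem": "iOS 14.1"}},
]


def matched_by_eas_block(signin):
    """True if a policy whose only client app condition is Exchange
    ActiveSync would apply to this sign-in."""
    return signin.get("clientAppUsed") == EAS_CLIENT_APP


def native_mail_not_covered(signins, app_name=NATIVE_IOS_APP):
    """Per user, count sign-ins through app_name that the EAS-only block
    policy does not match (modern auth, so a different client app type)."""
    missed = Counter()
    for s in signins:
        is_native = s.get("appDisplayName", "").lower() == app_name.lower()
        if is_native and not matched_by_eas_block(s):
            missed[s.get("userPrincipalName", "unknown")] += 1
    return dict(missed)


if __name__ == "__main__":
    for user, count in native_mail_not_covered(SAMPLE_SIGNINS).items():
        print(f"{user}: {count} native iOS mail sign-in(s) outside the EAS block")
```

Users listed by this check are the ones affected when either option from the reply is applied.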