Oct 17 2019 06:40 AM
Oct 17 2019 06:40 AM
I'm trying to figure out how I can disable a user's mobile device from syncing with Outlook if it's already syncing now.
What can I do if I need to stop someone from accessing their email on their phone? Preferably something through Powershell since I need to do this for a number of people but if I have to click through the GUI, I can make that work.
Oct 17 2019 08:51 AM
Disabling ActiveSync should not have any effect, as the Outlook app now uses a new protocol. OWA doesn't relate to the mobile Outlook app. The -OutlookMobileEnabled parameter is what you should use.
Removing the device should work however, perhaps with some delay due to token expiration and stuff (you can try revoking tokens to speed it up). Other than that, you can use device access rule or blacklist the client for EWS.
All this and more is summarized here: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...
Oct 17 2019 09:38 AM
@Vasil MichevI set my own account to OutlookMobileEnabled: False but am still able to send and receive from my phone. Maybe it takes a bit to take effect so I'll try again in a bit.
The reason we are doing this is we have an internal Mobile Device Policy that everyone has to agree to if they want to sync their email to their phone. We want to disable the ability to get email on their phones by default and then we can enable it for people as they sign the policy form. Is there a good way to do that? I thought I saw something you could set so all device go into quarantine as soon as they try to connect and then we could Allow the device for people once they've agreed to the policy.
Oct 17 2019 11:44 AM
Ok so here's the update.
After a while, my Outlook app did come up and tell me I was blocked so it appears that setting the OutlookMobileEnabled setting does prevent people from getting into Outlook.
I also found these instructions that will push every phone into Quarantine when it connects:
If I use the OutlookMobileEnabled setting, I can set that to False for all users and then set it to True once someone signs our policy document. Pro is that it's on the user's account and not phone specific. Con is that it has to be done through Powershell and I don't know if there's a way to make False be the default for all new users that get created.
If I use the Quarantine method, I can make this the default so all phones get blocked by default. Pro is that it's automatic, it can send an email when a phone goes in quarantine, and it can be released through the GUI. Con is that it's per device so any time a user gets a new phone, we'll have to release it.
Is there any setting that applies at the user lever, can be made defaulted to off for all users, and can be turned on/off from within the Admin portal?
Oct 17 2019 11:39 PM
There isn't one. The OutlookMobileEnabled is client-specific, it will not block clients other than Outlook, so you might want to combine that with the additional ActiveSync controls. It's very easy to automate via PowerShell, so you can just provide a script instead of the UI option.