May 15 2018 10:17 AM
I have ran the below command and this has blocked attachments from being downloaded on default mail app, however its not working on Outlook Mobile application. Users are still able to download attachments on Outlook mobile application.
Please assist
Set-ActiveSyncMailboxPolicy -Identity default -AttachmentsEnabled $false
May 15 2018 10:33 AM
Outlook mobile does not use ActiveSync (anymore), thus you cannot expect all the restrictions configured via active sync policies to apply.
May 15 2018 10:48 AM
May 15 2018 11:44 AM
SolutionThis can be done, but it will depend on your licensing. You will have to control the app with MAM via Intune. Then you can set policy for Outlook, SharePoint app, OneDrive, etc.
If you are looking for broader protection capabilities beyond what’s included in Office 365, you can subscribe to Microsoft Intune, which is part of the Microsoft Enterprise Mobility Suite. Intune provides mobile application management (MAM) capabilities for Outlook and other Office mobile apps in addition to the conditional access and device management capabilities outlined above. With Intune MAM, you can restrict actions such as cut, copy, paste, and “save as” of corporate data between Intune-managed apps and apps that are not managed by Intune. Additionally, the Intune-managed Outlook apps include a new multi-identity management feature that enables users to access both their personal and work email accounts in the same Outlook app while only applying the Intune MAM policies to the user’s work account –
Feb 06 2019 11:17 PM
MAM policies do not allow you to deny or block access to email attachments.
Cut, copy, paste, and “save as” restrictions via App policies are working fine but they are useless on Outlook for iOS as you can just forward an email attachement to a gmail or else account and cut, copy save as from here.
Massive oversight!
Feb 07 2019 08:15 AM
Thanks for your response. The answer is more than just a point product like Intune. EMS will allow for what you want with a combination of:
Some resources to help
Feb 07 2019 10:34 PM
I don't understand how Information Protection comes into play in that scenario.
The application protection policy is from what I understand replacing ActiveSyncMailboxPolicy for managed Apps such as Outlook.
I do also have conditional access policies set to only allow connections to Exchange from iOS & Android using a Managed Application only but this isn't enough we are still missing a setting to control email attachments.
Like I said have a policy disallowing users from saving an email or attachment is completely pointless if you can just forward it to another email account and do it from there.
Mar 23 2020 08:45 AM
Hi @fdebout ,
I have the same issue where I need to block forwarding of attachments from Outlook mobile app using Intune. I have opened a case with support but no solution yet.
Have you found any solution for it?
Nov 03 2023 07:20 AM
@Naveen_PandeyDid you end up finding a solution to this?
Mar 27 2024 05:25 PM
Microsoft says that we cannot currently block users from sending or forwarding emails with attachments from the Outlook app. The only thing that we would be able to edit in regards to the attachments included in emails is if the user can save it onto their device or not. You can block your users from doing so by using Conditional Access. Below I have attached further information on how you can use Conditional Access to block your users from downloading/saving attachments from Outlook on managed devices:
This includes the instructions on how to create App-based Conditional Access policies. Here you will be able to block your users from downloading attachments from the Outlook application:
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune-create
To block the attachments specifically, you would need to go to the 'Session' blade when creating a new Conditional Access Policy and select 'User Conditional Access App Control'. From the drop-down menu, you need to select 'Block Downloads'. I have attached a screenshot of how it would appear below:
Mar 27 2024 05:57 PM
May 15 2018 11:44 AM
SolutionThis can be done, but it will depend on your licensing. You will have to control the app with MAM via Intune. Then you can set policy for Outlook, SharePoint app, OneDrive, etc.
If you are looking for broader protection capabilities beyond what’s included in Office 365, you can subscribe to Microsoft Intune, which is part of the Microsoft Enterprise Mobility Suite. Intune provides mobile application management (MAM) capabilities for Outlook and other Office mobile apps in addition to the conditional access and device management capabilities outlined above. With Intune MAM, you can restrict actions such as cut, copy, paste, and “save as” of corporate data between Intune-managed apps and apps that are not managed by Intune. Additionally, the Intune-managed Outlook apps include a new multi-identity management feature that enables users to access both their personal and work email accounts in the same Outlook app while only applying the Intune MAM policies to the user’s work account –