Forum Discussion
Block e-mail configuration on iOS
I started configuring a group of policies in my environment to block users from using e-mail accounts in apps that are only authorized for me.
It worked well on Android devices, but on iOS devices it's not working properly.
The user tries to configure his e-mail in the native mail app and receives a message that he needs to use Outlook.
After installing Outlook, the user receives a message that he needs to enroll the device to access his account.
But after enrolling the device and configuring his account in Outlook, the user tried to configure his account in the Gmail app and he succeeded, even with the conditional access rule saying that he could only use the e-mail account in Outlook.
Why doesn't conditional access block the configuration in the Gmail app like it did with the native app?
All users are in Exchange Online, and the option "require approved client app" in my conditional access is already flagged.
9 Replies
Hi,
Without having done any tests, I think the Gmail app uses legacy auth and not modern auth to authenticate and therefore does not use Conditional Access.
To block legacy auth for applications you can follow this and use ADFS:
Block apps that do not use modern authentication (ADAL)
https://docs.microsoft.com/en-us/intune/app-modern-authentication-block
or wait for the native implementation to block legacy auth in Conditional Access; it's titled "Coming soon":
Block legacy protocols Coming Soon (Premium)
- Daniel Hudson, Iron Contributor
Hi Paulo
Edit: As I was typing this I've just tested this on my device and it seems that Gmail app on iOS does indeed allow users to set up their Office 365 mail, even if Conditional access requires the use of an approved app AND blocks ActiveSync connections. I'm going to raise this with Premier Support to investigate.
You want to take a look here and make sure your conditional access policies are set up correctly: https://docs.microsoft.com/en-us/intune/exchange-online-protect
Essentially, you need to set up one Conditional Access policy that forces iOS and Android users to use approved apps only (i.e. Outlook).
Then set up a second Conditional Access policy that blocks the use of Activesync on iOS and Android for accessing Exchange Online.
So long as you ensure that ActiveSync connections are blocked, then it should prevent the Gmail app on iOS devices from being used.
- Paulo Silva, Brass Contributor
Hi Daniel,
I tried to create the second CA rule but I receive a message:
What could it be? The message doesn't have any link to explain why the configuration is not supported.
Thanks!
- Daniel Hudson, Iron Contributor
Hi Paulo. Can you post what settings you configured?
- Deleted
Nobody?