Forum Discussion
Conditional Access native iOS mail app works - but not if manually configured or if mail already set
- Jul 02, 2019
The first policy (legacy) should block access. It's also recommended to make one policy for ActiveSync and one for other clients. Make sure to exclude service accounts that don't support modern authentication.
I would monitor the sign-in log and look for logins from other clients and ActiveSync (unsupported) before doing this in production.
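The monitoring step above (look at the sign-in log for ActiveSync and "other client" logins before enforcing anything) as an added example; this is not code from the thread. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Reports module, which exposes the sign-in log through Get-MgAuditLogSignIn) and the AuditLog.Read.All permission; the 30-day window and the list of client-app names are choices made here, and any account that shows up in the output is a candidate for the exclusion group the reply mentions.

```powershell
# Added example, not from the original thread. Lists sign-ins from the last 30 days
# that a "block Exchange ActiveSync / other clients" Conditional Access policy would
# catch, grouped per account, so service accounts that still need basic auth are
# visible before the policy is switched from report-only to enforced.
# Assumptions: Microsoft.Graph.Reports module installed, AuditLog.Read.All granted,
# Azure AD P1 (needed for sign-in log access through Graph).

Connect-MgGraph -Scopes 'AuditLog.Read.All'

# clientAppUsed values that mean the client did not use modern authentication.
# 'Exchange ActiveSync' and 'Other clients' map to the two CA client-app conditions
# discussed in the thread; the rest are the individual legacy protocols.
$legacyClients = @(
    'Exchange ActiveSync',
    'Other clients',
    'IMAP4',
    'POP3',
    'Authenticated SMTP',
    'Exchange Web Services',
    'MAPI Over HTTP'
)

# Graph wants an ISO-8601 UTC timestamp in the filter, without quotes.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Pull the window server-side, then keep only legacy-auth clients locally.
$legacySignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyClients }

# One row per (account, client) pair: who is still on legacy auth, how often, and when last.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            ClientApp = $_.Group[0].ClientAppUsed
            SignIns   = $_.Count
            LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } |
    Sort-Object SignIns -Descending |
    Format-Table -AutoSize
```

Run it before enforcing and again while the policy sits in report-only mode; an empty result for the legacy client types is the signal that the block can be turned on without locking anyone out.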
Thanks a lot jenstf.
I've separated them out into 2 policies and this has forced my test iPhones to get the message to enroll the phones, rather than blocking the e-mail entirely, and I cannot configure manually any more.
My main problem here was patience :)
Adam Weldon-Ming, could you summarize and provide us with the final conditional access policies?
I have the same problem. I push an E-Mail profile (via the Device Configuration Profile) to the devices. However, I want the native Mail app to be blocked.
Best regards,
Labinot
- aussupport, Jul 13, 2020, Brass Contributor
Thijs Lecomte Thanks, I'm also looking for the solution for the following
Scenario: Client has existing iPhones already in use - 90% use the native iOS app - We want to force these devices into MDM enrollment (via Intune) and force them to use MS Outlook
- Thijs Lecomte, Jul 12, 2020, Bronze Contributor
The Baseline Policies are deprecated
If you have AAD P1, you should create your own conditional access policies
Otherwise, use security defaults https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
- aussupport, Jul 12, 2020, Brass Contributor
- Adam Weldon-Ming, Nov 01, 2019, Brass Contributor
Hey, sorry for the long wait. The best thing I think to do here now is to use the:
"Baseline policy: Block Legacy authentication (Preview)"
Enable this policy. However, there are no exceptions for this, so it would apply to all users, global admins, etc.
If you need to have it more granular you can do a couple of things:
1 - Build a custom Conditional Access policy that BLOCKS legacy authentication.
- Create a new CA policy - Include All apps (or the ones you want)
- Under: Conditions > Client Apps > Select YES
- Select: Mobile Apps and Desktop Clients > Other (choose Exchange ActiveSync if you want to block native mail apps)
- Then on Access Control > Grant: Select Block Access
- Save and Enable.
2 - Create an authentication policy: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online
CA is more recommended though.
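The portal steps above, and the earlier advice to split them into one policy for Exchange ActiveSync and one for other clients with service accounts excluded, as an added example built with the Microsoft Graph PowerShell SDK rather than the portal. This is not code from the thread or from Microsoft's docs. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules, the Policy.ReadWrite.ConditionalAccess and Group.Read.All permissions, and an existing Azure AD group (the name 'CA-Exclude-LegacyAuth' is a placeholder) holding break-glass admins and any service account that cannot do modern auth. Both policies are created in report-only mode so the sign-in log shows what they would block before anything is enforced.

```powershell
# Added example, not from the original thread. Creates the two Conditional Access
# policies discussed: one blocking Exchange ActiveSync, one blocking "Other clients"
# (legacy authentication), both scoped to all apps and all users minus an exclusion
# group. State is report-only; change it to 'enabled' once the sign-in log is clean.
# Assumptions: Microsoft.Graph.Identity.SignIns + Microsoft.Graph.Groups installed,
# Azure AD P1, and the exclusion group below already exists (name is a placeholder).

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

# The exclusion group must exist first; never ship a block policy without one,
# or the break-glass admin is blocked along with everyone else.
$excludeGroupName = 'CA-Exclude-LegacyAuth'
$excludeGroup = Get-MgGroup -Filter "displayName eq '$excludeGroupName'"
if (-not $excludeGroup) {
    throw "Group '$excludeGroupName' not found. Create it and add break-glass admins and legacy-auth service accounts first."
}

function New-BlockClientAppPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        # Graph clientAppTypes values: 'exchangeActiveSync' and/or 'other'
        [Parameter(Mandatory)] [string[]] $ClientAppTypes
    )

    # This hashtable is the same policy the portal builds:
    # Cloud apps = All, Users = All minus the exclusion group,
    # Conditions > Client apps = the selected types, Grant = Block access.
    $body = @{
        displayName = $Name
        state       = 'enabledForReportingButNotEnforced'   # report-only until verified
        conditions  = @{
            clientAppTypes = $ClientAppTypes
            applications   = @{ includeApplications = @('All') }
            users          = @{
                includeUsers  = @('All')
                excludeGroups = @($excludeGroup.Id)
            }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('block')
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy 1: Exchange ActiveSync, the protocol native mail apps such as iOS Mail use.
New-BlockClientAppPolicy -Name 'Block legacy auth - Exchange ActiveSync' `
                         -ClientAppTypes @('exchangeActiveSync')

# Policy 2: every other client that does not use modern authentication
# (IMAP, POP, SMTP, older Office builds).
New-BlockClientAppPolicy -Name 'Block legacy auth - Other clients' `
                         -ClientAppTypes @('other')
```

Keeping the two conditions in separate policies is what lets you enforce the "Other clients" block first while the ActiveSync one stays in report-only until the Intune enrollment prompts have reached the phones; the sign-in log's Conditional Access tab shows which report-only policy would have applied to each sign-in.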