cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Conditional Access native iOS mail app works - but not if manually configured or if mail already set

%3CLINGO-SUB%20id%3D%22lingo-sub-731669%22%20slang%3D%22en-US%22%3EConditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%20set%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-731669%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3CBR%20%2F%3E%3CBR%20%2F%3EWhen%20I%20create%20CA%20Policies%20for%20iOS%2C%26nbsp%3B%20(All%20iOS%20devices%20on%20iOS%2011%2B)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EScenario%3C%2FSTRONG%3E%3A%20Client%20has%20existing%20iPhone's%20already%20in%20use%20-%2090%25%20use%20native%20iOS%20App%20-%20We%20want%20to%20force%20these%20devices%20into%20MDM%20Enrollment%20(via%20Intune)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20essentially%20using%20this%20guide%20to%20set%20CA%20policies%20%3A%20%3CA%20href%3D%22https%3A%2F%2Fwww.easycloud365.com%2Fblog%2Fhow-to-block-native-apple-mail-app-ios-with-conditional-access-part-1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.easycloud365.com%2Fblog%2Fhow-to-block-native-apple-mail-app-ios-with-conditional-access-part-1%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ESo%20far%20this%20works%20if%20I%20am%20setting%20up%20a%20new%20device%2C%20it%20will%20prompt%20me%20to%20sign%20into%20organisation%20and%20require%20me%20to%20enroll%20the%20device%20etc.%20-%20Works%20as%20it%20says%20on%20the%20tin.%26nbsp%3B%20%3CSTRONG%3EHowever%3C%2FSTRONG%3E....%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3EA%20couple%20of%20things%20are%20apparent%3A%3C%2FSTRONG%3E%3C%2FP%3E%3COL%3E%3CLI%3EWhen%20I%20setup%20a%20new%20phone%20-%20i%20click%20on%20the%20iOS%20mail%20app%20%26gt%3B%20Add%20Account%20%26gt%3B%20Exchange%20%26gt%3B%20type%20in%20username(email%20address)%20%26amp%3B%20password%26nbsp%3B%20and%20I%20receive%20a%20prompt%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3E%22Sign%20in%20to%20your%20%22username%40tenant.onmicrosoft.com%22Exchange%20account%20using%20Microsoft%3F%22%3C%2FSTRONG%3E%3CBR%20%2F%3E1)%20Configure%20Manually%3CBR%20%2F%3E2)%20Sign%20In%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20I%20select%20%22%3CSTRONG%3ESign%20In%3C%2FSTRONG%3E%22%20then%20no%20drama%20-%20I%20go%20through%20the%20enrollment%20process%20normally%3CBR%20%2F%3EIf%20I%20select%20can%20also%20select%20%22%3CSTRONG%3ESet%20up%20manually%3C%2FSTRONG%3E%22%20and%20then%20proceed%20to%20set%20up%20the%20device%20using%26nbsp%3B%3COL%3E%3CLI%3E%3CSTRONG%3Eemail%20address%3A%26nbsp%3B%3C%2FSTRONG%3E(username%40tenant.onmicrosoft.com)%3C%2FLI%3E%3CLI%3E%3CSTRONG%3Eusername%20%26amp%3B%20Password%3C%2FSTRONG%3E%26nbsp%3B%20(username%40tenant.onmicrosoft.com)%3C%2FLI%3E%3CLI%3E%3CSTRONG%3EServer%3C%2FSTRONG%3E%3A%20outlook.office365.com%3C%2FLI%3E%3C%2FOL%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3EI%20am%20then%20able%20to%20get%20mail%20flowing%20in%20the%20native%20iOS%20mail%20app%20without%20the%20phone%20being%20required%20to%20go%20into%20MDM%20or%20adhere%20to%20the%20Conditional%20Access%20Policies%20and%20Compliance%20policies%3CBR%20%2F%3ENext%20is%20that%20any%20phones%20already%20with%20their%20mail%20configured%20in%20the%20default%20iOS%20App%3C%2FP%3E%3COL%3E%3CLI%3ENothing%20happens%20-%20you%20just%20continue%20to%20use%20the%20phone%20as%20normal%20and%20it%20does%20not%20block%20mail%20on%20the%20native%20iOS%20app%20sop%20that%20the%20users%20are%20forced%20to%20enroll%20their%20devices.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%3C%2FOL%3E%3CP%3EI%20hope%20this%20all%20makes%20some%20sense%20-%20and%20looking%20for%20any%20guidance.%20i.e.%20perhaps%20I%20need%20to%20block%20via%20PowerShell%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Fsecure-outlook-for-ios-and-android%23leveraging-exchange-online-mobile-device-policies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Foutlook-for-ios-and-android%2Fsecure-outlook-for-ios-and-android%23leveraging-exchange-online-mobile-device-policies%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20time%20reading%20this.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-731669%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-733610%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-733610%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41521%22%20target%3D%22_blank%22%3E%40Adam%20Weldon-Ming%3C%2FA%3E%26nbsp%3BNature%20of%20Conditional%20Access%20is%20that%20it%20actually%20works%20only%20with%20Modern%20Auth.%20So%2C%20in%20your%20case%20you%20need%20to%20have%202%20policies.%3C%2FP%3E%3CP%3E-%20One%20to%20block%20Legacy%20authentication.%3C%2FP%3E%3CP%3E-%20And%20one%20more%20following%20guide%20you%20used.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-733625%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-733625%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41521%22%20target%3D%22_blank%22%3E%40Adam%20Weldon-Ming%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EWhat%20does%20the%20sign-inn%20log%20in%20Azure%20AD%20say%2C%20choose%20to%20show%20the%20client%20app%20column%3F%3C%2FP%3E%3CP%3EDo%20you%20also%20block%20legacy%20authentication%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EYou%20could%20also%20add%20an%20App%20Protection%20Policy%20to%20make%20sure%20also%20nonregistered%20BYOD%20devices%20are%20forced%20to%20use%20Outlook%2C%20but%20this%20shouldn't%20be%20necessary%20for%20access%20control%20if%20you%20don't%20also%20want%20better%20management%20of%20company%20data.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJT%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-734424%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-734424%22%20slang%3D%22en-US%22%3E%3CP%3Ethanks%20for%20your%20time%20going%20through%20my%20problem%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F364308%22%20target%3D%22_blank%22%3E%40jenstf%3C%2FA%3E%26nbsp%3B%20%26amp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F144823%22%20target%3D%22_blank%22%3E%40Alexander%20Vanyurikhin%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20created%20two%20policies%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1%20Policy%20for%20Legacy%20and%20Native%20iOS%20App%3C%2FP%3E%3CP%3E1%20Policy%20for%20Modern%20Authentication%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBoth%20%3CSTRONG%3ERequire%20device%20to%20be%20marked%20as%20compliant%3C%2FSTRONG%3E%26nbsp%3B%20%26amp%3B%20%3CSTRONG%3ERequires%20approved%20client%20app%3C%2FSTRONG%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20I%20am%20still%20able%20to%20get%20mail%20to%20flow%20in%20once%20configuring%20manually.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(unless%20while%20I%20am%20changing%20policies%20it%20may%20take%20some%20time%20before%20it%20takes%20affect)%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThese%20are%20my%20policies%26nbsp%3B%3C%2FP%3E%3CP%3EOnly%20applying%20to%20Exchange%20Online%20App%26nbsp%3B%3C%2FP%3E%3CP%3EOnly%20applying%20to%20iOS%20and%20Android%20devices.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3E%5BFirst%20is%20for%20native%20iOS%20%2F%20Legacy%20Auth%5D%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20632px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F121910iEFEC5D21E99D959A%2Fimage-dimensions%2F632x462%3Fv%3D1.0%22%20width%3D%22632%22%20height%3D%22462%22%20alt%3D%22Policy%201%20-%20Conditions.jpg%22%20title%3D%22Policy%201%20-%20Conditions.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20554px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F121909i1D68A477D3A3CF06%2Fimage-dimensions%2F554x594%3Fv%3D1.0%22%20width%3D%22554%22%20height%3D%22594%22%20alt%3D%22Policy%201%20-%20GrantAccess.jpg%22%20title%3D%22Policy%201%20-%20GrantAccess.jpg%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3E1%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3E%5BSecond%20below%20is%20for%20Modern%20Auth%20-%20If%20setting%20up%20via%20outlook%20app%20this%20works%20fine%20and%20enrolls%20the%20device%26nbsp%3Bproblem%20I%20think%20is%20the%20first%20policy%20above%5D%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20946px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F121912i38FC8ADA8CBE9183%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Policy%202%20-%20Conditions%20.jpg%22%20title%3D%22Policy%202%20-%20Conditions%20.jpg%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3E2%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20526px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F121911iF1205F2A0F225E38%2Fimage-dimensions%2F526x564%3Fv%3D1.0%22%20width%3D%22526%22%20height%3D%22564%22%20alt%3D%22Policy%202%20-%20GrantAccess.jpg%22%20title%3D%22Policy%202%20-%20GrantAccess.jpg%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3E2%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20the%20above%20set%20-%20I%20was%20able%20to%20manually%20configure%20mail%20on%20iOS%20device%20by%20adding%20the%20server%3A%20outlook.office365.com%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20turned%20policies%20on%20and%20off%20for%20the%20first%20one%20so%20maybe%20it%20will%20rake%20some%20time%20to%20apply(%3F)%3CBR%20%2F%3E%3CBR%20%2F%3EI%20checked%20Sign-Ins%20on%20Azure%20AD%20monitoring%20but%20not%20showing%20anything%20with%20signing%20if%20I%20configure%20manually%26nbsp%3B%20-%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-734976%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-734976%22%20slang%3D%22en-US%22%3EThe%20first%20policy%20(legacy)%20should%20block%20access.%20It's%20also%20recommended%20to%20make%20one%20policy%20for%20active%20sync%20and%20one%20for%20other%20clients.%20Make%20sure%20to%20exclude%20service%20accounts%20that%20doesn't%20support%20modern%20authentication.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20would%20monitor%20the%20sign-in%20log%20and%20look%20for%20logins%20from%20other%20client%20and%20active%20sync%20(unsupported)%20before%20doing%20this%20in%20production.%3CBR%20%2F%3E%3CBR%20%2F%3EJT%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-735299%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-735299%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F364308%22%20target%3D%22_blank%22%3E%40jenstf%3C%2FA%3E-%20Many%20thanks%20-%20this%20has%20helped%20clarify%20some%20things%20in%20my%20head%3CBR%20%2F%3E%3CBR%20%2F%3E1%20last%20question%20on%20this%20if%20that's%20ok%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3EIt's%20also%20recommended%20to%20make%20one%20policy%20for%20active%20sync%20and%20one%20for%20other%20clients.%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3EWould%20you%20essential%20be%20creating%203%20for%20this%3F%20i.e.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20style%3D%22width%3A%20162px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F121991iF4D7CEDCA5984FA1%2Fimage-size%2Fsmall%3Fv%3D1.0%26amp%3Bpx%3D200%22%20alt%3D%22Pol1.png%22%20title%3D%22Pol1.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20style%3D%22width%3A%20163px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F121992i8C040239C5C35EAF%2Fimage-size%2Fsmall%3Fv%3D1.0%26amp%3Bpx%3D200%22%20alt%3D%22Pol2.png%22%20title%3D%22Pol2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-left%22%20style%3D%22width%3A%20171px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F121993i5C08609F31F2A53D%2Fimage-size%2Fsmall%3Fv%3D1.0%26amp%3Bpx%3D200%22%20alt%3D%22Pol3.png%22%20title%3D%22Pol3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EOr%20would%20you%20always%20combine%2C%20say%2C%20%3CSTRONG%3EExchange%20ActiveSync%20%2B%20Apply%20policy%20only%20to%20supported%20platforms%20%3C%2FSTRONG%3Ein%20one%20policy%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdam%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-735594%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-735594%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41521%22%20target%3D%22_blank%22%3E%40Adam%20Weldon-Ming%3C%2FA%3E%26nbsp%3BIn%20my%20policies%20I%20don't%20use%20%22Apply%20policy%20only%20to%20supported%20platforms%22.%20The%20documentation%20isn't%20clear%20on%20what%20that%20choice%20actually%20is%20good%20for.%20i.e.%20Linux%20isn't%20a%20supported%20platform%20and%20will%20then%20bypass%20this%20policy.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EI%20have%20one%20policy%20with%20%22Exchange%20active%20sync%20clients%22%20and%20one%20for%20%22other%20clients%22.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-736610%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-736610%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20a%20lot%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F364308%22%20target%3D%22_blank%22%3E%40jenstf%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20separated%20them%20out%20into%202%20policies%20and%20this%20has%20forced%20my%20test%20iPhone's%20to%20get%20the%20message%20to%20enroll%20the%20phones.%26nbsp%3B%20Rather%20than%20blocking%20the%20e-mail%20entirely%20and%20I%20cannot%20configure%20manually%20any%20more.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20main%20problem%20here%20was%20patience%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-917497%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-917497%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41521%22%20target%3D%22_blank%22%3E%40Adam%20Weldon-Ming%3C%2FA%3E%26nbsp%3Bcould%20you%20summarize%20and%20provide%20us%20with%20the%20final%20conditional%20access%20policies%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20the%20same%20problem.%20I%20push%20an%20E-Mail%20profile%20(via%20the%20Device%20Configuration%20Profile)%20to%20the%20devices.%20However%2C%20I%20want%20the%20native%20Mail%20app%20to%20be%20blocked.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%2C%3C%2FP%3E%3CP%3ELabinot%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-970619%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-970619%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F146090%22%20target%3D%22_blank%22%3E%40Labinot%20Jashanica%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHey%2C%20sorry%20for%20the%20long%20wait%20-%20best%20thing%20I%20think%20to%20do%20here%20now%20is%20to%20use%20the%20%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%22Baseline%20policy%3A%20Block%20Legacy%20authentication%20(Preview)%22%3CBR%20%2F%3E%3CBR%20%2F%3EEnable%20this%20Policy%20-%20However%2C%20there%20are%20no%20exceptions%20for%20this%20so%20therefore%20it%20would%20apply%20to%20all%20users%2C%20global%20admins%20etc.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20need%20to%20have%20it%20more%20granular%20you%20can%20do%20a%20couple%20thinfs%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E1%20-%20Build%20a%20custom%20Conditional%20Access%20Policy%20that%20BLOCKS%20legacy%20authentication.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3ECreate%20a%20no%20CA%20policy%20-%20Include%20All%20apps%20(or%20ones%20you%20want)%3C%2FLI%3E%3CLI%3EUnder%3A%20Conditions%20%26gt%3B%20Client%20Apps%20%26gt%3B%20Select%20YES%3C%2FLI%3E%3CLI%3ESelect%3A%20Mobile%20Apps%20and%20Desktop%20Clients%20%26gt%3B%20Other%20(Choose%20Exchange%20ActiveSync%20if%20you%20want%20to%20block%20native%20mail%20apps.%3C%2FLI%3E%3CLI%3EThen%20on%20Access%20Control%20%26gt%3B%20Grant%3A%20Select%20Block%20Access%3C%2FLI%3E%3CLI%3ESave%20and%20Enable.%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%3CBR%20%2F%3E2%20-%20Create%20a%20authentication%20policy%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fdisable-basic-authentication-in-exchange-online%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fclients-and-mobile-in-exchange-online%2Fdisable-basic-authentication-in-exchange-online%26nbsp%3B%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3ECA%20Is%20more%20recommended%20though.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1516899%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1516899%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F41521%22%20target%3D%22_blank%22%3E%40Adam%20Weldon-Ming%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20to%20enable%20this%26nbsp%3B%3CSPAN%3EBaseline%20policy%3A%20Block%20Legacy%20authentication%20(Preview)%20%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAs%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1517107%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1517107%22%20slang%3D%22en-US%22%3EThe%20Baseline%20Policies%20are%20deprecated%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20have%20AAD%20P1%2C%20you%20should%20create%20your%20own%20conditional%20access%20policies%3CBR%20%2F%3EOtherwise%2C%20use%20security%20defaults%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1518264%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20native%20iOS%20mail%20app%20works%20-%20but%20not%20if%20manually%20configured%20or%20if%20mail%20already%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1518264%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3B%20Thanks%2C%20I'm%20also%20looking%20for%20the%20solution%20for%26nbsp%3B%20following%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EScenario%3C%2FSTRONG%3E%3CSPAN%3E%3A%20Client%20has%20existing%20iPhone's%20already%20in%20use%20-%2090%25%20use%20native%20iOS%20App%20-%20We%20want%20to%20force%20these%20devices%20into%20MDM%20Enrollment%20(via%20Intune)%20and%20forced%20to%20use%20MS%20Outlook%3C%2FSPAN%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Adam Weldon-Ming
Contributor

‎Jul 01 2019 08:35 AM

‎Jul 01 2019 08:35 AM

Conditional Access native iOS mail app works - but not if manually configured or if mail already set

Hello

When I create CA Policies for iOS,  (All iOS devices on iOS 11+)

 

Scenario: Client has existing iPhone's already in use - 90% use native iOS App - We want to force these devices into MDM Enrollment (via Intune)

 

I am essentially using this guide to set CA policies : https://www.easycloud365.com/blog/how-to-block-native-apple-mail-app-ios-with-conditional-access-par...


So far this works if I am setting up a new device, it will prompt me to sign into organisation and require me to enroll the device etc. - Works as it says on the tin.  However....

A couple of things are apparent:

  1. When I setup a new phone - i click on the iOS mail app > Add Account > Exchange > type in username(email address) & password  and I receive a prompt:

    "Sign in to your "username@tenant.onmicrosoft.com"Exchange account using Microsoft?"
    1) Configure Manually
    2) Sign In

    If I select "Sign In" then no drama - I go through the enrollment process normally
    If I select can also select "Set up manually" and then proceed to set up the device using 
    1. email address: (username@tenant.onmicrosoft.com)
    2. username & Password  (username@tenant.onmicrosoft.com)
    3. Server: outlook.office365.com

I am then able to get mail flowing in the native iOS mail app without the phone being required to go into MDM or adhere to the Conditional Access Policies and Compliance policies
Next is that any phones already with their mail configured in the default iOS App

  1. Nothing happens - you just continue to use the phone as normal and it does not block mail on the native iOS app sop that the users are forced to enroll their devices. 


I hope this all makes some sense - and looking for any guidance. i.e. perhaps I need to block via PowerShell? 

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-...

 

Thanks for your time reading this. 

15.5K Views
0 Likes
17 Replies
Reply
17 Replies
Alexander Vanyurikhin

‎Jul 02 2019 12:39 AM

‎Jul 02 2019 12:39 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@Adam Weldon-Ming Nature of Conditional Access is that it actually works only with Modern Auth. So, in your case you need to have 2 policies.

- One to block Legacy authentication.

- And one more following guide you used.

1 Like
Reply
jenstf

‎Jul 02 2019 01:15 AM

‎Jul 02 2019 01:15 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@Adam Weldon-Ming 

What does the sign-inn log in Azure AD say, choose to show the client app column?

Do you also block legacy authentication?

You could also add an App Protection Policy to make sure also nonregistered BYOD devices are forced to use Outlook, but this shouldn't be necessary for access control if you don't also want better management of company data.

 

JT

1 Like
Reply
Adam Weldon-Ming

‎Jul 02 2019 07:00 AM - edited ‎Jul 02 2019 07:15 AM

‎Jul 02 2019 07:00 AM - edited ‎Jul 02 2019 07:15 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

thanks for your time going through my problem  @jenstf  & @Alexander Vanyurikhin 

 

I have created two policies 

 

1 Policy for Legacy and Native iOS App

1 Policy for Modern Authentication 

 

Both Require device to be marked as compliant  & Requires approved client app  

 

But I am still able to get mail to flow in once configuring manually. 

 

(unless while I am changing policies it may take some time before it takes affect)  

 

These are my policies 

Only applying to Exchange Online App 

Only applying to iOS and Android devices. 

[First is for native iOS / Legacy Auth]

Policy 1 - Conditions.jpg

11

 

[Second below is for Modern Auth - If setting up via outlook app this works fine and enrolls the device problem I think is the first policy above]

 

22

22

 

With the above set - I was able to manually configure mail on iOS device by adding the server: outlook.office365.com 

 

I have turned policies on and off for the first one so maybe it will rake some time to apply(?)

I checked Sign-Ins on Azure AD monitoring but not showing anything with signing if I configure manually  - 

0 Likes
Reply
best response confirmed by Adam Weldon-Ming (Contributor)
jenstf

‎Jul 02 2019 11:11 AM - edited ‎Jul 02 2019 11:32 AM

‎Jul 02 2019 11:11 AM - edited ‎Jul 02 2019 11:32 AM

Solution

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

The first policy (legacy) should block access. It's also recommended to make one policy for active sync and one for other clients. Make sure to exclude service accounts that doesn't support modern authentication.

I would monitor the sign-in log and look for logins from other client and active sync (unsupported) before doing this in production.

JT
1 Like
Reply
Adam Weldon-Ming

‎Jul 02 2019 03:02 PM

‎Jul 02 2019 03:02 PM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@jenstf- Many thanks - this has helped clarify some things in my head

1 last question on this if that's ok:

It's also recommended to make one policy for active sync and one for other clients.

Would you essential be creating 3 for this? i.e.

Pol1.pngPol2.png

Pol3.png

 

 

 

 

 

 

 



Or would you always combine, say, Exchange ActiveSync + Apply policy only to supported platforms in one policy?

 

Adam

1 Like
Reply
jenstf

‎Jul 02 2019 10:46 PM

‎Jul 02 2019 10:46 PM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@Adam Weldon-Ming In my policies I don't use "Apply policy only to supported platforms". The documentation isn't clear on what that choice actually is good for. i.e. Linux isn't a supported platform and will then bypass this policy.


I have one policy with "Exchange active sync clients" and one for "other clients".

0 Likes
Reply
Adam Weldon-Ming

‎Jul 03 2019 08:44 AM

‎Jul 03 2019 08:44 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

Thanks a lot @jenstf 

 

I've separated them out into 2 policies and this has forced my test iPhone's to get the message to enroll the phones.  Rather than blocking the e-mail entirely and I cannot configure manually any more. 

 

My main problem here was patience :) 

0 Likes
Reply
Labinot Jashanica

‎Oct 17 2019 03:49 AM

‎Oct 17 2019 03:49 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@Adam Weldon-Ming could you summarize and provide us with the final conditional access policies?

 

I have the same problem. I push an E-Mail profile (via the Device Configuration Profile) to the devices. However, I want the native Mail app to be blocked. 

 

Best regards,

Labinot

0 Likes
Reply
Adam Weldon-Ming

‎Nov 01 2019 02:55 AM

‎Nov 01 2019 02:55 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@Labinot Jashanica 

 

Hey, sorry for the long wait - best thing I think to do here now is to use the :

"Baseline policy: Block Legacy authentication (Preview)"

Enable this Policy - However, there are no exceptions for this so therefore it would apply to all users, global admins etc.

If you need to have it more granular you can do a couple thinfs


1 - Build a custom Conditional Access Policy that BLOCKS legacy authentication.

 

 

  • Create a no CA policy - Include All apps (or ones you want)
  • Under: Conditions > Client Apps > Select YES
  • Select: Mobile Apps and Desktop Clients > Other (Choose Exchange ActiveSync if you want to block native mail apps.
  • Then on Access Control > Grant: Select Block Access
  • Save and Enable.


2 - Create a authentication policy: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...

CA Is more recommended though.

 

 

0 Likes
Reply
aussupport

‎Jul 12 2020 04:07 AM

‎Jul 12 2020 04:07 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@Adam Weldon-Ming 

 

How to enable this Baseline policy: Block Legacy authentication (Preview) ?

 

As

0 Likes
Reply
Thijs Lecomte

‎Jul 12 2020 08:57 AM

‎Jul 12 2020 08:57 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

The Baseline Policies are deprecated

If you have AAD P1, you should create your own conditional access policies
Otherwise, use security defaults https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d...
0 Likes
Reply
aussupport

‎Jul 13 2020 01:34 AM

‎Jul 13 2020 01:34 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@Thijs Lecomte  Thanks, I'm also looking for the solution for  following

 

Scenario: Client has existing iPhone's already in use - 90% use native iOS App - We want to force these devices into MDM Enrollment (via Intune) and forced to use MS Outlook 

 

 

0 Likes
Reply
natpascual1330

‎Feb 02 2021 09:48 PM

‎Feb 02 2021 09:48 PM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

So were you able to block the manual sign-in? I'm at this stage too.
0 Likes
Reply
Thijs Lecomte

‎Feb 03 2021 02:47 AM

‎Feb 03 2021 02:47 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

You need to block legacy authentication in order to fully make use of Conditional Access
0 Likes
Reply
natpascual1330

‎Feb 03 2021 04:25 PM

‎Feb 03 2021 04:25 PM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@Thijs Lecomte 

 

Block it from where exactly? 

0 Likes
Reply
natpascual1330

‎Feb 08 2021 12:47 AM

‎Feb 08 2021 12:47 AM

Re: Conditional Access native iOS mail app works - but not if manually configured or if mail already

@Thijs Lecomte 

 

Yup was able to do it via Conditional Access already. Had issues mainly with my patience haha. Took it more than a day till my expected outcome were observed.

 

Thank you!

0 Likes
Reply