SOLVED

block attachments on outlook mobile application

Copper Contributor

I have ran the below command and this has blocked attachments from being downloaded on default mail app, however its not working on Outlook Mobile application. Users are still able to download attachments on Outlook mobile application.

 

Please assist

 

 

Set-ActiveSyncMailboxPolicy -Identity default -AttachmentsEnabled $false

10 Replies

Outlook mobile does not use ActiveSync (anymore), thus you cannot expect all the restrictions configured via active sync policies to apply.

Alright... thanks for telling me that

When you say no, you should mention alternative as well.

So now could you please tell me what policy should I apply to restrict users from not being able to download attachments on outlook mobile application


If there is no way, just say that abruptly
best response confirmed by Ashish Mangtani (Copper Contributor)
Solution

This can be done, but it will depend on your licensing.  You will have to control the app with MAM via Intune.  Then you can set policy for Outlook, SharePoint app, OneDrive, etc. 

 

https://www.microsoft.com/en-us/microsoft-365/blog/2015/06/18/new-intune-capabilities-for-outlook-on...

 

 

If you are looking for broader protection capabilities beyond what’s included in Office 365, you can subscribe to Microsoft Intune, which is part of the Microsoft Enterprise Mobility Suite. Intune provides mobile application management (MAM) capabilities for Outlook and other Office mobile apps in addition to the conditional access and device management capabilities outlined above. With Intune MAM, you can restrict actions such as cut, copy, paste, and “save as” of corporate data between Intune-managed apps and apps that are not managed by Intune. Additionally, the Intune-managed Outlook apps include a new multi-identity management feature that enables users to access both their personal and work email accounts in the same Outlook app while only applying the Intune MAM policies to the user’s work account – this provides a much more seamless user experience.

MAM policies do not allow you to deny or block access to email attachments.

Cut, copy, paste, and “save as” restrictions via App policies are working fine but they are useless on Outlook for iOS as you can just forward an email attachement to a gmail or else account and cut, copy save as from here.

Massive oversight!

 

 

Thanks for your response.  The answer is more than just a point product like Intune.  EMS will allow for what you want with a combination of:

  • Intune MAM policies 
  • Intune App Protection Properties and Windows Information Protection  (Prevent copy paste of business data to non-business apps
  • Azure AD Session Limits for Conditional Access (Prevent download in SharePoint, OneDrive and Exchange)

Some resources to help

I don't understand how Information Protection comes into play in that scenario.

The application protection policy is from what I understand replacing ActiveSyncMailboxPolicy for managed Apps such as Outlook.

I do also have conditional access policies set to only allow connections to Exchange from iOS & Android using a Managed Application only but this isn't enough we are still missing a setting to control email attachments.

Like I said have a policy disallowing users from saving an email or attachment is completely pointless if you can just forward it to another email account and do it from there.

 

 

 

Hi @fdebout ,

 

I have the same issue where I need to block forwarding of attachments from Outlook mobile app using Intune. I have opened a case with support but no solution yet.

 

Have you found any solution for it?

@Naveen_PandeyDid you end up finding a solution to this?

@ctgreen 

Microsoft says that we cannot currently block users from sending or forwarding emails with attachments from the Outlook app. The only thing that we would be able to edit in regards to the attachments included in emails is if the user can save it onto their device or not. You can block your users from doing so by using Conditional Access. Below I have attached further information on how you can use Conditional Access to block your users from downloading/saving attachments from Outlook on managed devices:

 

This includes the instructions on how to create App-based Conditional Access policies. Here you will be able to block your users from downloading attachments from the Outlook application:

 

https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune-create

 

To block the attachments specifically, you would need to go to the 'Session' blade when creating a new Conditional Access Policy and select 'User Conditional Access App Control'. From the drop-down menu, you need to select 'Block Downloads'. I have attached a screenshot of how it would appear below:

 

Naveen_Pandey_0-1711585173988.png

 

1 best response

Accepted Solutions
best response confirmed by Ashish Mangtani (Copper Contributor)
Solution

This can be done, but it will depend on your licensing.  You will have to control the app with MAM via Intune.  Then you can set policy for Outlook, SharePoint app, OneDrive, etc. 

 

https://www.microsoft.com/en-us/microsoft-365/blog/2015/06/18/new-intune-capabilities-for-outlook-on...

 

 

If you are looking for broader protection capabilities beyond what’s included in Office 365, you can subscribe to Microsoft Intune, which is part of the Microsoft Enterprise Mobility Suite. Intune provides mobile application management (MAM) capabilities for Outlook and other Office mobile apps in addition to the conditional access and device management capabilities outlined above. With Intune MAM, you can restrict actions such as cut, copy, paste, and “save as” of corporate data between Intune-managed apps and apps that are not managed by Intune. Additionally, the Intune-managed Outlook apps include a new multi-identity management feature that enables users to access both their personal and work email accounts in the same Outlook app while only applying the Intune MAM policies to the user’s work account – this provides a much more seamless user experience.

View solution in original post