• François Peroux

How-To block native Apple Mail App (iOS) with conditional access - Part 1

Updated: Jul 22, 2018

Next: how-to block Apple native mail app who uses ExchangeActive Sync (before iOS 11+).>>


Azure Conditional access policies can be leveraged to block native mail app (on iOS) devices.

Use Cases

The following procedure has to be applied for the following use cases:

  • iOS version 11+.


Since the iOS version 11+, the native Mail App support Modern Authentication. In the meantime, an Intune update improved the conditions to target only Modern Authentication flow within applications.

The following procedure explains how-to apply this control:

  • Under Azure Conditional Access blade, create a new policy.

  1. Chose a name for your policy - as an example, and to keep consistency with your CA policies, use the following nomenclature: Action-Platform-What'sImpacted.

  2. Select the user/group included.

  • Under Cloud Apps, select the cloud application who is targeted. In our case, it's Office 365 Exchange Online.

  • Under Conditions, select Device platforms.

  1. Click Yes to activate the condition.

  2. Click on Select device platforms.

  3. Select iOS.

  • Under Conditions, select Client apps (Preview).

  1. Click Yes to activate the condition.

  2. Select Mobile apps and desktop clients to target apps only.

  3. Finally select Modern authentication clients.

  • Under Access Controls, select Grant.

  1. Keep Grant access as default.

  2. Select Require approved client app.

User Experience

The conditional access can take few minutes to few hours to be applied. Application period is random and can't be really defined - depending of your environment, number of policies...

1. When the CA policy is applied, user is blocked on the Apple native mail app and he is asked to sign-in again.

2. By clicking Edit Settings, user is redirected to a Microsoft Modern Authentication page and he is invited to enter his password.

3. After the Sign in button clicked, the conditional access message explains that the application used to access email is not approved by the IT department.

Notice: The different messages are not customizable for the moment.


With the conditional access capabilities to focus on different authentication processes (modern authentication, basic authentication and ExchangeActive Sync), it offers a powerful way to control access to your company data.

By blocking the native mail app, you redirect user to use Application Protection supported app - Outlook for iOS. Then, you can control how the data transit between personal and corporate containers on mobile devices.

Next: how-to block Apple native mail app who uses ExchangeActive Sync (before iOS 11+).>>




Security Consultant

  • Twitter Icône sociale