How-To block native Apple Mail App (iOS) with conditional access - Part 2
Updated: Jul 25, 2018
Azure Conditional access policies can be leveraged to block native mail app (on iOS) devices.
The following procedure has to be applied for the following use cases:
iOS is under 11+.
The Exchange account has been configured manually on the phone.
Before iOS 11+, the native Mail App didn't support Modern Authentication. The way to proceed is to block Exchange ActiveSync with Azure conditional access.
The following procedure explains how-to apply this control:
Under Azure Conditional Access blade, create a new policy.
1. Chose a name for your policy - as an example, and to keep consistency with your CA policies, use the following nomenclature: Action-Platform-What'sImpacted.
2. Select the user/group included.
Under Cloud Apps, select the cloud application who is targeted. In our case, it's Office 365 Exchange Online.
Under Conditions, select Client apps (Preview).
1. Click on Yes to activate the condition.
2. Select Mobile apps and desktop clients to target apps only.
3. Finally select Exchange ActiveSync
Under Access Controls, select Grant.
1. Keep Grant access as default.
2. Select Require approved client app.
The conditional access can take few minutes to few hours to be applied. Application period is random and can't be really defined - depending of your environment, number of policies...
1. When the CA policy is applied, user is blocked on the Apple native mail app and he is invited to use supported app, Outlook for iOS. Below, the email received by users.
2. By clicking Get started now, user is automatically redirected to a Microsoft page and he is invited to get the application - if it's already installed, he has just to click OPEN at the top of the page.
3. In the meantime, if the user tries to send any email from the iOS native mail app, the user is notifies that he can't reach the server as in the image below.
Notice: The different messages are not customizable for the moment.
Once again, Azure conditional access lets you control easily which application you would like to allow in your company.
By this way, the security control is containerized within the supported application where you can apply protection policies.