How to enforce usage of email apps on Android with Microsoft Intune

At first, thanks for Gerry Hampson’s and Jan Ketil Skanke’s challenges and tips about this topic.

In this post, I will show you how to enforce usage of email apps to access Office 365 email. My testing is done with OnePlus 5, I can’t be sure if all Android model behave in the same way.

• Scenario 1: Allow use both Android native email client or Outlook app, redirect install Microsoft Intune Company Portal app, and enforce enroll device to Intune.
• Scenario 2: Allow setup Android native email client but block sync emails, enforce/redirect use Outlook app. When setup email in Outlook, redirect install Microsoft Intune Company Portal app, and enforce enroll device to Intune.
• Scenario 3: Allow usage of Android native email client only, redirect install Microsoft Intune Company Portal app, and enforce enroll device to Intune. Block anything else.

Scenario 1: Allow both Android native email client or Outlook, enforce enroll device to Intune.

In this scenario, users can setup Android native email client or Outlook app to access Office 365 email. User will receive an email redirecting them to download Microsoft Intune Company Portal, then guide them to enroll the device to Intune.

We will need to create two Conditional Access policies, one for Exchange ActiveSync basic authentication, another one for Exchange Online modern authentication:

Conditional Access Policy for Exchange ActiveSync basic authentication

This is to control Exchange ActiveSync basic authentication, example Android native client. If a user is using native client with basic authentication to access Office 365 Exchange Online, it will require the device to be marked as compliant. When the device is not enrolled to Intune (device is not compliant), Intune Conditional Access leverages Exchange ActiveSync to quarantine these legacy clients and sends an email into their inbox indicating that the they need to install Microsoft Intune Company Portal app and enroll their device in order to access Exchange mail and other resources.

1. Go to Azure Portal : https://portal.azure.com/
2. Go to Intune and create new Conditional Access Policy
   
3. Fill information as bellow:
   Name: Exchange ActiveSync basic Auth
   Assignments – Users and groups: choose user groups that you wish to assign this policy
   Assignments – Cloud apps: Select apps – Office 365 Exchange Online
   Assignments – Conditions: Client apps – Exchange ActiveSync
   Access controls – Grant: Grant access – Required device to be marked as compliant
   

   

   

   

4. Enable policy

Conditional Access Policy for Exchange Online modern authentication

This is to control Exchange Online modern authentication. By configuring these settings as following, it will require the device to be enrolled to Intune and the usage of Outlook app to access Office 365 email. This setting doesn’t conflict with the basic authentication Condition Access policy, because it is using modern authentication.

1. Go to Azure Portal : https://portal.azure.com/
2. Go to Intune and create new Conditional Access Policy
3. Fill information as bellow:
   Name: Exchange Online Modern Auth (Android)
   Assignments – Users and groups: choose user groups that you wish to assign this policy
   Assignments – Cloud apps: Select apps – Office 365 Exchange Online
   Assignments – Conditions: Device platforms – Select device platforms – Android
   Access controls – Grant: Grant access – Require device to be marked as compliant
   Access controls – Grant: Grant access – Require approved client apps
   For multiple controls: Require all the selected controls

   

   

4. Enable policy

Scenario 2: Allow setup Android native email client but block sync emails, enforce/redirect use Outlook, enforce enroll device to Intune.

In this scenario, users can allow setup Android native email client for Office 365 email. The user will receive an email and will be redirected to download Outlook. When the user setup Outlook, it will enforce the download of the Microsoft Intune Company portal app and guide the user to enroll the device to Intune. The user will not be able to use Android native email client to sync Office 365 emails.

We will need to create two Conditional Access policies, one for Exchange ActiveSync basic authentication, another one for Exchange Online with modern authentication:

Conditional Access Policy for Exchange ActiveSync basic authentication

This is to control Exchange ActiveSync basic authentication, example Android native client. If the user is using the native email client with basic authentication to access Office 365 Exchange Online, it will require the device to be marked as compliant and will require use an approved client app, in this case the approved email app is Outlook, so it will enforce usage of  Outlook app and will not allow to sync email with Android native email client. Intune Conditional Access leverages Exchange ActiveSync to quarantine these legacy clients and sends an email into their inbox indicating that the they need to install Outlook app and enroll their device to access Exchange mail and other resources.Configuration are quite similar as “Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange ActiveSync basic authentication” setups.
The only changes are:

Access controls – Grant: Grant access – Require device to be marked as compliant
Access controls – Grant: Grant access – Require approved client apps
For multiple controls: Require all the selected controls

Conditional Access Policy for Exchange Online Modern authentication

Configurations are same as in “Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange Online modern authentication” setups

Scenario 3: Allow usage of only Android native email client, block anything else.

In this scenario, users can setup Android native email client to access Office 365 email. User will receive an email redirecting them to download Microsoft Intune Company Portal, then guide them to enroll the device to Intune. User cannot access Office 365 email from any other method than native email client with basic authentication.

We will need to create two Conditional Access policies, one for Exchange ActiveSync basic authentication, another one for Exchange Online modern authentication:

Conditional Access Policy for Exchange ActiveSync basic authentication

Configurations are the same as in “Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange ActiveSync basic authentication” setups

Conditional Access Policy for Exchange Online modern authentication

Configuration are quite similar as “Scenario 1: allow both Android native email client or Outlook – Conditional Access Policy for Exchange Online Modern authentication” setups.
Only changes is:
Access controls – Grant: Block access

NOTES:

If you have already setup your native email client before you created the Exchange ActiveSync basic authentication Conditional Access policy, you might have to wait 5-6 hours for those settings to apply. At the moment when I was writing this, I couldn’t find a working solution for this matter.

(1194)

Zeng Yinghua

Sandy has been working in the IT industry since 2009. Primarily dealing with SCCM, MDT, Group Policy, software packaging, workstation problem solving. Sandy currently works for a large Finnish company with several thousand endpoints. In 2016, Sandy founded the http://thesccm.com blog and is now a guest blogger on SCConfigMgr.