Tuesday, January 30, 2018

Intune, Outlook App, and the Legacy Conditional Access Changes

Howdy howdy howdy

Sorry, been watching a lot of Toy Story.

In today's post I want to spell out some of the changes that have been made to Conditional Access and the deprecation of the legacy policies, specifically around enforcing the Outlook App through Intune.

Before, you were able to use a simple drop-down box to enable this option.




Apparently this method of blocking access to non-approved apps is considered "legacy" now, and the functionality has changed.





On the back end, this blocked Exchange ActiveSync as well as other client apps with just a flip of the switch. That appears to no longer be the case, at least in my own personal tenant and in a couple of customer tenants I've had recently. Moving forward, you should use the new condition of "Require approved client app".






Not too much of a change so far. The main thing I want to stress here is that you now need to create two policies with this conditional grant: one for EAS and one for all other protocols. This is done by creating one policy with the targeting condition of "Browser" and "Mobile apps and desktop clients" under the "Client Apps" setting.






Then create another with the "Client App" setting of Exchange ActiveSync. We also want to make sure the box for applying the policy only to supported platforms is NOT checked. Ideally we want this to apply to all platforms, so that no sneaky BlackBerrys can find their way in. I also ran into an issue where if this box was checked this rule would not filter down to Android For Work. Not sure why on that one, but no biggie in the grand scheme of things (I love comparing things to the "Grand Scheme" being everything, no matter how important just seems small! It's like a get outta consulting free card!)






Once this is set users will receive a message in their mailbox explaining that they now need to use the Outlook App moving forward.
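A way to check that both policies are really in place, as an added example that is not part of the original post: it assumes the tenant's policies have been exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape, and the function names and sample policies are constructed for illustration.

```python
# Added example: audit Conditional Access policies for the two-policy
# coverage described in the post. All sample data below is constructed.
REQUIRED = {"browser", "mobileAppsAndDesktopClients", "exchangeActiveSync"}

def requires_approved_app(policy):
    """True if an enabled policy always demands an approved client app."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    # With operator OR and several controls, another control could satisfy it.
    strict = len(controls) == 1 or grant.get("operator") == "AND"
    return (policy.get("state") == "enabled"
            and "approvedApplication" in controls and strict)

def audit_approved_app_coverage(policies):
    """Return (client app types left uncovered, warnings)."""
    covered, warnings = set(), []
    for policy in policies:
        if not requires_approved_app(policy):
            continue
        types = set((policy.get("conditions") or {}).get("clientAppTypes", []))
        if "all" in types:
            types |= REQUIRED
        # Assumption: "easSupported" is the exported form of the
        # "apply policy only to supported platforms" checkbox.
        if "easSupported" in types:
            warnings.append(policy["displayName"] + ": EAS limited to supported platforms")
        covered |= types & REQUIRED
    return REQUIRED - covered, warnings

SAMPLE_POLICIES = [  # constructed sample, mirroring the two policies above
    {"displayName": "Approved apps - browser and modern clients",
     "state": "enabled",
     "conditions": {"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
    {"displayName": "Approved apps - EAS",
     "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync"]},
     "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
]

if __name__ == "__main__":
    missing, warnings = audit_approved_app_coverage(SAMPLE_POLICIES)
    print("uncovered client app types:", sorted(missing) or "none")
    for line in warnings:
        print("warning:", line)
```

The check looks only at client app types and the grant control; it does not evaluate which users or cloud apps each policy is assigned to.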

Hope this helps someone out there.

I feel like I should have a sign off phrase, but I don't. Maybe that is it though

"I feel like I should have a sign off phrase, but I don't".
