Intune - Conditional Access - Exchange Online and WP8

Recently I ran into an issue with Intune Conditional Access and Exchange Online. This might get slightly confusing, so here is the situation to start with.

Requirements
  • Conditional Access must be enabled to prevent unauthorised mobile devices (iOS, Android, WP) from accessing company email.
  • All mobile devices must use the Outlook Mobile application to access email. This was so we could enforce Mobile Application Management (MAM) policies restricting what functions are available to users, such as save, copy, paste, etc. within the application.

Point 1 above was achieved by configuring a Conditional Access policy for Exchange Online. Here is my configuration of said policy:








Following the deployment of the policy, access to the mailboxes is blocked as expected.



The user is then prompted to download the company portal application to enroll the device:



Point 2 above, restricting mobile device access to the Outlook application only, was achieved by configuring an Intune App Protection Policy for Exchange Online. Here is my configuration of said policy:








Then we found an issue...

There is no Outlook application for Windows 8.1 phones, so following the deployment of the Intune App Protection Policy, the native Mail client could no longer be used on WP 8.1.

The way we got around this was to create Dynamic Groups for iPhone, iPad, Android and Windows Phone devices. Each group uses a rule on DeviceOSType with the Contains operator and the following value (these are case sensitive):

Android - Android 
iPad - IPad
iPhone - IPhone
Windows Phone - WindowsPhone




After you have created the groups, ensure that the members are being populated:
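
The group creation and membership check described above can also be scripted. This is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell module, the "CA-" group names are hypothetical, and it treats the rule's deviceOSType as the device's OperatingSystem property in Graph.

```powershell
# Added example. Assumes the Microsoft.Graph module is installed and the signed-in
# account may create groups. The "CA-...-Devices" names are hypothetical.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Group label -> DeviceOSType value from the list above (case sensitive per the post).
$osValues = [ordered]@{
    'Android'      = 'Android'
    'iPad'         = 'IPad'
    'iPhone'       = 'IPhone'
    'WindowsPhone' = 'WindowsPhone'
}

# One dynamic device group per OS value, with rule processing switched on.
$groups = foreach ($name in $osValues.Keys) {
    $rule = '(device.deviceOSType -contains "{0}")' -f $osValues[$name]
    New-MgGroup -DisplayName "CA-$name-Devices" `
        -MailNickname "CA-$name-Devices" `
        -MailEnabled:$false -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
}

# Dynamic membership is evaluated asynchronously; re-run this part later if counts are 0.
foreach ($g in $groups) {
    $count = (Get-MgGroupMember -GroupId $g.Id -All | Measure-Object).Count
    '{0,-24} {1,-48} members: {2}' -f $g.DisplayName, $g.MembershipRule, $count
}

# Devices whose OS string contains none of the values (for example a different
# letter case) land in no group, so no policy targeted at these groups reaches them.
# Assumption: deviceOSType in the rule corresponds to OperatingSystem on the device.
Get-MgDevice -All |
    Where-Object {
        $os = [string]$_.OperatingSystem
        -not ($osValues.Values | Where-Object { $os.Contains($_) })  # case-sensitive match
    } |
    Group-Object OperatingSystem |
    Select-Object Name, Count
```

The last listing will also include desktop operating systems; the rows to look for are mobile OS strings that differ from the rule values only by case or spelling.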



All but the WindowsPhone group were added to the 'Restricted user groups' which was added to the 'Exempt user groups' to allow Windows devices to use the native mail client.



As the Windows Phone device requires Workplace Join as part of the enrolment process, the device can still be managed without MAM policies.

Windows 10 Mobiles (and clients) can be protected using Windows Information Protection, but this was out of scope of this project. (See https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip for more information regarding this.)
