How to prevent users from circumventing MAM by going through OWA on mobile devicesAlex Fields
One of my smart co-workers pointed out that my Conditional access baseline policies, as written, actually leave open the possibility that users could simply use OWA on their mobile devices, instead of using the Outlook app.
And that means a user could bypass your protections such as encryption of app data, PIN requirement, and so forth. If you want to prevent that, simply include Browsers under the Client apps condition, like so:
This change has also been added to my published policy design.
And as long as you include the managed browsers in your App protection policy > Targeted apps, then the user will be required to abide by the same protections as they are for the Outlook app and any other protected applications you have specified.
Now since your Conditional access policy specifies the access control Require approved client apps, it will enforce the use of either Edge or the Intune Managed Browser app. The user will see a message like the below:
Which will annoy some people, yes. But it also means that on unmanaged mobile devices, the company data is still being protected, whether accessed via an app or via a web browser.