How to prevent users from circumventing MAM by going through OWA on mobile devices - ITProMentor

Back to Blog

04SepSeptember 4, 20192019

How to prevent users from circumventing MAM by going through OWA on mobile devices

One of my smart co-workers pointed out that my Conditional access baseline policies, as written, actually leave open the possibility that users could simply use OWA on their mobile devices, instead of using the Outlook app.

And that means a user could bypass your protections such as encryption of app data, PIN requirement, and so forth. If you want to prevent that, simply include Browsers under the Client apps condition, like so:

This change has also been added to my published policy design.

And as long as you include the managed browsers in your App protection policy > Targeted apps, then the user will be required to abide by the same protections as they are for the Outlook app and any other protected applications you have specified.

Now since your Conditional access policy specifies the access control Require approved client apps, it will enforce the use of either Edge or the Intune Managed Browser app. The user will see a message like the below:

Which will annoy some people, yes. But it also means that on unmanaged mobile devices, the company data is still being protected, whether accessed via an app or via a web browser.

Technical Enterprise Mobility + Security, Intune, MAM, Microsoft 365 Business, Microsoft 365 Enterprise, security 0 Comments

Leave a ReplyCancel reply

Back to Blog

Related Posts

Turn your MFA up to 11

09DecDecember 9, 2022

But have you turned multifactor authentication ALL the way on?

Do you remember just a short time ago, Microsoft would claim that switching on Multi-factor Authentication (MFA) prevents 99.9% of identity-based attacks? Well, the times they are a-changin. I do not know what they would report today for a percentage of attacks which are thwarted... read more

22SepSeptember 22, 2016

Redirection no more?

I had recently published an article about setting up NTFS security for roaming profiles and redirected folders, when a co-worker and I got into an interesting discussion. So I had to share some of these thoughts while they were still bouncing around in my brain.... read more

20AprApril 20, 2017

What is Windows Hello, and how to enable it

Windows 10 introduced a new security feature called "Hello," which allows a computer to be unlocked via different means than a traditional username/password prompt. The marketing around this sells it as a more "personalized" login experience--more "human" or whatever. But it's really just extra security... read more

Unboxing Defender for Business, Part 2: Threat & Vulnerability Management

01FebFebruary 1, 2022

Unboxing Defender for Business, Part 2: Threat & Vulnerability Management

Last time we looked at how to get started with Microsoft Defender for Business and the so-called "Simplified configuration process," which helped us onboard our first Windows devices and apply basic policies to manage antivirus and firewall settings across the organization. In this blog post,... read more

12MarMarch 12, 2018

New OME Encryption Template, Criticism Revisited…

Spooky. Lately it's like Microsoft is following this blog or something. I have been working on a number of posts that I'm rather excited about. First, I had one of my biggest wishes come true, with the release of Files On-Demand for OneDrive (included in Fall... read more

25JanJanuary 25, 2018

Tutorial: How to downgrade to the old Office 365 Message Encryption

I recently shared the method used to enable the "new" Office 365 Message Encryption features, built on Azure Information Protection. That process can be followed either to setup a new tenant with the latest version (v2), or to upgrade an existing tenant from the old... read more

28DecDecember 28, 2019

Reader Question: Can I sync my Network Drives to Teams?

Dear Alex, I wish to know if its possible to sync files/folders on my Network Server to teams. I have read a few documentations but all seems to be just for own PCs and not for Server/network drives. Yours is the closest I could see.... read more

06AugAugust 6, 2019

Updated: Exchange Online baseline / best practices scripts

I recently updated the scripts that I use to provision new Exchange Online tenants and configure them according to best practices, and I just uploaded these edits to GitHub. The main script is Baseline-ExchangeOnline.ps1--this is like a "master" script that contains almost all of the... read more

26JanJanuary 26, 2017

How to prepare for a HIPAA technical risk assessment or audit

I have had to help a number of smaller-sized health services clinics with this kind of thing recently, so I figured a place to collect notes on these experiences was in order. Hopefully others will find it valuable; just know that there is no such... read more

12OctOctober 12, 2017

Comparing Single Sign-On Options with Azure AD Connect

Azure AD Connect offers customers a number of ways to enable a "Single Sign-On" (or SSO) experience for users. I think it is important to understand the differences in these options, so that when you deploy Azure AD Connect into customer environments, you can pick... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.