I keep running into the same old thing, Apple Mail is impossible to be managed by Intune and to give up and force users to use Outlook. I’ve posted instructions with details on reddit (gets deleted) so decided to just post it here for my reference. Settings below are managing the data but allowing it to be a little open. Feel free to change for your environment to make more restrictive as needed.
Before all the keyboard warriors get all uppity that “Intune can’t truly manage manage Apple native mail, it’s not on the MAM list and isn’t truly implementing DLP.” MDMs by themselves aren't a DLP solution, they're one tool in the broader part of a solution. Avantis, WorkSpace One, and alike for MDMs can all manage Apple Native mail. Are they saying Intune magically is the only MDM service that can’t prevent Apple Native mail from saving files and data outside of work managed applications? Well, it totally can and they can’t delete my webpage in response. Can’t stop the signal.
Goals for Management of Native Mail App and Data on a BYOD iOS / iPadOS device
Allow email to be synced in iOS/iPadOS (just referenced as iOS) Native Mail App
Prevent users from moving the email to another mailbox
Prevent users from saving attachments to iCloud or the device
Allow copy in, but not copy out
Remove the profile and device on device unenrollment
Allow sync with Native Contacts
Allow sync with Native Calendar
Allow files to be saved or opened in approved applications that are managed by Intune and MAM protected
We’re going to achieve the goals in several steps.
First step is to push the email profile to Apple mobile devices. This will make the account managed by the company in native mail and remove the account once unenrolled or removed from Intune.
Devices > iOS/iPadOS > Configuration
Profile Type > Email
Enter your email settings
Allow Messages to be moved to other email accounts > Disable
Allow email to be sent from third party applications > Enable
Next we need to prevent the Apple Native Mail app from saving files to iCloud and the phone storage device
Devices > iOS/iPadOS > Configuration
Profile Type > Device Restrictions
App Store, Doc Viewing, Gaming
Block viewing corporate documents in unmanaged apps > Yes
Allow unmanaged apps to read from managed contacts accounts > Yes
Treat AirDrop as an unmanaged destination > Yes
Allow copy/paste to be affected by managed open-in > Yes
Now that we have iOS Apple Native Mail restricted from saving, time to allow Native Mail to save to approved locations.
Apps > App Protection Policies
Platform > iOS/iPad OS
Apps
Target to apps on all device types > Yes
Target Policy to > All Apps
Data Protection
Backup or data to iTunes and iCloud backups > Block
Send org data to other Apps > Policy managed apps
Save copies of org data > Block
Allow users to save copies to selected services > Add exceptions like org managed OneDrive, SharePoint, etc.
Transfer telecommunication data to > Any dialer app
Transfer messaging data to > Any messaging app
Receive data from other apps > All apps
Restrict cut, copy, and paste between other apps > Policy managed apps with paste in
Third party keyboards > Allow
Encryption
Encrypt org data > Require
Functionality
Sync policy managed app data with native apps or add ins > Allow
Printing org data > Allow
Restrict web content transfer with other apps > Microsoft Edge
We can stop there, but for added protection, we can now create a Conditional Access policy to block any MAM access if a device had Intune removed or deleted from it. This still allows Native Mail, calendar, and contact syncs. We’re only targeting O365 apps that I have deployed using MAM protection policies already. You can add other apps deployed with MAM policy as needed.
In Entra dashboard go to Protection > Conditional Access > Policies > Create New Policy
Target Resources > Office 365
Again can add other MAM protected apps here
Conditions
Device Platforms > iOS
Grant
Grant Access
Require device to be marked as compliant
Require approved client app
Require app protection policy
Require all the selected controls
That’s it, you now have Apple Native Mail for iOS managed by Intune.
To address the critiques of keyboard warriors that are upset because they just take everything at face value to just use Outlook:
“Just tell everybody to use Outlook and force them to do what IT wants and say it’s impossible to do.”
Other MDMs can manage Apple Native mail no problem. Intune can’t magically be the only MDM that has to force usage of Outlook
Hate to work at your company and glad I don’t.
“But Intune isn’t truly managing Apple Native Mail, it’s not on the list of MAM capable apps”
Data is deleted and saved in only approved locations.
Email is not allowed to be moved to other email accounts in native mail
Email and data from email is purged when device is removed from Intune
Sug mai balls, that’s managing Apple Native Mail
“Your Conditional Access isn’t controlling Apple Native Mail and does nothing for Apple Native Mail”
Yeah, I know. It’s applied to Office 365 apps or other MAM protected apps
Once Intune is removed from the device, the work email and work email data is removed from the Native Mail app
If the user has intune removed from their device, the data stored from Native Mail in a MAM managed app is now locked out.
“This isn’t a true DLP solution.”
MDMs aren’t DLPs….