iOS/iPadOS Managing Apple Native Mail with Intune
I keep running into the same old claim: Apple Mail is impossible to manage with Intune, so give up and force users to use Outlook. I've posted detailed instructions on reddit (they get deleted), so I decided to just post them here for my reference. The settings below manage the data while leaving it a little open. Feel free to change them for your environment and make them more restrictive as needed.
Before all the keyboard warriors get all uppity that "Intune can't truly manage Apple native mail, it's not on the MAM list and isn't truly implementing DLP": MDMs by themselves aren't a DLP solution, they're one tool in the broader part of a solution. Avantis, WorkSpace One, and the like can all manage Apple Native Mail as MDMs. Are they saying Intune magically is the only MDM service that can't prevent Apple Native Mail from saving files and data outside of work managed applications? Well, it totally can, and they can't delete my webpage in response. Can't stop the signal.
Goals for Management of Native Mail App and Data on a BYOD iOS / iPadOS device
Allow email to be synced in the iOS/iPadOS (referred to below just as iOS) Native Mail app
Prevent users from moving the email to another mailbox
Prevent users from saving attachments to iCloud or the device
Allow copy in, but not copy out
Remove the profile and device on device unenrollment
Allow sync with Native Contacts
Allow sync with Native Calendar
Allow files to be saved or opened in approved applications that are managed by Intune and MAM protected
We’re going to achieve the goals in several steps.
The first step is to push the email profile to Apple mobile devices. This makes the account company-managed in Native Mail and removes the account once the device is unenrolled or removed from Intune.
Devices > iOS/iPadOS > Configuration
Profile Type > Email
Enter your email settings
Allow Messages to be moved to other email accounts > Disable
Allow email to be sent from third party applications > Enable
Next we need to prevent the Apple Native Mail app from saving files to iCloud and to the device's local storage.
Devices > iOS/iPadOS > Configuration
Profile Type > Device Restrictions
App Store, Doc Viewing, Gaming
Block viewing corporate documents in unmanaged apps > Yes
Allow unmanaged apps to read from managed contacts accounts > Yes
Treat AirDrop as an unmanaged destination > Yes
Allow copy/paste to be affected by managed open-in > Yes
Now that we have iOS Apple Native Mail restricted from saving, it's time to allow Native Mail to save to approved locations.
Apps > App Protection Policies
Platform > iOS/iPadOS
Apps
Target to apps on all device types > Yes
Target Policy to > All Apps
Data Protection
Backup org data to iTunes and iCloud backups > Block
Send org data to other Apps > Policy managed apps
Save copies of org data > Block
Allow users to save copies to selected services > Add exceptions like org managed OneDrive, SharePoint, etc.
Transfer telecommunication data to > Any dialer app
Transfer messaging data to > Any messaging app
Receive data from other apps > All apps
Restrict cut, copy, and paste between other apps > Policy managed apps with paste in
Third party keyboards > Allow
Encryption
Encrypt org data > Require
Functionality
Sync policy managed app data with native apps or add ins > Allow
Printing org data > Allow
Restrict web content transfer with other apps > Microsoft Edge
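Once the three policies above exist, the useful check is that nobody has quietly loosened them later. The following is an added example, not from the original post: it audits a JSON export of the Intune policies (as returned by Microsoft Graph) against the settings listed above. The Graph property names are the beta schema names; the mapping from the portal labels in the comments is my assumption, and the sample export is constructed.

```python
"""Audit exported Intune iOS policies against the native-mail settings above."""
import json
# Expected values keyed by Graph @odata.type, then Graph (beta) property name.
# The portal label -> Graph property mapping in the comments is my assumption.
EXPECTED = {
    "#microsoft.graph.iosEasEmailProfileConfiguration": {
        "blockMovingMessagesToOtherEmailAccounts": True,  # Allow moving messages > Disable
        "blockSendingEmailFromThirdPartyApps": False,     # Allow send from 3rd-party apps > Enable
    },
    "#microsoft.graph.iosGeneralDeviceConfiguration": {
        "documentsBlockManagedDocumentsInUnmanagedApps": True,  # corp docs in unmanaged apps > Block
        "contactsAllowUnmanagedToManagedRead": True,            # unmanaged apps read managed contacts
        "airDropForceUnmanagedDropTarget": True,                # AirDrop is an unmanaged destination
        "managedPasteboardRequired": True,                      # copy/paste follows managed open-in
    },
    "#microsoft.graph.iosManagedAppProtection": {
        "dataBackupBlocked": True,                                 # backup to iTunes/iCloud > Block
        "allowedOutboundDataTransferDestinations": "managedApps",  # send org data > policy managed apps
        "saveAsBlocked": True,                                     # save copies of org data > Block
        "allowedInboundDataTransferSources": "allApps",            # receive data > All apps
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "thirdPartyKeyboardsBlocked": False,                       # third party keyboards > Allow
        "printBlocked": False,                                     # printing org data > Allow
        "contactSyncBlocked": False,                               # sync with native apps > Allow
        "managedBrowser": "microsoftEdge",                         # web content transfer > Edge
    },
}

def audit(policy: dict) -> list:
    """Return drift findings for one exported policy; an empty list means it matches."""
    kind = policy.get("@odata.type")
    if kind not in EXPECTED:
        return [f"{policy.get('displayName', '?')}: unhandled policy type {kind!r}"]
    return [f"{policy.get('displayName', '?')}: {prop} is {policy.get(prop)!r}, expected {want!r}"
            for prop, want in EXPECTED[kind].items() if policy.get(prop) != want]

def audit_export(raw_json: str) -> list:
    """Audit a JSON array of exported policies (e.g. the value array saved from a Graph GET)."""
    return [finding for policy in json.loads(raw_json) for finding in audit(policy)]

# Constructed sample export: the email profile matches, the APP policy has drifted on two settings.
SAMPLE_EXPORT = json.dumps([
    {"@odata.type": "#microsoft.graph.iosEasEmailProfileConfiguration", "displayName": "BYOD Mail",
     "blockMovingMessagesToOtherEmailAccounts": True, "blockSendingEmailFromThirdPartyApps": False},
    {"@odata.type": "#microsoft.graph.iosManagedAppProtection", "displayName": "BYOD APP",
     "dataBackupBlocked": True, "saveAsBlocked": False,                        # drifted
     "allowedOutboundDataTransferDestinations": "allApps",                     # drifted
     "allowedInboundDataTransferSources": "allApps", "managedBrowser": "microsoftEdge",
     "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
     "thirdPartyKeyboardsBlocked": False, "printBlocked": False, "contactSyncBlocked": False},
])
```

Run it against a real export by replacing SAMPLE_EXPORT with the JSON you pulled from Graph; any non-empty result is a policy that no longer matches the post.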
We can stop there, but for added protection we can now create a Conditional Access policy that blocks access from MAM-protected apps if Intune has been removed or deleted from the device. This still allows Native Mail, Calendar, and Contacts to sync. We're only targeting the O365 apps that I have already deployed with MAM protection policies. You can add other apps deployed with a MAM policy as needed.
In Entra dashboard go to Protection > Conditional Access > Policies > Create New Policy
Target Resources > Office 365
Again, you can add other MAM protected apps here
Conditions
Device Platforms > iOS
Grant
Grant Access
Require device to be marked as compliant
Require approved client app
Require app protection policy
Require all the selected controls
That’s it, you now have Apple Native Mail for iOS managed by Intune.
To address the critiques of keyboard warriors who are upset because they take the "just use Outlook" advice at face value:
“Just tell everybody to use Outlook and force them to do what IT wants and say it’s impossible to do.”
Other MDMs can manage Apple Native Mail no problem. Intune can't magically be the only MDM that has to force usage of Outlook.
Hate to work at your company and glad I don’t.
“But Intune isn’t truly managing Apple Native Mail, it’s not on the list of MAM capable apps”
Data can only be saved in approved locations and is deleted on unenrollment.
Email is not allowed to be moved to other email accounts in native mail
Email and data from email is purged when device is removed from Intune
Sug mai balls, that’s managing Apple Native Mail
“Your Conditional Access isn’t controlling Apple Native Mail and does nothing for Apple Native Mail”
Yeah, I know. It's applied to Office 365 apps or other MAM protected apps.
Once Intune is removed from the device, the work email and work email data is removed from the Native Mail app
If the user has Intune removed from their device, the data stored from Native Mail in a MAM managed app is now locked out.
“This isn’t a true DLP solution.”
MDMs aren't DLPs.