OWA app on iOS allows access to email with Conditional Access enabled in Intune
I ran into this problem testing access to O365 company email for a client. We set up Conditional Access in Intune so that anyone with iOS or Android would need to have a compliant device (have the Intune Company Portal app installed, etc.) in order to sync email down. Turns out that the OWA app on iOS gets around this setting. When setting up access to Exchange Online email, we get the screen saying the device needs to be enrolled via Intune to get email. Two buttons are presented at that point: Enroll (sends you to the App Store to install the Company Portal app) and OK. The problem is that if you click OK, it sends you right through and email starts to sync.
This is a HUGE loophole (security risk) that is somehow getting around the Exchange Online Policy settings in Intune!
I have O365 MDM and with Conditional Access set up, I can no longer sign into the OWA app, but I can sign in through the browser.
Aaron Marks commented
This is definitely a security risk. We're dealing with this currently by having a server run a script to disable OWA for Devices once a day.
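The workaround Aaron describes (a scheduled script that turns off OWA for Devices) can be done with the Exchange Online PowerShell cmdlets. The script below is an added example, not the script from this thread; it assumes the ExchangeOnlineManagement module is installed, the signed-in account has Exchange admin rights, and the UPN is a placeholder you replace with your own.

```powershell
# Added example (not from the thread): disable OWA for Devices on every mailbox
# where it is still enabled, then report what is left. Intended to run on a
# schedule so newly created mailboxes are caught the next time it runs.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# Pull every mailbox's client-access settings and keep only the ones that
# still allow the OWA for Devices app (the client the thread says bypasses CA).
$affected = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAforDevicesEnabled -eq $true }

foreach ($mbx in $affected) {
    Set-CASMailbox -Identity $mbx.Identity -OWAforDevicesEnabled $false
    Write-Output "Disabled OWA for Devices: $($mbx.PrimarySmtpAddress)"
}

# Re-check so the scheduled job's log shows whether anything slipped through.
$remaining = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAforDevicesEnabled -eq $true }).Count
Write-Output "Mailboxes still allowing OWA for Devices: $remaining"

Disconnect-ExchangeOnline -Confirm:$false
```

Running it once a day, as Aaron does, only closes the gap for mailboxes that existed at the last run; mailboxes created after that stay open until the next run, which is why the trailing count is worth logging.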
Anna Lee commented
Has this been resolved? It is so upsetting!