Microsoft recently added “Require app protection policy (Preview)” to conditional access. App Protection Policies in Intune are a great way to secure the apps on either a managed device or an unmanaged device.
Suggested Reading – https://docs.microsoft.com/en-us/intune/app-protection-policy
This blog post walks through creating an example Conditional Access policy that uses the “Require an app protection policy (Preview)” control and targets Exchange Online, then shows the user experience on a device that does not have any App Protection Policies assigned.
In devicemanagement.microsoft.com, go to Conditional Access and create a new policy.
Give the policy a name. Because I am only testing this policy, I have targeted just one user.
I will be testing this policy only for Exchange Online.
I will only be using iOS and Android for this policy.
I have configured the conditions for all apps.
I have selected the control to require app protection policy.
The policy has now been created and enabled.
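The same settings can be expressed and checked as data. The following is an added example, not part of the original post: it builds a policy body in the shape of the Microsoft Graph `conditionalAccessPolicy` resource and audits a policy for gaps that would leave the app protection requirement unenforced. The policy name and user ID are placeholders, and mapping “all apps” to `clientAppTypes: ["all"]` is an assumption.

```python
import json

# Well-known application ID of Office 365 Exchange Online in Azure AD.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"

def build_policy(name, user_id):
    """Policy body mirroring the portal steps: one user, Exchange Online,
    iOS and Android, all client apps, require app protection policy."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [user_id]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["all"],  # assumed reading of "all apps"
        },
        "grantControls": {"operator": "OR",
                          "builtInControls": ["compliantApplication"]},
    }

def audit_policy(policy):
    """Return findings where a policy does not enforce what the post configures."""
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if policy.get("state") != "enabled":
        findings.append("not enforced: state is %r" % policy.get("state"))
    if "compliantApplication" not in controls:
        findings.append("app protection policy is not a grant control")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        others = [c for c in controls if c != "compliantApplication"]
        findings.append("app protection is optional: OR with " + ", ".join(others))
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if EXCHANGE_ONLINE not in apps and "All" not in apps:
        findings.append("Exchange Online is not targeted")
    plat = cond.get("platforms")  # no platform condition means every platform
    if plat and "all" not in (plat.get("includePlatforms") or []):
        for p in ("iOS", "android"):
            if p not in plat.get("includePlatforms", []):
                findings.append("platform %s is not covered" % p)
    return findings

if __name__ == "__main__":
    # Constructed sample; the user ID is a placeholder, not a real object ID.
    policy = build_policy("Require APP for EXO (test)", "<pilot-user-object-id>")
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy) or "policy matches the walkthrough")
```

The audit only looks at include lists; exclusions on users, apps or platforms would need a separate check.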
Below is the user experience when trying to add an email account targeted by the CA policy to the native mail app on an iOS device. You can see that it is blocked (similar to what happens if you require an approved client app in the CA policy).
Now, if I try to set up the account in Outlook, I get an error saying that no application protection policies have been assigned.