Blocking Windows 10 Mail App with ActiveSync Device Access Rules
Controlling mail clients that use Exchange ActiveSync (EAS) for connectivity can be done using EAS Device Access Rules. A common scenario is to block all native mail apps on mobile devices and require the use of the Outlook app for Android and iOS. This can easily be done using the built-in configuration in Exchange Online, but what I've recently noticed is that the Mail app on Windows 10 doesn't seem to behave how we would like it to.
EAS Device Access Rules are limited in how they can be configured through the Exchange Admin Center. In my case, I want to only allow the Outlook app, so I need to first block all access to EAS unless a specific Device Access Rule applies to the device. To do this, the EAS service settings need to be set to block all devices by default.
This prevents the use of any devices that I do not explicitly allow. This comes into play a little later when I get to the Mail app on Windows 10.
Allowing Specific Devices
To allow the Outlook app for Android and iOS, a specific device access rule is required. This is relatively easy to configure through the Exchange Admin Center portal by selecting the device family of Outlook and the option to Allow Access.
This can be somewhat misleading as the name Outlook here could apply to desktop clients, mobile clients, and even Outlook on the web. Because these are ActiveSync Device Rules, this reference to Outlook only applies to the Outlook for iOS and Outlook for Android mobile apps.
If you were looking to only block the Windows 8 Mail app, the option for WindowsMail is also available here. Unfortunately, this option does not apply to the Windows 10 Mail app.
Rule For Windows 10 Mail App
The blanket rule that blocks all ActiveSync device access does not apply to the Windows 10 Mail app. It does apply to the Mail app on Windows 8, but using only this method will still allow users to connect the Mail app on Windows 10 to their mailboxes.
To block the Windows 10 Mail App, another ActiveSync Device Access Rule is required to explicitly block Windows 10. Unfortunately, this cannot be created through the Exchange Admin Center portal, but can only be created using PowerShell.
This creates a new Device Access Rule that applies to the Device Family of UniversalOutlook. This device family is not listed in the EAC for selection, which is why the rule has to be created via PowerShell.
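The following script is an added example, not the command from the original post. It applies the default-block setting and the UniversalOutlook block rule idempotently, then lists the rules and any Windows 10 Mail partnerships so the result can be verified. It assumes an already connected Exchange Online PowerShell session and that the EAC "device family" corresponds to the `DeviceType` characteristic.

```powershell
# Added example (not the original post's command).
# Assumptions: an Exchange Online PowerShell session is already connected
# (for example via Connect-ExchangeOnline), and the EAC "device family"
# maps to -Characteristic DeviceType.
$family = 'UniversalOutlook'   # device family named in the post for Windows 10 Mail

# 1. Block every EAS device that no Device Access Rule explicitly allows.
$org = Get-ActiveSyncOrganizationSettings
if ($org.DefaultAccessLevel -ne 'Block') {
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block
}

# 2. Create the explicit block rule only if it is missing; correct it if it
#    exists with a different access level.
$rule = Get-ActiveSyncDeviceAccessRule | Where-Object {
    $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq $family
}
if (-not $rule) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
        -QueryString $family -AccessLevel Block
}
elseif ($rule.AccessLevel -ne 'Block') {
    Set-ActiveSyncDeviceAccessRule -Identity $rule.Identity -AccessLevel Block
}

# 3. Review the full rule set: the default is Block, so every Allow rule
#    listed here is an exception that should be intentional.
Get-ActiveSyncDeviceAccessRule |
    Sort-Object AccessLevel, QueryString |
    Format-Table Characteristic, QueryString, AccessLevel -AutoSize

# 4. List existing Windows 10 Mail partnerships and how Exchange currently
#    evaluates them. Anything not in state Blocked needs follow-up.
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceType -eq $family } |
    Select-Object UserDisplayName, FriendlyName, DeviceOS,
                  DeviceAccessState, DeviceAccessStateReason |
    Sort-Object DeviceAccessState, UserDisplayName |
    Format-Table -AutoSize
```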