Different week, different use cases. This blog will be about the impossibility of having GMAIL as your Email client in combination with Android Work profiles and Conditional Access.
Why not use Outlook? That’s indeed a very good question, as Gmail is also not an approved app. I guess users are just used to working with the Gmail app. They prefer the Gmail calendar notifications instead of the Outlook calendar notifications.
Of course, we advised to start using Outlook, but the customer is King and honestly, I was curious if it was possible. I tried to get some more information if it was possible and what kind of problems you can run into when working with the Gmail app instead of Outlook.
But unfortunately, there is not much information about this particular setup.
So our journey begins… I will divide this blog into multiple parts:
- Configuring the Gmail App
- Excluding Android from the Approved Apps
- Testing the exclusion
- Solving it?
- The Reason why!
1. Configuring the Gmail App
As mentioned at the beginning of the blog, we already have an Android-enrolled device with a nicely working work profile on it. To make sure the Gmail app arrives on our device, we need to configure the Gmail app so that it is available inside the work profile's Google Play store.
After the app was available and installed on the device we got to the next step: Approving the Gmail app itself. We have configured Admin consent requests to make sure the apps must be approved by an admin. So don’t forget to approve the request 🙂
Okay so far, so good, what’s next?
2. Exclude Android from the Approved Apps
Like I said in the beginning, requiring approved apps in conditional access will not work with GMAIL. Go check out this list from Microsoft to determine which apps DO support app protection!
But let us continue. For now, we excluded Android to start testing.
3. Testing the exclusion
Now that we have made sure we are not requiring an approved app for Android devices, let's try to open the Gmail app and start configuring Office 365. Almost immediately this screen was shown. It tells us the device needs to be managed to access the company resources.
That's kinda weird, as the device is already enrolled with a work profile and it's compliant. After a while, the device prompted us with another error: AADSTS90014, "The required field 'request' is missing from the credential".
I guess it's time for some troubleshooting. When troubleshooting Conditional Access, the best place to start is the Azure AD portal. So open this portal to start investigating.
As shown above: "Your device is required to be managed to access this resource". Of course, there are Conditional Access rules in place to make sure the mobile devices are managed/compliant before they can access the company's resources. This rule targets iOS and Android devices.
But it’s strange, the Gmail app tells us the device needs to be managed even when the device (work profile) is compliant. To be sure we also excluded Android from this policy and the Gmail App worked within a few seconds!
4. Solving it?
But excluding Android entirely is not the way to go, so we created an additional CA rule. It only targets Android, but it has the Exchange Online app excluded.
It's not the nicest solution. The best option you have is to just start using Outlook. When using Outlook, you will need to make sure contact sync is allowed and the option to transfer telecommunication data is configured in the app protection policy.
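The workaround from this section, written out as an added example (this is not the original post's configuration): a Microsoft Graph PowerShell call that creates the Android-only Conditional Access policy with Exchange Online excluded, created in report-only state so the sign-in logs show its effect before it enforces anything. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that you connect with the Policy.ReadWrite.ConditionalAccess scope, and that the break-glass user ID is a placeholder you replace.

```powershell
# Added example, not the original post's configuration.
# Assumptions: Microsoft.Graph.Identity.SignIns module installed, and
# $breakGlassUserId replaced with a real object ID before running.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Well-known app ID of Office 365 Exchange Online; verify it in your tenant.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"
$breakGlassUserId    = "<BREAK-GLASS-USER-OBJECT-ID>"   # placeholder

$policy = @{
    displayName = "Android - require compliant device (Exchange Online excluded)"
    # Report-only first: sign-in logs show what would have been blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications = @{
            includeApplications = @("All")
            # Gmail cannot present device state for its Exchange account, so
            # Exchange Online is carved out of this Android-only rule. Mail on
            # Android is therefore no longer gated on device compliance.
            excludeApplications = @($exchangeOnlineAppId)
        }
        platforms = @{
            includePlatforms = @("android")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Switch the state to "enabled" only after the report-only results in the sign-in logs look as expected.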
5. The Reason why!
After spending some more time on Google, I found one article with almost the same problem and also the same solution I came up with:
"GMAIL application is unable to pass the device information for the exchange account added to it so that is the only reason it's unable to satisfy the Conditional Access Policy ..."
So… that totally explains it! Just use Outlook, I guess 🙂
We don't live in a perfect world where everything is strictly regulated. Sometimes you will need to drop the security barrier a bit. But don't forget to convince them afterwards to start using Outlook!