Different week, different use cases. This blog will be about the impossibility of having Gmail as your email client in combination with Android work profiles and Conditional Access.
Why not use Outlook? That’s indeed a very good question, as Gmail is also not an approved app. I guess users are just used to working with the Gmail app. They prefer the Gmail calendar notifications over the Outlook calendar notifications.
Of course, we advised them to start using Outlook, but the customer is king and honestly, I was curious whether it was possible. I tried to find some more information on whether it was possible and what kind of problems you can run into when working with the Gmail app instead of Outlook. But unfortunately, there is not much information about this particular setup.
So our journey begins…
The first thing we needed to do was configure the Gmail app to make sure it was available inside the work profile’s Google Play store.
After the app was available and installed on the device we got to the next step: approving the Gmail app itself. We have configured admin consent requests to make sure the apps must be approved by an admin.
Okay, so far so good. What’s next? Like I said in the beginning, requiring approved apps in Conditional Access will not work with Gmail. For now, we excluded Android to start testing.
So, let’s try to open the Gmail app and start configuring Office 365. Almost immediately this screen was shown. It tells us the device needs to be managed to access the company resources.
That’s kinda weird, as the device is already enrolled with a work profile and it’s compliant. After a while, the device prompted us with another error.
I guess it’s time to open the Azure AD portal to start investigating.
As shown above: “Your device is required to be managed to access this resource.” Of course, there are Conditional Access rules in place to make sure the mobile devices are managed/compliant before they can access the company’s resources. This rule targets iOS and Android devices.
But it’s strange: the Gmail app tells us the device needs to be managed even when the device (work profile) is compliant. To be sure, we excluded Android from this policy and Gmail worked within a few seconds. But totally excluding Android is not the way, so we have created an additional CA rule. It only targets Android, but it has the Exchange Online app excluded.
It’s not the nicest solution. The best option you might have is just to start using Outlook. When using Outlook, you will need to make sure that contact sync is allowed and that the option to transfer telecommunication data is configured in the app protection policy.
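The Android-only rule described above, written as an added Microsoft Graph PowerShell example (not the original post’s own configuration): the existing iOS/Android compliance rule is assumed to have Android removed from its platforms, and this new policy re-applies the compliant-device requirement to Android for every cloud app except Office 365 Exchange Online. It is created in report-only state first so the sign-in logs can confirm the Gmail sign-ins land in the exclusion before it is enforced; note that Exchange Online traffic from Android is then no longer covered by the device-compliance check, which is exactly the barrier being dropped.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Look up the Exchange Online app id in this tenant instead of hardcoding it.
$exo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
if (-not $exo) { throw "Office 365 Exchange Online service principal not found" }

$policy = @{
    displayName = "CA - Android - Require compliant device (Exchange Online excluded)"
    # Report-only first; switch to "enabled" once sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }          # assumption: scope to a pilot group first
        applications   = @{
            includeApplications = @("All")
            excludeApplications = @($exo.AppId)               # the Gmail/EAS traffic lands here
        }
        platforms      = @{ includePlatforms = @("android") }  # Android only; iOS stays on the old rule
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")                # work profile must be compliant
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Before enabling, check the report-only results in the sign-in logs for an Android Gmail sign-in: the Exchange Online resource should show this policy as not applied (excluded), while any other cloud app from the same device still reports "compliant device" as the satisfied control.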
After spending some more time on Google, I found one article with almost the same problem and also the same solution I came up with:
GMAIL application is unable to pass the device information for the exchange account added to it so that is the only reason it’s unable to satisfy the Conditional Access Policy …
We don’t live in a perfect world, where everything is strictly regulated. Sometimes you will need to drop the security barrier a bit. This is the way….