How do I stop Office 365 users using apps to download email to personal devices?

  • Question

  • I trust this is the right forum!


    I hope someone can point me in the right direction.

    I am configuring Office 365 E1 plan for a non profit organisation.

    One of their requirements is that users should not be able to download emails to personal devices, e.g. tablets, iPads, mobile phones and home computers. This is to safeguard sensitive information and is in line with forthcoming UK Data Protection regulations. Users are only allowed to access email online using a browser.

    I have configured user accounts so that all the email apps in Mail Settings are set to off.

    When I do verification testing I cannot connect using POP or IMAP, so far so good.

    However when I create an account in the Windows mail app, using the Exchange option, the account is created and I can send and receive email! The same happens when I configure an account in Outlook 2013.

    I have looked at Mobile Device Access in the Exchange Admin Centre. There is the option to block access using a device rule. However when I select All Families as the Device Family and save I get an error stating I must specify a mobile device model. If I then browse the device list I get a list of devices to select one from, not all devices.

    I am stuck! How do I prevent users downloading emails to personal devices?

    Thanks for looking.

    Thursday, December 21, 2017 1:23 PM

All replies

  • Hi.

    1. You can disable the ActiveSync connection for all users or a special user (Outlook app for mobile devices and any other client mail app, etc.).

    Exchange ActiveSync in Exchange Online

    2. Create policy for Mobile device mailbox policies in Exchange Online with block all devices.

    PS. POP and IMAP are disabled by default.

    MCITP, MCSE. Regards, Oleg

    Thursday, December 21, 2017 2:04 PM
  • Hi Oleg

    My thanks for your quick reply.

    I already had ActiveSync disabled.

    However I deleted the test account and recreated it. In the Admin Centre I disabled ActiveSync, I also disabled POP and IMAP.

    When I tested adding an account in the Win Mail app, I successfully created the account and was able to send and receive email.

    I have looked at ‘Create policy for Mobile device ......... with block all devices’.

    I cannot see a Mobile device mailbox policy setting to block all devices. I also cannot see how to implement a policy.

    I am still stuck.

    Kind regards


    Sorry I cannot put active links in the message. Seems I need to be verified and have not received any verification email.

    Thursday, December 21, 2017 7:38 PM
  • Hi Oleg

    Thanks for those links. It will take me some time to read and digest.



    Thursday, December 21, 2017 8:52 PM
  • Hi,

    Yes, we can disable POP3, IMAP4, ActiveSync, EWS feature for user mailbox. However, we cannot prevent Outlook Anywhere or MAPI over HTTP in Exchange Online as far as I know.

    Therefore, I recommend deploying Data Loss Prevention (DLP) to prevent sensitive information in your environment.
    Note: it's a premium feature that requires an Exchange Online Plan 2 subscription. 

    For your reference:
    Data loss prevention in Exchange
    Overview of data loss prevention policies

    Allen Wang


    • Proposed as answer by Allen_WangJF Friday, December 29, 2017 4:17 PM
    Friday, December 22, 2017 3:20 PM
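
An added example, not part of the original thread: a PowerShell check that reports which of the four per-mailbox protocols named in the last reply (POP3, IMAP4, ActiveSync, EWS) are still open for each mailbox. The function name `Get-SyncProtocolExposure` and the sample mailboxes are constructed for illustration; the property names follow `Get-CASMailbox` output.

```powershell
# Added example; Get-SyncProtocolExposure is a hypothetical helper name.
function Get-SyncProtocolExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$CasMailbox
    )
    begin {
        # The four per-mailbox switches named in the reply above.
        $protocols = 'PopEnabled', 'ImapEnabled', 'ActiveSyncEnabled', 'EwsEnabled'
    }
    process {
        # A protocol counts as closed only when it is explicitly $false.
        # An empty value ($null, common for EwsEnabled) means "not set", not "off".
        $open = @(foreach ($p in $protocols) {
            if ($CasMailbox.$p -ne $false) { $p }
        })
        [pscustomobject]@{
            Identity      = $CasMailbox.Identity
            OpenProtocols = $open -join ','
            # Browser-only for these four protocols: none open and OWA still on.
            WebOnly       = ($open.Count -eq 0) -and ($CasMailbox.OWAEnabled -eq $true)
        }
    }
}

# Constructed sample rows shaped like Get-CASMailbox output (not real mailboxes).
$sample = @(
    [pscustomobject]@{ Identity = 'alice'; PopEnabled = $false; ImapEnabled = $false
                       ActiveSyncEnabled = $false; EwsEnabled = $false; OWAEnabled = $true }
    [pscustomobject]@{ Identity = 'bob';   PopEnabled = $false; ImapEnabled = $false
                       ActiveSyncEnabled = $false; EwsEnabled = $null;  OWAEnabled = $true }
    [pscustomobject]@{ Identity = 'carol'; PopEnabled = $false; ImapEnabled = $false
                       ActiveSyncEnabled = $true;  EwsEnabled = $false; OWAEnabled = $true }
)

# alice is WebOnly; bob is flagged for the unset EWS value; carol for ActiveSync.
$sample | Get-SyncProtocolExposure | Format-Table -AutoSize

# Against a live tenant, after connecting to Exchange Online PowerShell:
#   Get-CASMailbox -ResultSize Unlimited | Get-SyncProtocolExposure |
#       Where-Object { -not $_.WebOnly }
# A flagged mailbox is closed down with the standard Set-CASMailbox switches:
#   Set-CASMailbox -Identity <user> -PopEnabled $false -ImapEnabled $false `
#       -ActiveSyncEnabled $false -EwsEnabled $false
```

The check covers only those four protocols, so a mailbox reported as `WebOnly` here has not been tested against Outlook desktop connections.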