I'm trying to restrict access to Office 365 (Exchange specifically) to Microsoft Office apps only.
I don't want to allow certain users to use native email clients because I want to use application restriction policies. This seems to me like a classic BYOD scenario. So I read this https://docs.microsoft.com/en-us/mem/intune/fundamentals/common-scenarios
It would appear to have a section talking about BYOD that says "When device enrollment is not a viable option, Intune offers an alternative BYOD approach of simply managing the apps that contain corporate data. Intune protects the corporate data even if the app in question accesses both corporate and personal data, as is the case for Office mobile apps.
As an administrator, you can require users to access Microsoft 365 from the Office mobile apps and configure the apps with policies that keep the data protected"
I've got my application protection policies in place; however, when I try to restrict access only to clients using Office mobile apps, the only way I can see to do this is using Conditional Access, which in turn requires me to download the portal app and enrol the device, which is what I'm trying to avoid.
Am I missing something here?
So, to answer my own question, there are instructions here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-conditional-access#scenario-1-office-365-apps-require-approved-apps-with-app-protection-policies
The subtle caveat is that app protection policies don't require enrolment, but they do require the device to be registered using the Authenticator app. So from the user's perspective it's still more work and the process looks the same. However, the advantage of this option over enrolment for the user is that the organisation doesn't have any control over the device, just the apps, which I suppose also helps with GDPR requirements.
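The Conditional Access policy from the linked "Scenario 1" can be created without clicking through the portal. The block below is an added example, not code from the original post or from Microsoft's documentation; it uses the Microsoft Graph PowerShell SDK and assumes the `Microsoft.Graph` module is installed, that the signed-in account has `Policy.ReadWrite.ConditionalAccess`, and that `$targetGroupId` is replaced with the object ID of the group holding the BYOD users. The policy display name is arbitrary, and the Global Administrator role exclusion is a safety choice made here, not something the post prescribes.

```powershell
# Added example (not from the original post): create the app-protection-based
# Conditional Access policy for Office 365 with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; caller has Policy.ReadWrite.ConditionalAccess;
# $targetGroupId is the object ID of the group of users who must use protected Office apps.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$targetGroupId = "<object-id-of-your-BYOD-users-group>"   # placeholder, replace before running

$policy = @{
    displayName = "BYOD: Office 365 requires app protection policy"
    # Start in report-only mode; switch to "enabled" once the sign-in logs show the expected
    # "would have been blocked / would have passed" results for real users.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($targetGroupId)
            # Exclude Global Administrators (well-known role template ID) so an admin testing
            # from an unprotected client cannot lock the tenant out of Exchange administration.
            excludeRoles  = @("62e90394-69f5-4237-9190-012177145e10")
        }
        applications = @{
            # "Office365" is the built-in application group; it covers Exchange Online.
            includeApplications = @("Office365")
        }
        platforms = @{
            # App protection policies are evaluated for the mobile platforms named in the docs scenario.
            includePlatforms = @("iOS", "android")
        }
        # Only modern-auth mobile/desktop clients are targeted. Exchange ActiveSync is a separate
        # client app type and is NOT covered by this policy; block it with its own policy if
        # native mail apps in your tenant still use it.
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # "Require one of the selected controls": approved client app OR app protection policy,
        # matching the grant settings in the linked Scenario 1.
        operator        = "OR"
        builtInControls = @("approvedApplication", "compliantApplication")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After creating the policy, check the Conditional Access report-only results in the sign-in logs for a user in the target group: a native mail client on iOS or Android should show the policy as "would have failed", while Outlook mobile with the app protection policy applied should pass. Only then flip `state` to `enabled`.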