When you move to Exchange Online, connectivity to your mailboxes is no longer limited by your firewall. Microsoft enables everything by default. So if you don’t want users to configure Outlook on their unmanaged Windows 10 devices, you need to create a policy to prevent it. To block Outlook on unmanaged Windows 10 devices, you need to create an app protection policy.
This business case was about using the Teams client but blocking the Outlook client.
Furthermore, you need to have the appropriate licenses.
App Protection Policy
Go to https://endpoint.microsoft.com/ and log on.
Go to Apps and after that go to App Protection Policies:
Create a new policy for Windows 10:
Name the policy and select “Without Enrollment”:
Select “Add” and after that “Desktop Apps”:
Enter the following data:
Publisher: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Productname: Microsoft Outlook
Min Version: *
Max Version: *
It needs to look like this (2 screenshots):
Select block and check whether your corporate identity has been entered:
I have left the advanced settings at their defaults, but you can edit them to enforce a more complex Windows Hello passcode. For example:
Assign the policy to a group. Please test first:
And click on create.
Testing the Policy
I have downloaded Microsoft Office 365 Pro Plus from https://portal.office.com/ with my user account.
When I start Outlook as this test user and try to configure my corporate profile, I get this error:
NOTE: This only works on newly enrolled machines. Machines that have already been registered can still configure Outlook, so these machines need to be re-registered.