VMware Workspace ONE Community
tmbm5060
Contributor

Controlling O365 with WorkspaceOne

We have a new license and install of Workspace One Enterprise.

We have a pretty simple goal for phase 1 of our Workspace One deployment. We want to restrict access to O365/Exchange Online from any device that's not enrolled in AirWatch. So if it's a Windows laptop or an Android phone, no mail if it's not enrolled. We do not want to use the Boxer app and want all native apps/MS apps.

Our engineering team has been working with VMware support and we are being told this is not possible. There is a process to do it for iOS/Android devices that uses Intune and the MS Authenticator app, but that won't work for Windows 10 laptops. So it's a partial solution.

This seems like a pretty big gap if I can't restrict a Windows Outlook client. What are we missing? I can't believe this is not possible, but VMware tech support is saying no way.

5 Replies
jafullersr
Enthusiast

Are you planning to use Workspace ONE Access? If so, your authentication process may be able to handle this.

It's not baked into Workspace ONE UEM stand-alone.

tmbm5060
Contributor

We are using Access only for VDI access.

I guess we have to move to Intune and decom Workspace One. The ability to restrict email to enrolled devices is a pretty basic requirement. I'm surprised this isn't more common.

jfjohnson
Contributor

Perhaps what is outlined in this blog will assist your request: https://cloudtekki.com/post/tunnel-o365-conditional-access/

TechMassey
Hot Shot

I do understand the reasoning and why it would be quite useful. I don't have a solution because this is a by-design scenario. I can help explain why this isn't possible.

At a high level, Office 365 is owned by Microsoft. The entire O365 infrastructure is controlled by Microsoft for personal and business use. For that reason, one can simply go to www.outlook.com and attempt to sign in to their personal or work email.

In your scenario, you're asking why users can't be redirected to WS1 if they attempt to access Office 365 online. The only method to do that is to have Microsoft initiate the redirection, which they will not do. This is not a Workspace One issue but a design functionality of O365.

In this case, I would recommend leveraging conditional access and using both solutions to deliver the desired security.

Please help out! If you find this post helpful and/or the correct answer, mark it! It helps recognize contributions to the VMTN community, and well, me too 🙂
jafullersr
Enthusiast

Hello TechMassey,

Please clarify, because this doesn't sound right.

While Microsoft by default will funnel an identity through their authentication process, it is still possible to federate the entire authentication (AUTH-N) through another IdP for your own enterprise tenant. In that process you can institute your own IdP flow, which can include Workspace ONE Access.

In this way, you're protecting the SaaS applications that are available through Microsoft with your identity provider (IdP) on every level, web and native.

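The distinction the last two replies draw (a managed domain, where Microsoft authenticates directly and an MDM never sees the request, versus a federated domain, where the tenant hands authentication to the enterprise IdP, which can then refuse unenrolled devices for web and native clients alike) modelled as an added, constructed example; this is not Workspace ONE Access or Microsoft code. The domain names, device inventory and the HMAC that stands in for SAML assertion signing are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed UEM-style enrollment inventory: device id -> platform.
ENROLLED_DEVICES = {"win-laptop-001": "Windows", "android-007": "Android"}
# Constructed tenant domains: "managed" = Microsoft authenticates directly,
# "federated" = Microsoft redirects AuthN to the configured IdP.
TENANT_DOMAINS = {"contoso.example": "federated", "fabrikam.example": "managed"}
# Hypothetical shared secret standing in for the IdP's assertion signing key.
IDP_KEY = b"constructed-idp-signing-secret"


def sp_route_login(upn: str) -> str:
    """Service-provider side: by the user's domain, decide who authenticates."""
    domain = upn.split("@", 1)[1].lower()
    return TENANT_DOMAINS.get(domain, "managed")


def idp_issue_assertion(upn: str, device_id: str, client: str):
    """IdP side (the role an enterprise IdP such as Workspace ONE Access plays):
    apply the enrollment requirement before issuing any assertion at all."""
    platform = ENROLLED_DEVICES.get(device_id)
    if platform is None:
        return None  # unenrolled device: no assertion, so no mail, web or native
    payload = json.dumps(
        {"sub": upn, "device": device_id, "platform": platform, "client": client},
        sort_keys=True,
    )
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def sp_verify(assertion) -> bool:
    """Service provider accepts only an assertion whose signature checks out."""
    if assertion is None:
        return False
    expected = hmac.new(IDP_KEY, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def login(upn: str, device_id: str, client: str) -> str:
    """End-to-end outcome for one sign-in attempt."""
    if sp_route_login(upn) != "federated":
        return "allowed-by-microsoft"  # managed domain: the IdP is never consulted
    assertion = idp_issue_assertion(upn, device_id, client)
    return "allowed" if sp_verify(assertion) else "denied"
```

The same enrollment check applies whether `client` is a browser or a native Outlook client, because the decision is taken by the IdP before an assertion exists, not by the mail app.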