There's a strange behaviour with policies with All Cloud Apps scope and simultaneously selecting LastPass App as an exception; somehow that doesn't seem to work as "we think" is intended.
This policy will not skip LastPass validation and fails the login.
Our current best solution for iOS uses a combination of two policies and one of them uses the scope "Selected Apps" where we select all apps and leave LastPass unselected.
Yep, that's true @rritterson
Our best solution for iOS is a mix of two policies:
1. All Cloud apps
   - Require Compliant Device
2. Selected apps - Where we select all apps except LastPass
   - Require Approved and APP Protect Policy
This will force device enrolment on any APP except LastPass and unfortunately will fail to protect LastPass Data.
On Android, using only "Require Compliant Device" on All Cloud Apps will force the use of Work profile apps and that will force the enrolment, so here it seems we don't have any issue.
If I try to block Apple mail only by choosing "Apple Internet Accounts" and then "Require Approved App", the conditional access doesn't apply because it says Apple Internet Accounts doesn't match Apple Internet Accounts. I presume this is the same issue as LastPass in reverse -- do you know what other apps you have to add to get that enforced?
Yep, it should be the same problem, because LastPass uses the "GRAPH API" resource and Apple Internet Accounts will probably use the "Office 365 Exchange Online" resource.
In order to block the native iOS APP you will need to add the APP Office 365, which is a bundle of almost if not all of the Office 365 ecosystem, and require "Approved APP" and "APP Policy Protection". This will force the enrolment.
You can find the APP bundle here.