Koen Van den Broeck - I think there are a few questions here, so let me see if I can parse them out correctly. :)
Question 1 - How can I allow contact sync on enrolled devices, but block it on unenrolled devices?
Assuming the enrollment provider is Intune, the best approach here is to use a set of App Protection Policies.
For enrolled devices, create an APP with app types targeted set to "Apps on Intune managed devices". In the APP data protection settings, set "sync app with native contacts app" to enable.
For unenrolled devices, create an APP with app types targeted set to "Apps on unmanaged devices". In the APP data protection settings, set "sync app with native contacts app" to disable.
This will allow users to set up contact sync on enrolled devices, while disabling the ability for users to set up contact sync on unenrolled devices. You can then use an ACP (either managed apps or managed devices) to set the default behavior of contact sync to be on. Note: the APP setting enables/disables the ability for Outlook to use contact sync, while the ACP setting only controls the default behavior of contact sync if Outlook is allowed to perform contact sync.
See https://docs.microsoft.com/intune/app-protection-policies#target-app-protection-policies-based-on-device-management-state for more information.
Question 2 - What happens if I have a managed devices ACP and a managed apps ACP targeted to the same user (the setting has either the same or competing values)?
In this scenario, the managed apps ACP setting will take priority.
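
As an added example (not part of the original reply and not Microsoft's code), here is a check over exported App Protection Policies for the enrolled/unenrolled split described under Question 1. It assumes the export uses the Microsoft Graph beta field names `targetedAppManagementLevels` and `contactSyncBlocked` and that all policies are assigned to the same users; the sample policies are constructed.

```python
import json

# Constructed sample export of app protection policies. Field names follow the
# Microsoft Graph beta managed app protection resource (an assumption about the
# export format, not something the post specifies).
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "APP-Enrolled",   "targetedAppManagementLevels": "mdm",
   "contactSyncBlocked": false},
  {"displayName": "APP-Unenrolled", "targetedAppManagementLevels": "unmanaged",
   "contactSyncBlocked": true},
  {"displayName": "APP-Legacy",     "targetedAppManagementLevels": "unspecified",
   "contactSyncBlocked": false}
]
""")


def management_states(policy):
    """Map the policy's targeting to the device states it applies to."""
    raw = policy.get("targetedAppManagementLevels", "unspecified")
    levels = {part.strip() for part in raw.split(",")}
    if "unspecified" in levels:  # "all app types": applies to both states
        return {"mdm", "unmanaged"}
    return levels & {"mdm", "unmanaged"}


def audit_contact_sync(policies):
    """Return (policy name, issue) pairs that break the enrolled/unenrolled split."""
    findings, covered = [], set()
    for policy in policies:
        states = management_states(policy)
        covered |= states
        blocked = policy.get("contactSyncBlocked", False)
        if "unmanaged" in states and not blocked:
            findings.append((policy["displayName"], "unmanaged-allows-sync"))
        if "mdm" in states and blocked:
            findings.append((policy["displayName"], "managed-blocks-sync"))
    if "unmanaged" not in covered:
        # No policy reaches unenrolled devices, so nothing disables sync there.
        findings.append(("*", "no-unmanaged-policy"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_contact_sync(SAMPLE_POLICIES):
        print(f"{name}: {issue}")
```

The constructed "APP-Legacy" policy targets all app types with contact sync allowed, so it is the one flagged: it leaves sync available on unenrolled devices even though a dedicated unmanaged policy disables it.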