    pvanberlo
    Steel Contributor
    You'll want to look at a combination of MAM policies and Azure AD Conditional Access policies for this. Are the devices used for work all enrolled in Intune MDM? If so, it's probably just as simple as saying a device needs to be marked as compliant. Alternatively, there's also a preview for AAD Conditional Access policies that allows you to filter on devices (and the filter includes the option to match on the 'deviceOwnership' attribute, e.g. whether a device is marked as personal or not).

    Some info can be found at https://docs.microsoft.com/en-us/mem/intune/protect/tutorial-protect-email-on-unmanaged-devices.
      allymohit
      Copper Contributor
      pvanberlo Thank you for the response. From what I understood, I can restrict mail to a compliant device, but the user will still be able to configure the mail in the personal profile. I want to allow mail in the work profile only, even if the device is compliant.
        pvanberlo
        Steel Contributor
        Just to avoid confusion, can you tell me what you mean by "profile" in this case? Are we talking about, for example, Android phones which have this feature in some cases to 'distinguish' between a personal and a work profile?

        You may want to approach this the other way around: instead of "blocking personal devices", only allow "managed/compliant devices". Effectively it would be the same.

        I do not recall seeing the possibility to actually block setting up e-mail, unless you do this per user or do it the other way around - make everything that should be allowed compliant and block everything else. Perhaps someone else has more insight into this specifically.
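The two approaches pvanberlo describes in the thread, requiring a compliant device and scoping the policy with a device filter on deviceOwnership, both end up as a single Azure AD Conditional Access policy. The script below is an added example and is not code from any participant in the thread. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin has the Policy.ReadWrite.ConditionalAccess permission, and uses the well-known Office 365 Exchange Online application ID to target mail; the function name and display name are the author's own.

```powershell
# Added example, not from the thread: create a report-only Conditional Access policy that
# grants Exchange Online access only from devices Intune has marked compliant, optionally
# scoped to personally owned devices via the deviceOwnership device filter.
# Assumes: Microsoft.Graph SDK installed; caller has Policy.ReadWrite.ConditionalAccess.

#Requires -Modules Microsoft.Graph.Identity.SignIns

function New-CompliantDeviceMailPolicyBody {
    param(
        [string]$DisplayName = "CA - Require compliant device for Exchange Online (report-only)",
        # When set, only devices NOT marked as company-owned fall in scope.
        [switch]$PersonalDevicesOnly
    )

    # Well-known first-party application ID for Office 365 Exchange Online.
    $exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

    $conditions = @{
        # Put your break-glass account object IDs in excludeUsers before enabling.
        users          = @{ includeUsers = @("All"); excludeUsers = @() }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        platforms      = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("all")
    }

    if ($PersonalDevicesOnly) {
        # Device filter (the preview feature mentioned in the thread). Devices whose
        # deviceOwnership attribute is not "Company" are in scope; corporate devices are not.
        # Unregistered devices carry no deviceOwnership attribute at all, so check how they
        # evaluate in the sign-in logs before enforcing.
        $conditions.devices = @{
            deviceFilter = @{
                mode = "include"
                rule = 'device.deviceOwnership -ne "Company"'
            }
        }
    }

    # Grant control: the request is allowed only if the device is marked compliant in Intune.
    return @{
        displayName   = $DisplayName
        state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after review
        conditions    = $conditions
        grantControls = @{
            operator        = "OR"
            builtInControls = @("compliantDevice")
        }
    }
}

# Usage: sign in, build the body, create the policy in report-only mode.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
$body = New-CompliantDeviceMailPolicyBody -PersonalDevicesOnly
New-MgIdentityConditionalAccessPolicy -BodyParameter $body
```

The policy is created in report-only mode on purpose: whether a mail client set up in the personal profile of an Android work-profile device can satisfy the compliant-device grant is exactly the point the thread leaves open, and the sign-in logs for a report-only policy will show which requests would have been blocked before anything is enforced.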