Forum Discussion
Conditional Access O365 apps in personal profile when using Android Enterprise Work Profile
- May 23, 2019
After playing around with some conditional access policies I found how this can be done. Here is what I did:
- Created a new CA policy
- Assignments:
  - All users
  - All cloud services (could obviously be limited, of course)
- Conditions:
  - Device Platforms: Any Device
  - Client Apps (Preview): Browser, Mobile apps and desktop clients, Modern authentication clients & Other clients
- Access Controls:
  - Grant: Require device to be marked compliant & Require approved client app
So in the conditions under Client Apps (Preview) I did not select Exchange ActiveSync clients, which seems to include apps outside of the Android Enterprise Work Profile.
During testing with Outlook in the private profile I was still able to enter the work email address, but then Outlook states that the Company Portal app is required. Because this app is disabled in the private profile after the Work Profile is created, the user is directed to the Google Play Store where he can "Enable" the Company Portal app again, and when authenticating the device is registered again and the Work Profile is created again...
Not the best end user experience but at least the work email address can only be configured in the Work Profile.
To add upon this, the device is at that point registered twice in the Intune console.
Still some work to be done but I guess.
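As an added example, not part of the original post: the policy above expressed as a Microsoft Graph conditionalAccessPolicy body (the enum values are Graph's own), together with a small audit function that flags the Exchange ActiveSync client app types the post deliberately leaves unselected. The report-only state and the AND operator (both grant controls required) are my assumptions, since the post does not state them.

```python
"""Constructed example: the Conditional Access policy from the post as a Graph
conditionalAccessPolicy body, plus a check for the EAS client-type gotcha."""
import json

# Values of Graph's conditionalAccessClientApp enum that cover Exchange ActiveSync.
EAS_CLIENT_APP_TYPES = {"exchangeActiveSync", "easSupported"}


def build_work_profile_policy(display_name="Require compliant device + approved app"):
    """Return the policy body matching the post: all users, all apps, any platform,
    every client app type except Exchange ActiveSync, both grant controls required."""
    return {
        "displayName": display_name,
        # Assumption: start in report-only so sign-in logs show impact before enforcing.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["all"]},
            # EAS types omitted on purpose: selecting them pulled in the personal-profile client.
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", "other"],
        },
        "grantControls": {
            "operator": "AND",  # assumption: both controls must be satisfied
            "builtInControls": ["compliantDevice", "approvedApplication"],
        },
    }


def audit_policy(policy):
    """Return findings for a policy body; an empty list means it matches the post's shape."""
    findings = []
    client_types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    if "all" in client_types or client_types & EAS_CLIENT_APP_TYPES:
        findings.append("clientAppTypes includes Exchange ActiveSync clients")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if not {"compliantDevice", "approvedApplication"} <= controls:
        findings.append("grantControls missing compliantDevice and/or approvedApplication")
    if len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("grantControls operator is not AND, so only one control is required")
    if policy.get("state") == "disabled":
        findings.append("policy is disabled")
    return findings


if __name__ == "__main__":
    body = build_work_profile_policy()
    print(json.dumps(body, indent=2))  # body for POST /identity/conditionalAccess/policies
    print("findings:", audit_policy(body))
```

The audit function can also be run over policies exported from the tenant to spot ones where Exchange ActiveSync clients were left selected.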
- Mike Sharratt, Feb 20, 2021, Copper Contributor
Thank you for posting this, it is exactly what I need to do too (allow access via the work profile, but prevent access from the personal profile).
It seems so odd Microsoft (or Google) didn't consider this when implementing the work profile on Android and Intune/Endpoint.
- nirispa, Jul 16, 2021, Copper Contributor
Two years since the initial post, is there still no elegant, enterprise-worthy solution?
- bthomas, Jul 26, 2021, Iron Contributor
Intune does support Android COPE now, which has a better user experience in my opinion: https://docs.microsoft.com/en-us/mem/intune/enrollment/android-corporate-owned-work-profile-enroll