Forum Discussion

luvsql
Iron Contributor
Jun 01, 2022

Conditional and App Policies to Protect Work Data on Personal Profiles Users Already Using Them

This is a real scenario that most businesses probably already have. They have users already using personal devices or using work devices that the business does not want to fully manage. They already use email, Teams and OneDrive on the device. Now the company wants to set up BYOD and get Intune to protect its data.

Tutorial - Protect Exchange Online email on unmanaged devices - Microsoft Intune | Microsoft Docs

They use this document to set up all the policies, then set up Intune and require enrollment. What the document does not go into is what happens to all the data and apps on the personal side that's already authenticated and working? I tried it on mine and can still use all the apps on the personal side, so what is the purpose of this and Intune?

 

I have a support case with a senior Microsoft technician and their only 2 suggestions are to either (this is one user at a time BTW, so if you have to deploy a lot of devices you're gonna be spending hours in the portal):

1. Open the user in the Admin Portal and "sign out of all sessions", which will sign them out not only of their cellphone apps, but their work laptop's Outlook, OneDrive (which will stop syncing their files), Teams, all of their forms, Power Automate sessions etc. They then have to re-sign in to everything (I'm assuming reauthenticate too since we require MFA). That is putting that user out of commission for quite some time.

2. Force a password reset. This too is a MAJOR deal to a user as it's not immediate and things will just stop working. They have to not only reset, but reauthenticate ALL of their apps on their work laptop, resave in the browser apps.

Both of these "solutions" stop our users from working on ALREADY enrolled Windows devices, which we cannot nor should have. The conditional policies we set up are just for Android and iOS, so our Windows devices should never be affected, but they are. Imagine if Teams just stops working in the middle of a meeting for our users, their calls get cut off? Then we'll be told, tell your IT staff to work after hours, then what happens? Users can't work the next morning and we spend all our days trying to get them working again.

If we can't prevent data access to existing users on existing personal devices, what is the point of Intune? This is supposed to be seamless and save IT admins time but this certainly does not.

12 Replies

  • Oktay Sari
    Iron Contributor

    luvsql there was another question here that was similar to yours. Normally, you would have a compliance policy for Android or iOS devices. A conditional access policy should enforce compliance and block access to M365 when a device is not compliant (not enrolled). Now if that is not working for you, then perhaps you want to have a look at a blog I wrote last week: https://allthingscloud.blog/blocking-access-to-microsoft-365-outside-the-android-for-work-profile-with-endpoint-manager/ Also did a https://youtu.be/Sqz7Hpv5RpY on the user experience.

    This post only covers Android though... You will also have to make sure that you configure a compliance policy for Android devices and set Devices managed with device administrator to Block. This will guide users to https://docs.microsoft.com/en-us/mem/intune/enrollment/android-move-device-admin-work-profile management to regain access. And don't forget to block device admin with enrollment restrictions.

    Combined with the conditional access policy with filter for devices I wrote about in my blog, you should be able to guide users on Android devices with migrating to a work profile, and at the same time block access to M365 (OneDrive, Teams, SPO, Outlook) outside the work profile.

    The policies I'm using only target Android devices, so you should be good with other OS platforms.

    I'll have to work something out for iOS devices and do some testing there and let you know what the outcome is.

    Hope this helps

    Oktay

    • luvsql
      Iron Contributor

      I've been able to get it set up so that when I enroll a personal device, my work data stops working in the Microsoft apps (Outlook, Teams etc.) but still have not been able to prevent a user from adding their account to a device's native mail app or stopping that email from working if they had it already set up.

      • Oktay Sari
        Iron Contributor

        Hi luvsql, you can block the native apps by configuring a conditional access policy requiring approved client apps. See https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app for more info. In the example below I'm requiring approved client app AND app protection policy. You can also set the multiple controls to One of the selected controls. Also see the article, How to: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection for configuration examples.

        This should help block access when using native apps. Make sure to test the configuration because users are going to be impacted when you deploy this.

        Hope this helps

    • luvsql
      Iron Contributor

      Oktay Sari

      Our version of Intune does not have that setting on the compliance policy:

      The main issue is that these devices already have email and all the apps already working and authenticated. They will be compliant because they do get enrolled, but then the data and apps are still functioning on the personal side as well as the work side. If we then just remove the work profile, all email and apps are still functioning on the personal side. That's a major data leak and security issue.

      • Oktay Sari
        Iron Contributor

        Hi luvsql,

        What platform did you select when you created the compliance policy? Make sure you select Android Device Administrator for platform. The option is not available with other platforms.

        In the blog I mentioned earlier, I use a conditional access policy with filter for devices. This conditional access policy blocks access to Microsoft 365 when the device OS is not AndroidForWork or AndroidEnterprise (device.operatingSystem -eq "AndroidForWork" -or device.operatingSystem -eq "AndroidEnterprise"). You can change the filter of course to your own needs.

        To be clear, I'm not checking for compliance, I'm checking for OS and blocking access based on OS. When you use a work profile the Android OS will be AndroidForWork. When the device is enrolled from Samsung Knox (or QR in Intune) the OS will be AndroidEnterprise. The ownership for these devices will be corporate. That's also something you can use with your filter.

        Can you check the OS version for Android devices in Android? In particular, where users only use MAM and not the work profile. Android devices that are enrolled using Android Device Administrator will have the OS Android, and ownership set to personal. These are all properties you can use when you work with filters. And based on these settings you can block (or grant) access.

        Hope this helps.

        Oktay
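A small model of the filter-for-devices decision Oktay describes above, written as an added example that is not part of the thread and not Microsoft's evaluator. It assumes the policy is scoped to the Android platform with the filter in "exclude" mode, so a registered device whose operatingSystem matches the rule is exempt from the Block control; the platform names, ownership values and sample device records are constructed.

```python
"""Model of a Conditional Access 'filter for devices' rule in exclude mode,
applied to a policy that targets only the Android platform with grant = Block.
Constructed example; attribute names follow the rule quoted in the thread."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    platform: str          # CA platform condition: "android", "ios", "windows"
    operating_system: str  # Azure AD device.operatingSystem ("" = not registered)
    ownership: str         # constructed values: "Personal" or "Company"


# The rule from the reply above, with ASCII quotes.
RULE = ('device.operatingSystem -eq "AndroidForWork" '
        '-or device.operatingSystem -eq "AndroidEnterprise"')

_CLAUSE = re.compile(r'device\.(\w+)\s+-(eq|ne)\s+"([^"]*)"')


def rule_matches(rule: str, device: Device) -> bool:
    """Evaluate a flat list of -eq/-ne clauses joined by -or (the subset used here)."""
    attrs = {"operatingSystem": device.operating_system,
             "deviceOwnership": device.ownership}
    results = []
    for part in rule.split(" -or "):
        m = _CLAUSE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        attr, op, value = m.groups()
        actual = attrs[attr]
        results.append(actual == value if op == "eq" else actual != value)
    return any(results)


def access_decision(device: Device, rule: str = RULE) -> str:
    """Return 'allow' or 'block' for one sign-in from the given device record."""
    if device.platform != "android":
        return "allow"      # policy only targets Android; Windows/iOS are out of scope
    if device.operating_system and rule_matches(rule, device):
        return "allow"      # exclude mode: devices matching the filter are exempt
    return "block"          # unregistered or plain "Android" (device admin / MAM-only)


if __name__ == "__main__":
    for d in (Device("android", "AndroidForWork", "Personal"),
              Device("android", "Android", "Personal"),
              Device("android", "", ""),
              Device("windows", "Windows", "Company")):
        print(d.platform, d.operating_system or "<unregistered>", "->", access_decision(d))
```

The sample run shows the work-profile device allowed, the device-administrator and unregistered Android devices blocked, and the Windows device untouched, which is the behaviour the reply expects from scoping the policy to Android only.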
