Forum Discussion
Conditional and App Policies to Protect Work Data on Personal Profiles Users Already Using Them
luvsql, there was another question here that was similar to yours. Normally, you would have a compliance policy for Android or iOS devices. A conditional access policy should enforce compliance and block access to M365 when a device is not compliant (not enrolled). Now if that is not working for you, then perhaps you want to have a look at a blog I wrote last week: https://allthingscloud.blog/blocking-access-to-microsoft-365-outside-the-android-for-work-profile-with-endpoint-manager/ I also did a video on the user experience: https://youtu.be/Sqz7Hpv5RpY
This post only covers Android though... You will also have to make sure that you configure a compliance policy for Android devices and set "Devices managed with device administrator" to Block. This will guide users to move from device administrator to work profile management (https://docs.microsoft.com/en-us/mem/intune/enrollment/android-move-device-admin-work-profile) to regain access. And don't forget to block device admin with enrollment restrictions.
Combined with the conditional access policy with filter for devices I wrote about in my blog, you should be able to guide users on Android devices with migrating to a work profile, and at the same time, block access to M365 (OneDrive, Teams, SPO, Outlook) outside the work profile.
The policies I'm using only target Android devices, so you should be good with other OS platforms.
I'll have to work something out for iOS devices and do some testing there and let you know what the outcome is.
Hope this helps
Oktay
- luvsql, Jun 02, 2022, Iron Contributor
I've been able to get it set up so that when I enroll a personal device, my work data stops working in the Microsoft apps (Outlook, Teams etc.) but still have not been able to prevent a user from adding their account to a device's native mail app or stopping that email from working if they had it already set up.
- Oktay Sari, Jun 02, 2022, Iron Contributor
Hi luvsql, you can block the native apps by configuring a conditional access policy requiring approved client apps. See https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app for more info. In the example below I'm requiring approved client app AND app protection policy. You can also set the multiple controls option to "Require one of the selected controls". Also see the how-to article (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection) for configuration examples.
This should help block access when using native apps. Make sure to test the configuration because users are going to be impacted when you deploy this.
Hope this helps
- luvsql, Jun 02, 2022, Iron Contributor
Our version of Intune does not have that setting on the compliance policy. The main issue is that these devices already have email and all the apps already working and authenticated. They will be compliant because they do get enrolled, but then the data and apps are still functioning on the personal side as well as the work side. If we then just remove the work profile, all email and apps are still functioning on the personal side. That's a major data leak and security issue.
- Oktay Sari, Jun 02, 2022, Iron Contributor
Hi luvsql,
What platform did you select when you created the compliance policy? Make sure you select Android Device Administrator for platform. The option is not available with other platforms.
In the blog I mentioned earlier, I use a conditional access policy with filter for devices. This conditional access policy blocks access to Microsoft 365 when the device OS is not AndroidForWork or AndroidEnterprise (device.operatingSystem -eq "AndroidForWork" -or device.operatingSystem -eq "AndroidEnterprise"). You can change the filter of course to your own need.
To be clear, I'm not checking for compliance, I'm checking for OS and block access based on OS. When you use a work profile the Android OS will be AndroidForWork. When the device is enrolled from Samsung Knox (or QR in Intune) the OS will be AndroidEnterprise. The ownership for these devices will be corporate. That's also something you can use with your filter.
Can you check the OS version for Android devices in Android? In particular, where users only use MAM and not the work profile. Android devices that are enrolled using Android device Administrator will have the OS Android, and ownership set to personal. These are all properties you can use when you work with filters. And based on these settings you can block (or grant) access.
Hope this helps.
Oktay
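The two controls discussed in this thread, the "filter for devices" block policy from Oktay's blog and the "approved client app AND app protection policy" grant, written out as Microsoft Graph conditional access policy definitions. This is an added example, not code from the thread, the blog or Microsoft; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, New-MgIdentityConditionalAccessPolicy, Get-MgDevice). The policy display names, the break-glass group id and the exact filter rule are assumptions you should replace with your own. Both policies are created in report-only state, in line with the advice above to test before users are impacted; the last part lists the Entra device objects so you can see which operatingSystem and deviceOwnership values the filter will actually match.

```powershell
# Added example (not from the thread): two Conditional Access policies built with the
# Microsoft Graph PowerShell SDK. Display names, the break-glass group id and the filter
# rule are assumptions; adjust them before use.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Device.Read.All"

# Placeholder: id of your emergency-access (break-glass) group, excluded from both policies
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1: block Microsoft 365 on Android unless the sign-in comes from a work-profile
# (AndroidForWork) or fully managed (AndroidEnterprise) device. The filter runs in
# "exclude" mode, so matching devices are carved out of the block; every other Android
# sign-in (device-administrator enrolment, MAM-only, unmanaged) is blocked.
$blockOutsideWorkProfile = @{
    displayName = "CA - Block M365 on Android outside work profile (example)"
    state       = "enabledForReportingButNotEnforced"   # report-only first, then review sign-in logs
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("Office365") }
        platforms    = @{ includePlatforms = @("android") }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.operatingSystem -eq "AndroidForWork" -or device.operatingSystem -eq "AndroidEnterprise"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: on Android and iOS require an approved client app AND an app protection
# policy. Native mail clients cannot satisfy either control, so they no longer get a token.
$requireApprovedApp = @{
    displayName = "CA - Require approved app and APP on mobile (example)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("Office365") }
        platforms    = @{ includePlatforms = @("android", "iOS") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("approvedApplication", "compliantApplication") }
}

foreach ($policy in @($blockOutsideWorkProfile, $requireApprovedApp)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# The device filter is evaluated against the Entra ID device object, not the Intune record.
# List the Android device objects with the properties the filter can use, so you can see
# which devices would be excluded from the block before switching the policy to "enabled".
Get-MgDevice -All -Filter "startswith(operatingSystem,'Android')" |
    Select-Object DisplayName, OperatingSystem, DeviceOwnership, EnrollmentType, IsCompliant |
    Format-Table -AutoSize
```

Leave the policies in report-only until the sign-in log "Report-only" tab shows only the expected devices being blocked, then flip `state` to `enabled`. Keep the break-glass exclusion on any block policy so an error in the filter rule cannot lock administrators out.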
- luvsql, Jun 02, 2022, Iron Contributor
I was told not to use the Device Administrator because it's being deprecated, so eventually this won't even be available as an option. Also we have Device Administrator blocked from our device type restriction policy on a direct recommendation from Microsoft. If we did set up a policy using the Device Administrator, what happens when it's deprecated?
- luvsql, Jun 02, 2022, Iron Contributor
Android Device Administration is being deprecated by Intune?
- Oktay Sari, Jun 02, 2022, Iron Contributor
luvsql, it's Google that is deprecating the Android Device Admin API: https://developers.google.com/android/work/device-admin-deprecation 😉