Conditional and App Policies to Protect Work Data on Personal Profiles Users Already Using Them
luvsql there was another question here that was similar to yours. Normally, you would have a compliance policy for Android or iOS devices. A conditional access policy should enforce compliance and block access to M365 when a device is not compliant (not enrolled). Now if that is not working for you, then perhaps you want to have a look at a blog I wrote last week: https://allthingscloud.blog/blocking-access-to-microsoft-365-outside-the-android-for-work-profile-with-endpoint-manager/ Also did a https://youtu.be/Sqz7Hpv5RpY on the user experience.
This post only covers Android though... You will also have to make sure that you configure a compliance policy for Android devices and set Devices managed with device administrator to Block. This will guide users to https://docs.microsoft.com/en-us/mem/intune/enrollment/android-move-device-admin-work-profile management to regain access. And don't forget to block device admin with enrollment restrictions.
Combined with the conditional access policy with filter for devices I wrote about in my blog, you should be able to guide users on Android devices with migrating to a work profile, and at the same time, block access to M365 (OneDrive, Teams, SPO, Outlook) outside the work profile.
The policies I'm using only target Android devices, so you should be good with other OS platforms.
I'll have to work something out for iOS devices and do some testing there and let you know what the outcome is.
Hope this helps
Oktay
Our version of InTune does not have that setting on the compliance policy:
What the main issue is, is that these devices already have email and all the apps already working and authenticated. They will be compliant because they do get enrolled, but then the data and apps are still functioning on the personal side as well as the work side. If we then just remove the work profile, all email and apps are still functioning on the personal side. That's a major data leak and security issue.
- Oktay Sari, Jun 02, 2022, Iron Contributor
Hi luvsql,
What platform did you select when you created the compliance policy? Make sure you select Android Device Administrator for platform. The option is not available with other platforms.
In the blog I mentioned earlier, I use a conditional access policy with filter for devices. This conditional access policy blocks access to Microsoft 365 when the device OS is not AndroidForWork or AndroidEnterprise (device.operatingSystem -eq "AndroidForWork" -or device.operatingSystem -eq "AndroidEnterprise"). You can change the filter of course to your own needs.
To be clear, I'm not checking for compliance, I'm checking for OS and blocking access based on OS. When you use a work profile, the Android OS will be AndroidForWork. When the device is enrolled from Samsung Knox (or QR in Intune), the OS will be AndroidEnterprise. The ownership for these devices will be corporate. That's also something you can use with your filter.
Can you check the OS version for Android devices in Android? In particular, where users only use MAM and not the work profile. Android devices that are enrolled using Android Device Administrator will have the OS Android, and ownership set to personal. These are all properties you can use when you work with filters. And based on these settings you can block (or grant) access.
Hope this helps.
Oktay
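The filter logic described in the two replies above (block M365 unless the device OS is AndroidForWork or AndroidEnterprise; device administrator and MAM-only devices show up as plain Android with personal ownership), worked through as an added example that is not part of this thread and not Microsoft's own evaluation code. It is a small evaluator for the "filter for devices" rule syntax, run against a constructed sample inventory. The attribute names and values (operatingSystem, deviceOwnership, AndroidForWork, AndroidEnterprise) follow the thread; the parser, the sample devices, the "Android"/"iOS"/"Company" values and the treatment of an unregistered MAM-only device as matching nothing are assumptions made for the illustration.

```python
"""Added example, not from the thread: a toy evaluator for the Conditional Access
'filter for devices' rule syntax, run against constructed sample devices to show
which enrollment scenarios a block policy catches. Attribute names and values
follow the thread; the parser, the sample inventory and the unregistered-device
handling are assumptions for illustration, not Microsoft's evaluation engine."""
import re

# Rule quoted in the thread (straight quotes here instead of the curly ones).
WORK_PROFILE_RULE = ('device.operatingSystem -eq "AndroidForWork" '
                     '-or device.operatingSystem -eq "AndroidEnterprise"')

# Constructed inventory, one record per scenario discussed in the thread.
# "attrs" is None for the MAM-only device: it never registered, so there is no
# device object for the filter to inspect (assumption for this example).
SAMPLE_DEVICES = {
    "work-profile":       {"platform": "Android", "attrs": {"operatingSystem": "AndroidForWork", "deviceOwnership": "Personal"}},
    "knox-fully-managed": {"platform": "Android", "attrs": {"operatingSystem": "AndroidEnterprise", "deviceOwnership": "Company"}},
    "device-admin":       {"platform": "Android", "attrs": {"operatingSystem": "Android", "deviceOwnership": "Personal"}},
    "mam-only":           {"platform": "Android", "attrs": None},
    "iphone":             {"platform": "iOS", "attrs": {"operatingSystem": "iOS", "deviceOwnership": "Personal"}},
}

_TOKEN = re.compile(r'\s*(\(|\)|-eq|-ne|-or|-and|"[^"]*"|device\.\w+)')

def tokenize(rule):
    """Split a rule into tokens; raises on anything outside the supported subset."""
    rule = rule.replace("\u201c", '"').replace("\u201d", '"').strip()
    pos, toks = 0, []
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {rule[pos:pos + 12]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks

class _Parser:
    """Recursive descent over: expr := term (-or term)*; term := factor (-and factor)*;
    factor := '(' expr ')' | device.<attr> (-eq|-ne) "<value>"."""
    def __init__(self, toks, attrs):
        self.toks, self.i, self.attrs = toks, 0, attrs
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of rule")
        self.i += 1
        return tok
    def expr(self):
        value = self.term()
        while self._peek() == "-or":
            self._take()
            value = self.term() or value   # always evaluate so tokens are consumed
        return value
    def term(self):
        value = self.factor()
        while self._peek() == "-and":
            self._take()
            value = self.factor() and value
        return value
    def factor(self):
        if self._peek() == "(":
            self._take()
            value = self.expr()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        attr, op, literal = self._take(), self._take(), self._take()
        if not attr.startswith("device.") or not literal.startswith('"'):
            raise ValueError(f"bad comparison: {attr} {op} {literal}")
        actual = self.attrs.get(attr[len("device."):])
        if op == "-eq":
            return actual == literal.strip('"')
        if op == "-ne":
            return actual != literal.strip('"')
        raise ValueError(f"unsupported operator {op}")

def matches(rule, attrs):
    """True when a registered device's attributes satisfy the rule. An
    unregistered device (attrs is None) has nothing to match, so False."""
    if attrs is None:
        return False
    parser = _Parser(tokenize(rule), attrs)
    result = parser.expr()
    if parser._peek() is not None:
        raise ValueError("trailing tokens in rule")
    return result

def is_blocked(rule, device, mode="exclude", platforms=("Android",)):
    """Block policy scoped to the given platforms, with a device filter.
    mode 'exclude': block every in-scope device that does NOT match the rule
    (the shape used in the thread); mode 'include': block only matching devices."""
    if device["platform"] not in platforms:
        return False                       # policy is not targeted at this platform
    matched = matches(rule, device["attrs"])
    return (not matched) if mode == "exclude" else matched

def evaluate_inventory(rule, mode="exclude", devices=SAMPLE_DEVICES):
    """Map each sample device name to whether the policy blocks it."""
    return {name: is_blocked(rule, dev, mode) for name, dev in devices.items()}

if __name__ == "__main__":
    for name, blocked in evaluate_inventory(WORK_PROFILE_RULE).items():
        print(f"{name:20} {'BLOCKED' if blocked else 'allowed'}")
```

Running it shows the work profile and the Knox-enrolled device allowed, while the device administrator enrollment and the MAM-only device (no registered device object, so the filter cannot match it) are blocked; the iPhone is untouched only because the policy is scoped to the Android platform, which is why a separate policy is needed for iOS. Swapping in `device.deviceOwnership -eq "Company"` as the rule demonstrates the ownership-based variant mentioned in the reply.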
- luvsql, Jun 02, 2022, Iron Contributor
I was told to not use the Device Administrator because it's being deprecated, so eventually this won't even be available as an option. Also we have Device Administrator blocked from our device type restriction policy from a direct recommendation from Microsoft. If we did set up a policy using the Device Administrator, what happens when it's deprecated?
- Oktay Sari, Jun 02, 2022, Iron Contributor
luvsql Sorry, didn't get that earlier. If you ask me, it's best practice to block DA. Also I'm not sure if DA will disappear 100%. I think it will have less options to configure. See https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enroll-device-administrator for a little more info. Check the blue Important block.
- luvsql, Jun 02, 2022, Iron Contributor
Android Device Administration is being deprecated by Intune?
- Oktay Sari, Jun 02, 2022, Iron Contributor
luvsql, it's https://developers.google.com/android/work/device-admin-deprecation that is deprecating the Android Device Admin API. 😉
- luvsql, Jun 02, 2022, Iron Contributor
We use Android Enterprise in Intune.