Forum Discussion
Conditional and App Policies to Protect Work Data on Personal Profiles Users Already Using Them
luvsql there was another question here that was similar to yours. Normally, you would have a compliance policy for Android or iOS devices. A conditional access policy should enforce compliance and block access to M365 when a device is not compliant (not enrolled). Now if that is not working for you, then perhaps you want to have a look at a blog I wrote last week: https://allthingscloud.blog/blocking-access-to-microsoft-365-outside-the-android-for-work-profile-with-endpoint-manager/ I also did a video (https://youtu.be/Sqz7Hpv5RpY) on the user experience.
This post only covers Android though... You will also have to make sure that you configure a compliance policy for Android devices and set "Devices managed with device administrator" to Block. This will guide users to move from device administrator to work profile management (https://docs.microsoft.com/en-us/mem/intune/enrollment/android-move-device-admin-work-profile) to regain access. And don't forget to block device admin with enrollment restrictions.
Combined with the conditional access policy with filter for devices I wrote about in my blog, you should be able to guide users on Android devices in migrating to a work profile, and at the same time, block access to M365 (OneDrive, Teams, SPO, Outlook) outside the work profile.
The policies I'm using only target Android devices, so you should be good with other OS platforms.
I'll have to work something out for iOS devices and do some testing there and let you know what the outcome is.
Hope this helps
Oktay
- Oktay Sari, Jun 02, 2022, Iron Contributor
Hi luvsql You can block the native apps by configuring a conditional access policy requiring approved client apps. See https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app for more info. In the example below I'm requiring approved client app AND app protection policy. You can also set the multiple controls option to "One of the selected controls". Also see the how-to article (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection) for configuration examples.
This should help block access when using native apps. Make sure to test the configuration because users are going to be impacted when you deploy this.
Hope this helps
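As an added example that is not part of the thread, Oktay's blog, or Microsoft's documentation, the following Microsoft Graph PowerShell script creates the two policies the replies describe: one that requires Android devices to be Intune-compliant before reaching Office 365 (the compliance-enforcing policy from the first reply), and one that requires an approved client app AND an app protection policy on iOS and Android mobile apps (the second reply). It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed scopes, and that the group names CA-Pilot-Mobile and CA-Exclude-BreakGlass exist; the device filter rule is an illustrative assumption, not the rule from Oktay's blog. Both policies are created in report-only state so they show up in sign-in logs without impacting users, which is the testing step the second reply asks for.

```powershell
# Added example, not code from the original thread or from Oktay's blog.
# Assumes: Microsoft Graph PowerShell SDK installed; admin can grant the scopes below;
# groups "CA-Pilot-Mobile" and "CA-Exclude-BreakGlass" exist (assumed names).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Scope the pilot to a test group and always exclude a break-glass group so a
# misconfigured policy cannot lock every admin out.
$pilot      = Get-MgGroup -Filter "displayName eq 'CA-Pilot-Mobile'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"

# Policy 1: Android must be a compliant (work-profile enrolled) device to reach Office 365.
# Unenrolled devices have no compliance state, so they are blocked and pushed to enroll.
# The device filter is an illustrative assumption: it excludes corporate-owned devices so
# the policy only bites on personal devices that are still outside the work profile.
$androidCompliance = @{
    displayName   = "CA-Android-RequireCompliantDevice-O365"
    state         = "enabledForReportingButNotEnforced"   # report-only while testing
    conditions    = @{
        users          = @{ includeGroups = @($pilot.Id); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("android") }
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.deviceOwnership -eq "Company"'
            }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# Policy 2: on iOS and Android mobile apps, require an approved client app AND an app
# protection policy ("Require all the selected controls"). Switch operator to "OR" for the
# "Require one of the selected controls" variant mentioned in the reply.
$mobileAppProtection = @{
    displayName   = "CA-Mobile-ApprovedApp-And-AppProtection-O365"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($pilot.Id); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("android", "iOS") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("approvedApplication", "compliantApplication") }
}

foreach ($policy in @($androidCompliance, $mobileAppProtection)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '{0}' (state={1}, id={2})" -f $created.DisplayName, $created.State, $created.Id
}

# Check: list every report-only policy so you can confirm both landed before you review
# the "Report-only" tab of the sign-in logs and later flip state to "enabled".
Get-MgIdentityConditionalAccessPolicy -Filter "state eq 'enabledForReportingButNotEnforced'" |
    Select-Object DisplayName, Id
```

Run it against a pilot group first, watch the report-only results in the sign-in logs for a few days, then change `state` to `enabled` on each policy with `Update-MgIdentityConditionalAccessPolicy`. Keep the break-glass exclusion in place when you do.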