Forum Discussion
Conditional and App Policies to Protect Work Data on Personal Profiles Users Already Using Them
Our version of Intune does not have that setting on the compliance policy:
The main issue is that these devices already have email and all the apps already working and authenticated. They will be compliant because they do get enrolled, but then the data and apps are still functioning on the personal side as well as the work side. If we then just remove the work profile, all email and apps are still functioning on the personal side. That's a major data leak and security issue.
Hi luvsql,
What platform did you select when you created the compliance policy? Make sure you select Android Device Administrator as the platform. The option is not available with other platforms.
In the blog I mentioned earlier, I use a conditional access policy with a filter for devices. This conditional access policy blocks access to Microsoft 365 when the device OS is not AndroidForWork or AndroidEnterprise (device.operatingSystem -eq “AndroidForWork” -or device.operatingSystem -eq “AndroidEnterprise”). You can of course change the filter to your own needs.
To be clear, I'm not checking for compliance, I'm checking for OS and blocking access based on OS. When you use a work profile the Android OS will be AndroidForWork. When the device is enrolled from Samsung Knox (or QR in Intune) the OS will be AndroidEnterprise. The ownership for these devices will be corporate. That's also something you can use with your filter.
Can you check the OS version for Android devices in Android? In particular, where users only use MAM and not the work profile. Android devices that are enrolled using Android Device Administrator will have the OS Android, and ownership set to personal. These are all properties you can use when you work with filters. And based on these settings you can block (or grant) access.
Hope this helps.
Oktay
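To make the filter logic above concrete, here is a small Python evaluator for the -eq/-ne/-and/-or subset of the device filter syntax quoted in that reply, run against constructed device records for the three enrollment paths described (work profile, Knox/QR, legacy Device Administrator). This is an added illustration, not code from the thread, the blog or Microsoft; the property names, the sample records and the assumption that the Block policy is scoped to devices that do not match the filter are mine.

```python
import re

# Filter rule quoted in the reply above (the portal accepts straight or curly quotes).
WORK_PROFILE_RULE = ('device.operatingSystem -eq "AndroidForWork" '
                     '-or device.operatingSystem -eq "AndroidEnterprise"')

# Constructed device records (hypothetical, not tenant data) for the three
# enrollment paths the thread describes: work profile, Knox/QR, legacy DA.
SAMPLE_DEVICES = [
    {"displayName": "pixel-wp", "operatingSystem": "AndroidForWork", "deviceOwnership": "Personal"},
    {"displayName": "knox-qr", "operatingSystem": "AndroidEnterprise", "deviceOwnership": "Company"},
    {"displayName": "legacy-da", "operatingSystem": "Android", "deviceOwnership": "Personal"},
]

TOKEN_RE = re.compile(r'-eq|-ne|-and|-or|device\.\w+|"[^"]*"|“[^”]*”')


def tokenize(rule):
    """Split a rule into tokens; curly quotes pasted from a blog become straight ones."""
    return [t.replace("“", '"').replace("”", '"') for t in TOKEN_RE.findall(rule)]


def matches(rule, device):
    """Evaluate a rule shaped as comparisons joined by -and/-or against one device.
    Assumption: -and binds tighter than -or and no parentheses are used."""
    def compare(attr, op, literal):
        if not attr.startswith("device.") or op not in ("-eq", "-ne"):
            raise ValueError(f"unsupported clause: {attr} {op} {literal}")
        value = device.get(attr[len("device."):], "")  # missing property compares as ""
        return (value == literal.strip('"')) == (op == "-eq")

    tokens = tokenize(rule)
    if len(tokens) % 4 != 3:  # clause, (connector, clause)*
        raise ValueError("malformed rule")
    groups = [[compare(*tokens[:3])]]  # list of -and groups, joined by -or
    for i in range(3, len(tokens), 4):
        connector, clause = tokens[i], compare(*tokens[i + 1:i + 4])
        if connector == "-or":
            groups.append([clause])
        elif connector == "-and":
            groups[-1].append(clause)
        else:
            raise ValueError(f"unexpected token {connector!r}")
    return any(all(group) for group in groups)


def access_decision(rule, device):
    """Assumes a Block policy scoped to devices that do NOT match the filter."""
    return "grant" if matches(rule, device) else "block"
```

Running access_decision over SAMPLE_DEVICES shows the work-profile and Knox/QR devices granted and the Device Administrator device blocked, which is the effect the reply describes.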
- luvsql, Jun 02, 2022, Iron Contributor
I was told to not use the Device Administrator because it's being deprecated, so eventually this won't even be available as an option. Also, we have Device Administrator blocked from our device type restriction policy from a direct recommendation from Microsoft. If we did set up a policy using the Device Administrator, what happens when it's deprecated?
- Oktay Sari, Jun 02, 2022, Iron Contributor
luvsql Sorry, I didn't get that earlier. If you ask me, it's best practice to block DA. Also I'm not sure if DA will disappear 100%. I think it will have fewer options to configure. See https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enroll-device-administrator for a little more info. Check the blue Important block.
- luvsql, Jun 02, 2022, Iron Contributor
I have it working such that my Samsung that's enrolled in a Personal Work would not let me add my account to the native Samsung Email app. I'm having a colleague test whether, if they add email to the native email app first, the email is still accessible or not after enrollment.