Forum Discussion

luvsql's avatar
luvsql
Steel Contributor
Jun 01, 2022

Conditional and App Policies to Protect Work Data on Personal Profiles Users Already Using Them

This is a real scenario that most businesses probably already have.  They have users already using personal devices or using work devices that the business does not want to fully manage.  They alread...
Intune
luvsql's avatar
luvsql
Steel Contributor
Jun 02, 2022
I've been able to get it setup so that when I enroll a personal device, my work data stops working in the Microsoft Apps (Outlook, Teams etc) but still have not been able to prevent a user from adding their account to a device's native mail app or stopping that email from working if they had it already setup.
Oktay Sari's avatar
Oktay Sari
Iron Contributor
Jun 02, 2022

Hi luvsql You can block the native apps by configuring a conditional access policy requiring approved client apps. See https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-approved-client-app for more info. In the example below I'm requiring approved client app AND app protection policy. You can also set the multiple control to One of the selected controls. Also See the article, How to: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection for configuration examples.

 

This should help block access when using native apps. Make sure to test the configuration because users are going to be impacted when you deploy this. 

 

 

Hope this helps