Forum Discussion
How to stop users connecting to things with their work account from personal mobile
RippieUK Hey! I don't work with CA/Intune as we have a separate unit for that, but if I understand your question correctly I believe you should use the Grant section in the policy and "require device to be marked as compliant" or "require approved client app" for example, to have them registered in AAD.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#
ChristianBergstrom So CA is considered, but not all our users are on a license that allows them CA, hence why I wanted to know how to do this without CA.
But if people want to set up work email on their personal phones, then at least we need to make sure it's secure. 🙂 Hence why I thought of MAM.
- PKlapwijk, Jun 24, 2020, MVP
RippieUK MAM is indeed a good way to go, but you need something to make sure those App protection (MAM) policies are applied to the mobile apps. For example, to Outlook mobile when the user opens the mailbox, because that app supports these kinds of policies. Most third-party mail apps don't support these kinds of policies. And that's why CA policies are needed.
More on that can be found on my blog post https://www.inthecloud247.com/azure-ad-conditional-access-explained-android-and-ios/
If you have any questions, let me know!
- ChristianBergstrom, Jun 22, 2020, Silver Contributor
RippieUK Hello! OK, you didn't mention all users aren't eligible for CA. Have you looked at this then? https://docs.microsoft.com/en-us/mem/intune/apps/mam-faq
And just to put it out there you also have the built-in MDM in Office 365 and in that case you would end up with Office 365 MDM Coexistence and the management authority being defined based on the license assigned to the user.
https://support.microsoft.com/en-gb/office/set-up-mobile-device-management-mdm-in-microsoft-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-us&rs=en-gb&ad=gb