Forum Discussion
Questions on device Security
Lots of questions, I will try my best to answer them 🙂
Scenario 1:
You can block access to specific SPO sites from unmanaged devices through CA, but there is no way to block sites with a specific tag AFAIK.
Check out this: https://docs.microsoft.com/en-US/sharepoint/control-access-from-unmanaged-devices#block-or-limit-access-to-a-specific-sharepoint-site-or-onedrive
Scenario 2:
It's true that compliance sometimes updates very slowly on Windows devices. I would recommend setting the grace period for non-compliant devices higher. That might solve your issue.
Scenario 3:
I do this one all the time. Set up a CA policy that targets all apps (except browsers) and set the action to require hybrid joined devices.
Scenario 4+5:
I would recommend looking into Windows Information Protection - https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip
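The Scenario 3 policy described in the reply above, sketched with the Microsoft Graph PowerShell SDK (an added example, not part of the original post). The display name, the report-only state and the excluded emergency-access account placeholder are assumptions made for illustration.

```powershell
# Added example, not from the thread.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder (assumption): object ID of an emergency-access account that
# stays out of scope so a misconfiguration cannot lock out every admin.
$breakGlassId = '<break-glass-account-object-id>'

$policy = @{
    displayName = 'EXAMPLE - Require hybrid joined device for client apps'

    # Report-only: sign-in logs show what would have been blocked
    # before the policy is switched to 'enabled'.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @('All')
        }
        # "All apps except browsers": only modern-auth mobile and desktop
        # clients are in scope. Browser sessions are not evaluated, and
        # legacy-auth clients ('exchangeActiveSync', 'other') are not
        # covered here and need their own blocking policy.
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }

    grantControls = @{
        operator        = 'OR'
        # Graph name for "Require Hybrid Azure AD joined device".
        builtInControls = @('domainJoinedDevice')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`.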
Thijs Lecomte - Thanks a lot for your response.
We have read the link you sent over but couldn’t get it to work like we intended to, because of limitations with conditional access etc.
However, is it somehow possible to set up these policies together to make sure that we understand every option and configure it the way it is meant to?
- Thijs Lecomte, Dec 09, 2019, Bronze Contributor
What do you mean, set them up together?
Where are you getting stuck exactly? What scenario?
- Newlife, Dec 10, 2019, Brass Contributor
Here is the update,
The customer is talking about the issue outlined here: https://www.reddit.com/r/Intune/comments/adhtmf/builtin_device_compliance_policy_is_active_marked/
As you recommended, requested to set up the grace period for non-compliant devices higher, but that didn't help. Is this a bug? Do they need to raise an MS support ticket?
- Thijs Lecomte, Dec 10, 2019, Bronze Contributor
I would advise raising a support ticket.
But my fear is that they will also tell you to increase the grace period.
To what did you set the grace period?
- Newlife, Dec 09, 2019, Brass Contributor
Thijs Lecomte - Thanks for your prompt response.
Basically, we need to differentiate the corporate-owned devices and non-corporate devices, and the options that are provided in CA are not sufficient, it seems. I'll list out the missing features shortly. Thanks again!!