Forum Discussion

Iron Contributor

Apr 19, 2022

Solved

Battling app sprawl

Yes, I know there are controls to prevent new apps from being used in an org. We use them. We are finding more and more though, that people are looking for alternatives to Teams for doing variou...

ChrisHoardMVP
May 31, 2022
Jleebiker Therese_Solimeno

Hi all,

It depends where the apps are surfaced, but generally speaking it's a combination of the Teams Admin Centre together with Intune (MAM or MAM + MDM) Defender for Cloud Apps/Defender for Endpoint. However, this will be dependent on how users use those apps. It will also depend on such extra actions such as preventing them in the 365 environment from signing up to trials.

For example, if you have users who just come in and use their desktop in the office then you could configure Defender for Cloud Apps and control it based upon the Perimeter Appliance, and ingest the logs in Defender for Endpoint and then, for example, use a combination of Intune and Applocker to prevent that. If the users are working from home outside the perimeter it could be a combination of DFE/DFCA and then Unsanction the apps. In terms of Mobile, with full MDM you can block the apple App Store and push out the apps you want.

But also just to add that ultimately, you can't prevent Shadow IT completely, because users can have personal devices and use things like WhatsApp. However, via the above methods it should give you pretty tight control over app usage for business devices.

Best, Chris

Therese_Solimeno

Moderator

Apr 20, 2022

Jleebiker

ChrisHoardMVP ChrisWebbTech ChristianJBergstrom - you guys are experts - any suggestions?

ChristianJBergstrom

MVP

Apr 21, 2022

Therese_Solimeno Jleebiker Hey, sorry. In study mode lately for a bunch of certifications.

When it comes to Teams and all the apps you can as an admin be very helpful to your organization by using the Teams app setup policies and permission policies. You can pin apps for the users, be selective and install apps and messaging extensions as well. You can use custom policies too. By using this approach, in combination with organizational information, you will not only prevent sprawl but also narrow down what apps are available in Teams for the users to use, or simply highlight a couple by installing/pinning.

Manage app policies in Teams - Microsoft Teams | Microsoft Docs

Jleebiker
Iron Contributor
Apr 22, 2022
I get that, but take the case of Asana specifically. You can use the web version. No install needed. People are going to find a way to access it. This is how Shadow IT rises, when IT orgs don't provide the services/products people THINK they need.
- ChristianJBergstrom
  MVP
  Apr 22, 2022
  There are plenty tools in the M365 environment if the Teams app policies aren’t sufficient. You can block access with Defender for Endpoint, and apps with Defender for cloud apps as an example.
  - Jleebiker
    Iron Contributor
    Apr 22, 2022
    Hmm... Will take a look at Defender. We use it for Endpoints, wasn't aware we could use it for cloud apps as well. That will help, but the other part of that is the education to our staff to look at the MS ecosystem for a solution before going out and shopping for something else. I think that's a whole different strategy.