Forum Discussion

Jleebiker's avatar
Jleebiker
Iron Contributor
Apr 19, 2022
Solved

Battling app sprawl

Yes, I know there are controls to prevent new apps from being used in an org. We use them.    We are finding more and more though, that people are looking for alternatives to Teams for doing variou...
Activity
adoption
best practices
messaging
microsoft teams
User Interface
  • ChrisHoardMVP's avatar
    ChrisHoardMVP
    May 31, 2022

    Jleebiker Therese_Solimeno 

     

    Hi all,

     

    It depends where the apps are surfaced, but generally speaking it's a combination of the Teams Admin Centre together with Intune (MAM or MAM + MDM) Defender for Cloud Apps/Defender for Endpoint. However, this will be dependent on how users use those apps. It will also depend on such extra actions such as preventing them in the 365 environment from signing up to trials. 

     

    For example, if you have users who just come in and use their desktop in the office then you could configure Defender for Cloud Apps and control it based upon the Perimeter Appliance, and ingest the logs in Defender for Endpoint and then, for example, use a combination of Intune and Applocker to prevent that. If the users are working from home outside the perimeter it could be a combination of DFE/DFCA and then Unsanction the apps. In terms of Mobile, with full MDM you can block the apple App Store and push out the apps you want.

     

    But also just to add that ultimately, you can't prevent Shadow IT completely, because users can have personal devices and use things like WhatsApp. However, via the above methods it should give you pretty tight control over app usage for business devices. 

     

    Best, Chris

ChristianJBergstrom's avatar
ChristianJBergstrom
MVP
Apr 22, 2022

There are plenty tools in the M365 environment if the Teams app policies aren’t sufficient. You can block access with Defender for Endpoint, and apps with Defender for cloud apps as an example.

Jleebiker's avatar
Jleebiker
Iron Contributor
Apr 22, 2022
Hmm... Will take a look at Defender. We use it for Endpoints, wasn't aware we could use it for cloud apps as well. That will help, but the other part of that is the education to our staff to look at the MS ecosystem for a solution before going out and shopping for something else. I think that's a whole different strategy.
  • ChrisHoardMVP's avatar
    ChrisHoardMVP
    MVP
    May 31, 2022

    Jleebiker Therese_Solimeno 

     

    Hi all,

     

    It depends where the apps are surfaced, but generally speaking it's a combination of the Teams Admin Centre together with Intune (MAM or MAM + MDM) Defender for Cloud Apps/Defender for Endpoint. However, this will be dependent on how users use those apps. It will also depend on such extra actions such as preventing them in the 365 environment from signing up to trials. 

     

    For example, if you have users who just come in and use their desktop in the office then you could configure Defender for Cloud Apps and control it based upon the Perimeter Appliance, and ingest the logs in Defender for Endpoint and then, for example, use a combination of Intune and Applocker to prevent that. If the users are working from home outside the perimeter it could be a combination of DFE/DFCA and then Unsanction the apps. In terms of Mobile, with full MDM you can block the apple App Store and push out the apps you want.

     

    But also just to add that ultimately, you can't prevent Shadow IT completely, because users can have personal devices and use things like WhatsApp. However, via the above methods it should give you pretty tight control over app usage for business devices. 

     

    Best, Chris

Resources