SOLVED

Conditional Access O365 apps in personal profile when using Android Enterprise Work Profile

senseforgreed
New Contributor

Hi,

 

I'm trying to find out if it is possible to block access for the O365 mobile apps on Android when used from the personal profile when the Work Profile has been configured on that device.

 

We want to prevent that if the Work Profile is configured by Intune that the users can still connect to O365 with their work account from the personal profile.

During the Work Profile creation the Company Portal app is moved to the Work Profile and disabled in the personal profile. If the user then configures the work account in Outlook in the personal profile, Outlook will show a message that the Company portal app is required to which the user can click to be redirected to the Play Store in the personal profile and enable the Company Portal again. After this the mail works in the personal and work profile...

Can something be configured to prevent this?

 

Thanks,

Bart

1 Reply
Solution

After playing around with some conditional access policies I found how this can be done. Here is what I did:

  • Created a new CA policy
    • Assignments:
      • All users
      • All cloud services (could obviously be limited, of course)
      • Conditions:
        • Device Platforms: Any Device
        • Clients Apps (Preview): Browser, Mobile Apps and Desktop clients, Modern authentication clients & Other clients
    • Access Controls:
      • Grant: Require device to be marked compliant & Require approved client app

So in the conditions under Client Apps (Preview) I did not select Exchange ActiveSync Clients, which seems to include apps outside of the Android Enterprise Work Profile.

 

During testing with Outlook in the private profile I was still able to enter the work email address, but then Outlook states that the Company Portal app is required. Because this app is disabled in the private profile after the Work Profile is created, the user is directed to the Google Play Store where he can "Enable" the Company Portal app again, and when authenticating, the device is registered again and the Work Profile is created again...

Not the best end user experience but at least the work email address can only be configured in the Work Profile.

To add upon this, the device is at that point registered twice in the Intune console.

 

Still some work to be done, I guess.
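The policy from the accepted answer, written out as an added Python model (not code from the post or from Microsoft) that emits the same settings as a Microsoft Graph conditionalAccessPolicy body and reports which client-app types the policy leaves uncovered. Field and enum names are assumed from the Graph conditionalAccessPolicy schema; verify them against current documentation before creating a policy from this.

```python
"""Model of the Conditional Access policy from the answer, as a Graph
conditionalAccessPolicy body, plus a check of which client-app types it
does not cover (the answer deliberately leaves Exchange ActiveSync out)."""
import json

# Graph clientAppTypes values as assumed from the conditionalAccessPolicy schema.
ALL_CLIENT_APP_TYPES = {"browser", "mobileAppsAndDesktopClients",
                        "exchangeActiveSync", "other"}


def build_policy(name="Require compliant device and approved app"):
    """Assignments and controls as listed in the answer: all users, all cloud
    apps, any platform, Browser + Mobile apps and desktop clients + Other
    clients (EAS not selected), grant = compliant device AND approved app."""
    return {
        "displayName": name,
        # Report-only state is a constructed choice so the effect can be
        # observed in sign-in logs before enforcement.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["all"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", "other"],
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["compliantDevice", "approvedApplication"],
        },
    }


def uncovered_client_app_types(policy):
    """Client-app types that sign-ins can use without this policy applying."""
    selected = set(policy["conditions"]["clientAppTypes"])
    if "all" in selected:
        return set()
    return ALL_CLIENT_APP_TYPES - selected


def requires_managed_access(policy):
    """True when the grant requires BOTH a compliant device and an approved app."""
    grant = policy["grantControls"]
    needed = {"compliantDevice", "approvedApplication"}
    return grant["operator"] == "AND" and needed <= set(grant["builtInControls"])


def to_graph_json(policy):
    """Request body for POST /identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)
```

The uncovered set makes the answer's trade-off explicit: Exchange ActiveSync sign-ins are not evaluated by this policy, so they need a separate policy or a block if that path is not wanted.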
