I'm trying to find out if it is possible to block access for the O365 mobile apps on Android when used from the personal profile when the Work Profile has been configured on that device.
We want to prevent that if the Work Profile is configured by Intune that the users can still connect to O365 with their work account from the personal profile.
During the Work Profile creation the Company Portal app is moved to the Work Profile and disabled in the personal profile. If the user then configures the work account in Outlook in the personal profile, Outlook will show a message that the Company portal app is required to which the user can click to be redirected to the Play Store in the personal profile and enable the Company Portal again. After this the mail works in the personal and work profile...
After playing around with some conditional access policies I found how this can be done. Here is what I did:
Created a new CA policy
All cloud services (could obviously be limited off course)
Device Platforms: Any Device
Clients Apps (Preview): Browser, Mobile Apps and Desktop clients, Modern authentication clients & Other clients
Grant: Require device to be marked compliant & Require approved client app
So in the conditions under clients apps (preview) I did not select Exchange ActiveSync Clients which seams to include apps outside of the Android Enterprise Work Profile.
During testing with Outlook in the private profile I was still able to enter in the work email address but then Outlook states that the Company portal app is required. Because this app is disabled in the private profile after the Work Profile is created, the user is directed to the Google Play Store where he can "Enable" the Company Portal app again and when authenticationg the device is registered again and the Work Profile is created again...
Not the best end user experience but at least the work email address can only be configured in the Work Profile.
To add upon this, the device is at that point registered twice in the Intune console.