
Intune MAM Delve app dataloss issue?

Vegard Strømsøy
Occasional Contributor

We have set up a conditional access policy requiring approved apps for access to Office 365 data.

[Image: Control access for approved client apps]

The documentation https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/technical-reference#appro... lists Microsoft Delve as one of the client apps. It goes on to say "The approved client apps support the Intune mobile application management feature."

 

In Intune we have set up an iOS app protection policy for Word, Excel etc.; Delve is not a choice here. We add Delve using the bundle ID, with the result that the sign-in in the Delve app now registers the device through Authenticator. None of the other app policy settings are applied, however: no PIN requirement, copy/paste is allowed to any app, etc. These are restrictions we have working in the other apps such as Word and Excel.

 

In the Delve app users can still read all accessible documents from O365 with no PIN prompt and copy/paste anywhere. How do we prevent this so as not to render the policy pointless? Does anyone have a recipe for blocking access to the Delve app (through conditional access?), or any way of managing the app properly?

2 Replies
Solution

This can be remediated by creating a Conditional Access policy targeted to Office Delve and iOS/Android devices. Setting that to block will prevent access. Microsoft should really update their list of apps approved for CA for mobile though as we noticed the same thing.


@esmugala wrote:

This can be remediated by creating a Conditional Access policy targeted to Office Delve and iOS/Android devices. Setting that to block will prevent access. Microsoft should really update their list of apps approved for CA for mobile though as we noticed the same thing.


This works well, with the one caveat that Delve/My profile is not accessible anymore in Edge when browsing SharePoint Online sites in the tenant from iOS devices. Acceptable stop-gap I suppose whilst waiting for Microsoft to remedy this properly.
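Added example (not part of the thread or Microsoft's own tooling): a check over exported Conditional Access policies, shaped like Microsoft Graph conditionalAccessPolicy objects, that confirms the block policy from the accepted solution is actually enforced for Delve on iOS and Android. The Delve application ID is a placeholder because the thread does not give it, the sample policies are constructed, and user/group scoping is assumed to cover everyone and is not evaluated.

```python
import json

# Placeholder: the thread does not give Office Delve's application ID.
DELVE_APP_ID = "<office-delve-app-id>"
MOBILE = {"iOS", "android"}

# Constructed sample export: the thread's "approved app" policy plus a
# Delve block policy that was left in report-only mode.
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Require approved client app", "state": "enabled",
   "conditions": {"applications": {"includeApplications": ["Office365"]},
                  "platforms": {"includePlatforms": ["iOS", "android"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["approvedApplication"]}},
  {"displayName": "Block Delve on mobile", "state": "enabledForReportingButNotEnabled",
   "conditions": {"applications": {"includeApplications": ["<office-delve-app-id>"]},
                  "platforms": {"includePlatforms": ["iOS", "android"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]
""")

def blocked_platforms(policies, app_id, wanted=MOBILE):
    """Return the platforms in `wanted` on which an enforced policy blocks app_id."""
    covered = set()
    for p in policies:
        if p.get("state") != "enabled":   # report-only and disabled policies block nothing
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if "block" not in controls:
            continue
        cond = p.get("conditions") or {}
        apps = cond.get("applications") or {}
        included = apps.get("includeApplications", [])
        if app_id in apps.get("excludeApplications", []):
            continue
        if app_id not in included and "All" not in included:
            continue
        plat = cond.get("platforms")
        if plat is None:                  # no platform condition: applies to every platform
            covered |= set(wanted)
            continue
        inc = set(plat.get("includePlatforms", []))
        inc = set(wanted) if "all" in inc else inc & set(wanted)
        covered |= inc - set(plat.get("excludePlatforms", []))
    return covered

def uncovered_platforms(policies, app_id, wanted=MOBILE):
    """Platforms in `wanted` where the app is still reachable (no enforced block)."""
    return set(wanted) - blocked_platforms(policies, app_id, wanted)
```

With the constructed sample, both mobile platforms come back uncovered because the block policy is still report-only; switching its state to enabled closes the gap.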
