Oct 31 2018 12:47 PM
so we're trying to go all mam, and recently created some changes that allow domain users to install apps, i.e. teams & outlook and the app protection configurations apply.
However, when I invite a guest user, that user is able to copy & paste data.
To work around that, in azure ad, I added the guest ID to the group that should still provide the protections.
But it is stil not protecting the data.
Should app protection policies apply globally? if not, what do I have to do?
the only documentation I have, says apply the app protection policies to a group called 'all users' which I thought guest users fall into... but seeing as it didn't, I made the change above.. Anyone have input?
Nov 02 2018 07:19 AM
We're having the same issue. I have a call in to Premier regarding this.
We invite a guest user. I.e. (Guestuser@gmail.com)
We see that account show up as a guest in the tenant.
We are then able to assign a EMS E3 license - (after specifying a 'location (US) for the guest user)
We put the user in a Group and apply the app protection policies to that group.
We see nothing happen.. It basically says the user never checks in.
MS is escalating it internally, so we're waiting to hear back.
Nov 02 2018 11:08 AM
Nov 02 2018 01:36 PM
MY guest user can get into TEams, fine. We're able to force MFA with CA rules.
What we can't prevent is "copy and paste" or Enforce Pin with app protection policies
Feb 01 2019 02:39 PM
Hi Folks, just wondering what the end result was for this thread?
Mar 27 2019 09:47 PM
Hello Everyone,
We're in the same boat now. Has anyone made any Progress here? We're about to put a call into Premier too but as some of you already have - could you kindly share your finidngs?
Thank you :)
Mar 28 2019 05:11 AM
Guest users do not adhere to InTune MAM controls on a mobile device.
What i had to do was block all the native apps with Conditional Access and rely on Security and Compliance center reporting for file activity.
Feb 20 2020 07:37 AM
@Phillip Kenyon Anything new with this? also interessted in a possible solution
Feb 20 2020 07:49 AM
I think I ended up hearing back that it doesn't work because of licensing. Theres no way for them to enforce enrollment, across tenants in a way that supports the MAM. To that end we've made the choice to limit how much we do across tenants with Teams. @RobertHeep
Feb 20 2020 08:04 AM
@Phillip Kenyon aw that was not the answer I was looking for :D so you ended up blocking mobile access for guests entirely?
Feb 20 2020 08:11 AM
not officially, but in a round-about way. Our MAM policy I only apply to direct employees, others get our fully managed MDM policies. @RobertHeep
Jul 02 2020 03:43 AM
As mentioned above this doesn't work with guest users. There are a number of reasons and it doesn't purely apply because of licensing today. The main core reason is the fact that an external or guest user could be another user from another organisations azure tenant, where there own MAM policies may apply.
So what I do is this. For guest users block the rich client teams app. This can be done using conditional based access, so when they access the team they have to go via the web. Then using MCAS use session controls to block downloads inside teams.
Hope this helps.
Jul 02 2020 04:36 AM
Jan 19 2021 07:20 PM