Hello @Kelly_Y ,

Thank you for your response.

As the SyncTypesListDisabled policy can only be enforced on managed devices this would still not prevent from syncing any data into the work profile (stored in our AzureAD tenant) from unmanaged devices. If im correct, data may be synced between unmanaged devices using the same work profile while sync may be restricted or disabled (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#syncdisabled) on managed devices via GPO. Sign-in may even be completely disabled on managed devices (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#browsersignin), which still would not affect unmanaged devices.

At time of writing the sync and its capabilities cannot be restricted on AzureAD side nor is it possible to restrict from which device one is allowed to sign-in into a work profile (we have a service request open for that since quite some time).

So imho besides syncing, one can take advantage from work profile features like seemless SSO on any device. There is also no need to re-authenticate a work profile sign-in after a certain period of time. If one adds his work profile to an unmanaged device like a personal iPad or a PC in an internet cafe and doesn't remove it, it may stay there logged in forever. These device (at least in my test) even do not show up in My Account -Devices (microsoft.com) nor in the company portal app.

Best Regards

Joe

The status of our service request was set to 'archived', and it was stated

• At this time there is still no ETA for the implementation of this Feature Request
• The Product Group has this on their roadmap and they will revisit this proposal next quarter

Currently there is no control from which device an employe is allowed to logon to the work profile and use the sync feature. Please remember: As browser policies can only be enforced on managed devices, to restrict on unmanaged devices it would be necessary to have an option to enforce this in the Azure tenant.