By: Michael Dineen - Sr Product Manager | Microsoft Intune
We wanted to provide a comprehensive guide for Microsoft Intune admins on the options available to block and remove specific, non-approved applications on both corporate-owned and personally owned (BYOD) iOS/iPadOS and Android devices. While the examples used in this article will be focused on the Microsoft OneDrive app, you can apply these steps to any app available in either the Apple App Store or Google Play Store.
This section covers corporate-owned and personally owned (BYOD) iOS/iPadOS devices.
iOS and iPadOS devices that have been enrolled into Intune using Apple Business Manager via its Automated Device Enrollment (ADE) method are Supervised devices. The device management APIs required for the example outlined below are only available on Supervised devices.
Intune gives admins the ability to block access to the Apple App Store on corporate-owned supervised devices. If your organization has enabled this policy, any user of the device will be unable to access and install any unmanaged applications other than those made available by the Intune admin through the Intune Company Portal app.
If the admin blocks access to the Apple App Store, no additional configuration or action is required. If your organization has not blocked access to the Apple App Store on corporate-owned iOS/iPadOS devices, then users will be able to sign in with a personal Apple ID and download any app available in the Store. The following sections cover how Intune admins can discover, hide, and block the launch of restricted apps on corporate-owned supervised iOS/iPadOS devices.
Reporting – Discovered apps
Admins can determine which apps are installed on supervised iOS/iPadOS devices by navigating to the Discovered apps report in the Microsoft Intune admin center (Apps > Monitor > Discovered apps). This data is refreshed every seven days for supervised devices, starting from the date that the device was enrolled. For additional details on the discovery cycle, see Intune discovered apps.
Admins can then click on a discovered app to see which devices have the app installed.
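The same lookup can be scripted against Microsoft Graph, which is useful when the list of affected devices needs to be exported or reviewed regularly. The following is an added example, not code from the original article or from the Intune product team; it assumes the Microsoft.Graph.Authentication module is installed, that the restricted app is matched by its discovered display name (the `OneDrive*` pattern below), and uses an assumed output path.

```powershell
# Added example (not from the original article): list supervised iOS/iPadOS devices
# on which the Discovered apps inventory reports OneDrive, using Microsoft Graph.
# Requires the Microsoft.Graph.Authentication module; the app name pattern and
# the output path are assumptions for illustration.
$AppNamePattern = 'OneDrive*'
$OutputCsv      = '.\discovered-onedrive-devices.csv'   # assumed path

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','DeviceManagementApps.Read.All' | Out-Null

# Follow @odata.nextLink so large tenants are paged through completely.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# 1. Find detected-app records whose name matches the restricted app.
$detected = Get-GraphCollection -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/detectedApps' |
    Where-Object { $_.displayName -like $AppNamePattern }

# 2. For each matching record, list the managed devices that report it and keep iOS/iPadOS only.
$rows = foreach ($app in $detected) {
    $devUri = "https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/$($app.id)/managedDevices"
    foreach ($d in Get-GraphCollection -Uri $devUri) {
        if ($d.operatingSystem -notin @('iOS', 'iPadOS')) { continue }
        [pscustomobject]@{
            AppName       = $app.displayName
            AppVersion    = $app.version
            DeviceName    = $d.deviceName
            UserPrincipal = $d.userPrincipalName
            Ownership     = $d.managedDeviceOwnerType   # company / personal
            Supervised    = $d.isSupervised
            LastSync      = $d.lastSyncDateTime
        }
    }
}

# Review on screen and keep a copy for the change record.
$rows | Sort-Object DeviceName | Format-Table -AutoSize
$rows | Export-Csv -Path $OutputCsv -NoTypeInformation
```

Because the Discovered apps inventory for supervised devices refreshes on the seven-day cycle described above, the `LastSync` column is worth checking before acting on a stale record.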
Reporting – Restricted Apps
Intune provides a report (Devices > Monitor > Devices with restricted apps) that displays devices that have installed restricted apps.
Specify restricted apps by navigating to Devices > iOS/iPadOS > Configuration Profiles > Create profile, select Templates for the Profile type and choose Device restrictions from the list. On the Configuration settings tab, expand the Restricted Apps option and change the Type of restricted apps list to Prohibited Apps. Then add the App store URL, App bundle ID, App name, and Publisher.
Note that this profile must be assigned to a user group.
Devices with the restricted app installed will be displayed under the Devices with restricted apps report (Devices > Monitor > Devices with restricted apps).
Hide and prevent the launch of an app
Admins can both hide and prevent the launch of specific apps by using the settings catalog. To hide and prevent the launch of specific apps:
Uninstall apps
Apps that a user has installed on a supervised iOS or iPadOS device via the Apple App Store can be easily uninstalled via Intune.
Monitor the status of the uninstall by navigating to Apps > iOS/iPadOS, selecting the app, and then selecting Device install status or User install status. The status will change to Not installed.
Bring your own device (BYOD) iOS and iPadOS devices are personally owned devices that have been voluntarily enrolled into Intune and can access organizational email, apps, and other data. Note that unlike supervised devices, not all administrative actions or configuration options are available to BYOD devices, such as the ability to geolocate the device or view apps installed by the user.
Identify BYOD devices that have restricted apps installed and prevent access to corporate resources
Compliance policies can be used to determine whether a device can access corporate resources protected by Conditional Access (by being assessed as either compliant or non-compliant; see Grant controls in Conditional Access policy - Microsoft Entra | Microsoft Learn), based on a number of properties, such as whether a particular app is installed.
In our example, we’re assessing if a device has OneDrive installed and, if it does, the device should be marked as non-compliant.
Devices that have the restricted app installed will be shown in the Monitor section of the compliance policy.
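Both policies described above, the Prohibited apps device restriction profile from the Restricted Apps reporting section and the compliance policy in this section, describe the restricted app with the same name, publisher, App Store URL and bundle ID fields, so it is convenient to define the app once and create both policies from it. The following is an added example, not code from the original article or from the Intune product team: it creates both policies through Microsoft Graph and assigns them to one user group. The policy names, the group-id placeholder and the App Store URL are assumptions, and the compliance policy relies on the `restrictedApps` property, which is assumed here to be available only on the beta endpoint.

```powershell
# Added example (not from the original article): create the Prohibited apps device
# restriction profile and the "OneDrive installed = non-compliant" compliance policy
# through Microsoft Graph, sharing one app definition. Policy names, the group id
# placeholder and the App Store URL are assumptions; 'restrictedApps' on the iOS
# compliance policy is assumed to be a beta-only property.
$AssignGroupId = '<GROUP-OBJECT-ID>'   # placeholder: user group both policies are assigned to

# The restricted app, defined once in the appListItem shape used by both policies.
$restrictedApp = @{
    '@odata.type' = '#microsoft.graph.appListItem'
    name          = 'OneDrive'
    publisher     = 'Microsoft Corporation'
    appStoreUrl   = 'https://apps.apple.com/app/id477537958'   # assumed URL for illustration
    appId         = 'com.microsoft.skydrive'                    # OneDrive iOS bundle ID
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

# Assignment body shared by both policies: target a single Entra ID group.
$assignment = @{
    assignments = @(@{
        target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $AssignGroupId
        }
    })
} | ConvertTo-Json -Depth 10

# 1. Device restrictions profile with a Prohibited apps list (Devices > iOS/iPadOS >
#    Configuration profiles). Apps in the list are prohibited, which feeds the
#    "Devices with restricted apps" report.
$restrictionProfile = @{
    '@odata.type'        = '#microsoft.graph.iosGeneralDeviceConfiguration'
    displayName          = 'iOS - Prohibited apps (OneDrive)'
    description          = 'Reports supervised devices that have OneDrive installed'
    compliantAppListType = 'appsNotInListCompliant'   # list type: Prohibited apps
    compliantAppsList    = @($restrictedApp)
} | ConvertTo-Json -Depth 10
$createdProfile = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $restrictionProfile
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($createdProfile.id)/assign" `
    -Body $assignment | Out-Null

# 2. Compliance policy (Devices > iOS/iPadOS > Compliance policies): marks a device
#    non-compliant when OneDrive is installed, so Conditional Access can deny access.
#    The scheduled action marks the device non-compliant immediately (grace period 0);
#    Intune requires at least one scheduled action when a policy is created via Graph.
$compliancePolicy = @{
    '@odata.type'  = '#microsoft.graph.iosCompliancePolicy'
    displayName    = 'iOS BYOD - OneDrive installed = non-compliant'
    description    = 'Marks personally owned devices with OneDrive installed as non-compliant'
    restrictedApps = @($restrictedApp)
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'   # rule name used by Intune for the default action set
        scheduledActionConfigurations = @(@{
            actionType                = 'block'
            gracePeriodHours          = 0
            notificationTemplateId    = ''
            notificationMessageCCList = @()
        })
    })
} | ConvertTo-Json -Depth 10
$createdPolicy = Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' `
    -Body $compliancePolicy
Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($createdPolicy.id)/assign" `
    -Body $assignment | Out-Null

"Created device restriction profile $($createdProfile.id) and compliance policy $($createdPolicy.id)"
```

Keeping the app definition in one variable avoids the common drift where the reporting profile and the compliance policy end up naming different bundle IDs, which silently makes one of them ineffective.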
Manage the app in Intune
Now that devices with the restricted app installed have been identified, you’ll need to add the app in Intune to be managed before you can take action and uninstall the app (also known as app takeover: Distribute Managed Apps to Apple devices – Apple Support).
To manage an app that a user has installed, perform the following steps:
On the BYOD device, the user will receive the App Management Change prompt and will have the choice to allow the organization to manage the app.
If the user selects Cancel, then the app will not become managed. The compliance policy will still determine that the device is non-compliant, and when combined with a Conditional Access policy that requires the device to be compliant as a grant control, the user won’t be able to access corporate resources.
If the user selects Manage, then the app becomes managed, and the organization will have the ability to uninstall the app. The app will also be displayed under Managed Apps on the device object.
Once the app is managed, it may be uninstalled by performing the following steps:
This section covers how to restrict and remove apps on Android devices based on the enrollment method.
Devices enrolled using Android Enterprise corporate owned fully managed will only have access to the Managed Google Play Store. This is a curated store, where users are able to install approved apps published to them by their organization.
Organizations can enable access to the Google Play Store via the setting Allow access to all apps in Google Play store, available in the configuration settings of a device restriction policy. This setting is Not configured by default, which prevents users from accessing the Google Play Store and installing restricted apps. If you configured the setting to Allow, and a restricted app has been installed, the admin has two options for removing the app.
1. Revoke access to all apps in Google Play Store
The admin can return the setting Allow access to all apps in Google Play Store to its default value, Not configured. When the setting changes from Allow to Not configured, all apps not explicitly allowed for the user are removed from the device, and the user receives a notification indicating that the app has been deleted.
2. Uninstall the restricted app
To uninstall a restricted app, and prevent it from being installed via the Google Play Store, perform the following steps:
Devices enrolled using Android Enterprise corporate-owned work profile provide the device owner with a separate profile in which they can install apps for personal use, over which the organization has limited control and visibility. With this enrollment method, the work profile is often referred to as the “personal profile”.
To restrict specific apps from being installed in the work profile, do the following steps:
For Android Enterprise personally owned devices with a work profile, use the same settings as described earlier in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile.
Apps installed outside of the work profile can’t be managed.
Intune mobile application management (MAM), comprising app protection policies (APP) and app configuration policies (ACP), allows organizations to manage and protect corporate data within an application without requiring the device to be enrolled in a mobile device management (MDM) solution. This applies to both iOS/iPadOS and Android devices. When used on unenrolled devices, MAM has no visibility into the device configuration or into other installed unmanaged apps.
For recommended configurations to keep your organization's data secure, see Data protection framework using app protection policies - Microsoft Intune | Microsoft Learn. Additional guidance is available for Android devices in Mobile Application Management (MAM) and Android Enterprise personally-owned work profiles in Microso....
In summary, we’ve discussed a variety of different approaches Intune admins can use to discover, hide, and prevent the launch of non-approved mobile applications, including how to remove specific apps on both iOS/iPadOS and Android devices.
We also discussed the use of compliance policies to mark devices that have non-approved mobile apps installed as non-compliant. When used in combination with Azure Active Directory Conditional Access, those non-compliant devices won’t be granted access to corporate resources. This is especially relevant for enrolled iOS/iPadOS BYOD scenarios.
Regardless of the platform or enrollment method, we recommend utilizing MAM to protect corporate data across both corporate and personal devices.
If you have any questions, please let us know in the comments or reach out to us on Twitter @IntuneSuppTeam.