Hi Yoann,

Thank you for sharing the link. I have read that guidance before, but I don't think it answered my question clearly.

I have fifty-four apps in total.

I have fifty apps that I want to block access to for everyone.

I have the following four apps that I want to block access to for nearly everyone, but allow for certain users only, who I will call Alice, Bob, Chris and Dave:
- Dropbox
- Gmail
- Google Docs
- Google Drive

How do I allow Alice, Bob and Chris access to Dropbox and Gmail, whilst stopping Dave and everyone else from accessing it?

Also, I want to allow Alice, Chris and Dave access to Google Docs but stop Bob and everyone else from accessing it.

Lastly, I want to allow Bob and Dave access to Google Drive, but stop Alice, Chris and everyone else.

I found out about importing user groups from AD, but the literature seems to suggest this is only for deciding which groups to monitor for app discovery, rather than governance actions.

My understanding is (please correct me if I'm wrong!) that currently I can only use scoped profiles based on Device groups. This means that if a user gets their laptop swapped, I need to make sure to move the old/new laptops into/out of the device group.

It also means that a laptop can only be in one device group at a time, with the highest ranked device group taking precedence.

So, if I create a scoped profile for allow Dropbox and I put Alice, Bob and Chris' laptops in the device group, and then create a deny device group for Alice and Chris to prevent access to Google Drive, then Alice and Chris' laptops would be blocked from accessing Dropbox as the Google Drive block device group takes precedence.

Is it possible to created scoped profiles based on membership of an Active Directory group, import that group, and have that user be a member of more than one AD group/scoped profile, depending on the app and requirement to block/allow?

So, if I have an AD group called 'Allow Dropbox' and added Alice, Bob, and Chris, I could unsanction Dropbox to block access to Dropbox for but except that group?

And then if I had an AD group called 'Allow Google Drive' and added Bob and Dave, I could unsanction Google Docs to block access to everyone but Bob and Dave, without it having any impact on Alice and Chris being able to access Dropbox?

Sorry for the wordy reply, but I'm really trying to figure this out!

@GI472
Hi,
Did you work this out?
In same kind of situation.
Thanks.

Nope.

As far as I know, you can leave groups of devices out of app discovery, but you can't apply allow/deny permissions to apps based on different groups. You can either allow access to all apps or deny access to all apps.