BYOD Policy Assignment

%3CLINGO-SUB%20id%3D%22lingo-sub-921525%22%20slang%3D%22en-US%22%3EBYOD%20Policy%20Assignment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-921525%22%20slang%3D%22en-US%22%3EHi%20All%3CBR%20%2F%3E%3CBR%20%2F%3EWith%20regards%20to%20BYOD%2C%20is%20it%20best%20to%20create%20a%20separate%20assignment%20group%20for%20policies%20etc%3F%3CBR%20%2F%3E%3CBR%20%2F%3EFor%20example%3A%3CBR%20%2F%3E%3CBR%20%2F%3EApp%20protection%20policy%20for%20Managed%20Devices%3CBR%20%2F%3ENo%20app%20PIN%20when%20device%20is%20managed%3CBR%20%2F%3EAssigned%20to%20Intune%20Test%20Group%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3EApp%20protection%20policy%20for%20Unmanaged%20Devices%3CBR%20%2F%3EApp%20PIN%20for%20targeted%20apps%3CBR%20%2F%3EAssigned%20to%20Intune%20BYOD%20Test%20Group%3CBR%20%2F%3E%3CBR%20%2F%3EInfo%20appreciated%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-921525%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-921889%22%20slang%3D%22en-US%22%3ERe%3A%20BYOD%20Policy%20Assignment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-921889%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F131657%22%20target%3D%22_blank%22%3E%40Stuart%20King%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20avoid%20this%20if%20at%20all%20possible.%20What%20happens%20if%20a%20user%20has%20a%20provided%20(enrolled)%20device%2C%20and%20also%20wants%20to%20BYOD%20their%20own%3F%3C%2FP%3E%3CP%3EWith%20PIN%20however%20you%20should%20not%20have%20an%20issue%2C%20if%20you%20look%20at%20the%20info%20for%20setting%20'App%20PIN%20when%20device%20PIN%20is%20set'%2C%20it%20says%20that%20this%20applies%20to%20MDM%20enrolled%20devices%20only.%20So%20you%20can%20set%20that%20and%20the%20app%20PIN%20will%20still%20be%20required%20for%20BYOD%20(MAM)%20devices%2C%20since%20it%20is%20the%20app%20which%20is%20protected%20and%20not%20the%20device.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-922065%22%20slang%3D%22en-US%22%3ERe%3A%20BYOD%20Policy%20Assignment%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-922065%22%20slang%3D%22en-US%22%3EYeah%2C%20are%20you%20suggesting%201%20X%20App%20Protection%20policy%20per%20OS%20platform%20for%20both%20managed%20%2F%20unmanaged%20devices%20and%20the%20require%20app%20PIN%20when%20MDM%20not%20present%3F%3C%2FLINGO-BODY%3E
Highlighted
Regular Contributor
Hi All

With regards to BYOD, is it best to create a separate assignment group for policies etc?

For example:

App protection policy for Managed Devices
No app PIN when device is managed
Assigned to Intune Test Group


App protection policy for Unmanaged Devices
App PIN for targeted apps
Assigned to Intune BYOD Test Group

Info appreciated
2 Replies
Highlighted

Hi @Stuart King 

I would avoid this if at all possible. What happens if a user has a provided (enrolled) device, and also wants to BYOD their own?

With PIN however you should not have an issue, if you look at the info for setting 'App PIN when device PIN is set', it says that this applies to MDM enrolled devices only. So you can set that and the app PIN will still be required for BYOD (MAM) devices, since it is the app which is protected and not the device.

Highlighted
Yeah, are you suggesting 1 X App Protection policy per OS platform for both managed / unmanaged devices and the require app PIN when MDM not present?