May 05 2020 01:27 AM
Yesterday we mass deployed Cisco Umbrella to all iOS devices currently in Intune.
Up until now we only do fully managed devices (with and without user affinity).
Leadership team has expressed a potential desire to also deploy the Cisco Umbrella app to personal mobile phones IF they are using it to access company resources.
My problem here is I do not know how I would even stop users from accessing Outlook, Teams, OneDrive from their personal mobiles and, if they wanted to, have them accept some security policies and have the Cisco Umbrella app deployed.
Could anyone help me out?
Would I need to do anything with MAM for this one? In Azure AD there is this MAM & MDM section where you can turn them on or off. Mine currently has MDM on and MAM off.
@Thijs Lecomte I don't really want to manage personal devices in great detail. It sounds like we just want to make sure that if they want to access corporate data they are to some extent managed, so that we can make sure they are in compliance and our data is secure. If a user leaves we should be able to remove just corporate data off the device.
@Thijs Lecomte In which case what I want is not correct :) So I'm back to Android Work Profiles and iOS user enrollment, right?
May 07 2020 06:54 AM
Hey,
If we talk about push, it is not possible to do so if a device is not enrolled. If we talk about App Store functionality, it is possible to provide users apps even without enrollment. The key thing there is to assign them to users, not devices; only user assignment is working, and then using the Company Portal. The web version of the Company Portal (https://portal.manage.microsoft.com/) will even allow you to install your custom LOB iOS apps, for example. You need to confirm a few prompts, but finally you can have a company in-house developed iOS app targeted to your users (without enrollment) via Company Portal and let them install the LOB app. Just go ahead, upload an app, assign it to the user and go to the web Company Portal.
Yes, it is no push, but self-service app store style is possible. For app updates it is the same: they will not be pushed; the user would need to go again to the Company Portal to install the update.
best,
Oliver
May 07 2020 06:59 AM
Your initial request to bring more security to the unenrolled devices is done in the MS concept by using MTD connectors. This is available for unenrolled devices as well.
https://docs.microsoft.com/en-us/mem/intune/protect/mtd-add-apps-unenrolled-devices
There are a few vendors supported but Cisco is not listed there. See here: https://docs.microsoft.com/en-us/mem/intune/protect/mobile-threat-defense
All this would give you the ability to do even more security checks on the device before allowing Outlook, Teams, etc. I think this is the intention of your initial ask. So if your leadership is okay with maybe switching the vendor here, you might want to have a look at this.
best,
Oliver