Can you deploy an app to personal mobiles if they use it for work?

Brass Contributor

Yesterday we mass deployed Cisco umbrella to all iOS devices currently in Intune.

Up until now we only do fully managed devices (with and without user affinity)

 

Leadership team has expressed a potential desire to also deploy the Cisco umbrella app to personal mobile phones IF they are using it to access company resources.

 

My problem here is I do not know how I would even stop users from accessing Outlook, Teams, Onedrive from their personal mobiles and if they wanted to had to accept some security policies and the Cisco umbrella app to be deployed.

 

Could anyone help me out?

9 Replies
This should be done with Intune and Conditional Access:

- I would advise to look into Android Work Profiles and iOS User Enrollment and set that one up
- Configure Conditional Access to require a compliant device when accessing Exchange/Teams/Sharepoint...
- Setup Cisco Umbrella application push to all devices

Users will need to enroll when they try to access from a personal device

Would i need to do anything with MAM for this one ? in Azure AD there is this MAM & MDM section where you can turn them on or off. mine currently has MDM on and MAM off.

It really depends on how you want to setup personal devices.
How much do you want to manage those personal devices?

FYI, these MAM & MDM settings are only for W10 - https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll

@Thijs Lecomte I dont really want to manage personal devices in great detail. It sounds like we just want to make sure that if they want to access corporate data that they are to some extend managed so that we can make sure they are in compliance and our data is secure. If a user leave we should be able to remove just corporate data off the device.

Then you should look into implementing mobile application management without enrollment (https://allthingscloud.blog/manage-byod-devices-with-intune-mam-without-enrollment/)

Then you can manage only corporate data on the phones
Do note: then you cannot push the Cisco application

@Thijs Lecomte  In which case then what i want is not correct :) So im back to Android Work Profiles and IOS user enrolment right?

Correct :) You need to manage the device if you want to publish applications to them

Hey,

 

if we talk about push it is not possible to do so if a device is not enrolled, If we talk about a App Store functionality it is possible to provide users apps even without enrollment. The key thing there is to assign them to users not devices, only user assignment is working and then using the company portal. The web version of the company portal (https://portal.manage.microsoft.com/) will even allow you to install your custom LOB iOS apps for example. You need to confirm a few prompts but finally you can have a company in-house developed iOS app target to your users (without enrollment) via Company Portal and let them install the LOB app. Just go ahead, upload a app and assign it to the user and go to the web Company Portal. 

Yes it is no push, but self-service app store style is possible. For app updates it is the same they will not be pushed, the user would need to go again to the Company Postal to install the update.

 

best,

Oliver

Your initial request to bring more security to the unenrolled devices is done in the MS concept by using MTD connectors. This is available for unenrolled devices as well. 

 

https://docs.microsoft.com/en-us/mem/intune/protect/mtd-add-apps-unenrolled-devices

 

There are a few vendors supported but Cisco is not listed there. See here: https://docs.microsoft.com/en-us/mem/intune/protect/mobile-threat-defense

 

All this would give you the ability to to even more security checks on the device before allowing Outlook, Teams, etc. I think this is the intention of your initial ask. So if your leadership is okay to maybe switch the vendor here you might want to have a look at this.

 

best,

Oliver