Detect when apps are managed in iOS and allow them in Conditional Access

Copper Contributor

Here is my scenario, we want to allow our users to use some specialized apps such as AutoCAD or ArcGIS to access OneDrive files on managed iOS devices, but we want to ensure that the app the users are using are in the "Managed area" of their iOS device. This means the app needs to be installed from the App store in the Intune Company Portal app, however we see instances where users are downloading the app from the public app store.

 

To me there are two approaches I can take:

1. Detect when one of these apps is installed from the app store and then force the installation from the Company App store. Is this possible?

 

2. Create an App Configuration for the app, which only gets applied when the app is installed from the Company App store, and then use Conditional Access to detect this setting. Is this possible?

 

Or perhaps there is another way to achieve what I am looking for?

2 Replies
There is no difference if you install apps from the company portal or through the app store. The Company Portal links back to the Public App Store.

If you want AutoCAD/ArcGIS to be in the container, the apps themself need to support this feature. Here you can find an overview of the apps that support App Protection Policies: https://docs.microsoft.com/en-us/intune/apps/apps-supported-intune-apps. As AutoCAD/ArcGIS are not listed there, there is no way of managing these apps.

You could create an exemption. this means that Onedrive can share data outside the comtainer to only AutoCAD & ArcGIS apps.

I think I finally found a solution, or at least a way to achieve what I want. In the iOS Compliance Policy there is an area where you can list "Restricted Apps." So as I test I added the Workday app to the list of restricted app in my compliance policy, then on my test device I downloaded the Workday app from the Apple App Store. As expected my device was no longer compliant, and the reason in the Comp Portal app was because I had the Workday app installed. Then I went to the App Store in the Comp Portal app and installed the "Managed" version of the Workday app. Once it finished installing I check the device settings again and synced the device from the Intune portal; the device was now compliant. 

 

clipboard_image_0.png

 

This doesn't automatically install the app, but does allow my to detect the apps and make the users remedy the issue. The Microsoft documentation doesn't explicitly say this is how it works, but it definitely seems to work for my scenario.

 

Just thought I would share in case someone else comes across this scenario.