Forum Discussion
Disallow O365 access from 'outside' of the Android for Work work profile?
- Pagliaud1, May 29, 2022, Copper Contributor
Oktay Sari here's how I achieved the configuration:
1. Created a CA policy BLOCKING every application except "Microsoft Intune" and "Microsoft Intune Enrollment", applied to iOS and Android devices. The app exceptions are needed because otherwise you cannot do anything on the personal profile; registering the device is also blocked.
2. THEN I created a second CA policy that grants access to all cloud apps, requiring an app protection policy.
And then of course I created an app protection policy targeting "all apps on all devices".
Result
- if the device is not enrolled, you can't access anything
- if the device is enrolled, you can only use the tenant's apps in the work profile
This is exactly what I wanted.
Thanks to everyone for your help
- Oktay Sari, May 29, 2022, Iron Contributor
Good to hear! And that's a better way to accomplish this 😉
- m-j-s, May 28, 2022, Copper Contributor
I eventually got it to work (M'soft have changed things since I last tried; the company portal app is much better than it used to be).
Using a conditional access policy, for all cloud apps (or just 365), that required the device to be enrolled AND using a known app (or app policy), along with an app policy too.
With that I couldn't use Outlook (or Teams or OneDrive or anything 365) in the personal profile 🙂
- Pagliaud1, May 27, 2022, Copper Contributor
Oktay Sari thank you very much
- Oktay Sari, May 27, 2022, Iron Contributor
Hi Avadhootfacctumcom, try CA with Filter for devices. My setup is like this:
CA policy: block O365 outside workprofile
Assignments: testuser@yourtenant.com
Cloud apps or actions: Office 365
Conditions:
Device platforms
include: Android
Conditions:
Filter for devices
Include filtered devices in policy
Rule syntax:
device.operatingSystem -ne "AndroidForWork"
Grant: Block
Filter for devices works a bit tricky. Especially the https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#policy-behavior-with-filter-for-devices with the different types of device states like registered/unregistered/managed/unmanaged. I'm using an Include with negative operators here to make sure the policy does apply.
Please note: The OS type I'm targeting here is Not equals AndroidForWork. This means that every attempt made from other Android OS types (like AndroidEnterprise) will also be blocked. If you have other Android enrollment profiles, you will have to take that into account when you create your filter.
With this setup, I'm able to work with Outlook within the work profile, but it will block the sign-in when I try to add a work account outside the work profile. My sign-in logs confirm this behavior:
Try this with a test account and see if it works. If you only want to block Exchange Online, you could also choose "Office 365 Exchange Online" instead of "Office 365"
Oktay
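To make the "negative operators" point above concrete, here is a small added example (not code from the thread, Microsoft, or the linked docs) that evaluates the filter-for-devices rule from this setup against a few constructed device records. It supports only a subset of the real rule syntax (`-eq`, `-ne`, `-in`, `-notIn`, flat `-and` chaining), and the way it treats an unregistered device is an assumption taken from the linked "policy behavior with filter for devices" section: a positive operator evaluates to false for a device with no attributes, a negative operator to true. The device names and attribute values are constructed sample data, not real tenant objects.

```python
import re
from typing import Dict, List, Optional, Tuple

# Subset of the Conditional Access device-filter operators this toy evaluator understands.
NEGATIVE_OPS = {"-ne", "-notIn"}
POSITIVE_OPS = {"-eq", "-in"}

_CLAUSE = re.compile(r'^device\.(\w+)\s+(-\w+)\s+(.+)$')


def parse_rule(rule: str) -> List[Tuple[str, str, List[str]]]:
    """Split a flat rule such as
       device.operatingSystem -ne "AndroidForWork" -and device.trustType -eq "Workplace"
    into (attribute, operator, values) clauses. Only '-and' chaining is supported."""
    clauses = []
    for part in re.split(r'\s+-and\s+', rule.strip()):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        attr, op, raw = m.groups()
        if op not in NEGATIVE_OPS | POSITIVE_OPS:
            raise ValueError(f"unsupported operator: {op}")
        values = re.findall(r'"([^"]*)"', raw)  # handles "x" and ["x","y"]
        clauses.append((attr, op, values))
    return clauses


def clause_matches(attr: str, op: str, values: List[str], device: Optional[Dict[str, str]]) -> bool:
    """Evaluate one clause. device=None models an unregistered device (no attributes)."""
    if device is None:
        # ASSUMPTION (from the linked docs section): with no device attributes,
        # positive operators evaluate false and negative operators evaluate true.
        return op in NEGATIVE_OPS
    actual = device.get(attr)
    if op == "-eq":
        return actual == values[0]
    if op == "-ne":
        return actual != values[0]
    if op == "-in":
        return actual in values
    return actual not in values  # -notIn


def policy_applies(rule: str, mode: str, device: Optional[Dict[str, str]]) -> bool:
    """mode 'include': the policy applies to devices matching the filter;
    mode 'exclude': it applies to devices NOT matching the filter."""
    matched = all(clause_matches(a, o, v, device) for a, o, v in parse_rule(rule))
    return matched if mode == "include" else not matched


# Constructed sample sign-in devices (not real tenant data).
SAMPLE_DEVICES: Dict[str, Optional[Dict[str, str]]] = {
    "work profile (AndroidForWork)": {"operatingSystem": "AndroidForWork", "trustType": "Workplace"},
    "fully managed (AndroidEnterprise)": {"operatingSystem": "AndroidEnterprise", "trustType": "Workplace"},
    "personal profile, registered": {"operatingSystem": "Android", "trustType": "Workplace"},
    "personal profile, not registered": None,
}

# The rule from the setup in this post.
RULE = 'device.operatingSystem -ne "AndroidForWork"'


def blocked_devices(rule: str = RULE, mode: str = "include") -> List[str]:
    """Names of sample devices to which a Block policy carrying this filter would apply."""
    return [name for name, dev in SAMPLE_DEVICES.items() if policy_applies(rule, mode, dev)]


if __name__ == "__main__":
    for r in (RULE, 'device.operatingSystem -eq "Android"',
              'device.operatingSystem -notIn ["AndroidForWork","AndroidEnterprise"]'):
        print(r, "->", blocked_devices(r))
```

Running it shows the two points made above: the `-ne "AndroidForWork"` rule also catches a fully managed AndroidEnterprise device, and it reaches the unregistered personal-profile sign-in, whereas a positive rule such as `-eq "Android"` would leave that unregistered device outside the block policy. The `-notIn` variant in the last line is the shape you would use if you have other Android enrollment profiles to keep out of the block.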
- Pagliaud1, May 26, 2022, Copper Contributor
Hi - did it work in your environment? Can you post a more detailed setup? Thanks in advance
- Avadhootfacctumcom, Mar 30, 2022, Copper Contributor
This doesn't work. I have tried multiple combinations to restrict end users from accessing O365 apps from the personal profile through CA. This simply doesn't work.
- TonyKelly, Jul 04, 2021, Copper Contributor
The key is that compliance policies require enrollment of the device, so you create an enrollment restriction policy blocking non-Android Enterprise devices. This stops users from enrolling the personal profile, so they cannot receive a compliance policy, which means they are never compliant on the personal profile.
- m-j-s, Jul 04, 2021, Copper Contributor
Rudy_Ooms_MVP Hi Rudy, everything you say is correct for the device settings and limiting (legacy) client access. The question is about using the 'personal' and 'work' profiles in Android for Work/Android Enterprise and limiting O365 access to the 'work' profile; there still doesn't seem to be a way to do that.