Disallow O365 access from 'outside' of the Android for Work work profile?

%3CLINGO-SUB%20id%3D%22lingo-sub-126521%22%20slang%3D%22en-US%22%3EDisallow%20O365%20access%20from%20'outside'%20of%20the%20Android%20for%20Work%20work%20profile%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-126521%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20a%20way%20to%20block%20Android%20for%20Work%20users%20to%20connect%20to%20Office%20365%20with%20apps%20that%20are%20installed%20outside%20of%20the%20work%20profile%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20example%20on%20my%20Android%20for%20Work%20capable%20device%20I%20have%20a%20work%20profile%20with%20eg.%20Outlook%2C%20which%20I%20can%20use%20to%20read%20my%20mail.%20However%2C%20i'm%20also%20able%20to%20use%20the%20Outlook%20app%20in%20my%20personal%20space%20to%20connect%20to%20Office%20365%2C%20I%20was%20kinda%20expecting%20to%20only%20be%20able%20to%20connect%20to%20Office%20365%20from%20my%20work%20profile%20(%3F)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-126521%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-543820%22%20slang%3D%22en-US%22%3ERe%3A%20Disallow%20O365%20access%20from%20'outside'%20of%20the%20Android%20for%20Work%20work%20profile%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-543820%22%20slang%3D%22en-US%22%3E%3CP%3EHello%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5941%22%20target%3D%22_blank%22%3E%40Joe%20Stocker%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20review%20this%20answer%2C%20and%20I%20would%20like%20to%20know%20if%20is%20this%20still%20valid%20or%20does%20now%20exist%20some%20way%20to%20achieve%20blocking%20access%20from%20non%20work%20profile%20apps%20to%2C%20for%20example%2C%20Outlook%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advanced%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-126530%22%20slang%3D%22en-US%22%3ERe%3A%20Disallow%20O365%20access%20from%20'outside'%20of%20the%20Android%20for%20Work%20work%20profile%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-126530%22%20slang%3D%22en-US%22%3E%3CP%3EYeah%26nbsp%3B%20that's%20what%20I%20figured%2C%20but%20still%20I%20think%20its%20strange%20that%20you%20can't%20restrict%20access%20to%20O365%20to%20just%20the%20work%20profile.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20still%20need%20to%20have%20all%20kind%20of%20MAM%20policies%2C%20why%20would%20I%20still%20want%2Fneed%20Android%20for%20Work%20capability%3F%20It%20feels%20like%20AfW%20doesn't%20really%20add%20anything%20extra%20in%20regards%20of%20security....%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-126524%22%20slang%3D%22en-US%22%3ERe%3A%20Disallow%20O365%20access%20from%20'outside'%20of%20the%20Android%20for%20Work%20work%20profile%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-126524%22%20slang%3D%22en-US%22%3ENo%2C%20however%2C%20you%20can%20use%20Intune%20Mobile%20Application%20Management%20to%20wipe%20the%20data%20from%20the%20personal%20profile%20which%20should%20address%20the%20concern.%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fapp-management%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune%2Fapp-management%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2151625%22%20slang%3D%22en-US%22%3ERe%3A%20Disallow%20O365%20access%20from%20'outside'%20of%20the%20Android%20for%20Work%20work%20profile%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2151625%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F5941%22%20target%3D%22_blank%22%3E%40Joe%20Stocker%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eit%20seems%20to%20make%20the%20separation%20of%20the%20work%20profile%20completely%20pointless%20if%20you%20cannot%20stop%20users%20from%20accessing%20company%20data%26nbsp%3B%26nbsp%3Bfrom%20(the%20same)%20that%20apps%20they%20have%20installed%20in%20their%20personal%20profile.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20a%20work%20profile%20setup%2C%20with%20outlook%20and%20the%20other%20office%20apps%20installed%2C%20which%20we%20can%20manage%20and%20wipe%20if%20needed%2C%20but%20there%20seems%20to%20be%20no%20way%20to%20prevent%20the%20user%20from%20also%20installing%26nbsp%3B%20the%20same%20apps%20in%20the%20personal%20profile%20and%26nbsp%3B%20directly%20accessing%20that%20data%20from%20those%20with%20no%20way%20of%20controlling%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Is there a way to block Android for Work users to connect to Office 365 with apps that are installed outside of the work profile? 

 

For example on my Android for Work capable device I have a work profile with eg. Outlook, which I can use to read my mail. However, i'm also able to use the Outlook app in my personal space to connect to Office 365, I was kinda expecting to only be able to connect to Office 365 from my work profile (?)

6 Replies
No, however, you can use Intune Mobile Application Management to wipe the data from the personal profile which should address the concern.
https://docs.microsoft.com/en-us/intune/app-management

Yeah  that's what I figured, but still I think its strange that you can't restrict access to O365 to just the work profile.

 

If I still need to have all kind of MAM policies, why would I still want/need Android for Work capability? It feels like AfW doesn't really add anything extra in regards of security....

Hello@Joe Stocker 

I have review this answer, and I would like to know if is this still valid or does now exist some way to achieve blocking access from non work profile apps to, for example, Outlook?

 

Thanks in advanced

@Joe Stocker 

it seems to make the separation of the work profile completely pointless if you cannot stop users from accessing company data  from (the same) apps that they have installed in their personal profile.

 

We have a work profile setup, with outlook and the other office apps installed, which we can manage and wipe if needed, but there seems to be no way to prevent the user from also installing the same apps in the personal profile and  then directly accessing the company  data from those with, no way of controlling it (yes i know we could use MAM, but then why bother with the work profile at all)

 

The original post/reply is from some time ago now  so I'm hoping  Microsoft might have improved the situation since then with new options or policies etc to control this?

 

@Mike Sharratt 

Hey i'm having the same issue 

cant see the point working with "work profile" as long as the user can use the same app on personal profile . It  makes no sense 

365 must change that 

 

We use compliance policies and Conditional Access to address this. The personal side of the device is never considered compliant so CA stops them from ever signing into something like Outlook on the personal side of their device.