
Disallow O365 access from 'outside' of the Android for Work work profile?


Is there a way to block Android for Work users to connect to Office 365 with apps that are installed outside of the work profile? 


For example, on my Android for Work capable device I have a work profile with e.g. Outlook, which I can use to read my mail. However, I'm also able to use the Outlook app in my personal space to connect to Office 365. I was kinda expecting to only be able to connect to Office 365 from my work profile (?)

21 Replies
No, however, you can use Intune Mobile Application Management to wipe the data from the personal profile which should address the concern.
https://docs.microsoft.com/en-us/intune/app-management

Yeah, that's what I figured, but still I think it's strange that you can't restrict access to O365 to just the work profile.


If I still need to have all kinds of MAM policies, why would I still want/need Android for Work capability? It feels like AfW doesn't really add anything extra in regard to security....

Hello @Joe Stocker

I have reviewed this answer, and I would like to know if this is still valid, or whether there now exists some way to block access from non-work-profile apps to, for example, Outlook?


Thanks in advance

@Joe Stocker 

It seems to make the separation of the work profile completely pointless if you cannot stop users from accessing company data from (the same) apps that they have installed in their personal profile.


We have a work profile set up, with Outlook and the other Office apps installed, which we can manage and wipe if needed, but there seems to be no way to prevent the user from also installing the same apps in the personal profile and then directly accessing the company data from those, with no way of controlling it (yes, I know we could use MAM, but then why bother with the work profile at all).


The original post/reply is from some time ago now, so I'm hoping Microsoft might have improved the situation since then with new options or policies etc. to control this?


@Mike Sharratt 

Hey, I'm having the same issue.

Can't see the point of working with "work profile" as long as the user can use the same app on the personal profile. It makes no sense.

365 must change that 


We use compliance policies and Conditional Access to address this. The personal side of the device is never considered compliant so CA stops them from ever signing into something like Outlook on the personal side of their device.

@TonyKelly What configuration do you have on the CA and Compliance policy to make that happen?

@abra07 


We normally create multiple compliance policies, one for each OS etc. This one is an example of an Android work profile compliance policy:


When this is configured, you could create a CA policy something like this:

*Target the proper platforms:


*Target the client apps


*Of course select the users :) and make sure you create an exclusion group for every CA policy you make


*Target the apps (or choose office 365)


*And make sure to require compliant devices


I have similar policies to that, but it still lets you add and use Outlook/O365 in the personal profile. You can require a device to be 'compliant', and require the use of Outlook etc., but there seems to be no way (that I have found) to stop the use of Outlook in the personal profile and only allow it in the work profile.

When the CA rules are implemented like I showed above, there should be no way a personal, non-compliant Android device could access your Exchange Online environment. There must be something wrong; what happens when you look at the What If in the CA?
Just to be sure… you also configured a specific CA rule to make sure ActiveSync/legacy auth/other clients are blocked?

@Rudy_Ooms_MVP Hi Rudy, everything you say is correct for the device settings and limiting (legacy) client access. The question is about using the 'personal' and 'work' profiles in Android for Work/Android Enterprise, and limiting O365 access to the 'work' profile; there still doesn't seem to be a way to do that.

Thanks for sharing Rudy, those CA and compliance policies will allow a compliant personal device to connect to O365, so an up-to-date device with the required security can access O365 from the personal profile after enrolling the device into Intune, for example.

The key is that compliance policies require enrollment of the device, so you create an enrollment restriction policy blocking non-Android Enterprise devices. This stops users from enrolling the personal profile, so they cannot receive a compliance policy, which means they are never compliant on the personal profile.

This doesn't work. I have tried multiple combinations to restrict end users from accessing O365 apps from the personal profile through CA. This simply doesn't work.

Hi - did it work in your environment? Can you post a more detailed setup? Thanks in advance

Hi @Avadhootfacctumcom, try CA with Filter for devices. My setup is like this:

CA policy: block O365 outside workprofile

Assignments: testuser@yourtenant.com
Cloud apps or actions: Office 365

Conditions:

Device platforms

include: Android

Conditions:

Filter for devices

Include filtered devices in policy

Rule syntax:

device.operatingSystem -ne "AndroidForWork"

Grant: Block


Filter for devices is a bit tricky, especially the behavior with the different types of device states like registered/unregistered/managed/unmanaged. I'm using an Include with negative operators here to make sure the policy does apply.


Please note: the OS type I'm targeting here is 'Not equals AndroidForWork'. This means that every attempt made from other Android OS types (like AndroidEnterprise) will also be blocked. If you have other Android enrollment profiles, you will have to take that into account when you create your filter.


With this setup, I'm able to work with Outlook within the work profile, but it will block the sign-in when I try to add a work account outside the work profile. My sign-in logs confirm this behavior:


Try this with a test account and see if it works. If you only want to block Exchange Online, you could also choose "Office 365 Exchange Online" instead of "Office 365".


Oktay
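As an added illustration (not from the post above or from Microsoft), the policy described above written out in the shape of a Microsoft Graph conditionalAccessPolicy, plus a small evaluator showing which constructed sign-ins the include filter with a negative operator pulls into scope: the unregistered personal profile is blocked, another Android enrollment type is blocked too (the caveat in the post), and the work profile passes through to other policies. The tenant, user and state values are assumptions.

```python
import re

# Constructed example body for the CA policy in the post above, laid out in the
# shape of a Microsoft Graph conditionalAccessPolicy; user and state are made up.
POLICY = {
    "displayName": "block O365 outside workprofile",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["testuser@yourtenant.com"]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["android"]},
        "devices": {"deviceFilter": {
            "mode": "include",
            "rule": 'device.operatingSystem -ne "AndroidForWork"'}},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# Single-clause filter rule: device.<property> -eq|-ne "<value>"
RULE_RE = re.compile(r'device\.(\w+)\s+-(eq|ne)\s+"([^"]*)"')


def filter_matches(rule, device):
    """device is None for a sign-in with no device object (the unregistered
    personal profile). Negative operators match such devices, positive ones do
    not, which is why the post uses Include with -ne to catch the personal side."""
    prop, op, value = RULE_RE.fullmatch(rule.strip()).groups()
    if device is None:
        return op == "ne"
    return (device.get(prop) == value) == (op == "eq")


def decision(policy, platform, device):
    """'blocked' when every condition matches, else 'not in scope'."""
    cond = policy["conditions"]
    if platform not in cond["platforms"]["includePlatforms"]:
        return "not in scope"
    flt = cond["devices"]["deviceFilter"]
    hit = filter_matches(flt["rule"], device)
    if flt["mode"] == "exclude":       # exclude mode inverts the filter
        hit = not hit
    if not hit:
        return "not in scope"
    return "blocked" if "block" in policy["grantControls"]["builtInControls"] else "granted"


if __name__ == "__main__":
    # Constructed sign-ins: work profile passes, personal and other enrollments are blocked.
    for label, plat, dev in [("work profile", "android", {"operatingSystem": "AndroidForWork"}),
                             ("personal profile, unregistered", "android", None),
                             ("AndroidEnterprise device", "android", {"operatingSystem": "AndroidEnterprise"})]:
        print(f"{label}: {decision(POLICY, plat, dev)}")
```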


@Avadhootfacctumcom 


I eventually got it to work (M'soft have changed things since I last tried; the company portal app is much better than it used to be).

Using a conditional access policy, for all cloud apps or just 365, that required the device to be enrolled AND using a known app (or app policy), along with an app policy too.


With that I couldn't use Outlook (or Teams or OneDrive or anything 365) in the personal profile :)