Feb 20 2019 07:43 AM - edited Feb 20 2019 07:44 AM
We have Outlook and Teams (and other mobile apps) deployed using MAM. A user gets an e-mail message in Outlook that says "Your teammates are trying to reach you in Microsoft Teams." The message includes a "Reply in Teams" button. If the user clicks the button, a browser window opens briefly. Then Teams opens but displays an error: "This action is not allowed by your organization." [GO BACK]. The user is able to get to the message in Teams, but only by navigating to it rather than being led to it through the Outlook link. Is this happening as a result of a policy I have applied, or is this a known issue affecting all environments?
Feb 21 2019 09:06 AM
This is most likely caused by a policy you've set that restricts managed data being accessed by unmanaged apps (check Config Policy and App Protection Policy). To resolve the problem, ensure that Teams has an app protection policy applied to it and that it is recognized as a policy-managed app. The alternative is to loosen the security of the policies to allow managed data to be opened in unmanaged apps.
Feb 21 2019 02:46 PM
OK, so .... Both Outlook and Teams are selected under Intune App Protection - Targeted apps. Under Properties > Data Protection, I have both "Send Org data to other apps" and "Receive data from other apps" set to "Policy managed apps" and I have no apps selected to exempt. I do not have a browser set as a targeted app, and I notice that a browser window opens briefly before Teams opens. Is that the problem -- that Teams is not allowed to receive data from an unmanaged browser? I tried including a browser in my targeted apps list, but I couldn't figure out how to get a mobile device to use the native browser sometimes and a managed browser only in connection with managed apps ... and nobody wants to be forced to use the managed browser all the time on their personal devices.
Should I set "Receive data from other apps" to "All apps"? I'm more worried about data leakage FROM managed apps than having outside data come TO managed apps, so this seems like a reasonable step.
Feb 22 2019 09:08 AM
The quickest option would definitely be to set Receive data from other apps to All apps. Otherwise, you'd need to publish an app protection policy for Intune Managed Browser or Edge and ensure the client has the app installed to act as a "middle-man" between policy-managed apps.
Feb 25 2019 03:16 PM
Thanks, that change in policy did the trick (at least on my own phone).
Are you aware of a way to tell Android and iOS devices to use a managed browser for links contained in managed apps while leaving the default app for web links up to the device owner for non-managed apps? In my initial testing when I installed Edge I didn't see a way to do this, and I don't want to saddle my users with a managed browser for everything on their personal devices.
Feb 26 2019 05:30 AM
Yes, for each of your app protection policies you can set Share web content with policy managed browsers to Required in the Data protection section.
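
The three policy states discussed in this thread can be checked against an exported policy; the following is an added example, not part of the thread and not Microsoft's code. The property names are the Microsoft Graph `managedAppProtection` counterparts of the portal settings, while `targetedApps`, the short app names and the finding codes are assumptions constructed for the example.

```python
# Property names are the Microsoft Graph managedAppProtection counterparts of the
# portal settings named in the thread. "targetedApps", the short app names and
# the finding codes are constructed for this example.

def audit_policy(policy, browser="managed-browser"):
    """Return the finding codes for one app protection policy dict."""
    outbound = policy.get("allowedOutboundDataTransferDestinations")  # Send org data
    inbound = policy.get("allowedInboundDataTransferSources")         # Receive data
    browser_required = policy.get("managedBrowserToOpenLinksRequired", False)
    apps = set(policy.get("targetedApps", []))
    findings = []

    # Leakage direction: org data leaving managed apps.
    if outbound == "allApps":
        findings.append("OUTBOUND_OPEN")

    if inbound == "allApps":
        # The workaround accepted in the thread: any app may pass data in.
        findings.append("INBOUND_OPEN")
    elif not browser_required:
        # Links leave via the device's default browser, and the managed app
        # then refuses the hand-off from that unmanaged browser.
        findings.append("LINK_HANDOFF_BLOCKED")

    # Requiring a managed browser only works if one is itself policy managed.
    if browser_required and browser not in apps:
        findings.append("BROWSER_NOT_TARGETED")
    return findings

# Constructed sample policies mirroring the three states in the thread.
BASE = {
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "managedBrowserToOpenLinksRequired": False,
    "targetedApps": ["outlook", "teams"],
}
ORIGINAL = dict(BASE)
LOOSENED = dict(BASE, allowedInboundDataTransferSources="allApps")
BROWSER = dict(BASE, managedBrowserToOpenLinksRequired=True,
               targetedApps=["outlook", "teams", "managed-browser"])

if __name__ == "__main__":
    for name, pol in [("original", ORIGINAL), ("loosened", LOOSENED), ("browser", BROWSER)]:
        print(name, audit_policy(pol) or "no findings")
```

`INBOUND_OPEN` marks the trade-off accepted in the thread, while an empty result corresponds to the managed-browser configuration from the last reply.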