Oct 02 2024 07:45 AM
Hello Experts,
We have iOS iPhone devices managed via Microsoft Intune.
We want to prevent users from adding any other Microsoft work account to a company mobile iPhone that is enrolled via Intune, so a user can use only his company work account and not any other company's work/school account.
Please suggest if there is a way to achieve this.
Oct 02 2024 08:33 AM
To prevent or block company users from adding another Microsoft work or school account on iOS devices managed via Intune, you can apply specific device configuration policies and conditional access policies within Microsoft Intune and Azure Active Directory.
Step 1: Configure Conditional Access Policies in Azure AD
You can create a Conditional Access policy that blocks sign-in attempts from other work or school accounts on devices that are managed by Intune.
1. Go to Azure Active Directory:
- Open the Azure portal and navigate to Azure Active Directory.
2. Create a Conditional Access Policy:
- In the Azure AD portal, select Security from the left-hand menu, and then select Conditional Access.
- Click New policy.
3. Target the policy to iOS devices:
- In the Assignments section, under Users and Groups, select All Users or a specific group of users you want to restrict.
- Under Cloud Apps or Actions, select All cloud apps or limit it to specific apps (e.g., Exchange Online, SharePoint).
- In the Conditions section, under Device platforms, select iOS to apply this policy only to iOS devices.
4. Control sign-ins:
- In the Access controls section, under Grant, choose Block access for users trying to sign in with any other Microsoft work or school account.
5. Require device compliance:
- If you want to ensure that only enrolled and compliant devices can access the company account, select Require device to be marked as compliant.
6. Enable the policy:
- Review the settings, and when you're ready, set the policy to On and click Create.
Step 2: Restrict Accounts in Intune via App Protection Policies
Use App Protection Policies to restrict access to specific apps (such as Outlook, Teams, or OneDrive) to only the enrolled company account. This prevents users from adding other work or school accounts to those apps.
1. Go to Microsoft Endpoint Manager Admin Center:
- Navigate to Microsoft Endpoint Manager Admin Center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).
2. Create an App Protection Policy:
- Go to Apps > App protection policies.
- Click Create policy, and choose iOS/iPadOS as the platform.
3. Configure Policy Settings:
- Under Targeted apps, select the apps you want to protect, such as Microsoft Outlook, Teams, OneDrive, etc.
- Under Targeted users, select the user group(s) where you want this policy applied.
- In the Data protection section, under Restrict which accounts can be used in this app, select Allow only work or school accounts.
4. Block Multi-account Sign-in:
- Under Conditional Launch, configure the Restrict Accounts setting to Block multi-account sign-in. This will prevent users from adding another work or school account to the targeted apps.
5. Deploy the Policy:
- Save the configuration and deploy the policy to the targeted user groups.
Step 3: Restrict Device Enrollment to a Single Account
You can also restrict device enrollment to only one corporate account through Enrollment Restrictions.
1. Go to Microsoft Endpoint Manager Admin Center:
- Go to Devices > Enrollment restrictions.
2. Create a New Enrollment Restriction:
- Click on Create restriction and select Device limit restriction.
3. Set the Device Limit:
- Set the limit to 1 device per user, if applicable, or configure the restriction to allow only one managed account per device.
4. Assign the Policy:
- Assign this enrollment restriction to the appropriate user groups.
Step 4: Use Device Compliance Policies
You can configure Device Compliance Policies to restrict access to devices based on compliance requirements. If a device is found to have multiple work or school accounts, it can be flagged as non-compliant, restricting its access to corporate resources.
1. Go to Endpoint Manager Admin Center:
- Go to Devices > Compliance policies > Policies.
2. Create a New Compliance Policy:
- Click on Create Policy, and select iOS/iPadOS as the platform.
3. Configure the Compliance Settings:
- Under the Compliance settings, configure restrictions such as requiring the device to be enrolled and compliant with the policies.
4. Deploy the Compliance Policy:
- Deploy this compliance policy to the appropriate groups.
Final Notes:
- Conditional Access will prevent users from signing in with other work or school accounts when accessing company resources, while App Protection Policies can block users from adding secondary accounts within specific apps.
- Ensure you test the policies on a subset of users before a full rollout to avoid unintended disruptions.
By implementing these steps, you can effectively restrict your users from adding other work or school accounts on iOS devices managed by Intune.
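As an added example (not code from the original thread), the "allow only the enrolled work account" restriction from Step 2 expressed with the documented Intune app configuration keys IntuneMAMAllowedAccountsOnly and IntuneMAMUPN, built as a Microsoft Graph targetedManagedAppConfiguration body, plus an offline audit that flags targeted apps that no policy pins correctly. The Graph body shape, the app bundle IDs and the sample policies are assumptions or constructed; the actual POST to Graph is left out.

```python
# Documented Intune MAM "allowed accounts" app configuration keys (iOS).
ALLOWED_ACCOUNTS_KEY = "IntuneMAMAllowedAccountsOnly"
UPN_KEY = "IntuneMAMUPN"
UPN_TOKEN = "{{userprincipalname}}"  # Intune expands this per user on delivery

# Assumed bundle IDs for the apps named in Step 2; verify against each app's listing.
OUTLOOK = "com.microsoft.Office.Outlook"
TEAMS = "com.microsoft.skype.teams"
ONEDRIVE = "com.microsoft.skydrive"


def build_allowed_accounts_policy(name, bundle_ids):
    """Body for POST /beta/deviceAppManagement/targetedManagedAppConfigurations
    (assumed shape) that limits the listed apps to the enrolled work account."""
    return {
        "@odata.type": "#microsoft.graph.targetedManagedAppConfiguration",
        "displayName": name,
        "customSettings": [
            {"name": ALLOWED_ACCOUNTS_KEY, "value": "Enabled"},
            {"name": UPN_KEY, "value": UPN_TOKEN},
        ],
        "apps": [{"mobileAppIdentifier": {
            "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
            "bundleId": b}} for b in bundle_ids],
    }


def audit_policies(policies, required_bundle_ids):
    """Return required apps that no policy pins correctly. The documented setup
    needs BOTH keys: the Enabled flag without IntuneMAMUPN gives the app no
    allowed account to enforce, so that policy is treated as not covering."""
    covered = set()
    for policy in policies:
        settings = {s["name"]: s["value"] for s in policy.get("customSettings", [])}
        if settings.get(ALLOWED_ACCOUNTS_KEY) != "Enabled" or settings.get(UPN_KEY) != UPN_TOKEN:
            continue
        for app in policy.get("apps", []):
            covered.add(app["mobileAppIdentifier"].get("bundleId"))
    return sorted(set(required_bundle_ids) - covered)


# Constructed sample: one half-configured policy (flag, no UPN) and one correct one.
SAMPLE_POLICIES = [
    {"displayName": "Teams - incomplete",
     "customSettings": [{"name": ALLOWED_ACCOUNTS_KEY, "value": "Enabled"}],
     "apps": [{"mobileAppIdentifier": {"bundleId": TEAMS}}]},
    build_allowed_accounts_policy("Outlook - work account only", [OUTLOOK]),
]

if __name__ == "__main__":
    print("still open to other work accounts:",
          audit_policies(SAMPLE_POLICIES, [OUTLOOK, TEAMS, ONEDRIVE]))
```

Export the tenant's policies with GET on the same Graph collection and feed the `value` array to `audit_policies` to confirm every app from Step 2 is covered before relying on the restriction.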