[New Blog Post] Monitor Policies on unmanaged devices (iOS/iPadOS and Android)

Disclaimer

At the time of writing this article, all the App Monitoring features were functional, and just recently I noticed an error in the Intune tenant, which you might have in your tenant as well. Hence, #Microsoft has not yet released an official statement.

1.   Introduction

This blog covers Mobile Application Management for unmanaged iOS/iPadOS and unmanaged Android devices, and demonstrates how to monitor policies on those devices. To secure the data and configure the applications, we used the following three policies:

  • Conditional Access policy
  • App protection policy
  • App configuration policy

 

Each policy forms part of the complete solution. The conditional access policy is used to allow access only from the Outlook app (for example). The app protection policy is used to secure data within the app, and the app configuration policy is used to configure some global settings in Outlook. When you configure and assign policies to users, it’s important to see whether these policies are applied. For that reason, we are going to demonstrate how to monitor policies on unmanaged devices using Intune.

 

2.   Monitoring policies

To see whether the policies are applied and to solve issues with them, it’s important to know where to look. When devices are managed by Intune, you can select the policy and see how it has been applied. To monitor policies on unmanaged devices you need to check Apps, because only the apps are managed rather than the whole device. The sections below describe how to monitor the settings for each policy applied.

2.1.       Conditional Access Policy

The conditional access policy can be monitored in Azure Active Directory by reviewing sign-in requests. Each time a user tries to sign in with an application that is not allowed, the attempt is logged. Sign-ins can be viewed for all users or for a single user. To view the sign-ins for one user, first select the user and then select “Sign-ins” in the navigation pane. To view all sign-ins, use the following steps.

    1.   In the MEM admin center select “Users” -> “Sign-ins” or click here. At the top press “Add filters” and select “Status” -> “Apply”.

    2.   Select “Failure” to filter all failed attempts. You can add additional filters to get more specific results.

     

    3.   In the results you will see the cause of the failure, e.g. a Gmail and an Email application which are trying to connect.

    4.   By selecting the failure you can view more details. You can select the entry “MFA” to view more details about the failure. In the “Basic Info” tab the failure reason is displayed. Here you will see “Authentication failed during strong authentication request”.



    5.   Now select the tab “Conditional Access” to view which conditional access policy was applied.
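
The same triage can be run over exported sign-in records instead of clicking through each entry. This is an added example, not part of the original post; it assumes records shaped like the Microsoft Graph signIn resource, and the sample records, users and policy names are constructed.

```python
import json
from collections import Counter

# Constructed sample sign-in records (users and policy names are hypothetical),
# shaped like the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Outlook",
  "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require approved client app", "result": "success"}]},
 {"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online",
  "clientAppUsed": "Exchange ActiveSync",
  "status": {"errorCode": 53003,
             "failureReason": "Access has been blocked by Conditional Access policies."},
  "appliedConditionalAccessPolicies": [
    {"displayName": "Require approved client app", "result": "failure"},
    {"displayName": "Require MFA", "result": "notApplied"}]},
 {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Outlook",
  "clientAppUsed": "Mobile Apps and Desktop clients",
  "status": {"errorCode": 500121,
             "failureReason": "Authentication failed during strong authentication request."},
  "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "failure"}]},
 {"userPrincipalName": "dave@example.com", "appDisplayName": "Microsoft Outlook",
  "clientAppUsed": "Browser",
  "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
  "appliedConditionalAccessPolicies": []}
]""")

def failed_signins(records):
    """Equivalent of the portal filter Status = Failure (errorCode 0 means success)."""
    return [r for r in records if (r.get("status") or {}).get("errorCode", 0) != 0]

def blocking_policies(record):
    """Conditional Access policies whose result for this sign-in was 'failure'."""
    applied = record.get("appliedConditionalAccessPolicies") or []
    return [p["displayName"] for p in applied if p.get("result") == "failure"]

def summarize(records):
    """Count failed sign-ins per (client app, failing policy) pair."""
    summary = Counter()
    for rec in failed_signins(records):
        for name in blocking_policies(rec) or ["(no policy failed)"]:
            summary[(rec.get("clientAppUsed", "unknown"), name)] += 1
    return summary

if __name__ == "__main__":
    for (client, policy), count in summarize(SAMPLE_SIGNINS).most_common():
        print(f"{count:3d}  {client:35s} {policy}")
```

Failures with no failing policy (the last sample record) are ordinary authentication errors rather than Conditional Access blocks, so they are counted separately.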


2.2.       App Protection Policy

The status of the app protection policy can be monitored in Intune when the devices are unmanaged; however, it’s not possible to view the devices themselves in Intune. To monitor app protection policies, you need to perform the following steps:

    1.    In the MEM admin center select “Apps” -> “Monitor” -> “App protection status” and press “Reports” at the top of the page, or click here.


There are two ways to view the app protection status in the Apps monitor. The first option is the User report. This shows an overview of the applications which are managed by app protection policies. It also displays whether the user is licensed to use Intune.

 

    2.    In the navigation pane select “User report” and press “Select user” to select the user you want to view.


The other option is an App report. This gives you an overview of all users for each app per platform. You can select the protection status which you want to view. When users show up as unprotected, this may be because the app protection policy was not assigned to that particular user.

 

    3.    In this screenshot you see all the users who are using Outlook on iOS/iPadOS devices and are protected by the app protection policy for Outlook.

     

    4.    If you select Status -> “Unprotected” you will see all users who are using Outlook to connect to your tenant but are not protected.


2.3.    App Configuration Policy

The status of the app configuration policy can be monitored in Intune. This can be done in the same blade as the App Protection policy. To monitor App configuration policies, you need to perform the following steps:

 

    1.    In the MEM admin center select “Apps” -> “Monitor” -> “App protection status” and press “Reports” at the top of the page.


Just as with the app protection policy, there are two ways to view the status. The first option is a User configuration report. This shows an overview of the applications which are configured by an app configuration policy. It also displays whether the user is licensed to use Intune.

 

    2.    In the navigation pane select “User configuration report” and press “Select user” to select the user you want to view.


The other option is an App configuration report. This gives you an overview of all users for each app per platform. You can select the platform and app for which you would like to view the status.

 

    3.    In this screenshot you see all the users who are using Outlook on iOS/iPadOS devices and are configured by the app configuration policy for Outlook.


Author

Shady Khorshed is a Microsoft enthusiast. He loves writing on iOS/Android, Windows 11, Windows 365 and related Microsoft Intune. He is here to share quick tips and tricks for all young professionals.
