Questions on device Security

Frequent Contributor
Hi Community, 
One of our customer raised the below queries on certain scenarios.
Scenario 1: One of the our partner raised this query, they have an issue with SharePoint is that when they create a label no action is applied on the site. They want to have a limited access policy (for all devices or non-corporate devices) on the site if they chose for example highly confidential label. For now it just shows the tag with no action.

Is there any other way to achieve this?

Scenario 2: Corporate devices need full offline and sync access. These are azure joined devices for their customer but other customers may have a hybrid joined device. Because intune doesn’t update compliancy consistently sometimes devices show as non-complaint even though they are. Partner tried to do this with conditional access but Partner think that has some limitations to achieve this.

Is there any other way to achieve this?

Scenario 3: Corporate device owners that want to work on a personal desktop device (no offline access, no outlook client connect, just office online access. No download possibility for outlook online, or sync or download files from sharepoint or onedrive. Just online access.

Can we set up a policy for this?

Scenario 4: Corporate device owners  with full offline access on personal desktop devices.

How can we protect data that is being used on a non-corporate windows desktop?

Scenario 5: BYOD, its basically the same scenario as the one above.
However, on personal windows desktops how can we protect data?
Any pointers would be of great help!!
7 Replies
Hi @Newlife

Lots of questions, I will try my best to answer them :)

Scenario 1:
You can block access to specific SPO sites from unmanaged devices through CA, but no way possible to block sites with a specific tag AFAIK

Check out this:

Scenario 2:
It's true that compliance updates very slow sometimes on Windows devices. I would recommend to set-up the grace period for non-compliant devices higher. That might solve your issue.

Scenario 3:
I do this one all the time. Set-up a CA policy that targets all apps (except browsers) and set the action to - require hybrid joined devices.

Scenario 4+5:
I would recommend looking into Windows Information Protection -

@Thijs Lecomte - Thanks a lot for your response. 


We have read the link you send over but couldn’t get it to work like we intended to. Because of limitations with conditional access etc.

However, is it somehow possible to setup these policies together to make sure that we understand every option and configure it the way it is meant to?

What do you mean, setup them up together?
Where are you getting stuck exactly? What scenario?

@Thijs Lecomte - Thanks for your prompt response. 


Basically, we need to differentiate the corporate owned devices and non-corporate devices and the options that are provided in CA are not sufficient it seems. I'll list out the missing features shortly. Thanks again!!


@Thijs Lecomte 


Here is the update, 


Customer talking about the issue outlined here:

As you recommended, requested to set-up the grace period for non-compliant devices higher, but that didn't help.  Is this a bug? do they need to raise MS support ticket?



I would advise to raise a support ticket
But my fear is that they will also tell you to increase the grace period.

To that did you set the grace period?

@Thijs Lecomte Yes, it's done and the issue persists for 3 months now :(