Apr 19 2022 06:44 AM
Apr 19 2022 06:44 AM
Yes, I know there are controls to prevent new apps from being used in an org. We use them.
We are finding more and more though, that people are looking for alternatives to Teams for doing various things. When we look at the use-cases and what they are looking to add, pretty much all the time, Teams can still meet their needs.
We have tried doing education and hands-on to show people what Teams can do.
We have stated over and over it's not just a matter of app capability but of security and privacy; we can much more closely safeguard the data when its in the O365 ecosystem.
We have done the work to show Teams abilities and a business case for data security, privacy and governance, yet people still persist to add new apps to the environment. One example is Asana. We've used it and honestly, it does the SAME exact things Teams does in connection with Planner and Outlook. Does it come down to an education issue? "Look, you can do all the same things in Asana as you can in Teams AND we can better secure the data."
Anyone have any advice? Thanks.
Apr 21 2022 12:06 AM
When it comes to Teams and all the apps you can as an admin be very helpful to your organization by using the Teams app setup policies and permission policies. You can pin apps for the users, be selective and install apps and messaging extensions as well. You can use custom policies too. By using this approach, in combination with organizational information, you will not only prevent sprawl but also narrow down what apps are available in Teams for the users to use, or simply highlight a couple by installing/pinning.
Apr 22 2022 06:09 AM
Apr 22 2022 06:59 AM - edited Apr 22 2022 10:13 AM
There are plenty tools in the M365 environment if the Teams app policies aren’t sufficient. You can block access with Defender for Endpoint, and apps with Defender for cloud apps as an example.
Apr 22 2022 10:42 AM
May 31 2022 09:11 AMSolution
It depends where the apps are surfaced, but generally speaking it's a combination of the Teams Admin Centre together with Intune (MAM or MAM + MDM) Defender for Cloud Apps/Defender for Endpoint. However, this will be dependent on how users use those apps. It will also depend on such extra actions such as preventing them in the 365 environment from signing up to trials.
For example, if you have users who just come in and use their desktop in the office then you could configure Defender for Cloud Apps and control it based upon the Perimeter Appliance, and ingest the logs in Defender for Endpoint and then, for example, use a combination of Intune and Applocker to prevent that. If the users are working from home outside the perimeter it could be a combination of DFE/DFCA and then Unsanction the apps. In terms of Mobile, with full MDM you can block the apple App Store and push out the apps you want.
But also just to add that ultimately, you can't prevent Shadow IT completely, because users can have personal devices and use things like WhatsApp. However, via the above methods it should give you pretty tight control over app usage for business devices.