SharePoint Unmanaged device 'block access' not working as expected

%3CLINGO-SUB%20id%3D%22lingo-sub-2319505%22%20slang%3D%22en-US%22%3ESharePoint%20Unmanaged%20device%20'block%20access'%20not%20working%20as%20expected%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2319505%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20enabled%20SharePoint%20unmanaged%20devices%20setting%20to%20'Block%20access'%20from%20unmanaged%20devices.%20I%20noticed%20that%20this%20automatically%20creates%20a%20conditional%20access%20policy%20that%20applies%20to%20all%20users%2C%20applies%20to%20SharePoint%20cloud%20app%2C%20has%20only%20one%20condition%20configured%20with%20client%20app%20set%20to%20Browser%20and%20session%20controls%20set%20to%20'Use%20app%20enforced%20restrictions'.%26nbsp%3BNow%20this%20policy%20works%20as%20per%20its%20definition%20i.e.%20it%20blocks%20access%20within%20the%20browser%20from%20an%20untrusted%20device.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20what%20about%20access%20from%20mobile%20and%20desktop%20clients.%20OneDrive%20syncs%20continues%20to%20work%20on%20unmanaged%20devices%20and%20so%20does%20users'%20access%20to%20documents%20within%20Office%20desktop%20clients.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAre%20we%20missing%20something%3F%20Shouldn't%20the%20auto%20generated%20policy%20apply%20to%20all%20client%20types%20i.e.%20browser%20as%20well%20as%20mobile%20and%20desktop%20clients%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22SPO-Conditional-Access-Unmanaged-Device.PNG%22%20style%3D%22width%3A%20528px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F277645iBA4097AC91316874%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22SPO-Conditional-Access-Unmanaged-Device.PNG%22%20alt%3D%22SPO-Conditional-Access-Unmanaged-Device.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22SPO-Unmanaged-Block-Access.PNG%22%20style%3D%22width%3A%20574px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F277646i7B3DE74506F70289%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22SPO-Unmanaged-Block-Access.PNG%22%20alt%3D%22SPO-Unmanaged-Block-Access.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2319505%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDevice-based%20restrictions%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Frequent Contributor

We have enabled SharePoint unmanaged devices setting to 'Block access' from unmanaged devices. I noticed that this automatically creates a conditional access policy that applies to all users, applies to SharePoint cloud app, has only one condition configured with client app set to Browser and session controls set to 'Use app enforced restrictions'. Now this policy works as per its definition i.e. it blocks access within the browser from an untrusted device.

 

However, what about access from mobile and desktop clients. OneDrive syncs continues to work on unmanaged devices and so does users' access to documents within Office desktop clients.

 

Are we missing something? Shouldn't the auto generated policy apply to all client types i.e. browser as well as mobile and desktop clients?

 

SPO-Conditional-Access-Unmanaged-Device.PNG

 

SPO-Unmanaged-Block-Access.PNG

 

 

 

0 Replies