Conditional Access
Access Issues due to supervised Device
Hello, we have supervised (ADE) and user affinity iOS devices in our company. The users can log on to their device via their Modern Auth and the whole thing is managed with Intune. As a company, we have access to Azure Virtual clients (Win 11) hosted by our customers. If I now want to access this virtual Azure client via my supervised iPad and the iOS Windows App, I receive the message: ‘Warning: incorrect configuration. The administrator wants the apps on this device to be managed via the ‘xxx’ account. [...] To access company data via the ‘yyy’ account, you must unregister your device from the company portal’. Is it possible to define exceptions in Intune so that I can log on to the virtual client with credentials other than those stored in the company portal? Best regards

[New Blog Post] Selective Wipe Corporate Data on unmanaged devices (iOS/iPadOS and Android)
1. Introduction

This blog aims to detail Mobile Application Management for un-managed iOS/iPadOS devices and un-managed Android devices. This blog is intended to demonstrate how to utilize selective wipe of corporate data. When a device is stolen or lost, or an employee leaves the company, you want to be sure there is no corporate data left on the device. This can be achieved by performing a selective wipe. After the selective wipe is requested, the corporate data will be removed from the app. This will be performed the next time the app is started.

This guide will touch on three aspects as follows:
- Conditional Launch
- Device based wipe request (Stolen/Lost device)
- User based wipe request (Employee leaves the company)

2. How to initiate a wipe

There are two ways to initiate a selective wipe. The selective wipe can be performed as part of the Conditional Launch in the App protection policy or by manually initiating a wipe request (Device based wipe and User based wipe).

2.1. Conditional launch

When you configure an app protection policy a selective wipe will be configured. This is part of the conditional launch. One of the default settings is “Offline grace period -> 180 days”. After 180 days offline you need to reconnect to the network and successfully authenticate. If the user successfully authenticates nothing will happen, but if the user fails, a selective wipe will be performed.

2.2. Manually initiate a wipe request

There are two ways to manually initiate a wipe request: a device based wipe request and a user based wipe request. To initiate a wipe, select in the MEM admin center “Apps” -> “App selective wipe”. At the top of the app selective wipe blade, you can select “Wipe request” (device based wipe) or “User-Level Wipe” (user based wipe).

2.2.1. Device based wipe request

With a device based wipe request a wipe can be initiated for each user device registered with an app protection policy. If a user has lost the device and a new device is in use, then a device based wipe can be used to only wipe the previous device.

1. Press the button “Create wipe request” at the top of the page.
2. Press “Select user” to select the user whose device you want to wipe. After the user has been selected the devices belonging to the user will be displayed. Select the device you want to wipe and press “Create”.
3. The wipe request will be sent to the device to remove corporate data from applications protected with an app protection policy. You will return to the app selective wipe blade where you can monitor the removal process for the user. Pending requests can be deleted by right-clicking the request and selecting “Delete wipe request”.
4. After successfully performing a wipe, the device will be removed from the device overview that was displayed in step 2.

Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request has been made.

2.2.2. User based wipe request

When performing a user based wipe request a wipe request will be sent to all apps on all the devices. You may want to perform this wipe when a user leaves the company and you want to be sure that all data is removed from all devices associated with the user.

1. In the app selective wipe page select “User-level wipe” and press “add” to select the user for which you want to perform a user-level wipe.
2. Now that the user has been selected, wipe requests will be sent to all the devices of the user. As long as the user is on the list, the user will continue to get wipe commands at every check-in from all devices. To allow sign-in on a device you first need to remove the user from the list.
3. The wipe action can be monitored using the User report (“Apps” -> “Monitor” -> “Reports”).

Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.

Author
Shady Khorshed is a Microsoft enthusiast. He loves writing on iOS/Android, Windows 11, Windows 365 and related Microsoft Intune. He is here to share quick tips and tricks for all young professionals.

Exclude/Allow Particular non-managed devices from Conditional access policy without enrolling
Hello Experts, how can we exclude or allow some personal (non-company managed) particular devices from a Conditional Access policy without enrolling or joining them to Intune or Entra? For example, I have created some Conditional Access policies and now we want to allow some personal devices to be able to log in to Office or Outlook from two or three personal Android devices which are unmanaged or not company managed. Can we achieve this using these devices' unique ID or ICCID? If possible please give some hint or clue. Thank you.

Microsoft Graph Command Line Tools Blocked by CA
Hi All, I hope you are well. Anyway, I recently turned ON a Conditional Access Policy Template, "Require MDM-enrolled and compliant device to access cloud apps for all users (Preview)". This seems to work fine until our IT Admins try to use the AutoPilot script, which gets blocked based on: Microsoft Graph Command Line Tools. Any ideas on how to allow AutoPilot / Microsoft Graph Command Line Tools through CA? Info appreciated.

Work or School Account Problem just after Hybrid AD Joined Autopilot
Hi All, we are doing the Hybrid AD joined Autopilot and the issue is that just after finishing the process and the user has signed in, there is a notification to sign in again to fix your work or school account. If we do not sign in and leave it there, we don't get the Company Portal app installed for about 3 to 4 hours. However, if we click the notification and sign in with the user account, we get the Company Portal app installed within 5 minutes. If we go to Account settings, we can see the hybrid AD join completed properly and policies have been pushed by Intune too (image2). We have deployed the Company Portal app to All users at the moment. I would like help identifying whether this is by design or something wrong with our configuration?
image1:
image2:
Thanks, Dilan

[NEW] Podcast06: Setup MAM for Windows In Intune
Podcast06: Setup MAM for Windows In Intune. The upcoming podcast joins me with Joery Van den Bosch to focus on MAM for securing and managing mobile applications within an organization. Through MAM, organizations can control app configurations, protect data, manage access, and ensure apps are updated. This approach is especially valuable for securing corporate data on personal devices, without requiring full device enrollment.

Key Benefits of MAM:
- Enhanced Data Security
- Increased Flexibility

App Protection Policy Levels:
- Level 1 – Basic Data Protection.
- Level 2 – Enhanced Protection.
- Level 3 – High Data Protection.

YouTube: https://youtube.com/shorts/GNWsX1B_Io8?si=I7EySot5pTgVBXa6

Company portal failing to install error 0x87D1041C
Hello Everyone, I have added Company Portal (offline version) from Microsoft Store for Business and deployed it to 6 Autopilot-enrolled Windows 10 laptops. All laptops have the same hardware and configuration. Out of all the laptops, the Company Portal application is failing on one Windows 10 laptop. I have tried to uninstall and re-install it but it shows the same error every time on that particular laptop. However, apps are getting published in Company Portal on that laptop, so why is Endpoint Manager showing it as failed to install with error code 0x87D1041C?

Conflict status after having 2 Local user group membership Policy
Hello, I have an issue with applying two "Local User Group Membership" policies on a PC. The Intune policy report shows a conflict between the two "Local User Group Membership" policies despite them having different configurations. For example, one is a global policy, which applies admin privilege to all PCs, and the other one is more specific to a certain group, and it is just about giving remote access to the PCs in this group. So, my question is, why does Intune mark these two policies as conflicting with each other? If it is not possible to have two "Local User Group Membership" policies applying to the PC, is there a way to have a global policy for admin users on the PC and one more specific policy for remote user access using "Local User Group Membership"?

Allow Chrome / Firefox through Conditional Access
Hi All, I hope you are all well. Anyway, we have rolled out a CA policy that requires users to be on an Intune-enrolled and compliant Windows device. So far, so good. However, a lot of our end users are Front Line Workers who will use browser-based Office Web Apps for email etc. The problem is that the CA policy only allows access to M365 resources in the Microsoft Edge browser; other browsers such as Chrome and Firefox get the "you cannot get to there from here" message. The majority of our end users won't know the difference between browsers and will just use anything, so is there a way to extend the CA policy to Chrome and Firefox? Info appreciated.