Mobile Application Management (MAM)
Issue with SharePoint and Teams access
Hello everyone, I have the following question. My device is currently involved in two different tenants (my main work and a customer environment). When I try to log in to the Azure portal or DevOps, I have no issue with access. When I try to open the customer's SharePoint page, or use Teams with the account registered in the customer environment, I experience an issue with authentication. First, I get a window stating "Tenant Name requires you to secure this device before you can access email, files and data. If you go to other apps or sites, they may recognize that you are signed in. You can enroll your device with...". When I continue, I get another error with error code 530003. Device platform: macOS. Device state: unregistered. Thanks in advance for your assistance!

iOS Screenshots not working (BYOD)
Hi All! I am getting reports back from our iOS BYOD users that they cannot capture screenshots. Our policy and config for BYOD hasn't changed recently, and we don't restrict the taking of screenshots. I have also checked the app config and protection policies, but can't see anything in there; they haven't changed either. I know iOS has had updates recently; could this be the cause? Anyone else got this issue? Many thanks

Guidance on Intune MDM/MAM Setup
Hello All, We are implementing Intune for MDM and MAM on iOS and Android devices. If a user (with an Entra account) has two devices, one corporate-owned and one personal, then how can we ensure that:
1. The corporate device is enrolled as MDM.
2. The personal device is enrolled as MAM.
Additionally, is it possible to block all device enrollments by default and only allow devices to enroll via serial/IMEI numbers using a policy? Thanks

File types restriction on Android OneDrive
Hi guys, I have Intune to manage Android tablets in my company and I am trying to make a policy to restrict downloading (Make available offline), but I don't know how to achieve that. I can't find anything relevant on the internet. I would really appreciate it if anyone can help me with that. Summary of the desired result: users of Android tablets can make SharePoint folders available offline, but only for specific file types (pdf, docx, pptx, xlsx); other file types shouldn't be available offline because of their large size, such as (dwg, dxf, stp). Thank you in advance!

App Protection Policy Intune iOS Restrict Cut Copy Paste but allow certain third party apps only
The restriction of cut, copy and paste is set to Microsoft apps only. Even if we push the apps from the Company Portal as managed apps, even VPP apps, the app protection policy is not getting applied to those apps. Apps like SAP, Concur, Salesforce, etc. are used globally and widely across many organisations, so how are you overcoming these policy restrictions by MS Intune on iOS devices? We have to secure things so that no data can be moved out to any third-party apps, while at the same time we have business apps like those mentioned above to get things done.

Tried methods that are not working: sending the UPN as an app configuration policy using the third-party apps as well. Added custom bundle IDs for those apps in the app protection policy. In the app protection policy, under Data Protection, "add apps to exempt" was also tried with no results.

In our existing policy we have chosen "selected apps mode" for the app protection policy, and all these apps were selected as Microsoft apps, and it is working fine as expected. Cut, copy and paste will work only in those apps which we have chosen as selected apps; in all remaining apps, cut, copy and paste will be blocked. Now we have a scenario of business app usage, and we have deployed those via the Company Portal as iOS Store apps; users have downloaded them and are using them already. From app management, they show as managed apps. The requirement here is to have cut, copy and paste from Outlook and Teams to those business apps.

Company portal says rooted device but it's not - Android
Hi everyone, We came across a situation where one of our Android users is not able to access Outlook and Teams due to a rooted device. We configured only an app protection (MAM) policy in Intune and blocked access from jailbroken/rooted devices. Only the MAM policy has been applied on the device, and the device is not enrolled with Intune. So far, we have followed the troubleshooting below:
Rejoined the device again; however, after some time, the error appears again.
Checked whether the device is rooted or not (Go to Settings > About phone > Status Information > Phone Status). Phone status says official. I believe this means it is not a rooted device.
Below is the error message from the Company Portal.
Device status in Azure AD (not enrolled with Intune).
I would appreciate it if anyone can tell me whether there is anything else to try out before I create a support case with Microsoft. Thanks, Dilan

[New Blog Post] Selective Wipe Corporate Data on unmanaged devices (iOS/iPadOS and Android)
1. Introduction
This blog aims to detail Mobile Application Management for unmanaged iOS/iPadOS devices and unmanaged Android devices. This blog is intended to demonstrate how to utilize selective wipe of corporate data. When a device is stolen or lost, or an employee leaves the company, you want to be sure there is no corporate data left on the device. This can be achieved by performing a selective wipe. After the selective wipe is requested, the corporate data will be removed from the app. This will be performed the next time the app is started. This guide will touch on three aspects as follows:
- Conditional Launch
- Device based wipe request (stolen/lost device)
- User based wipe request (employee leaves the company)

2. How to initiate a wipe
There are two ways to initiate a selective wipe. The selective wipe can be performed as part of the Conditional Launch in the app protection policy or by manually initiating a wipe request (device based wipe and user based wipe).

2.1. Conditional launch
When you configure an app protection policy, a selective wipe will be configured. This is part of the conditional launch. One of the default settings is "Offline grace period -> 180 days". After 180 days offline you need to reconnect to the network and successfully authenticate. If the user successfully authenticates nothing will happen, but if the user fails, a selective wipe will be performed.

2.2. Manually initiate a wipe request
There are two ways to manually initiate a wipe request. There is a device based wipe request and a user based wipe request. To initiate a wipe, select in the MEM admin center "Apps" -> "App selective wipe" or press here. At the top of the app selective wipe blade, you can select "Wipe request" (device based wipe) or "User-Level Wipe" (user based wipe).

2.2.1. Device based wipe request
With a device based wipe request a wipe can be initiated for each user device registered with an app protection policy. If a user has lost the device and a new device is in use, then a device based wipe can be used to only wipe the previous device.
1. Press the button "Create wipe request" at the top of the page.
2. Press "Select user" to select the user of which you want to wipe a device. After the user has been selected the devices belonging to the user will be displayed. Select the device you want to wipe and press "Create".
3. The wipe request will be sent to the device to remove corporate data from applications protected with an app protection policy. You will return to the app selective wipe blade where you can monitor the removal process of the user. Pending requests can be deleted by right-clicking the request and selecting "Delete wipe request".
4. After successfully performing a wipe, the device will be removed from the device overview that was displayed in step 2.
Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request has been made.

2.2.2. User based wipe request
When performing a user-based wipe request, a wipe request will be sent to all apps on all the devices. This wipe you may want to perform when a user leaves the company and you want to be sure that all data is removed from all devices associated with the user.
1. In the app selective wipe page select "User-level wipe" and press "add" to select the user for which you want to perform a user-level wipe.
2. Now the user has been selected, wipe requests will be sent to all the devices of the user. As long as the user is on the list, the user will continue to get wipe commands at every check-in from all devices. To allow sign-in on a device you first need to remove the user from the list.
3. The wipe action can be monitored using the User report ("Apps" -> "Monitor" -> "Reports") or click here.
Important: The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was made.

Author
Shady Khorshed is a Microsoft enthusiast. He loves writing on iOS/Android, Windows 11, Windows 365 and related Microsoft Intune topics. He is here to share quick tips and tricks for all young professionals.

Config protection policy to share with a third-party app only
Hi all, I want to share a document from Teams via a third-party app only (e.g. Telegram). I configure Teams using Intune app protection policies. I tried setting the config "Send org data to other apps" and using "Policy managed apps with Open-In/Share filtering". I configured "Select apps to exempt" with the Telegram app ID and app name, but it does not work. I want to ask if this approach is correct and if Microsoft allows us to do that? Thanks.

Firewall Off despite policy being enabled
In Firewall and network protection, it says Firewall is off for all network types. However, it should be on. Is this normal/expected? However, in Security providers, Firewall is enabled.

==========

In PowerShell, Firewall appears to be enabled too.

C:\Windows\System32>netsh advfirewall Show allprofiles

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096
Ok.

===========

In the Intune Firewall Policy the three options are enabled:

Monitor low disk space for computers
Hi All, We have a requirement to monitor low disk space, particularly on devices with less than 1 GB of available space. We were considering creating a custom compliance policy, but this would lead to blocking access to company resources as soon as the device becomes non-compliant. Therefore, we were wondering if there are any other automated methods we could use to monitor the logical disk space (primarily the C drive) using Intune or Microsoft Graph. Thanks in advance, Dilan