This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 0%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi,
We currently have conditional access configured to grant access to our O365 resources from an Intune compliant mobile device when it's not on our network, pretty standard and simple. We're looking to lock down the ability for users to connect to our O365 resources from only our defined Intune managed applications, which have an application protection policy assigned so we can ensure our data is protected. It was advised that if we set the setting under "Viewing corporate documents in unmanaged apps" to block, this should give us what we're looking for, however it does not. I currently have this enforced, and don't have the SharePoint application defined anywhere(not under apps, no app protection policies assigned, etc) but am still able to connect without an issue.
I'm trying to determine what's considered an unmanaged app, by this configuration because it doesn't appear to function as I'd expect.
Thanks,
Mike
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 84%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Firstly, the unmanaged app is an app that doesn’t have Intune app protection policies applied to it.
https://learn.microsoft.com/zh-cn/mem/intune/apps/app-protection-policy
After that, we can check which app has been targeted in app protection policy, as below sample: Outlook and Word apps are the policy managed apps:
In addition, only for apps have been integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool can be managed using Intune app protection policies. There is the official list of Microsoft Intune protected apps that has been built using these tools and are available for public use.
For your request that to lock down the ability for users to connect to our O365 resources from only our defined Intune managed applications, which have an application protection policy assigned so we can ensure our data is protected. How about selecting multiple controls in Conditional access policies: Require device to be marked as compliant, Require approved client app and Require app protection policy (Preview)?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 50%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
Hi,
Thanks, so much for the response. Your first line mentions how I'd expect the setting to work, but I set the "view corporate documents, in unmanaged apps" and the configuration was pushed down. I don't have the SharePoint application defined anywhere, but I was still able to sign into the app and access company resources without issue. Maybe I'm missing something here?
Thanks for the information about the conditional access policy and applying the approved client app and app protection policy, but it's still in preview and don't want to use that option till it's production ready.
Thanks,
Mike
Can I know if the devices have been enrolled in Intune through device enrollment or user enrollment? If the devices enrolled using Apple School Manager or Apple Business Manager with automated device enrollment (formerly DEP). This includes all supervised devices.
What you should do is enable the grant control of requiring app protection policies as well. That way your MAM scenario will get covered.