CochranJoel-9319 asked AnshulKumarMINDTREELIMITED-5501 commented

Applying Conditional Access

I've been struggling a bit with testing Conditional Access and Application Protection policies in our organization. I have been testing on Android and with two different user accounts: one with Azure AD Premium P1 and Intune, and the other without. My questions:

  • If we have an Application Protection policy to prohibit Managed apps from allowing downloading/screenshot/etc., will this be enforced on a user account that doesn't have Intune or Azure AD P1 licenses?

  • I'm really confused on how the application policies are enforced. I signed into Outlook (on Android) with a Microsoft Business Premium licensed user. CA and AP Policies made me install the Company Portal app. I did not sign into the Company Portal app, but it did enforce the policies (wouldn't allow a screenshot).

  • I tried the same thing with an Office 365 F3 user, and it made me add the Company Portal app, but did not prevent me from taking a screenshot.

  • I changed that user's license to MBP, waited about 15 minutes, and it still wouldn't prevent me. I even tried re-adding the Company Portal app, but it's not applying the policy.

I'm confused because it seems like the App Protection policy gets applied sometimes when the Company Portal app is just installed and not signed into.



azure-ad-conditional-access mem-intune-conditional-access

RahulJindal-2267 answered CochranJoel-9319 commented

The Company Portal app acts as a broker on Android devices for APP, while it is the Authenticator app on iOS. In the case of Android, you just need Company Portal installed for APP to apply. Sign-in is not required. The user will need an Intune license in order for Intune policies to apply.


Thanks. Just to clarify, for APP to apply on an iOS device, do you need the Company Portal app on it? Or does it happen automatically? OR...do you need the Company Portal app and also sign in?

This is a separate question, but I tried applying the "App PIN when device PIN is set = Not Required", but it still required the app PIN even though a device PIN was set. The device was not registered with the Company Portal app. Does it need to be enrolled into Intune for this to work?
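
The answer above ties policy enforcement to the account carrying an Intune license, and the question compares an Office 365 F3 user with one switched to Microsoft Business Premium. As an added example (not part of the original thread), this sketch reads a Microsoft Graph `licenseDetails` response and reports whether the Intune and Azure AD Premium P1 service plans are present and provisioned. The sample responses are constructed and abbreviated, and the function names are hypothetical.

```python
# Service plan names as returned by Microsoft Graph licenseDetails.
REQUIRED_PLANS = {"INTUNE_A": "Intune", "AAD_PREMIUM": "Azure AD Premium P1"}


def _sku(part, plans):
    """Build a constructed licenseDetails entry from (planName, status) pairs."""
    return {"skuPartNumber": part, "servicePlans": [
        {"servicePlanName": n, "provisioningStatus": s} for n, s in plans]}


# Constructed, abbreviated samples shaped like GET /users/{id}/licenseDetails.
SAMPLE_F3 = {"value": [_sku("DESKLESSPACK", [("EXCHANGE_S_DESKLESS", "Success")])]}
SAMPLE_MBP = {"value": [_sku("SPB", [("INTUNE_A", "Success"),
                                     ("AAD_PREMIUM", "Success")])]}
SAMPLE_JUST_CHANGED = {"value": [_sku("SPB", [("INTUNE_A", "PendingProvisioning"),
                                              ("AAD_PREMIUM", "Success")])]}


def plan_status(license_details):
    """Map each required plan to its provisioningStatus, or None if absent."""
    status = {name: None for name in REQUIRED_PLANS}
    for sku in license_details.get("value", []):
        for plan in sku.get("servicePlans", []):
            name = plan.get("servicePlanName")
            # A plan can arrive through several SKUs; keep "Success" if any has it.
            if name in status and status[name] != "Success":
                status[name] = plan.get("provisioningStatus")
    return status


def license_findings(license_details):
    """Return human-readable gaps; an empty list means both plans are provisioned."""
    findings = []
    for name, state in plan_status(license_details).items():
        label = REQUIRED_PLANS[name]
        if state is None:
            findings.append(f"{label} ({name}) not present in any assigned SKU")
        elif state != "Success":
            findings.append(f"{label} ({name}) assigned, provisioningStatus={state}")
    return findings


if __name__ == "__main__":
    for label, sample in [("F3", SAMPLE_F3), ("MBP", SAMPLE_MBP),
                          ("just changed", SAMPLE_JUST_CHANGED)]:
        print(label, "->", license_findings(sample) or "licensed")
```

A plan that is assigned but not yet in the `Success` state is reported separately from a missing plan, which helps when a license was changed shortly before testing.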

JarvisSun-MSFT answered

@CochranJoel-9319 Thanks for posting in our Q&A.
The Company Portal app is required by Intune mobile application management (MAM) scenarios. On Android devices, the Authenticator app includes functions of the broker and might be used as the broker in some situations, such as when the Authenticator was installed before the Company Portal app.
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune
Hope it can help.



