roylee-9083 asked

Intune Android Enterprise - Personal owned work profile: Intune managed apps vs user installed apps

We are testing Intune MDM and MAM.

First target is Android device.

We want to limit mobile device access to O365 resources to Intune-enrolled devices and approved apps, using conditional access.

For privacy, we allow BYOD Android devices with a work profile.

Intune can push apps as managed apps, but users can also install apps themselves.

My question is: what is the difference between using the managed apps and user-installed apps?

If there is any advantage to using managed apps over user-installed apps, how do we restrict users to accessing O365 resources with managed apps only?

Thanks.

Tags: mem-intune-application-management, mem-intune-conditional-access

Jason-MSFT answered

what is the difference between using the managed apps and user installed apps?

At a technical level, nothing. Apps in the "work profile" are exactly as implied: managed by the org, they can have their data wiped and are subject to APP policies. Apps in the "personal profile" are not. Thus, this is mainly a privacy and control mechanism.

how to restrict users to access O365 resources by Managed apps only?

Conditional access accounts for the different profiles, so as long as the CA policy requires the device to be managed, only apps in the "work profile" will meet this criterion. In many (but not all) respects, it's almost like having two separate devices.

roylee-9083 answered

@Jason-MSFT and @LuDaiMSFT-0289
Thanks, you are right. When I try to use the apps in the personal profile, it prompts and asks me to register the device.

In some cases, like in China without Google services, can I still protect company data by app policy and require approved clients in conditional access without enrolling in Intune?

@roylee-9083 App protection policy can be deployed to unenrolled devices. In fact, conditional access is a feature in Azure AD. The requirement of the conditional access is that the device is registered in Azure AD.


The requirement of conditional access is that the device is registered in AAD?

I am thinking of setting up conditional access with the grant controls "require approved client app" and "require app protection policy".

The requirement of conditional access is the device is registered in AAD?

No. Nothing about the device itself needs to be known for CA itself. Some of the conditions you specify in your CA policy may require the device to be AAD registered, but CA itself does not.


For some grant controls, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. For more details, see the following article as a reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#grant-access

LuDaiMSFT-0289 answered

@roylee-9083 Thanks for posting in our Q&A.

Jason has explained it very clearly, and I will just add some information about the Conditional Access policy. An app-based conditional access policy will make sure only managed apps can access O365 resources. See the following article as a reference:
https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune

Hope it will help.


Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
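The answers above describe the policy in words: target Android, target Office 365, and grant access only through an approved client app or an app with an app protection policy. The following is an added example, not code from this thread or from Microsoft, that writes that policy out in the shape of a Microsoft Graph `conditionalAccessPolicy` body and runs an offline sanity check over it, alongside a constructed MFA-only policy that would let personal-profile apps through. The group object id is a placeholder and both policy documents are constructed for illustration; the enum values (`android`, `Office365`, `approvedApplication`, `compliantApplication`, `mobileAppsAndDesktopClients`, `browser`) are the ones Graph uses for this resource.

```python
"""Offline sanity check of Conditional Access policy bodies for the
Android managed-app scenario. Policies below are constructed examples in the
Microsoft Graph conditionalAccessPolicy shape; nothing here calls Graph."""

# Grant controls that force the request to come from a managed app.
MANAGED_APP_CONTROLS = {"approvedApplication", "compliantApplication"}

# Constructed policy: Android clients reaching Office 365 must use an approved
# client app OR an app covered by an app protection policy. Operator "OR"
# means satisfying any one listed control grants access, which is what lets
# an unenrolled device with the work app (and a broker app) still get in.
ANDROID_O365_POLICY = {
    "displayName": "Android - O365 via approved client or APP",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["<PILOT-GROUP-OBJECT-ID>"]},  # placeholder
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["android"]},
        "clientAppTypes": ["mobileAppsAndDesktopClients", "browser"],
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["approvedApplication", "compliantApplication"],
    },
}

# Constructed weak policy: MFA only and no browser scope, so any app in the
# personal profile can sign in once the user completes MFA.
MFA_ONLY_POLICY = {
    "displayName": "Android - MFA only",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["android"]},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def review_policy(policy):
    """Return a list of findings. An empty list means the policy restricts
    Android access to Office 365 to managed apps as the thread describes."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state != enabled)")

    conds = policy.get("conditions", {})
    apps = set(conds.get("applications", {}).get("includeApplications", []))
    if not apps & {"Office365", "All"}:
        findings.append("Office 365 is not among the targeted applications")

    platforms = set(conds.get("platforms", {}).get("includePlatforms", []))
    if not platforms & {"android", "all"}:
        findings.append("Android platform is not in scope")

    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    if not controls & MANAGED_APP_CONTROLS:
        findings.append("no approvedApplication/compliantApplication control")

    # A policy scoped only to mobile/desktop clients says nothing about
    # browser sign-ins, so web access to the same resources is untouched.
    if "browser" not in conds.get("clientAppTypes", []):
        findings.append("browser sign-ins are outside this policy's scope")
    return findings


if __name__ == "__main__":
    for pol in (ANDROID_O365_POLICY, MFA_ONLY_POLICY):
        print(pol["displayName"], "->", review_policy(pol) or ["ok"])
```

Running it reports the first policy as clean and flags the second for lacking a managed-app grant control and for leaving browser sign-ins out of scope. Deploying with `"state": "enabledForReportingButNotEnforced"` first shows in the sign-in logs which personal-profile apps would be cut off before the policy is switched to `enabled`.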
