JanNuaman-2253 asked LuDaiMSFT-0289 commented

Endpoint protection manager

Hello,

I've asked a few questions about this same scenario, related to iOS enrollment in Endpoint Protection Manager as company-owned devices.

Earlier status: iOS devices were not managed and users were accessing email, Teams and OneDrive.

Enrollment process I followed:
1-The scenario I followed is to add iOS serial number to enrollments
2-Created the required Apps /Policies to be pushed
3-Install Intune Company Portal manually and enroll the devices

Everything went smoothly and it was really promising until this week, when I discovered that approximately 30 employees just uninstalled Intune Company Portal! Now it is as before: they are still able to open mail, Teams and OneDrive, and I don't have any control.

I will re-enroll them again, but how can I block their ability to uninstall Intune Company Portal?

Tags: mem-intune-general, mem-intune-enrollment, mem-intune-application-management

TimmyAndersson answered

Conditional Access is the easiest way (in my opinion) to force users to have their device managed and enrolled before they are allowed access to resources like email, Teams etc.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

If you are using Apple Business Manager and ADE (Automated Device Enrollment), I think there's a setting you can configure to block unenrollment as well.

JanNuaman-2253 answered

@TimmyAndersson I have the policy in place. Would you mind advising what is wrong with my policy:

Policy Configuration:

Name: Enforce MFA for all users

Users or workload identities: assigned to a group that includes all users ("not the service accounts"); no exclusions.

Cloud apps or actions: selected apps: Office 365, Microsoft Intune Enrollment

Conditions:
Device platforms: Not configured
Locations: Any location; excluded 2: MFA Trusted IPs & Company HO ("which is our LAN")
Client apps: Not configured
Device state (Preview): Not configured
Filter for devices: Not configured

Access controls:
Grant access: the only selected one is: Require multi-factor authentication
Session: 0 controls selected

Enable policy: On

JanNuaman-2253 answered

@TimmyAndersson Any idea?

MrSbaa answered LuDaiMSFT-0289 commented

Hi @JanNuaman-2253

The Conditional Access policy you configured will not force users to have Company Portal installed on their mobile device. If you want to achieve that, you have to use app protection policies, which will require the user to also install the Company Portal app. You can then also configure Conditional Access policies to require the app protection policy on these devices. Users will then be forced to install the Company Portal app.

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy
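To make the gap MrSbaa describes concrete, here is an added example (not code from this thread or from Microsoft): the asker's MFA-only policy and a hardened companion policy written in the Microsoft Graph conditionalAccessPolicy shape, plus a small audit function that flags grants an unenrolled device can still satisfy. Group and named-location ids are placeholders, and the companion policy assumes the MFA-only policy stays in place for the Intune Enrollment app so enrollment itself is not blocked.

```python
# Entra ID Conditional Access policies in the Microsoft Graph schema, the same
# shape returned by GET /identity/conditionalAccess/policies. Added example.

# Grant controls that require the device to be Intune-managed or the app to be
# under an app protection policy. "mfa" alone says nothing about management.
MANAGEMENT_CONTROLS = {"compliantDevice", "compliantApplication"}

# Constructed from the policy the asker pasted: MFA is the only grant control
# and two named locations (the LAN) are excluded.
MFA_ONLY_POLICY = {
    "displayName": "Enforce MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["<all-users-group-id>"]},          # placeholder
        "applications": {"includeApplications": ["Office365", "<intune-enrollment-app-id>"]},
        "platforms": None,
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["<mfa-trusted-ips-id>", "<company-ho-id>"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Hardened companion policy: mobile access to Office 365 needs a compliant
# (enrolled) device or an app running under an app protection policy.
MANAGED_DEVICE_POLICY = {
    "displayName": "Office 365 on mobile: managed device or app protection",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["<all-users-group-id>"]},          # placeholder
        "applications": {"includeApplications": ["Office365"]},       # not the enrollment app
        "platforms": {"includePlatforms": ["iOS", "android"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": []},
    },
    "grantControls": {"operator": "OR",
                      "builtInControls": ["compliantDevice", "compliantApplication"]},
}


def audit_policy(policy: dict) -> list[str]:
    """Return the ways an unenrolled device could still satisfy this policy."""
    findings = []
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if not controls & MANAGEMENT_CONTROLS:
        findings.append("no compliantDevice/compliantApplication grant: MFA alone admits unenrolled devices")
    elif grant.get("operator") == "OR" and controls - MANAGEMENT_CONTROLS:
        # "mfa OR compliantDevice" is satisfied by MFA alone; use AND or a separate policy.
        findings.append("operator OR lets a non-management control satisfy the grant")
    excluded = ((policy.get("conditions") or {}).get("locations") or {}).get("excludeLocations") or []
    if excluded:
        findings.append(f"{len(excluded)} excluded location(s): policy is not evaluated from there")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, so nothing is enforced")
    return findings
```

The audit function also works on policies exported from the tenant, so it can be run over every policy to find the ones that let an unenrolled device through.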


I think this is a good idea; let me test it first.

@JanNuaman-2253 I am checking this thread. Thanks to MrSbaa for the valuable input. Is there any other assistance that we can provide?

If the reply is helpful, please accept his answer. It will make it easier for someone else who has a similar issue to find the direction.

Thanks for your kindness in advance.


Thanks for your reminder!

MrSbaa provided a great suggestion. Unfortunately the configuration didn't work for iOS, as iOS uses Microsoft Authenticator, which doesn't enroll iOS devices.

So I cannot mark it as an answer to my request. But I would suggest it for Android devices.