dilannanayakkara-8008 asked

Outlook Managed App restriction on Intune (MAM)

Hi All,

I have created a MAM policy on Intune and applied it to two different users, but literally one person is using both email addresses on his mobile phone (iOS). However, when he tries to add the second user account, it displays the error message below.

201474-image.jpg

Appreciate the help!

PS: If this is a limitation of the MAM policy in Intune, can we apply the same restriction by enrolling the mobile device in Intune? Essentially, we want to block copy-paste from Outlook to third-party apps like WhatsApp, Messenger, etc. This is an iOS device, and if we want to enroll it with Intune, we could go ahead with the BYOD-Device Enrollment option in Intune.


Thanks,
Dilan



EswarKoneti-MVP answered

The feature that you are trying is not supported at the moment and is a design limitation. Only one work account is allowed on an Intune managed device.

Thanks,
eswar
www.eskonr.com


@EswarKoneti-MVP Thank you very much for the reply. I would appreciate it if you can help with the concerns below.

Our ultimate goal is to restrict copy-paste activities between work and personal applications.

  • As per my understanding, when we enroll the device without an App protection policy, we can add multiple accounts, right?

  • When it comes to Android, by default it is unable to share data between the Work and personal profiles, and this shouldn't be a problem as long as we can add multiple accounts on a personally owned work profile enrollment. Is this correct?

  • When it comes to iOS devices, if we choose BYOD-Device enrollment without app protection policies, again we can add multiple accounts, right? In this case our challenge is to block copy-paste activities, and I saw a setting "Allow copy/paste to be affected by managed open-in" under the iOS device restrictions policy. Can we use this setting to block the copy-paste activities?

201440-2022-05-12-21-56-09.jpg


Thanks,
Dilan

Crystal-MSFT answered

@dilannanayakkara-8008, for your questions, here are my answers for reference:

Q1: As per my understanding, when we enroll the device without an App protection policy, we can add multiple accounts, right?
A1: Yes, you can.

Q2: When it comes to Android, by default it is unable to share data between the Work and personal profiles, and this shouldn't be a problem as long as we can add multiple accounts on a personally owned work profile enrollment. Is this correct?
A2: Yes. By default, the Android OS might prevent users from sharing data in the work profile with the personal profile. Data in the personal profile can be shared in the work profile. Also, not the entire device is managed. Management capabilities only affect the work profile that is created on the device during enrollment. All Android apps and data outside the Android Enterprise portion of the device remain personal and under the control of the end user.
https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enterprise-overview#work-profile-management
For the best experience, always sign in to work apps with your work account, and sign in to personal apps with your personal account. Here is a link with more details for reference:
https://docs.microsoft.com/en-us/mem/intune/user-help/what-happens-when-you-create-a-work-profile-android

Q3: When it comes to iOS devices, if we choose BYOD-Device enrollment without app protection policies, again we can add multiple accounts, right? In this case our challenge is to block copy-paste activities, and I saw a setting "Allow copy/paste to be affected by managed open-in" under the iOS device restrictions policy. Can we use this setting to block the copy-paste activities?
A3: Yes, for BYOD without an app protection policy, we can still add multiple work accounts in Outlook. For the setting "Allow copy/paste to be affected by managed open-in", when I set it to Yes, also set "Block viewing corporate documents in unmanaged apps" to Yes, and deploy Outlook via Intune, then copy-paste from Outlook to other unmanaged apps is blocked.
https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-ios#settings-apply-to-all-enrollment-types

Hope it can help.


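An added example, not part of the thread or of Microsoft's code: a check of whether the two settings from A3 add up to a copy/paste block on a particular device. It assumes the Intune settings map to Apple's Restrictions payload keys `allowOpenFromManagedToUnmanaged` and `requireManagedPasteboard` (Apple documents the latter for iOS/iPadOS 15 and later); the sample profile and the function names are constructed for illustration.

```python
import plistlib

# Constructed sample: a Restrictions payload carrying the two settings from A3.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        # "Block viewing corporate documents in unmanaged apps" = Yes
        "allowOpenFromManagedToUnmanaged": False,
        # "Allow copy/paste to be affected by managed open-in" = Yes
        "requireManagedPasteboard": True,
    }],
})

# Assumption stated in the lead-in: the pasteboard key needs iOS/iPadOS 15+.
MIN_OS_FOR_MANAGED_PASTEBOARD = (15, 0)


def parse_version(text):
    """Turn '14.7.1' into (14, 7, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def copy_paste_gaps(profile_bytes, ios_version, source_app_managed):
    """Return the reasons copy from a managed app to unmanaged apps is NOT blocked."""
    profile = plistlib.loads(profile_bytes)
    restrictions = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            restrictions.update(payload)

    gaps = []
    # Both keys default to the permissive value when absent from the payload.
    if restrictions.get("allowOpenFromManagedToUnmanaged", True):
        gaps.append("managed-to-unmanaged open-in is still allowed")
    if not restrictions.get("requireManagedPasteboard", False):
        gaps.append("pasteboard is not tied to managed open-in")
    if parse_version(ios_version) < MIN_OS_FOR_MANAGED_PASTEBOARD:
        gaps.append("iOS %s is older than 15.0, pasteboard key not applied" % ios_version)
    if not source_app_managed:
        gaps.append("source app is not MDM-managed, open-in rules do not cover it")
    return gaps


if __name__ == "__main__":
    for version in ("15.4.1", "14.7.1"):
        print(version, copy_paste_gaps(SAMPLE_PROFILE, version, True) or "blocked")
```

An empty list means every precondition for the block is met; each entry otherwise names one setting or device property to fix.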

@EswarKoneti-MVP Thank you very much for your extended support.

I have tested the scenario (Q3 and A3), but when I applied the configuration, the setting "Allow copy/paste to be affected by managed open-in" appeared as not applicable. I have tried with both "Block viewing corporate documents in unmanaged apps" and "Block viewing non-corporate documents in corporate apps", and also with only "Block viewing corporate documents in unmanaged apps". The status for "Allow copy/paste to be affected by managed open-in" is not applicable in both cases.

Further, I have deployed Outlook from Intune as an available application. Please refer to the screenshots below.



201826-2022-05-13-18-05-05.jpg

201831-2022-05-13-20-18-25.jpg


Crystal-MSFT commented

@dilannanayakkara-8008, from your description, I know that "Allow copy/paste to be affected by managed open-in" shows as not applicable. Here, I would like to confirm whether we deployed Outlook as an iOS store app, like below:

202122-image.png
After Outlook, deployed via Intune, is installed, try checking the status in Company Portal to update the device settings and see if it can be applied. Meanwhile, what is our iOS version? On my test device, which is working, the version is 15.4.1.


@EswarKoneti-MVP Thank you very much for the reply.

Below are my configurations, and the iOS version of my testing device is 14.7.1.


202515-2022-05-17-7-12-47.jpg



Further, just to know: in the scenarios below, is the app considered managed or unmanaged when the application is deployed via Intune as Available? However, for this testing I have installed Outlook from the Company Portal.

Installing the application via the Apple store before joining Intune?
Installing the application via the Apple store after joining Intune (not from the Company Portal)?


Thanks again
