Overview
The Global Secure Access client supports bring your own device (BYOD) scenarios so users can access company resources. As a tenant administrator, enable Global Secure Access traffic profiles for members, including internal guests. The client supports automatic Microsoft Entra device registration.
Important
To block access from BYOD, configure a Conditional Access policy to allow access only from a compliant device.
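One way to create the policy described above with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original page. It creates the policy in report-only mode and reads it back to confirm the compliant-device grant control. Both GUIDs are placeholders, and scoping the policy to a single enterprise application and excluding an emergency-access group are assumptions of this example.

```powershell
# Added example: requires the Microsoft.Graph PowerShell module.
# Both GUIDs are placeholders, not values from this page.
$privateAppId      = '00000000-0000-0000-0000-000000000001'  # placeholder: enterprise app to protect
$breakGlassGroupId = '00000000-0000-0000-0000-000000000002'  # placeholder: emergency-access group

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$policy = @{
    displayName   = 'Private Access - require compliant device'
    # Report-only first: review sign-in logs before switching state to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{
            includeApplications = @($privateAppId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        # A device that is only Microsoft Entra registered and not managed
        # cannot satisfy this control, so BYOD sign-ins are denied once enforced.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and fail loudly if the grant control is missing.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.BuiltInControls -notcontains 'compliantDevice') {
    throw "Policy $($created.Id) does not require a compliant device."
}
"{0} created in state '{1}'" -f $check.DisplayName, $check.State
```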
Windows
- Supports secure access on Microsoft Entra registered Windows devices.
- Only private application traffic is supported. Enable Private Access traffic profiles for these users.
- If the device isn’t registered or joined, the client registers the device to your tenant during first sign-in.
- If the device isn’t joined and has multiple registrations, the user selects the tenant at sign-in by signing in with a Microsoft Entra user of that tenant.
- Supports an account picker in the sign-in flow to make it easier to sign in with a different account.
  - The account picker appears by default on Microsoft Entra-registered devices.
  - To enable the account picker or to switch to another tenant on Microsoft Entra-joined devices, enable the Sign out option. For details, see Hide or unhide menu buttons in the system tray.
Important
On Windows devices that are Microsoft Entra joined or hybrid joined, the client connects to the joined tenant by default.
Android
- BYOD support without device enrollment is available using Microsoft Authenticator or the Microsoft Intune Company Portal through Microsoft Entra device registration.
- On the device:
  - Install Microsoft Authenticator from the App Store and register the device to the tenant or install the Company Portal app (no device enrollment required).
  - Install the Microsoft Defender app from Google Play and complete sign-in.
  - A device-wide VPN profile is created. The Global Secure Access tile is off by default; the user must turn it on to send Private Access traffic.
- Enable private traffic profiles for these users.
iOS
- BYOD support without device enrollment is available using Microsoft Authenticator through Microsoft Entra device registration.
- On the device:
  - Install Microsoft Authenticator from the App Store and register the device to the tenant.
  - Install the Microsoft Defender app from the App Store and complete sign-in.
  - A device-wide VPN profile is created. The Global Secure Access tile is off by default; the user must turn it on to send Private Access traffic.
- Enable private traffic profiles for these users.
macOS
BYOD support without device enrollment is available through Microsoft Entra device registration.
- Install and register the device using the Company Portal (no device enrollment required).
- Enable private traffic profiles for these users.
Platform behavior
| Platform/device state | Connection target | Microsoft Entra tunnel | M365 tunnel | Internet tunnel | Private tunnel | Notes |
|---|---|---|---|---|---|---|
| Windows Microsoft Entra joined and hybrid joined device | Client connects to the tenant to which the device is joined. | ✅ | ✅ | ✅ | ✅ | Enable the Sign out option in the client to allow users to sign out and switch to an external tenant. Allows the user to switch to a resource tenant using external user access (B2B). |
| Windows Microsoft Entra registered device | User selects a tenant at first sign-in. | ❌ | ❌ | ❌ | ✅ | Can switch to another tenant by selecting the Sign out option on the client. Allows the user to switch to a resource tenant using external user access (B2B). |
| macOS Microsoft Entra registered device with and without device enrollment | User selects a tenant at first sign-in; remains connected to that tenant | ✅ | ✅ | ✅ | ✅ | Uses Company Portal to Microsoft Entra register the device. |
| Android Microsoft Entra registered with and without device enrollment | User selects a tenant at first sign-in; remains connected to that tenant | ✅ | ✅ | ✅ | ✅ | Applies to enrolled devices with Company Portal. For unmanaged devices, Microsoft Entra registration can be done with the Company Portal and Authenticator apps. |
| iOS Microsoft Entra registered with and without device enrollment | User selects a tenant at first sign-in; remains connected to that tenant | ✅ | ✅ | ✅ | ✅ | Applies to enrolled devices with Company Portal. For unmanaged devices, Microsoft Entra registration can be done with the Authenticator app. |
Summary
- ✅ Device join takes precedence on Windows.
- ✅ Registered devices choose a tenant at initial sign-in.