How Can We Control Which Devices Our Users Can Install Microsoft 365 Apps On

Maranya, Damon 326 Reputation points
2023-06-20T14:42:03.6533333+00:00

We are a company that routinely deals with Personal Health Information (PHI) which is protected by HIPAA regulations, and as a result have a need to control what types of data end up on which devices.

We are looking for a way to restrict the devices on which a user can install Microsoft 365 apps that have the potential to cache sensitive data locally on devices not managed by our IT department.

My initial thought was to restrict how users can register devices with AAD. But as far as I can tell, since we use Autopilot and Intune that is not possible.

The next best option is going to be to restrict the installation of apps that typically store at least some protected data locally. The big ones that I can think of are Outlook, OneDrive, and to a lesser extent OneNote.

We basically need to restrict our users to the web client versions of these applications as that is the only way to ensure that PHI data is not being stored in an insecure manner on a personal device.

Microsoft 365 and Office | Install, redeem, activate | For business | Windows

Accepted answer
  1. Deron Braun 86 Reputation points
    2023-06-20T21:30:43.6266667+00:00

    Hi Damon,

    I would recommend turning off the ability for users to install the apps themselves.

    The following link covers this as well as deployment options.

    Choose whether users can install Office on their own devices
    https://learn.microsoft.com/en-us/deployoffice/manage-software-download-settings-office-365#choose-whether-users-can-install-office-on-their-own-devices

    Have a wonderful day,
    Deron Braun
