App protection policy for unenrolled devices Windows / MacOS

Michael Novak 81 Reputation points
2023-07-20T14:26:18.8633333+00:00

Hello,

I have been asked by the client if it is possible to use MAM without enrollment on Windows 10/11 and MacOS personal BYOD devices to control app security. They are reluctant to enroll their devices because the administrator has permission to remotely wipe the device. I told them that it is currently not possible; however, I'd like to know:

  1. Is there a way or possible workaround to somehow control app security on these platforms? I'd rather not use WIP, as it has an announced sunset, plus using WIP with unenrolled devices is no longer supported.
  2. How come the user is able to use Office desktop apps on unenrolled Windows and MacOS devices? Is this because there is no conditional access policy to prevent use of these apps on unenrolled devices?
  3. Or do I simply inform the client that they have to enroll their devices as personal devices into Intune if they want to use app protection/control?

Thanks

Michael


1 answer

  1. Crystal-MSFT 40,376 Reputation points Microsoft Vendor
    2023-07-21T02:40:32.38+00:00

    @Michael Novak, thanks for posting in Q&A. Based on my research, app protection policy currently does not support MacOS yet.

    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy#supported-platforms-for-app-protection-policies

    And for Windows devices, the Windows Information Protection without enrollment scenario in Microsoft Intune has been removed.

    https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-end-of-support-guidance-for-windows-information/ba-p/3580091

    And now Microsoft develops Microsoft Purview Information Protection and Data Loss Prevention to help organizations protect enterprise apps and data against accidental data leaks. You can consider using them instead. Here is a link with more details:

    https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-the-sunset-of-windows-information-protection-wip/ba-p/3579282

    For your second question, I would say yes: if no Conditional Access policy blocks the access, the user is able to access Office.

    Hope the above information can help.



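To make the second question concrete, here is an added example (not part of the original thread or of Microsoft's answer) of a Conditional Access policy body that would require a compliant device for Office 365 desktop clients on Windows and macOS. The display name, the report-only state and the excluded group placeholder are assumptions; the property names and values follow the Microsoft Graph `conditionalAccessPolicy` schema.

```powershell
# Added example: builds a Conditional Access policy body and prints it as JSON.
# Nothing is sent to the tenant unless the two commented lines at the end are run.
# Assumptions: display name, report-only state, excluded group placeholder.

$policy = @{
    displayName = 'EXAMPLE - Office 365 desktop apps require compliant device'

    # Report-only: sign-ins are evaluated and logged, but nothing is blocked.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        users = @{
            includeUsers  = @('All')
            # Placeholder: object ID of a group holding emergency-access accounts.
            excludeGroups = @('<emergency-access-group-object-id>')
        }
        # 'Office365' is the built-in app group covering Exchange, SharePoint, Teams, etc.
        applications = @{ includeApplications = @('Office365') }

        # Desktop and mobile clients (the Office desktop apps from question 2),
        # leaving browser sessions out of scope for this policy.
        clientAppTypes = @('mobileAppsAndDesktopClients')

        # Only the two platforms discussed in the thread.
        platforms = @{ includePlatforms = @('windows', 'macOS') }
    }

    grantControls = @{
        operator        = 'OR'
        # An unenrolled device cannot report compliance, so it fails this control.
        builtInControls = @('compliantDevice')
    }
}

# Inspect the request body offline before creating anything.
$policy | ConvertTo-Json -Depth 5

# To create the policy (requires the Microsoft.Graph.Identity.SignIns module):
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
# New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Without a policy of this kind, sign-ins from unenrolled Windows and macOS devices are not evaluated for device state at all. Reviewing the report-only results in the sign-in logs shows which users would be affected before the state is switched to `enabled`.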