App protection for OneDrive app on iPhone perceives phone always as unmanaged even if it is managed

Tobias 0 Reputation points
2023-09-12T13:07:00.9233333+00:00

Dear Microsoft,

I try to create app protection polices for iOS, filtert by managed an unmanaged devices. For this, I use the new filter feature for the policies.

My filter for the unmanaged devices:

(app.deviceManagementType -eq "Unmanaged") and (app.osVersion -notContains "17.")

Why '-notContains "17."'? Because I want to split iOS 16 and 17 as well.

The policy for the managed devices is not deployed now.

First it looks great. Outlook, Teams, OneDrive, etc. on private iPhones are protected now.
Managed iPhones are untouched, excepted OneDrive. OneDrive on managed iPhones falsely receive the policy as well.

It seams like, that Intune perceives OneDrive always as unmanaged. No mater if it runs on a managed or unmanaged iPhone.

OneDrive on the managed iPhone was installed over the Company Portal App.

For me, this looks like a Bug.

Please let me know, if you need more information.

Thanks a lot for your support.

Tobi

OneDrive Management
OneDrive Management
OneDrive: A Microsoft file hosting and synchronization service.Management: The act or process of organizing, handling, directing or controlling something.
1,116 questions
Microsoft Intune iOS
Microsoft Intune iOS
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.iOS: An Apple mobile operating system.
185 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Lu Dai-MSFT 28,341 Reputation points
    2023-09-13T02:28:12.32+00:00

    @Tobias Thanks for posting in our Q&A. From your description, did you mean that you only deployed this app protection policy to unmanaged iOS devices, but managed iOS devices also applied this policy? If there is anything misunderstanding, please correct me.

    To clarify this issue, we appreciate your help to collect device data with Microsoft Edge:

    1.Open Microsoft Edge for iOS and Android on your device.

    2.In the address bar, type "about:intunehelp".

    3.Microsoft Edge for iOS launches in troubleshooting mode.

    https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-protection-policies/troubleshoot-app-protection-policy-deployment#step-6-collect-device-data-with-microsoft-edge

    Please check if the managed device's OneDrive app really applied the app protection policy deployed to unmanaged devices.

    If there is anything update, feel free to let us know.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Tobias 0 Reputation points
    2023-09-13T11:39:41.41+00:00

    @Lu Dai-MSFT thanks for your quick response.

    That's right, I only deploy the app protection policy to unmanaged iOS devices. Managed iOS devices should stay untouched.

    I have to add, that I also deploy a app protection policy for Android, but everything is working like expected there. No problems. The filter for managed and unmanaged is working perfectly fine.

    Thanks for the hint with Edge. I didn't know, that I can get more information's with it.
    I used to look in Teams and Outlook under "Privacy Settings" to check if a policy is active or not.

    If I get it right, than Edge is telling me, that the policy is deployed to all apps on the managed iPhone as well. But if i take a look in the apps, the policy is taking no effect. Only in OneDrive the policy takes effect. It should take effect in non app on the managed iPhone.

    Here are the log files.

    I assigniert the policy to a group, in which only I am. My user owns three devices, a Windows Laptop, a Android Smartphone and a iPhone. I also use my private iPhone to check the policy on a unmanaged device.
    The policy is assigned as follows.

    | Group | Group Members | Filter | Filter mode | | -------- | -------- | -------- | -------- | | Microsoft Intune - user - Tobias * | 0 devices, 1 users | Filter - iOS Apps - v16 and older unmanaged | Include | *last Name was removed.

    The Policy:

    @odata.type                             : #microsoft.graph.iosManagedAppProtection
    displayName                             : Test - iOS - App protection - Unmanaged Devices - v16 and older
    description                             : Tobias
                                              03.05.2023
    
                                              Diese Richtlinie schützt Unternehmensdaten auf unmanaged iOS 16 und älter.
    createdDateTime                         : 03.05.2023 06:52:01
    lastModifiedDateTime                    : 13.09.2023 07:55:50
    id                                      : T_f58ca6ce-899d-4cab-9337-abe822582bbd
    version                                 : "71015e2d-0000-0d00-0000-65016b060000"
    periodOfflineBeforeAccessCheck          : PT12H
    periodOnlineBeforeAccessCheck           : PT5M
    allowedInboundDataTransferSources       : allApps
    allowedOutboundDataTransferDestinations : managedApps
    organizationalCredentialsRequired       : False
    allowedOutboundClipboardSharingLevel    : managedAppsWithPasteIn
    dataBackupBlocked                       : True
    deviceComplianceRequired                : True
    managedBrowserToOpenLinksRequired       : False
    saveAsBlocked                           : True
    periodOfflineBeforeWipeIsEnforced       : P90D
    pinRequired                             : False
    maximumPinRetries                       : 5
    simplePinBlocked                        : False
    minimumPinLength                        : 4
    pinCharacterSet                         : numeric
    periodBeforePinReset                    : PT0S
    allowedDataStorageLocations             : {oneDriveForBusiness, sharePoint}
    contactSyncBlocked                      : True
    printBlocked                            : True
    fingerprintBlocked                      : False
    disableAppPinIfDevicePinIsSet           : False
    minimumRequiredOsVersion                : 16.6.1
    minimumWarningOsVersion                 :
    minimumRequiredAppVersion               :
    minimumWarningAppVersion                :
    managedBrowser                          : notConfigured
    isAssigned                              : True
    appDataEncryptionType                   : whenDeviceLocked
    minimumRequiredSdkVersion               :
    deployedAppCount                        : 132
    faceIdBlocked                           : False
    customBrowserProtocol                   :
    

    Thanks a lot for your support.

    Tobi