Whitelist required apps and block all the rest

Aishwarya R M 0 Reputation points
2024-04-12T10:16:54.42+00:00

Is there any way to allow only a few applications and block all other applications from being downloaded or accessed?

Is it feasible to create a policy in Intune that allows only approved applications to be downloaded and blocks all other applications from being downloaded to users' systems?

Microsoft Intune Application management

2 answers

  1. Shawn Collins 505 Reputation points
    2024-04-14T14:16:22.1366667+00:00

    Yes, Microsoft Intune provides the capability to control application access on managed devices, including allowing the download and installation of only approved applications while blocking others. This can be achieved through the use of App Protection Policies and App Configuration Policies in Intune. Here’s how you can set up these policies to restrict application downloads to only those approved:

    Step 1: Define Approved Applications

    First, you need to define a list of approved applications. This can be managed by creating application protection policies that specify which apps are allowed.

    Step 2: Create App Protection Policies

    App Protection Policies in Intune are primarily used for managing and securing apps on both enrolled and unenrolled devices. Here’s how to set up these policies:

    1. Go to the Microsoft Endpoint Manager admin center.
    2. Navigate to Apps > App protection policies.
    3. Click on Create policy and select the platform (iOS/iPadOS, Android, or Windows 10 and later).
    4. Configure the policy to protect your data within the apps you approve. Specify settings such as data transfer restrictions, authentication requirements, and other security settings.

    Step 3: Configure App Control Policies (for Windows)

    For Windows devices, you can use the AppLocker or Windows Information Protection (WIP) features in Intune to define which applications users can install:

    1. Navigate to Endpoint Security in the Microsoft Endpoint Manager admin center.
    2. Go to Attack surface reduction.
    3. Select Create Policy and choose Windows 10 and later as the platform.
    4. Choose App and Browser Control or Application Control for configuring rules related to approved applications.

    Step 4: Deploy Conditional Access Policies

    Use Conditional Access policies to enforce restrictions based on conditions you specify:

    1. Navigate to Security in the Microsoft Endpoint Manager admin center.
    2. Go to Conditional Access.
    3. Create a new policy that applies to all users but includes conditions that restrict app access based on your security requirements (like requiring a compliant device).

    Step 5: Enforce Compliance Policies

    Ensure that devices comply with your organization's standards:

    1. Navigate to Devices > Compliance policies in the admin center.
    2. Create and configure policies that devices must adhere to, ensuring they can only access approved applications.

  2. Crystal-MSFT 43,126 Reputation points Microsoft Vendor
    2024-04-15T02:54:35.55+00:00

    @Aishwarya R M, Thanks for posting in Q&A. For app downloads, Intune only has the feature to allow apps to be downloaded from a private store. For other types of apps, the download cannot be prevented by Intune.

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#app-store

    To help prevent undesired apps from running on your managed Windows devices, there's a feature named Microsoft Intune App Control for Business policies that can do this. Here is a link with more details for your reference:

    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-app-control-policy

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
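As an added illustration of the App Control for Business (WDAC) approach recommended in the second answer, and of the Windows application-control step in the first, here is a PowerShell walkthrough (not code from either answer or from Microsoft's documentation) that builds an allow-list policy from a clean reference machine, validates it in audit mode, then switches it to enforcement. Assumptions: the reference machine only has the approved apps installed, the `C:\WDAC` paths are placeholders, and the resulting XML is what you upload to the Intune App Control for Business policy (or deploy as the compiled `.cip` binary).

```powershell
# Added example, not from the Q&A thread. Run elevated on a clean reference
# machine that has only the approved applications installed.
$PolicyXml = 'C:\WDAC\AllowList.xml'   # placeholder path
$PolicyBin = 'C:\WDAC\AllowList.cip'   # placeholder path

# 1. Scan the reference image and emit allow rules at Publisher level; files
#    without a usable signature fall back to file-hash rules. -UserPEs includes
#    user-mode executables, which is what "block all other apps" needs.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Rule options: 0 = Enabled:UMCI (enforce for user-mode code),
#    3 = Enabled:Audit Mode (log violations instead of blocking),
#    16 = Enabled:Update Policy No Reboot. Start in audit mode so a gap in the
#    allow list surfaces as an event, not as a blocked business app.
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 16

# 3. Compile to the binary form the Code Integrity engine consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. After the audit policy has been deployed and users have exercised the
#    approved apps, list what WOULD have been blocked (event 3076 = audit-mode
#    violation in the CodeIntegrity operational log). Anything legitimate here
#    means the allow list is missing a rule and must be fixed before enforcing.
function Get-WdacAuditViolations {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
Get-WdacAuditViolations | Format-List

# 5. Once the audit log is clean, drop audit mode so the same policy enforces
#    (enforced blocks then log as event 3077), and recompile for deployment.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Deploy the audit-mode version first and treat event 3076 as your test signal; only after it stops firing for approved apps should the enforced build replace it.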