Intune Android Enterprise - Personal owned work profile: Intune managed apps vs user installed apps

roy lee 51 Reputation points
2021-08-30T09:06:19.373+00:00

We are testing Intune MDM and MAM.

The first target is Android devices.

We want to limit mobile devices to accessing O365 resources with an Intune-enrolled device and approved apps, by conditional access.

For privacy, we allow BYOD Android devices with a work profile.

Intune can push apps as managed apps, but users can also install apps.

My question is what is the difference between using the managed apps and user installed apps?

If there is any advantage in using managed apps over user-installed apps, how to restrict users to access O365 resources by Managed apps only?

Thanks.


Accepted answer
  1. Jason Sandys 31,181 Reputation points Microsoft Employee
    2021-08-30T14:23:59.257+00:00

    what is the difference between using the managed apps and user installed apps?

    At a technical level, nothing. Apps in the "work profile" are exactly as implied, managed by the org and can have their data wiped and are subject to APP policies. Apps in the "personal profile" are not. Thus, this is mainly a privacy and control mechanism.

    how to restrict users to access O365 resources by Managed apps only?

    Conditional access accounts for the different profiles, so as long as the CA profile requires the device to be managed, then only apps in the "work profile" will meet this criterion. In many (but not all) respects, it's almost like having two separate devices.


2 additional answers

  1. Lu Dai-MSFT 28,366 Reputation points
    2021-08-31T02:26:07.267+00:00

    @roy lee Thanks for posting in our Q&A.

    Jason has explained it very clearly, and I'll just add some information about Conditional Access policy. App-based conditional access policy will make sure only managed apps can access O365 resources. We can read the following article as a reference:
    https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune

    Hope it will help.


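The two answers above describe two different Conditional Access grants: one that requires a managed device and one that requires an approved app. The following is an added example, not code from the thread or from Microsoft: it audits exported policies to see which of the two is actually enforced for Android sign-ins to Office 365. It assumes policies shaped like Microsoft Graph `conditionalAccessPolicy` objects, that "device to be managed" corresponds to the `compliantDevice` grant control and app-based access to `approvedApplication`, and it does not evaluate user or group scoping.

```python
# Added example. SAMPLE is constructed data shaped like Microsoft Graph
# conditionalAccessPolicy objects; nothing here comes from the thread's tenant.

def applies_to_android_o365(policy):
    cond = policy.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications", [])
    plat = cond.get("platforms") or {}          # null in Graph = every platform
    include = plat.get("includePlatforms") or ["all"]
    exclude = plat.get("excludePlatforms") or []
    app_hit = "All" in apps or "Office365" in apps
    plat_hit = ("all" in include or "android" in include) and "android" not in exclude
    return app_hit and plat_hit

def enforced_controls(policy):
    """Grant controls a sign-in cannot sidestep under this policy."""
    if policy.get("state") != "enabled":        # report-only/disabled enforce nothing
        return set()
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if grant.get("operator") == "OR" and len(controls) > 1:
        return set()                            # any single control satisfies the policy
    return controls

def audit(policies):
    required = set()
    for p in policies:
        if applies_to_android_o365(p):
            required |= enforced_controls(p)
    return {"managed_device_required": "compliantDevice" in required,
            "approved_app_required": "approvedApplication" in required}

def _policy(name, state, platforms, operator, controls):
    # Hypothetical helper that builds one constructed sample policy.
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": ["Office365"]},
                           "platforms": platforms},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE = [
    _policy("Android: compliant device", "enabled",
            {"includePlatforms": ["android"]}, "OR", ["compliantDevice"]),
    _policy("Approved app or MFA", "enabled", None,
            "OR", ["approvedApplication", "mfa"]),
    _policy("Approved app (report-only)", "enabledForReportingButNotEnforced",
            {"includePlatforms": ["android"]}, "AND", ["approvedApplication"]),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, only the managed-device requirement is enforced: the approved-app control is either one option in an OR grant or sits in a report-only policy.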

  2. roy lee 51 Reputation points
    2021-08-31T04:27:40.637+00:00

    @Jason Sandys and @Lu Dai-MSFT
    Thanks, you are right. When I try to use the apps in the personal profile, it prompts and asks to register the device.

    In some cases, like in China without Google services, can I still protect company data by app policy and require approved clients in conditional access without enrolling in Intune?