Microsoft Intune

asked 2021-11-18T12:54:47.607+00:00
MatYC 81 Reputation points

Hi

Below is concerning iPads/iPhones.

Our Intune enrolled users have a ‘company portal’ app. The users who have the company portal app download the apps that the company have added to Intune’s app section. That is fine & I refer to these as ‘business apps’

Separately, users have access to their own normal app store just like everyone else and can download apps as normal. That is fine & I refer to these as ‘personal apps’

The problem is that we do not want business apps to share data with personal apps. For example, we have ‘Microsoft Outlook’ as a business app that we do not want to be able to share with a personal app, such as copying and pasting data or using the ‘open with’ button. Microsoft Outlook is just an example; we have lots of ‘business’ apps that we don’t want to have any interaction with ‘personal apps’. Is this possible on Intune & if not is there an alternative MDM?

• Personal Apps are completely split with company apps (i.e. managed vs unmanaged). They will not be able to interact with each other in ANY WAY (copy data, ‘share’ through, ‘open with’)

Conditional Access (on Intune you can configure ‘Conditional Access’, which allows us to control the devices and apps that can connect to company resources). Essentially it means we want to configure conditional access so it only allows our cloud CRM system / SharePoint etc. to be accessed ONLY on MDM enrolled devices.

Can make Outlook only allow one account - prevent users from logging in with their personal account in Outlook.

Thanks
Matt


Accepted answer
  1. answered 2021-11-19T01:31:05.593+00:00
    Lu Dai-MSFT 20,896 Reputation points Microsoft Employee

    @MatYC Thanks for posting in our Q&A.

    For this issue, I agree with Rahul Jindal. An app protection policy will meet your requirement. You can add the ‘business apps’ to the app protection policy and configure the settings under Data protection to prevent business apps sharing data with personal apps.
    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#data-protection

    To only allow MDM enrolled devices to access specific apps, it is suggested to add the apps in "Cloud apps or actions" and select "Require device to be marked as compliant" under Grant access in the conditional access policy.
    https://learn.microsoft.com/en-us/mem/intune/protect/create-conditional-access-intune

    To prevent personal accounts from logging in to Outlook, I find there is a setting "Allow only work or school accounts" in the App configuration policy.


    Hope it will help.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
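
The data protection settings referred to in the answer above can be checked on an exported policy. This is an added example, not part of the original answer and not Microsoft's code: it assumes the policy was exported as JSON in the shape of the Microsoft Graph `iosManagedAppProtection` resource, and the sample policy, the names `audit_app_protection` and `STRICT`, and the bundle ID `com.example.mobilecrm` are constructed for illustration.

```python
# Added example: audit an exported iOS app protection policy (not Microsoft code).
# Field names follow the Microsoft Graph iosManagedAppProtection resource.
# The policy and the bundle IDs below are constructed sample data.

SAMPLE_POLICY = {
    "displayName": "iOS business apps (constructed sample)",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "apps": [
        {"mobileAppIdentifier": {
            "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
            "bundleId": "com.microsoft.Office.Outlook"}},
    ],
}

# Values that allow no exchange with unmanaged (personal) apps, matching the
# "not in ANY way" requirement in the question. managedAppsWithPasteIn is
# rejected because it still lets personal-app content be pasted in.
STRICT = {
    "allowedOutboundDataTransferDestinations": {"managedApps", "none"},
    "allowedInboundDataTransferSources": {"managedApps", "none"},
    "allowedOutboundClipboardSharingLevel": {"managedApps", "blocked"},
}


def audit_app_protection(policy, required_bundle_ids):
    """Return findings; an empty list means every check passed."""
    findings = []
    for setting, allowed in STRICT.items():
        value = policy.get(setting, "allApps")  # missing key: assume unrestricted
        if value not in allowed:
            findings.append(f"{setting}={value}")
    # Bundle IDs are compared case-insensitively.
    targeted = {
        app.get("mobileAppIdentifier", {}).get("bundleId", "").lower()
        for app in policy.get("apps", [])
    }
    for bundle_id in required_bundle_ids:
        if bundle_id.lower() not in targeted:
            findings.append(f"not targeted: {bundle_id}")
    return findings


if __name__ == "__main__":
    wanted = ["com.microsoft.Office.Outlook", "com.example.mobilecrm"]
    for finding in audit_app_protection(SAMPLE_POLICY, wanted):
        print(finding)
```

Each finding names either a setting that still permits exchange with personal apps or a business app the policy does not target.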


3 additional answers

  1. answered 2021-11-18T16:49:17.463+00:00
    Rahul Jindal [MVP] 6,156 Reputation points Microsoft MVP

    What you need is to implement APP (aka MAM) to secure your company data. I blogged about this a while back and I am sharing the link here for your reference: intune-application-protection-policies.html


  2. answered 2021-11-19T09:16:39.677+00:00
    MatYC 81 Reputation points

    Thank you so much guys. It is much appreciated. Have a great weekend


  3. answered 2021-11-19T09:41:23.893+00:00
    MatYC 81 Reputation points

    One more question: whenever I create a protection policy I have the option to choose Microsoft Apps, but we want to use our corporate 'business apps' which are not included in Microsoft, for example 'Mobile CRM'. Is there a way I am able to include this app in the protection policy and add it to Intune?
