This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 37%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ2%3C/text%3E%3C/svg%3E)
Hello,
I've asked few questions for this same scenario related to iOS enrollment in endpoint protection manager as company owned.
Earlier status: iOS devices was not managed and users were accessing emails, teams and one drive
Enrollment process I followed:
1-The scenario I followed is to add iOS serial number to enrollments
2-Created the required Apps /Policies to be pushed
3-Install Intune Company Portal manually and enroll the devices
Everything went smoothly and it was really promising till this week, when I discovered that approximately 30 employees just uninstall Intune Company Portal! Now is as before, they still able to open mails, teams and one drive
and I don't have any control.
I will re-enroll them again, but how can I block their abilities from uninstall Intune Company Portal?
Conditional Access is the easiest way (in my opinion) to force users to have their device managed and enrolled to allow them to get access to resources like email, teams etc.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview
If you are using Apple Business Manager and ADE (Automated device enrollment) I think there's a setting you can configure to block unenrollment as well.
@Timmy Andersson I have the policy in place. Would you mind advising what is wrong with my policy:
Policy Configuration:
Name: Enforce MFA for all users
Users or workload identities: assigned to a group that include all users "Not the services account" - No Excludes.
Cloud apps or actions: Selected Apps: Office 365, Microsoft Intune Enrollment
Conditions:
Device platforms: Not configured
Locations: Any location - Exclude 2: MFA Trusted IPs & Company HO "which is our LAN"
Client apps: Not configured
Device state (Preview): Not configured
Filter for devices: Not configured
Access controls:
Grant access: the only selected one is: Require multi-factor authentication
Session: 0 controls selected
Enable policy: On
@Timmy Andersson Any Idea?
Hi @JanNuaman-2253
The conditional access policy configured will not force users to have Company Portal installed on their mobile device. If you want to achieve that, you have to use app protection policies which will require the user to also install the company portal app. You can then also configure conditional access policies to require the app protection policy on these devices. Users will then be forced to install the company portal app.
https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy
I think this is a good idea let me test it first.
@JanNuaman-2253 I am checking this thread. Thank MrSbaa for the valuable input. Is there any other assistance that we can provide?
If the reply is helpful, please accept his answer. It will make someone else who has the similar issue easily find the direction.
Thanks for your kindness in advance.
Thanks for your reminder!
MrSbaa provided a great suggestion. Unfortunately the configuration didn't work for iOS as iOS uses Microsoft Authenticator which doesn't enroll iOS devices.
So I cannot market as an answer to my request. But I would suggest it for Android devices.
@JanNuaman-2253 Thanks for your update. I have done a lot of research about this issue again. Honestly, there is no method to prevent users from uninstalling the company portal app in the device.
If you want to block access apps like mails when uninstalling Company portal app, I have an idea for your consideration. When we remove Company portal in the device, it will not check the compliance status and the device will be noncompliant. If we configure the setting "Require device to be marked as compliant" in the conditional access policy, the user doesn't have access to mail etc.
Or if the iOS device is ADE enrollment and set it in supervised mode, this mode allows an administrator more control over a device than in traditional BYOD scenarios.
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios#what-is-supervised-mode
With the limitation resource, it is just my idea. It may have the ability to make it.
Thanks for understanding.
@JanNuaman-2253, can you share your configuration (app protection policy + conditional access policy)? I have a similar setup in my LAB environment and was able to let this work on IOS devices as well. I am curious what you have configured currently. Also keep in mind that app protection policy is only supported with the Outlook app (not the native email app from IOS).
iOS use Microsoft Authenticator which doesn't enroll iOS devices.
That what I said.
You are telling me that compliance policy can block the uninstall of Inunte company portal?
@JanNuaman-2253 Compliance policy can't block the uninstall of Intune company portal. Compliance policy works with conditional access to prevent user accessing Outlook ect in the non-compliant devices.