This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 5%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
We are slowly migrating to InTune but would also like to prevent anyone from adding company data (either through Exchange Online, O365 apps like Outlook, Teams, OneDrive) onto a device until it's enrolled with InTune. We seem to have it working for those trying to add to a new device, however, if they already have a device with those apps on it, they can still work fine. I added my test user to this policy yesterday and the test device is still getting new emails in Outlook as see the notification, but can't open it. I can however open any of the emails that were sent prior to the CA policy. Also, OneDrive stopped working but MS Teams is still working and can send chats.
We need all the MS apps to stop and basically wipe but that doesn't seem possible? Stopping the sign in only stops new data but all the emails are still in the app.
I've tried using the "Sign-in frequency" setting in the session part, which does work those these types of scenarios, however, during our testing, it eventually starting forcing those already enrolled on a compliant device in InTune every hour as well, which clearly we do not want to use.
We want to use a single group so as we start adding users to InTune there will be a bunch of users that are already compliant then adding new ones to force them to enroll etc. I've tried so many different variations of settings with MS Support (in both InTune and Azure) but no one seems to know how to do this. I thought this was a pretty basic need ie we don't want anyone that it's the CA group to use company data unless the device is enrolled with InTune.
Hello @MG , in this scenario CA will block access to Outlook however it won't block the user from seeing already downloaded or cached messages. In order to remove them you will have to remove or reset the Outlook profile. What type of devices/OS are the ones where the policies are not working as expected? Have you tested them using the What If tool?
For now I'm just working with Android devices with either personally owned work profile and corporately owned work profile types. Is it possible to reset/remove an Outlook profile just from a single device from Azure/O365 without affecting their Windows one? When it's a personally owned device, we can't let them leave all of the work email on the device in case they quit.
After another day it appears the Teams app is now finally requesting a signin so that's good.
I will try the What If Tool. Didn't know about it.
The also big issue is that now all the work contacts sync'd from Outlook are still on these devices and there is no prompt. That's a major data leak I have to figure out.
It also appears that new emails are still showing on the device with the CA policy as I see the full email in the notification ie they can read the email there. This CA Policy really doesn't seem to work as it's supposed to.
Hello @MG , please give us as much detail as possible to try to reproduce your issue: device, os, location, user account, ca policies settings, expected result, current result, etc.
I've included all of the screenshots of all of the settings. These are for Android devices. My location is Canada.
I've modified the policy to be a full Block now (versus screenshot showing Grant). My expected results would be to BLOCK the apps completely. On my test device, new emails are still showing in the notification area so the user can read the full summary of the email and can still open and access all emails on the device prior to the policy being applied. Nothing is actually blocked; It's just preventing the sign-on which is not a block at all.
Hello @MG , thanks for the information. I'm reaching the product team about this and will come back to you ASAP.
Hello @MG , we're going to need to Create an Azure support request. for this one. If you don't have a support plan, then let me know to enable a one-time free support case for you.
I have had 3 InTune cases as well as 2 more with Azure. They have been of zero help.
Hello @MG , apologies for the delay. I will send you a private message so you can send me your other cases.