S02E27 - Configure Conditional Access & App Protection Policies for iOS in Microsoft Intune - (I.T)

  • Published 7 Sep 2024

COMMENTS • 34

  • @joshs.6371
    @joshs.6371 3 years ago +9

    While I recognize this is meant to be a primer rather than a deep-dive, there are a couple of inaccurate statements that were made that should be corrected to prevent people from believing incorrect information:
    28:59 - This setting is to allow/disallow syncing of corporate contacts and calendar data with the native contacts and calendar apps on the device.
    29:31 - This setting controls whether app notifications from protected apps are allowed and to what degree (e.g. if Outlook is being used for email, do you want to allow app notifications and potentially leak corporate data if the device is configured to show detailed app notifications on the lock screen).

  • @bproducer
    @bproducer 3 years ago +2

    This episode came out at the perfect time as I am rolling out Intune App Protection as opposed to work profiles for BYOD in my organization.

    • @alxactly
      @alxactly 3 years ago

      Same here! Perfect timing. Much less user interaction required using APP instead of enrolling whole personal devices with work profiles, for sure.

  • @davidf7550
    @davidf7550 3 years ago

    Would love to see more iOS material. We are looking at Apple Business Manager, Automated Device Enrollment and a possible future state may include Managed Apple IDs. Great stuff as always, thanks guys!!

    • @IntuneTraining
      @IntuneTraining 3 years ago

      We have a little bit of iOS content and are working on getting some hardware that we can demo with.

  • @LearnITskills
    @LearnITskills 3 years ago

    Awesome video! Thanks for sharing!

  • @bk24708
    @bk24708 5 months ago

    For App Protection Policy. What is the difference for the field "Target to apps on all devices". I notice I can pick No, which then sets the Management Type to "Apps in Android Work Profile". If I pick Yes, I believe it sets it to "All app types".

  • @carolinacadenas7524
    @carolinacadenas7524 2 years ago

    Good video but I have 3 observations:
    1) For iOS devices, APP does not have the settings to get screenshots/videos. This is an iOS limitation rather than an APP limitation. This setting is enabled for Android.
    2) For iOS devices, APP does not force you to install Microsoft Authenticator. In the example, it was triggered for another reason. Maybe the device is enrolled? It was not clarified.
    3) CA failed as per sign-ins logs so... the question on how APP and CA work was not answered.

  • @mujiburchowdhury5243
    @mujiburchowdhury5243 9 months ago

    Would this also block downloading attachments from Outlook/Teams to your phone?

  • @user-zs5ku4yw5r
    @user-zs5ku4yw5r 9 months ago

    Explain to us: app configuration policy in Microsoft Intune.

  • @jayvilla5985
    @jayvilla5985 3 years ago

    Awesome video, learning a lot from you guys. Question for you. Earlier this year we disabled legacy auth with conditional access, similar to how you showed in the beginning of this video, except instead of one policy we split it into two. One blocking "Exchange ActiveSync" and the other blocking "Other clients". We did it this way because there were a good handful of users using ActiveSync, and we wanted to do that at a more gradual pace. That being said, do you see any issues with me leaving it separated like that? Or would you recommend I merge onto one and delete the other? Perhaps it doesn't matter but just want to make sure I'm not missing anything. (Note: all other policy settings like apps, users and groups, conditions, are all the exact same, other than those two settings.)

    • @Schnitzer325ci
      @Schnitzer325ci 2 years ago

      I know it's been a while since you posted, but yes if the policies are identical then just tick the box and keep one policy.

  • @jeffcampbell6530
    @jeffcampbell6530 1 year ago

  • @stebscheele4184
    @stebscheele4184 2 years ago

    I'd like to learn more about the App Configuration Policies for iOS. It seems very limited in Intune. Is there any use for this?

    • @Schnitzer325ci
      @Schnitzer325ci 2 years ago

      A major use if you're planning to have a DLP plan and stop users from uploading all your corporate data, probably from MS to Apple.

  • @jstump1972
    @jstump1972 2 years ago

    You mentioned using app protection policy on iPhone. Well, if the user already has the Outlook app on iPhone and you want to do a selective wipe of the data, then you can't?

    • @Schnitzer325ci
      @Schnitzer325ci 2 years ago

      Yes you can. When you enforce app protection policies with CA assuming you mean BYOD, you can set it so that the device must be enrolled. You can then wipe your corporate data.

  • @paydae
    @paydae 3 years ago +2

    Only Android has the option to disable screen grab.

  • @jongibbons9028
    @jongibbons9028 3 years ago

    Quick question... I have a set of Compliance Policies and Configuration Profiles in MEM admin center and I have been asked to make a new set for an external company we own and alter the policies etc. for them. Can I copy them instead of having to set them all up again individually?

    • @Schnitzer325ci
      @Schnitzer325ci 2 years ago

      Aaah. The good old copy paste. Sadly, no. People have been begging for MS to get this in a single tenant, let alone a multi-tenant function. Can't win everything, I suppose.

  • @jjjjjj5712
    @jjjjjj5712 3 years ago

    Have you guys noticed that creating a CA policy for iOS that requires approved apps and an app protection policy for Office 365 breaks Teams for iOS devices? Teams is not on the list of applications that support this configuration. docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy . Microsoft is supposed to have a fix in place by the end of Q1 2021 but I'm not going to hold my breath. Do you guys have a work around for this? Maybe creating CA policies for iOS that target specific apps like Outlook, Excel, Word, etc, and removing the CA policy that targets Office 365. Then maybe creating a policy that targets Teams and only requires an approved app, but not an app protection policy? Your videos have been very helpful to us. Thanks so much!

    • @Schnitzer325ci
      @Schnitzer325ci 2 years ago

      CA does not target apps on an individual basis, otherwise it would be the ultimate weapon. CA controls the integration and your app policies can do what MS offers. Sadly they are sparse in certain places and problematic in others
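As an added example (not from the video or the channel), here are the two policies these threads talk about expressed as Microsoft Graph conditionalAccessPolicy objects: @jayvilla5985's two legacy-authentication blocks merged into one policy by listing both client app types, and the iOS policy @jjjjjj5712 describes, which requires an approved client app or an app protection policy for Office 365 on iOS. Both are in report-only state so the effect shows up in the sign-in logs before anything is enforced; the break-glass exclusion group id is a placeholder you would replace with your own.

```json
[
  {
    "displayName": "Block legacy authentication (merged)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeGroups": ["<break-glass-group-object-id>"]
      },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["exchangeActiveSync", "other"]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["block"]
    }
  },
  {
    "displayName": "iOS: require approved app or app protection policy for Office 365",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeGroups": ["<break-glass-group-object-id>"]
      },
      "applications": { "includeApplications": ["Office365"] },
      "platforms": { "includePlatforms": ["iOS"] },
      "clientAppTypes": ["mobileAppsAndDesktopClients"]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["approvedApplication", "compliantApplication"]
    }
  }
]
```

Each object can be POSTed to the identity/conditionalAccess/policies endpoint; once the report-only sign-in results look right, switch "state" to "enabled".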

  • @Cynric10
    @Cynric10 2 years ago

    Hey guys! First of all, great video!
    I'm configuring the app protection in my new company and I set up the app PIN for the managed Apps, which are all the MS Apps for iOS.
    So Outlook was the first App I opened up and it asked me to set a PIN for the App itself. So far so good, but none of the other managed Apps is asking for the PIN or to set up a PIN. I wanted to get rid of the PIN for the managed Apps to test some other stuff and I can't get the PIN removed from Outlook. App protection policy is set to not require any PIN or biometric whatsoever for managed Apps and it still comes up in Outlook. Any advice for this?

    • @Schnitzer325ci
      @Schnitzer325ci 2 years ago

      These policies take time to change, something you'll need to bear in mind. We normally allow 24 hours, as it takes time to "ring" across the network.

  • @cccn714
    @cccn714 3 years ago +6

    Guys, your vids are getting a bit confusing these days. You're all over the place. I am familiar with setting up CAs for legacy apps, but after watching the beginning of the video I think I now know less. For example, at 11:59 Steven goes back and selects more of the Client Apps the policy will be applied to. This is done while Adam is talking about something else, then boom, you're on to another topic. Because there is no explanation of why the extra apps were chosen, it's hard to follow. Don't get me wrong, you are providing us with fantastic content, a lot of which has helped me in the past, but please rein in some of the craziness so we can follow what you're trying to show us.

    • @steveburkett4687
      @steveburkett4687 3 years ago +2

      Agree on this. Steve immediately before this was going on about just applying to 'Mobile apps and desktop clients', then reverses the decision and selects everything else except 'Mobile apps and desktop clients', then while Adam's distracting everyone with small talk about MAM configuration on the tenant Steve sneaks back in and ticks 'Mobile apps and desktop clients' as well! Maybe a simple subtitle added post-production saying 'Steve made a mistake, just tick all the things' would have sufficed.
      Edit: Or indeed, don't tick anything! No need to configure the Client apps bit at all if you're just ticking all the boxes?

    • @Schnitzer325ci
      @Schnitzer325ci 2 years ago

      Solid points here. The uploads and friendly banter are good, but there was an error and it was skimmed over. Just to clarify: the tick boxes were the types of sources for data access. Legacy authentication needs to be off, and nobody really should have that running in their environment anyway. That being said, desktop apps and mobile is what to target.

  • @devanshsharma2723
    @devanshsharma2723 2 years ago

    Please provide Intune SDK support for React Native apps.

    • @IntuneTraining
      @IntuneTraining 2 years ago +1

      You'll have to take that up with Microsoft. We have no control over that.

  • @cyphernz
    @cyphernz 3 years ago

    Please, some hybrid AD content, maybe hybrid Autopilot.

    • @Schnitzer325ci
      @Schnitzer325ci 2 years ago

      Hybrid Autopilot is good, but not worth your time. It creates two entries in Azure AD and turns into a compliance nightmare, albeit it works like a charm. Best bet, if you need to stay Hybrid and you want to automate, is to use WDS and set your GPOs for auto enrollment. It works a treat for us, and provisioning time is 12 mins and 1 hour end to end.

    • @cyphernz
      @cyphernz 2 years ago

      @Schnitzer325ci Haha, I know, the me of 10 months ago was doing hybrid. But now going fully cloud, all customers.

  • @thomasljunggren7408
    @thomasljunggren7408 3 years ago

    Can you block iOS native mail but still allow calendar? Personal devices like to have personal calendars together with work calendars.
    Thanks for a nice video.

    • @Schnitzer325ci
      @Schnitzer325ci 2 years ago

      Yes. Through iOS Configuration Profiles, assuming it's a corporate SUPERVISED device. You choose the mail option and set it to "calendar only" after hiding the native mail app. Go to settings and calendar to get the sync going.