Hi Dean, very nice tutorial! Just a question: what are the dynamic rules for the 'Personal Device Users' Entra ID group?
My CAP is blocking me from accessing Teams online and it's stating I don't have an app protection policy. If you can only define Edge in the app protection policy, how did you get it to work?
Nice one. What is the roadmap for this? Will this only support the browser-based scenario, or will it extend to the fat apps?
Hi Dean, I have more than 50 corporate iPads which are not under any vendor ABM or MDM, and they all need to be enrolled under our ABM. Is there any way to bulk-enrol the devices under the ABM instead of manually doing it one by one using Apple Configurator? I am using Intune as an MDM solution. Please suggest. Thanks
Hey, this could be done through the partner you bought the devices from. But your partner/vendor must be able to and allowed to do this. In Germany there are only a few official partners who can add devices to ABM.
The issue I am facing is that the work account gets registered under the local laptop's Work or School account after the MAM app protection policy for MS Edge is applied locally on the personal Windows laptop. Because of this, the user is able to log in to the local Teams, OneNote and OneDrive apps under the work account, but these applications cannot prevent copy and paste of information, including files, to other external applications. The app protection policy does work for the Office products within the Edge browser. How can I prevent the user from logging in to the company O365 environment from the locally installed Teams, OneNote and OneDrive applications on the personal Windows laptop, but allow all company O365 apps/data from MS Edge, where the app protection policy works?
Conditional access - block the use of desktop apps
It would be nice if they had app protection policies for installed Office apps (just like they do on iOS and Android), but they don't. It seems like they want to push everyone to web-based; even the new Outlook is just a web-based app. They seem to forget that not everyone has constant or fast Internet access.
Great feature. Thanks Dean!
Thanks!
Hi Dean, a unique requirement I am facing: we have a CA policy applied to Windows devices; when accessing the Outlook app it requires BYOD devices to be enrolled and compliant with a compliance policy. But when the same user accesses OWA on an internet cafe machine, only an app protection policy needs to apply to that session. The issue I am facing is that both the app and OWA report as a "Browser" to the CA policy.
Hi.
After trying all the steps, I am getting error code 53003.
The test ID is not able to log in from the Chrome browser, as per the app protection policy, but is getting an error in the Edge browser.
I'm trying to add the Edge app for Windows MAM but it says "Can't find any apps". Do you know anything about it?
Can we enforce a policy wherein the end user cannot install any software and is prompted for admin rights to install, or is blocked when they try to install non-compliant software? Thank you!
Thank you, very interesting! Now, I am not sure why I would still use "App Enforced Restrictions"...
That's a good point! Perhaps this is the evolution of that?
Do you need to enable WIP in Automatic Enrollment?
For the policy to take effect, does this require that the user be signed into the Edge browser with work profile/creds?
Yes, it does.
Hey Dean,
May I know whether this feature only works on Windows 11?
Because I can't log in even though I'm using a work account in the Edge browser. @DeanEllerbyMVP
In testing I noticed that you have to be logged into Edge for this to work. That negates the point of this protection policy, IMO. Staff have their corporate laptops, but if they need to access their email from a friend's computer they will end up signing into Edge, and the device gets registered in Entra. Might as well just block devices not joined to Entra rather than having staff signing into Edge with their tenant ID on non-corporate devices (which they won't sign out of, or have the knowledge to delete their profile).
What about preventing a user from using the Outlook App on a personal device?
You can achieve that with Conditional Access on its own, but it's limited to allow or block (or require MFA, I guess).
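The two Conditional Access shapes discussed in this thread (require an app protection policy for Edge on Windows; block the locally installed Office/Outlook desktop apps on personal devices via Conditional Access) as an added example in Microsoft Graph PowerShell. This is not code from the video or from any commenter; the group ID, display names and the choice of "Office 365" as the target are placeholders and assumptions, and both policies are created in report-only mode so they can be checked in the sign-in logs before enforcement.

```powershell
# Added example, not from the original video or thread.
# Requires the Microsoft.Graph.Identity.SignIns module (Install-Module Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Assumption: object ID of the "Personal Device Users" group referenced in the thread.
$personalDeviceUsersGroupId = '00000000-0000-0000-0000-000000000000'

# Policy 1: Windows + browser client -> require app protection policy (the Edge MAM scenario).
# Only a browser sign-in from a device with a matching app protection policy is granted.
$requireMamInBrowser = @{
    displayName   = 'Windows MAM - require app protection policy for browser access'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = @{
        users          = @{ includeGroups = @($personalDeviceUsersGroupId) }
        applications   = @{ includeApplications = @('Office365') }   # Office 365 app group
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('browser')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantApplication')   # "Require app protection policy"
    }
}

# Policy 2: Windows + desktop/mobile clients -> block, unless the device is Intune-compliant.
# This is the "Conditional Access - block the use of desktop apps" approach: Teams, OneDrive,
# OneNote and Outlook desktop clients on an unmanaged personal laptop are refused, while the
# browser path stays governed by Policy 1.
$blockDesktopAppsOnPersonal = @{
    displayName   = 'Windows - block desktop apps on non-compliant devices'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeGroups = @($personalDeviceUsersGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
        devices        = @{
            deviceFilter = @{
                mode = 'exclude'                      # compliant devices are exempt from the block
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

foreach ($policy in @($requireMamInBrowser, $blockDesktopAppsOnPersonal)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output ("Created '{0}' (id {1}, state {2})" -f $created.DisplayName, $created.Id, $created.State)
}
```

Switch `state` to `enabled` only after the report-only results show the expected users being caught. The second policy could equally be expressed as a grant of `compliantDevice` ("Require device to be marked as compliant") instead of block plus a device filter; the block-with-exclusion form is shown because it makes the exemption explicit. The caveat raised elsewhere in this thread still applies: the browser policy only takes effect once the user signs Edge in with the work account, which registers the device in Entra.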
What licenses do I need to enable to be able to use MAM?
Tried screenshotting? I wonder if that works.
I guess it will work. I believe this will also work with a protection policy on Android/iOS.
Not tried! Let me give it a go on a physical device, as I assume it will work fine on a virtual one.
@patrick__007 It does on iOS.
Screenshots?