Microsoft Intune Feedback

Create a conditional access policy for Users not enrolled or on a compliant Device

Many of our users work from home and do not want their personal Windows computer to be either enrolled into our MDM suite or onto Azure AD. With our strict compliance regulations users are struggling to make their own Windows computer devices compliant.

Would it be possible to have a policy that is in the middle, where users can access emails, OneDrive for Business and SharePoint sites without the need to be on a domain-joined computer or enrolled into our MDM suite? I would like to see this policy give the user access to all content, but only from the browser, such as IE, and not from any applications, as all the Office packages are now mostly available to use in a web browser. This would mean that the user is just working in the cloud without the need to download any applications. I would also like this policy to stop users from downloading any content to their personal device, so it just stays in the cloud-based Office applications while working in this way. This policy could be enforced by requiring users to provide two-factor authentication to be able to access their OneDrive for Business and SharePoint sites etc. from their own personal device.

Could we please look at implementing a policy such as this to help users work on their own personal device more easily, without the need to enrol in either Azure AD or the MDM suite.

77 votes
Andrew Walton shared this idea
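The access model requested above (browser-only access for personal devices, MFA required, downloads blocked, rich clients refused) can today be expressed as Conditional Access policies. The following is an added example written for this page, not code from the original poster or from Microsoft's documentation; it assumes the Microsoft Graph PowerShell SDK and SharePoint Online Management Shell are installed, and the `<break-glass-account-id>` and `<tenant>` values are placeholders to be replaced.

```powershell
# Added example: two Conditional Access policies implementing "browser only, MFA,
# no downloads" for devices that are neither compliant nor Azure AD joined.
# Both are created in report-only mode so sign-in logs can be reviewed before
# enforcement; flip 'state' to "enabled" once the impact is understood.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Device filter: personal/unmanaged devices (not compliant AND not Azure AD joined).
# Devices that were never registered have no device object; confirm in report-only
# sign-in logs that they match as expected before enforcing.
$unmanaged = @{
    mode = "include"
    rule = 'device.isCompliant -ne True -and device.trustType -ne "AzureAD"'
}

# Policy 1: browser sessions from unmanaged devices are allowed, but only with MFA
# and with app-enforced restrictions (SharePoint/OneDrive "limited access").
$browserPolicy = @{
    displayName = "Unmanaged devices: browser only, MFA, limited access"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-id>") }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
        devices        = @{ deviceFilter = $unmanaged }
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
}

# Policy 2: desktop and mobile apps (Outlook, OneDrive sync client, ...) from the
# same devices are blocked, so corporate data cannot be synced to the personal machine.
$clientBlockPolicy = @{
    displayName = "Unmanaged devices: block desktop and mobile apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-id>") }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        devices        = @{ deviceFilter = $unmanaged }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $browserPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $clientBlockPolicy

# App-enforced restrictions only block downloads once SharePoint is told to honour them.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
```

Exchange Online needs the equivalent switch on the OWA mailbox policy (`Set-OwaMailboxPolicy -ConditionalAccessPolicy ReadOnly`) for the attachment-download restriction to take effect in Outlook on the web.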

    2 comments

      • Tim Beer commented

        Every company I see is desperate for this feature, some of the companies are not adopting EMS yet because of the lack of this feature.

        Nearly all companies currently have a lot of users who currently access their mail through their personal devices and often the same user is given a corporate device.

        At the moment the admin either has to tell users that they must enrol all devices, both personal and corporate, which they don't want to do as they feel their personal devices should not have to be enrolled.

        Or the admin is restricted to only use MAM-WE, yet management want the corporate devices to be enrolled.

        Microsoft should offer both to the same user so that Conditional Access can be targeted per device and user, not just per user.

      • Anonymous commented

        I think first they should allow multiple conditional access policies. Mobile devices and PCs should have separate configuration, as you might want to let some users access from a non-AD-joined or non-compliant PC or Mac. On the other hand, you can still want to enforce compliance on their mobile device.
