Conditional Access to Corporate Devices whilst allowing MAM-WE to Personal
Most users in companies have multiple devices, a mix of corporate and personal.
Most users don't mind enrolling corporate devices, but they do not want to enrol personal devices, yet they want access to email on those devices as well.
It should be possible to ensure the corporate devices must enroll, but the personal devices are only affected by MAM-WE policies so the personal devices for the same user do not need to enrol but only need to register.
Maybe add an option to say that if a device is in Corporate Identifiers it must enrol, or make the conditional access policy able to read an Azure AD device group, so if the device is in a group it must enrol.
Any news on this? Take into account that Intune already makes this distinction: with the enrollment restrictions options we can block enrollment for personal devices and allow only the pre-loaded serials to enroll. We need exactly that distinction embedded in the conditional access policies, requiring a compliant device for all pre-loaded serials and ignoring personal devices in this policy.
We thought we had this beat with Device State, configure = yes, and including all device states, which in theory we thought would only include hybrid joined and compliant devices in the scope (after enrolling in Intune), but the policy was still redirecting us to enroll in Intune :(
Please look into adding this feature soon (I guess that will be sometime in the next couple of years).
For a cloud only environment there is no way to differentiate between corporate and personal devices accessing resources. Allowing CA to work with device groups would be ideal for this.
There are many company resources for which my clients want to block personal devices while still allowing corporate devices access. However, we still want users to be able to enroll personal devices to use other resources.
A control of this nature to restrict CA policies to corporate/personal devices OR allow them to apply to dynamic device groups would be greatly appreciated.
In this new age of GDPR, I'm very surprised it hasn't received more votes from cloud only customers! Certainly my clients, who all operate cloud only environments, are all tearing their hair out for this!!!
Shanib Rahman commented
I agree. When CA is turned on with device state, then BYOD devices are prompted to enrol. We have configured SharePoint CA for unmanaged devices and MAM-WE at the same time. We are now unable to turn this rule on and block non-compliant managed devices. As a workaround we have configured MAM for enrolled devices, but it doesn't cover all the device compliance requirements.
Please let us know if there is a way to do this now and if there is going to be anything done about this.
Jean Chavez commented
I agree with this idea. It is very important to have the option to apply Compliance (Registration) only for corporate devices and, for personal devices, only apply MAM policies, all for the same user.
We need this asap. Since Intune has all the information required, I agree that it could be fairly simple to require enrollment for devices with pre-loaded serials and not allow all else to enroll, but still have the MAM and Conditional Access policies. Thanks for the suggestion Tobias, but in that scenario you are not enforcing the enrollment of corporate devices (pre-loaded serials), and that's required for this idea.
This is already possible. You can use a combination of Conditional Access rules and MAM without enrollment policies to do this.
You can design scenarios that fit your exact requirements, but a simple example:
Create an Exchange Conditional Access Policy for Android and iOS that allows compliant devices (-> Intune managed) OR approved client apps.
Target MAM policies to the Outlook app on unmanaged devices.
-> users can (only) use the Outlook app on their personal device without enrolling, and you can still control company data in this app, without managing personal devices.
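The policy described in that answer, as an added example that is not part of the original post: it creates the Exchange Online Conditional Access policy with the Microsoft Graph PowerShell SDK (cmdlet New-MgIdentityConditionalAccessPolicy); the display name and the break-glass group id are assumed placeholders.

```powershell
# Added example: Conditional Access policy for Exchange Online on Android/iOS
# that grants access with EITHER an Intune-compliant device OR an approved
# client app (Outlook under a MAM-WE app protection policy).
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "CA - Exchange Online mobile: compliant device OR approved app"
    # Start in report-only mode; the sign-in logs then show who WOULD be
    # blocked, so the policy can be checked before it is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: exclude an emergency-access (break-glass) group.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications = @{
            # First-party application id of Office 365 Exchange Online.
            includeApplications = @("00000002-0000-0ff1-ce00-000000000000")
        }
        platforms = @{
            includePlatforms = @("android", "iOS")
        }
        # Scope to the mobile/desktop clients; browser access is not covered here.
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # OR: satisfying either control is enough to get access.
        operator        = "OR"
        builtInControls = @("compliantDevice", "approvedApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

As the rest of the thread points out, the OR grant means a corporate device can also satisfy this policy through the approved app without ever enrolling; the policy itself cannot tell corporate devices from personal ones.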
Could not agree more! This is a VERY common use case. Strange that MS did not already implement it.
It should be fairly easy to implement the logic in the CA code. The feature to add corporate identifiers is already in place.
This makes sense to me
Would be great to have this ability, e.g. to enforce SaaS apps via SAML and conditional access to adhere to MAM-WE. Now one only has the option to select MFA, Compliant, Hybrid AD or approved client app.
Twan van Beers commented
Yes, totally agree! Why on earth would personal devices need to be fully MDM enrolled? However, it is natural to want corporate devices to be autoenrolled into Intune MDM.