App Protection Policies
The App Protection policies need work. If I create an App Protection Policy that uses whether a device is enrolled or not as a condition, this doesn't work as you would expect.
This should look simply at whether or not a device is tied to an MDM at the least, or enrolled in Intune itself.
To make this work, you have to install the Company Portal app, which, after logging in, sees right away that the phone is enrolled and even displays the date and time. This is not enough for the App Protection Policy, however.
You then have to go through the enrollment process inside the Company Portal app - where you confirm the last 4 digits of the serial. This will finally be the trigger for your policy.
This is an extremely cumbersome process. Intune can tell if a device is enrolled to an MDM, especially if it's enrolled into Intune itself. There should be no reason to force a second enrollment via the Company Portal app. It's fine if you want to force the Company Portal app to be used but it should require no user interaction to know it's enrolled already since the app already knows before the process even begins.
A recent update has made this worse for Windows App Protection policies. The protected and exempt app list cannot be sorted, and the list of apps cannot be exported via clipboard to Excel. So there is no simple way to compare more than one protection policy app whitelist without using the Graph API. What is the point of the columns without sorting capability? There should be an export button to download the list of apps whitelisted and exempted.