This week a relatively short blog post related to conditional access. More specifically, about the ability to add an apps that cannot be installed list to a compliance policy. Before starting, note that at this moment this is a Microsoft Intune hybrid only configuration, introduced in Configuration Manager 1702. I’ll start this post with a short introduction, followed by the required configurations, including how to find the required information. I’ll end this post with the end-user experience on an iOS and an Android device.
Introduction
Let’s start with a short introduction about the apps that cannot be installed list. It is an additional rule that can be configured as part of a compliance policy. When the end-user installs an app that is on the list, the end-user is blocked when trying to access corporate email and other corporate resources that support conditional access, and stays blocked until the app is removed from the device. When adding an app to the list, the admin must specify the app name and the app ID. The app publisher can also be added, but it’s not required.
This rule is supported on iOS 6+, Android 4.0+ and Samsung KNOX Standard 4.0+.
Configuration
Now let’s walk through the steps to add an app to the apps that cannot be installed rule of a compliance policy. Let’s start by getting the required app ID, followed by the steps to use that information in a compliance policy.
Get app ID
First get the app ID, as it’s required information for the apps that cannot be installed rule. An app ID is the identifier that uniquely identifies the app within the Apple and Google application services (the App Store and Google Play). I’ll use the OWA app as an example.
Android
The app ID for Android can easily be found in the Google Play store URL that was used to browse to the app: it is the value of the id parameter. As an example, the app ID for the OWA app is com.microsoft.exchange.mowa in the following URL: https://play.google.com/store/apps/details?id=com.microsoft.exchange.mowa&hl=en
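As an added example (not code from this post or from Microsoft), the following Python helper pulls the Android app ID out of a Google Play URL the way described above and validates it, and then models the rule from the introduction: each policy entry needs a name and an app ID (publisher optional), and a device is non-compliant while any listed app ID is installed. The blocked list and installed-app inventory are constructed sample data; how Intune itself evaluates the rule is not shown here.

```python
"""Helpers for the 'apps that cannot be installed' rule (added example)."""
import re
from urllib.parse import urlparse, parse_qs

# Android package names: dot-separated Java-style identifiers, at least two segments.
ANDROID_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def android_app_id(play_store_url: str) -> str:
    """Return the app ID (package name) from a Google Play URL.

    The ID is the value of the 'id' query parameter; other parameters
    such as hl= (language) are ignored. Raises ValueError on bad input.
    """
    parsed = urlparse(play_store_url)
    if parsed.hostname != "play.google.com":
        raise ValueError(f"not a Google Play URL: {play_store_url}")
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1 or not ANDROID_ID_RE.match(ids[0]):
        raise ValueError(f"no valid package name in URL: {play_store_url}")
    return ids[0]


def apps_to_uninstall(blocked, installed_ids):
    """Model of the rule: return the names of blocked apps found on the device.

    'blocked' is the policy list, each entry a dict with 'name', 'app_id' and
    an optional 'publisher'. 'installed_ids' is the device's app inventory
    (constructed here; in practice it comes from the MDM agent).
    Matching is by app ID only; the name is what the end-user is shown.
    """
    installed = set(installed_ids)
    hits = []
    for entry in blocked:
        if not entry.get("name") or not entry.get("app_id"):
            raise ValueError("each policy entry needs both an app name and an app ID")
        if entry["app_id"] in installed:
            hits.append(entry["name"])
    return hits


if __name__ == "__main__":
    owa_url = "https://play.google.com/store/apps/details?id=com.microsoft.exchange.mowa&hl=en"
    policy = [{"name": "OWA", "app_id": android_app_id(owa_url), "publisher": "Microsoft"}]
    device = ["com.android.chrome", "com.microsoft.exchange.mowa"]  # constructed inventory
    print("Uninstall the following apps:", apps_to_uninstall(policy, device))
```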
iOS
The app ID for iOS is a bit more challenging. To find the app ID, follow the next steps.
Configure compliance policy
After finding the app ID, it’s now time to use that information in a compliance policy. Below are the required steps for creating a compliance policy and adding the OWA app to the apps that cannot be installed list. After creating the compliance policy, simply deploy it like any other policy.
End-user experience
When the configuration is done, let’s have a look at the most important thing: the end-user experience. Below on the left is the end-user experience when connecting to a corporate resource with conditional access enabled; this is the standard message for non-compliant devices. Below on the right is the additional information in the Company Portal app. In this case it clearly shows (at least on iOS) that the end-user must first uninstall the OWA app to get a compliant device. The first row is an iOS device, the second row an Android device.
Note: From an administrator perspective, have a look at Monitoring > Overview > Deployments for a clear view of which end-users are non-compliant for the compliance policy.
Hi Peter,
first, congratulations on your technical posts, they are really useful and well done!
I was wondering if there is a way, with an SCCM Intune Hybrid configuration, to make an iOS whitelist of apps that can be installed (that I deploy as available/required from the Company Portal app), so that the user cannot install anything else from the App Store. For now I’ve blocked the store completely to achieve this goal, but it is a big problem, since this also causes the apps to not be updated.
Thank you for your help!
Best regards
Luca
Hi Luca,
Only for supervised iOS devices can you show and hide apps.
Peter
Have you heard of anyone getting false positives when implementing this?
We had a policy for a specific app, but a handful of users who did not have the app were blocked and saw the Compliance Issues page, but with no app listed:
—
Uninstall the following apps:
[blank]
We ended up disabling the policy.
You’re the first to report the false positives. If you’re seeing this, please don’t hesitate to create a service call with Microsoft Intune. Eventually it must be fixed.