This week is all about a relatively new functionality for limiting access to apps on iOS and Android devices during non-working time. Working time settings allow organizations to enforce policies that limit access to apps and mute notification messages from apps during non-working time. Muting notifications was already possible by using global quiet time, as described in this earlier post. Limiting access to specific apps during non-working time, however, is relatively new. That can be achieved by using app protection policies to block users from using, or warn users about using, Microsoft Teams and Microsoft Edge on their iOS and Android devices during non-working time. For that, a new setting is introduced in the conditional launch configuration of the app protection policy. In combination with muting notifications, that provides organizations with more capabilities to basically protect users against themselves. This post will have a closer look at the configuration options for limiting access during non-working time, followed by the steps for configuring those options.
Note: At this moment limiting access during non-working time is available for Microsoft Teams and Microsoft Edge.
Configuring app protection policies to limit access
When looking at the configuration of limiting access to apps on iOS and Android devices during non-working time, it all seems to start with the app protection policies. There is, however, something important to keep in mind. That configuration relies on an integration of the tenant with the Working Time API. That API can be used by a workforce management system to actually bring a user in or out of working time. The steps to integrate a workforce management system with that API are documented here in the Microsoft docs. The actual configuration to limit access is within the conditional launch section of the app protection policy. Using that configuration without integrating with the API will result in users getting blocked due to a missing working time status. The following ten steps walk through the basics of creating an app protection policy for Microsoft Teams and Microsoft Edge on iOS/iPadOS devices, with a focus on the conditional launch configuration for non-working times.
Important: The configuration relies on an integration of the tenant with the Working Time API.
- Open the Microsoft Intune admin center portal and navigate to Apps > App protection profiles
- On the Apps | App protection policies page, click Create policy > iOS/iPadOS
- On the Basics page, specify a valid name to distinguish the profile from other similar profiles and click Next
- On the Apps page, as shown below in Figure 1, provide at least the following information and click Next
  - Public apps: Select Select public apps > Microsoft Teams and Microsoft Edge as the apps to protect

- On the Data protection page, configure the required data protection settings and click Next
- On the Access requirements page, configure the required access requirements and click Next
- On the Conditional launch page, as shown below in Figure 2, configure at least app conditions and click Next
  - Select Non-working time as setting and specify Warn as action

- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the required assignment by selecting the applicable user group and click Next
- On the Review + create page, review the configuration and click Create
Note: The configuration steps for Android devices are similar to the described steps for iOS/iPadOS devices.
Experiencing limited access during non-working time
After configuring the app protection policy for limiting access to Microsoft Teams and Microsoft Edge during non-working time, it’s time to actually test the user experience. The best way to experience the configuration is by actually warning or blocking the user during non-working time. That’s also the easiest to verify, as that behavior can also be experienced without integrating the tenant with the Working Time API. As soon as the non-working time conditional launch configuration is applicable, Microsoft Teams will try to confirm that the user is actually clocked in (as shown below in Figure 3). When the conditional launch configuration is set to warn the user about the non-working time, the user will receive a warning notification (as shown below in Figure 4) when the user is not clocked in. Something similar is applicable for the block notification (as shown below in Figure 5). The main difference is that, in that case, the user actually can’t access the app during non-working time.
Note: The user will receive similar notifications when the tenant is not integrated with the Working Time API.
More information
For more information about limiting access to apps during non-working time, refer to the following docs.
- iOS/iPadOS app protection policy settings – Microsoft Intune | Microsoft Learn
- Limit access to Microsoft Teams when frontline workers are off shift – Microsoft 365 for frontline workers | Microsoft Learn
This is quite draconian, to be honest, but it would help with some employees playing Candy Crush and watching TikTok at work. 🙂
Totally agree, Warren!
Also, with the requirement of the Working Time API, the use cases are also pretty slim at this moment.
Regards, Peter