Very powerful, but not user friendly. We learned to consult this with clients and make them clear what this really means. Our best scenario is to block unmanaged devices to Sharepoint but allow access via the Browser (limited experience). But even this gives issues (not technically but on user level). I am all for it, but this does not work for SMB, mostly. Bu great video again!
Just found your channel. Loving it. Do you think you could do a full video on setting up a test tenant? Was thrown into supporting Azure after it was setup so would be very helpful setting up my own to learn what I missed and to have something to test.
Would be great for feedback on still wanting to allow guest access to Microsoft Teams files to other businesses that are approved, they wouldn't have a corporate device?
We block personal device enrolment and have setup conditional access policy to only allow compliant intune devices. We allow online usage only for personal devices with app enforced restrictions also.
Hi Edwards, I want to block all cloud application except teams and outlook for phone device. I created a conditional access policy to block all cloud application except outlook and teams. Its working fine but teams is still blocking. I m not sure what are the teams related services need to exclude in the policy. Could you please make a video for the same
Thank you for your videos. We would like to learn how to stop users to upload anything from company devices to 3rd party apps for e.g. web WhatsApp, Dropbox Google drive or online PDF editors.
Excellent. Some great tips here. In the opposite direction, how would you go about setting up Conditional Access for a small startup where everyone is using their own laptops? What would you turn off, what would you leave on? Any special case policies?
Thank you for this, working like a charm. a question though, what happens to the users logged in already on personal devices? do they get logged out? cause in my testing, the logged in user stayed logged in
I've implemented all of your CA policies and they're great, but this one blocks re-adding an Autopilot device to Intune after a Wipe. Any suggestions? Thanks
Applying that policy prevents work devices from enrolling in Intune via Autopilot b/c the initial Device Ownership is not Corporate yet b/c it hasn’t enrolled. How do you resolve this issue?
Hi Jonathan, thanks for the great video. I am curious as to your using an OR statement for the filter. Is there an historical reason for using just DeviceOwnership not equals Company?
Hey Jonathan, thanks for your video, it helped us a lot!! We're trying to make an "exclusion" for a specific URL, we want to allow the Windows 365 URL, can you explain how can we make this filter, please?
Hi Mr. Edwards, It would be great to receive a respond from you. I have a question. If I enrolled a device (for example a windows laptop) to intune using administrator account who has microsoft365 Business Premium then I change the owner of that device to another user which only has Business Standard license. At that moment will that device no longer be enrolled since that user doesn't have Intune license?
All you need is for one Business Premium license in the tenant to enjoy the features. I am not suggesting you do that, in my view each person who is using Premium features should have a Premium license.
Great presentation and please don’t take it personally.. But, is there or can there be another company which prompts user who used UNAUTHORISED DEVICE to provide password and the second factor???
How setup the same for only Intune enrolled Windows, MacOS, Android devices(BYOD android through Company portal and Fully Company Managed Android Enterprise)
Could you explain, for we numpties, where the policy resides? You used intunes which suggests a policy on the endpoint but I don’t think you have set up a client on personal laptop. Does policy set up in intune sit in M365?
Hi Jonathan, is it possible to apply this CA policy for Multiple Office365 Tenants to the same applications on one device? I have providing with company's laptop and access multiple tenents on this windows laptop.
Just thinking out loud. Wouldn't a compliance requirement CA Policy also block personal computers? If they don't have intune.. they can't access anything?
we have O365 E5 licenses is that enough? what is the minimum license required? could you explain a little bit if this works with a Azure AD registered device ? or only Azure AD Joined Device ?
Jonathan, thanks for these video's. We have been trying to do this but still allow access from a browser on a personal device but cannot download content or enroll a personal device in intune. Any ideas?
@@bearded365guy - thanks for the reply. using the CA you used in this video what would we need to change to allow access to the browser but block downloads?
@@bearded365guy My understanding is that when autopiloting a vbox-created instance, the serial no. shown in Intune only contains zeros. This is not the case with using Hyper-V or VMware.
Dude, your videos are epic! I gained so much knowledge on this topic of CA and App Policies.
Very powerful, but not user friendly. We learned to consult this with clients and make them clear what this really means. Our best scenario is to block unmanaged devices to Sharepoint but allow access via the Browser (limited experience). But even this gives issues (not technically but on user level). I am all for it, but this does not work for SMB, mostly. Bu great video again!
Yep, it’s strict
Just found your channel. Loving it. Do you think you could do a full video on setting up a test tenant? Was thrown into supporting Azure after it was setup so would be very helpful setting up my own to learn what I missed and to have something to test.
Love this ! explained perfectly !
Great info, but how does it work with Hybird Entra installs where AD is installed on-prem?
@@andrewenglish3810 You can still use lots of these policies with Hybrid setups.
Would be great for feedback on still wanting to allow guest access to Microsoft Teams files to other businesses that are approved, they wouldn't have a corporate device?
We block personal device enrolment and have setup conditional access policy to only allow compliant intune devices. We allow online usage only for personal devices with app enforced restrictions also.
That works too 😀
Hi Edwards, I want to block all cloud application except teams and outlook for phone device. I created a conditional access policy to block all cloud application except outlook and teams. Its working fine but teams is still blocking. I m not sure what are the teams related services need to exclude in the policy. Could you please make a video for the same
if your devices are entra hybrid joined, you can just check that box in Grant, and not have to do any filtering.
Thank you for your videos. We would like to learn how to stop users to upload anything from company devices to 3rd party apps for e.g. web WhatsApp, Dropbox Google drive or online PDF editors.
Stay tuned
Excellent. Some great tips here. In the opposite direction, how would you go about setting up Conditional Access for a small startup where everyone is using their own laptops? What would you turn off, what would you leave on? Any special case policies?
Johnathan, your videos and style of presentation have been helpful. Does your organization (you) also do live events?
Yes, sometimes!
best content, with real world scenarios as usual keep it up
Thank you for this, working like a charm. a question though, what happens to the users logged in already on personal devices? do they get logged out? cause in my testing, the logged in user stayed logged in
no need to configure client apps. It's applied to all by default.
I've implemented all of your CA policies and they're great, but this one blocks re-adding an Autopilot device to Intune after a Wipe. Any suggestions? Thanks
Applying that policy prevents work devices from enrolling in Intune via Autopilot b/c the initial Device Ownership is not Corporate yet b/c it hasn’t enrolled. How do you resolve this issue?
Hi Jonathan, thanks for the great video. I am curious as to your using an OR statement for the filter. Is there an historical reason for using just DeviceOwnership not equals Company?
I really don't see the point of using both of those statements. Isn't it enough to use only one?
Hello Jonathan how are you?
I have one question, is there some CA to block access to personal emails in web browsers on devices managed?
Hi, got your email. Will respond!
Hey Jonathan, thanks for your video, it helped us a lot!!
We're trying to make an "exclusion" for a specific URL, we want to allow the Windows 365 URL, can you explain how can we make this filter, please?
Hi Mr. Edwards, It would be great to receive a respond from you. I have a question. If I enrolled a device (for example a windows laptop) to intune using administrator account who has microsoft365 Business Premium then I change the owner of that device to another user which only has Business Standard license. At that moment will that device no longer be enrolled since that user doesn't have Intune license?
All you need is for one Business Premium license in the tenant to enjoy the features. I am not suggesting you do that, in my view each person who is using Premium features should have a Premium license.
Great presentation and please don’t take it personally.. But, is there or can there be another company which prompts user who used UNAUTHORISED DEVICE to provide password and the second factor???
Yes, that would be possible.
Great video really appreciated
How setup the same for only Intune enrolled Windows, MacOS, Android devices(BYOD android through Company portal and Fully Company Managed Android Enterprise)
Could you explain, for we numpties, where the policy resides? You used intunes which suggests a policy on the endpoint but I don’t think you have set up a client on personal laptop. Does policy set up in intune sit in M365?
Hi Jonathan, is it possible to apply this CA policy for Multiple Office365 Tenants to the same applications on one device? I have providing with company's laptop and access multiple tenents on this windows laptop.
@@amanhanda9127 No, i don’t think it would be.
Just thinking out loud. Wouldn't a compliance requirement CA Policy also block personal computers? If they don't have intune.. they can't access anything?
A device can be owned personally and be compliant. This is to simply block all personal devices. Much stronger 💪
we have O365 E5 licenses is that enough? what is the minimum license required? could you explain a little bit if this works with a Azure AD registered device ? or only Azure AD Joined Device ?
This works with Azure AD P1
Great Video Jonathan
Jonathan, thanks for these video's. We have been trying to do this but still allow access from a browser on a personal device but cannot download content or enroll a personal device in intune. Any ideas?
Yes, you can block downloads on unmanaged devices
@@bearded365guy - thanks for the reply. using the CA you used in this video what would we need to change to allow access to the browser but block downloads?
Either Device filter to include personal ownership or to exclude corporate owned. Any reason for using VBox instead of Hyper-V ?
I’ve always kind of liked vbox 😀
@@bearded365guy My understanding is that when autopiloting a vbox-created instance, the serial no. shown in Intune only contains zeros. This is not the case with using Hyper-V or VMware.
Though the devices are corporate and registered with intunes, we are being locked out. Any idea?
What polices do you have setup?
@@bearded365guy block from personal devices, block outside the named region. The devices are being recognised as corporate
When do you use this over only allow compliant devices?
For me, a compliant device is slightly different. A personal owned device could be compliant.
hey the videos good but the policy doesnt work, any idea why? Have you tested this first?
It should work.
interesting ca policies usually apply right away. This one took some time, i can now see it is working. Thanks! @@bearded365guy
How this is possible without intune? :)
It isn’t
@@bearded365guy :(
Thanks for the video but it didnt work
hi, i thought so too but it just took some time to go into effect..
+
An On-Ee-Un.