Monitor policies on unmanaged devices (MAM-WE) 2/3


In my previous blog I showed how you can secure and configure applications on unmanaged devices. Now I’m going to demonstrate how to monitor policies on unmanaged devices.  To secure the data and configure the applications we used the following three policies:

  • Conditional Access policy
  • App protection policy
  • App configuration policy

Each policy is part of the complete solution. The conditional access policy is used to only allow access from the Outlook app, the App protection policy is used to secure data within the app, and the App configuration policy is used to configure some global settings in Outlook. When you configure and assign policies to users it’s important to see whether they are actually applied. For that reason I’m going to show you how to monitor policies on unmanaged devices using Intune.

Monitoring policies

To see whether the policies are applied, and to troubleshoot them when they are not, it’s important to know where to look. When devices are managed by Intune you can select the policy and see how it has been applied. To monitor policies on unmanaged devices you need to check Apps, because only the apps are managed instead of the whole device. For each policy applied I’ve described below how you can monitor its status.


Conditional Access policy

The conditional access policy can be monitored in Azure Active Directory by reviewing the sign-in requests. Each time a user tries to sign in with an application that is not allowed, the attempt is logged. You can view the sign-ins for all users or for a single user. To view the sign-ins for one user, first select the user and then select Sign-ins in the navigation pane. To view all sign-ins, use the following steps.

1. In the MEM admin center select “Users” -> “Sign-ins”. At the top press “Add filters”, select “Status” and press “Apply”.


2. Select “Failure” to filter on all failed attempts. You can add additional filters to get more specific results.


3. In the results you can see a Gmail and an Email application that are trying to connect.


4. Select a failed entry, for example “Gmail”, to view more details about the failure. In the “Basic Info” tab the failure reason is displayed. Here you will see “Application does not meet the conditional access approved requirements”.


5. Now select the tab “Conditional Access” to view which conditional access policy was applied.
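The same filter-and-inspect sequence as steps 2 to 5 can be run over an export of the sign-in log. This is an added example and not part of the original post; the records are constructed and follow the shape of the Microsoft Graph `signIn` resource (the data behind the Azure AD Sign-ins blade), with the error code and policy name being sample values.

```python
"""Summarise Conditional Access sign-in failures from exported sign-in records."""
from collections import Counter

# Failure reason text as shown in the "Basic Info" tab of a blocked sign-in.
REASON = "Application does not meet the conditional access approved requirements"

# Constructed sample: two blocked attempts from non-approved mail clients
# (Gmail and the generic Email app) and one successful sign-in from Outlook.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Gmail",
     "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53002, "failureReason": REASON},
     "appliedConditionalAccessPolicies": [
         {"displayName": "MAM-WE require approved app", "result": "failure"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Email",
     "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53002, "failureReason": REASON},
     "appliedConditionalAccessPolicies": [
         {"displayName": "MAM-WE require approved app", "result": "failure"}]},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Outlook",
     "conditionalAccessStatus": "success",
     "status": {"errorCode": 0, "failureReason": ""},
     "appliedConditionalAccessPolicies": [
         {"displayName": "MAM-WE require approved app", "result": "success"}]},
]


def failed_signins(records):
    """Step 2: keep only the sign-ins that Conditional Access rejected."""
    return [r for r in records if r.get("conditionalAccessStatus") == "failure"]


def failures_by_app(records):
    """Steps 3-5: count failures per (app, policy that failed, failure reason)."""
    rows = Counter()
    for r in failed_signins(records):
        reason = r.get("status", {}).get("failureReason", "")
        failed = [p["displayName"] for p in r.get("appliedConditionalAccessPolicies", [])
                  if p.get("result") == "failure"] or ["(no policy recorded)"]
        for policy in failed:
            rows[(r.get("appDisplayName"), policy, reason)] += 1
    return rows


def blocked_users(records):
    """Users who tried a non-approved client; they need the approved app instead."""
    return sorted({r["userPrincipalName"] for r in failed_signins(records)})


if __name__ == "__main__":
    for (app, policy, reason), n in failures_by_app(SAMPLE_SIGNINS).items():
        print(f"{n}x {app}: blocked by '{policy}' ({reason})")
    print("blocked users:", ", ".join(blocked_users(SAMPLE_SIGNINS)))
```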


App Protection policy

The status of the app protection policy can be monitored in Intune. Because the devices are unmanaged, it’s not possible to view the devices themselves in Intune. To monitor App protection policies you need to perform the following steps:


1. In the MEM admin center select “Apps” -> “Monitor” -> “App protection status” and press the “Reports” cogwheel at the top of the page.


There are two reports for viewing app protection status in the Apps monitor. The first option is the User report. This shows an overview of the applications that are managed by app protection policies for the selected user. It also displays whether the user is licensed for Intune.


2. In the navigation pane select “User report”, then press “Select user” and pick the user you want to view.


3. If an App protection policy has been assigned but not yet applied (the app has not synced yet), the User report shows this as well.


The other option is the App report. This gives you an overview of all users for each app per platform. You can select the protection status you want to view. When users show up as unprotected, this may be because the App protection policy was not assigned to that particular user.


4. In this screenshot you see all the users who use Outlook on Android devices and are protected by the app protection policy for Outlook.


5. If you select Status -> “Unprotected” you will see all users who are using Outlook to connect to your tenant but are not protected.


App Configuration policy

The status of the app configuration policy can be monitored in Intune. This can be done in the same blade as the App Protection policy. To monitor App configuration policies you need to perform the following steps:


1. In the MEM admin center select “Apps” -> “Monitor” -> “App protection status” and press the “Reports” cogwheel at the top of the page.


Just as with the App protection policy, there are two ways to view the status. The first option is the User configuration report. This shows an overview of the applications that are configured by an app configuration policy for the selected user. It also displays whether the user is licensed for Intune.


2. In the navigation pane select “User configuration report”, then press “Select user” and pick the user you want to view.


The other option is the App configuration report. This gives you an overview of all users for each app per platform. You can select the platform and app for which you want to view the status.


3. In this screenshot you see all the users who use Outlook on Android devices and are configured by the app configuration policy for Outlook.
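The three states the App protection and App configuration reports distinguish (applied, assigned but not yet synced, not assigned) can be derived from the per-app registrations behind those reports. This is an added example and not part of the original post; it serves both the App protection section above (the "assigned but not yet applied" and "unprotected" cases) and the App configuration section. The records are constructed and assume the shape of the Microsoft Graph `managedAppRegistration` resource, where `intendedPolicies` are the policies assigned to the user and `appliedPolicies` those the app received at its last check-in; the `@odata.type` values are the assumed type names for protection and configuration policies.

```python
"""Classify app protection and app configuration status per user and app."""

# Constructed sample: three Outlook-for-Android registrations (field names
# follow managedAppRegistration; values are made up).
OUTLOOK = "com.microsoft.office.outlook"
APP = {"@odata.type": "#microsoft.graph.androidManagedAppProtection",
       "displayName": "APP Outlook Android"}
ACP = {"@odata.type": "#microsoft.graph.targetedManagedAppConfiguration",
       "displayName": "ACP Outlook Android"}
SAMPLE_REGISTRATIONS = [
    # alice: both policies assigned and already applied
    {"userId": "alice", "deviceName": "alice-pixel", "lastSyncDateTime": "2021-03-01T08:00:00Z",
     "appIdentifier": {"@odata.type": "#microsoft.graph.androidMobileAppIdentifier", "packageId": OUTLOOK},
     "intendedPolicies": [APP, ACP], "appliedPolicies": [APP, ACP]},
    # bob: both assigned, but the configuration policy has not synced yet
    {"userId": "bob", "deviceName": "bob-galaxy", "lastSyncDateTime": "2021-02-27T17:30:00Z",
     "appIdentifier": {"@odata.type": "#microsoft.graph.androidMobileAppIdentifier", "packageId": OUTLOOK},
     "intendedPolicies": [APP, ACP], "appliedPolicies": [APP]},
    # carol: uses Outlook but no policy is assigned to her at all
    {"userId": "carol", "deviceName": "carol-pixel", "lastSyncDateTime": "2021-03-01T09:15:00Z",
     "appIdentifier": {"@odata.type": "#microsoft.graph.androidMobileAppIdentifier", "packageId": OUTLOOK},
     "intendedPolicies": [], "appliedPolicies": []},
]

PROTECTION = "ManagedAppProtection"        # substring of the protection policy type
CONFIGURATION = "ManagedAppConfiguration"  # substring of the configuration policy type


def _names(policies, kind):
    """Display names of the policies of one kind (protection or configuration)."""
    return {p["displayName"] for p in policies if kind in p.get("@odata.type", "")}


def policy_status(reg, kind):
    """'applied' = shown as protected/configured in the report, 'pending sync' =
    assigned but not yet applied, 'not assigned' = shows up as unprotected."""
    intended = _names(reg.get("intendedPolicies", []), kind)
    applied = _names(reg.get("appliedPolicies", []), kind)
    if not intended:
        return "not assigned"
    if intended - applied:
        return "pending sync"
    return "applied"


def app_report(records, package_id):
    """Per-user status for one app, like the App report filtered on platform and app."""
    return {r["userId"]: {"protection": policy_status(r, PROTECTION),
                          "configuration": policy_status(r, CONFIGURATION)}
            for r in records if r.get("appIdentifier", {}).get("packageId") == package_id}


if __name__ == "__main__":
    for user, st in app_report(SAMPLE_REGISTRATIONS, OUTLOOK).items():
        print(f"{user}: protection={st['protection']}, configuration={st['configuration']}")
```

A user who has never opened the app with their work account has no registration at all, so absence from this output is a fourth state that the reports cannot show either.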


In my next blog I will show how you can selectively wipe corporate data from apps protected with App protection policies.
