Friday 20 July 2018

Intune - Block app access based on unapproved device vendors and models

This is one the most recent new features to be published by the Intune team. We can now specify a list of Android manufacturers and iOS models and choose an action to be performed on the devices specified in the list. At the moment we have a choice of two actions:
  1. Block devices that are not specified from accessing an app
  2. Perform a selective wipe of corporate data on devices that are not specified
This sounded really cool to me so I tested to see if this was easy to configure. It is. It's as easy as typing a list of Android manufacturers and iOS models separated by a semicolon.

In Microsoft Intune, select Mobile apps > App protection policies and select Add a policy.


Enter a name and choose a platform (Android in this case). Select your required apps and configure your required settings as normal.

Now, in the Settings page, scroll to the bottom to the Access Actions settings.


You'll find an existing list of settings, values and actions.


Click on the drop down arrow to reveal some additional choices. Select Device manufacturer(s).


A new line is added. We now must configure the values and action.



Enter your required values. As soon as you type a semicolon you are prompted for another value. The Microsoft documentation has a warning about this. 

"On end-user devices, the Intune client will take action based on a simple matching of the strings specified in the Intune blade for Application Protection Policies. This depends entirely on the value that the device reports. As such, the IT administrator is encouraged to ensure that the intended behavior is accurate. This can be accomplished by testing this setting based on a variety of device manufacturers and models targeted to a small user group".

In other words Intune will not check that what you've typed is accurate. It will only recognize it as a series of strings.


Next, choose your required action. I want to block access to my app for all Android devices except Samsung and HTC devices. Click OK to create the policy as normal.


It's very similar for iOS devices except that you choose Device models.

There are a couple of additional considerations:
  1. On iOS devices, this feature requires the participation of applications (such as WXP, Outlook, Managed Browser, Yammer) to integrate the Intune APP SDK for this feature to be enforced with the targeted applications.
  2. On Android, this feature requires the latest Company Portal.
I think this is a very useful feature and I hope it helps you. Until next time......