Confused about Intune and Conditional Access
Posted by Direct-Mongoose-7981@reddit | sysadmin | 6 comments
Hi, I can't seem to work this out
I set up an iOS policy to say if the device is non-compliant then don't allow access to 365; this works on initial setup of a device.
But if a device that has already been set up falls out of compliance, it still has access to 365 mail etc. It seems that I would have to manually revoke their sessions to get the device to lose its access.
Is this expected?
bjc1960@reddit
When ours go non-compliant, they kick people out. I know because they started pinging everyone. I don't know how fast that happens. "Our concern" is ensuring only employees have mail access. We can wipe/revoke for terminations.
juggy_11@reddit
Question is - are you sure you wanna block just because of non-compliance?
Devices fall out of compliance all the time, for a number of reasons. Sounds like a headache waiting to happen from a device management standpoint.
My 2 cents.
Direct-Mongoose-7981@reddit (OP)
That's what I am trying to prove; I'm doing this in a lab.
Cormacolinde@reddit
You need policies to block non-compliant devices. There’s no “deny all” at the end of CA policies.
Direct-Mongoose-7981@reddit (OP)
Even then it doesn't seem to apply Conditional Access to ActiveSync on iOS unless you reauth, so it keeps its access.
Direct-Mongoose-7981@reddit (OP)
Worked it out, needed to use the "filter for devices" settings.
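For anyone landing here from search, below is an added example (my own, not OP's lab config or anything from Microsoft's docs) of what the "filter for devices" approach looks like when built with the Microsoft Graph PowerShell SDK instead of the portal. It assumes the `Microsoft.Graph` module is installed and the signed-in account can write Conditional Access policies; the display name and the choice to target all users are mine and should be narrowed to a pilot group in production. The policy starts in report-only mode so you can read the sign-in logs before anything is actually blocked, which also covers juggy_11's point about devices drifting out of compliance for harmless reasons. Note the behaviour OP saw is expected: Conditional Access is evaluated when a token is issued or refreshed, so a device that already holds valid tokens keeps mail until those tokens expire or you revoke them.

```powershell
# Added example, not from the thread: report-only Conditional Access policy that
# blocks iOS devices whose device object is marked non-compliant, using a device filter.
# Assumes the Microsoft Graph PowerShell SDK and an account allowed to write CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Lab - Block non-compliant iOS devices from Office 365"   # assumed name
    # Report-only first: sign-in logs show what would be blocked without locking anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # "All" is fine for a lab; in production scope to a pilot group and always
        # exclude a break-glass account via excludeUsers.
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS") }
        # "all" covers browser, modern-auth apps and Exchange ActiveSync clients.
        clientAppTypes = @("all")
        devices        = @{
            deviceFilter = @{
                # Match only devices whose compliance flag is false, so compliant
                # devices never hit this policy at all.
                mode = "include"
                rule = 'device.isCompliant -eq False'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After the report-only results look right, flip the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

When testing, sign in fresh on the iOS device after marking it non-compliant (or revoke its refresh tokens) rather than waiting on an already-authenticated mail client; the sign-in log entry for that attempt will show the policy under "Report-only" with the result it would have applied.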