PROHIBITED APPS WITH INTUNE

Many organizations would like to avoid having mobile apps installed on devices accessing corporate information, as several mobile apps have recently been in the news. Most companies who have been using Configuration Manager to manage endpoints for many years immediately think of leveraging the software inventory to find where these apps are installed.


In any case, there are likely reasons companies block the application on an end-user's device that has access to corporate resources. The Microsoft Intune (Endpoint Manager) app allows you to block apps like these on iOS and Android.


  • Tracking down issues using inventory-based reporting is reactive. By using Intune, your organization can be proactive and set up policies to put conditions in place so that you are not reliant on inventory results to know what's happening.

  • The gathered inventory information can also differ from what is documented in mobile device inventories. There are differences based on the platform (iOS, Android, etc.) and enrollment method (personal, corporate).

  • The final issue is that even if you were able to always access the information from mobile device software inventory using Intune, there was no way to force an inventory to run on demand. The results may not be as up-to-date as they should be.

It is necessary to use another method for both operations systems. The iOS system does not have an option to stop an app from being installed, we must use the Compliance Policy, which blocks corporate data access immediately after a restricted app is installed. There is a way to block the installation of the app on Android devices.


Handle restricted app on Android devices with Intune

Personal devices with work profile. Intune users with these devices will have both a personal and a work account, with the personal account being accessing the public Google Play Store, while the work account can only get apps approved by you from the Managed Google Play Store. Intune automatically provisioned work profiles with managed Google Play accounts. In their personal profiles instead of work profiles, users install apps. Data sharing settings can be configured using configuration profiles on devices. Additionally, a BYOD work profile devices can be used by approving applications for installation along with Android Enterprise Configuration Profiles for Android, and App Protection Policies for Android. The personal profile can't be managed or inventoried.


Fully managed corporate devices. In the Managed Google Play Store, like on Android Enterprise Work Profile devices, users can only install apps that you, as the admin, approve. Our Intune platform can silently download approved apps including the ability to delete them on fully managed Android Enterprise devices.


The vast majority of applications along with those approved in the Managed Google Play Store can be installed from the public Google Play Store on fully managed devices, unlike work profiles. It is also possible to give users the option of adding their own accounts to fully managed devices, which would otherwise only be associated with a managed Google account.


Handle restricted app on iOS devices with Intune

Apple has never provided an automatic way to uninstall iOS apps except through one of its managed services. Intune must have pushed them or installed them via the Intune Company Portal.

  • Intune should report any devices with prohibited devices installed.

  • Once the malicious app is installed, we can push an uninstall command to it.

  • Azure AD Conditional Access can block access to corporate resources until users uninstall prohibited apps.

A Compliance Policy needs to be in place for iOS devices, which blocks non-compliant devices from accessing corporate data. We add the Bundle ID of TikTok to the Compliance Policy, so as soon as a user installs the app, the device is marked as non-compliant and access to corporate data is denied.

In the Apple App Store, use a browser to look up the Bundle ID of App. There is an app ID at the end of the URL. Look for the number after ID.




Copy the last numerical digit in URL and https://itunes.apple.com/lookup?id=945274928


A text file is downloaded. The Bundle ID can be found in the text editor by searching for bundleid, for Clash of Kings -Cok that`s com.elex-tech.ClashOfKings




Create a Compliance Policy


Provide name of the Compliance policy


Provide name and bundleID of the prohibited app




Create a device Config Policy (Device restrictions)



Provide Name of the policy


Select prohibited apps from the drop down list along with the required details



Once deployed, the iOS compliance policy will have the device check for those restricted apps. If they’re found, the device will be marked non-compliant and the apps that triggered the non-compliance will be detailed in the trusty devices with restricted apps report. The user will be prompted to uninstall those restricted apps to once again bring their device back into compliance.

504 views