# iOS app for Office 365 license
You can easily use Group-based Licensing to ensure your users in the group have a required Intune license.

As always, you can/should use Groups to target/scope your rollouts – this could be a new or existing on-prem AD group that syncs to AAD or a cloud-only AAD group.

MAM Without Enrollment reference - HERE.

At that point (almost immediately), the app will notify the user that it’s now under policy control and the app will close.

If the user is targeted for any, the apps pull down the Policy settings and apply them.
Here, when the user signs in to the Office Mobile Apps with corporate credentials, the App “phones home” to your Intune MAM Service “back-end” and checks for any MAM Policies.

Solution: Apply controls to Office Mobile Apps on mobile devices
Such as photos, personal email, files, etc.
- Enable selective wipe of corporate data from IT (via the Intune Portal) or the end user (if/when they remove the corporate account from the Office apps) - but don’t affect anything else on the device.
- Require a PIN or biometric to open the Office Mobile Apps.
- Limit cut/copy/paste to ‘un-managed’ apps.
- Limit download/save as to a local device.

Enable remote workers to create/update/save/collaborate on corporate content in O365 (SPO/OD/EXO) from un-managed mobile devices (BYO mobile phones and/or tablets) while reducing risks to that data.

The information offered here is a part of that ‘zero trust’ approach - but consider it just one piece of ‘low hanging fruit.’ This includes blocking legacy authentication, requiring managed apps, intelligent MFA, device-based trust, etc. Holistically, continue your work, driving towards a layered approach to security. However, if you're not there yet, this is a step towards that goal. If you're already blocking this, great - that is/was/continues to be our guidance.

IMPORTANT: One of the goals of this post is to avoid impact to people already using the native apps on mobile devices to access O365. To that thought, I’m offering a “lighter hand” here - apply Intune MAM policy to Office Mobile Apps if/when they are used to access O365 content - but don't block existing native app access, nor require device enrollment into Intune (think: personal device or existing 3rd party MDM).

With any rapid-deploy change, there is heightened worry around the IT version of the Hippocratic Oath - ‘First, do no harm.’ This could be “Don’t blow up my end-user’s experience (nor my Helpdesk)” or, it could be, “Don’t drop my security posture to the floor.” In this post, I’ll offer a ‘cut to the chase’ option for Intune that can help enable remote workers on BYO/unmanaged or 3rd party MDM-managed mobile devices with a minimum of impact to your current-state.