iOS: Conditional Access Policy Filter for Shared iPad


What is Shared iPad?

Enrolling a device as a Shared iPad sets it up so that it can be shared by more than one employee. Company-owned iPads enrolled in Intune (or any other MDM) through Automated Device Enrollment without user affinity can be provisioned as Shared iPads.

This option is typically used for kiosk, point-of-sale (POS), or shared utility devices. In a company where frontline or blue-collar workers work in rotational shifts and have no desktop client assigned to them, a Shared iPad can be a valuable collaboration tool for accessing company resources such as email, chat, documents and reports.

In this blog we are not going to cover how to set up Shared iPads or enrol them in Intune, as those details are already available in the Microsoft Intune documentation. Instead, this post is about excluding Shared iPad devices from conditional access policies that would otherwise prevent users from accessing company apps when the device does not meet the required conditions.


Why Exclude Shared iPads from CA Policies?

Conditional access policies can be used to allow or block access to company resources, such as O365 apps, payroll apps or ITSM tools, based on the device's compliance and enrollment state.

Shared iPads are enrolled in Intune through the Automated Device Enrollment process without user affinity. These devices are enrolled in Intune without the Company Portal (the approach is the same as Windows Autopilot), but they are always treated as unregistered devices in Azure AD, with no join type and no registration.


Even though Microsoft states in its known limitations that app-based and device-based conditional access policies are not supported on Shared iPad, in reality app-based conditional access policies are still applied when a user targeted by the policy signs in on a Shared iPad and tries to access an app. (We opened a Microsoft Premier support ticket to get a justification, but their response was essentially that they will update the documentation based on further user experience and test cases... Funny, isn't it?)

Our Current Scenario

We have multiple app-based conditional access policies in our tenant for iOS and Android devices. One of them covers the O365 Exchange Online apps and grants access only to devices that are compliant and have an app protection policy assigned. Since Shared iPads are unregistered devices and the Company Portal app is not supported on them, whenever a user tried to sign in to apps like Outlook or Teams they were prompted to install the Company Portal app. This is unexpected behavior on Shared iPads, and we wanted to give users seamless access to company resources.

As we know, a conditional access policy can only be targeted at user groups; it does not support device groups. Hence the only supported option we had for excluding Shared iPad devices was filters for devices.

How Does the Filter Work for Unregistered Devices?

Azure AD uses device authentication to evaluate device filter rules. For a device that is not registered with Azure AD, all device properties are treated as null values: the device attributes cannot be determined because the device does not exist in the directory. The best way to target policies at unregistered devices is therefore to use negative operators.

Microsoft has documented the CA policy behavior with filters for devices very precisely. So to exclude Shared iPad devices we had to come up with a rule that uses negative operators in the query and also does not affect users' other MDM-enrolled devices.

Filter Query to Exclude Shared iPads

As we know, a Shared iPad has no join type registered in Azure AD and all of its attributes are always evaluated as null. Hence we used the device trustType attribute and compared it against each of its possible values, and also added the device operatingSystem attribute with AND operators just to make sure the query does not filter out devices other than Shared iPads. We then configured the filter so that any device matching this rule is excluded.

device.trustType -ne "AzureAD" -and device.trustType -ne "Workplace" -and device.trustType -ne "ServerAD" -and device.operatingSystem -ne "Windows" -and device.operatingSystem -ne "AndroidForWork" -and device.operatingSystem -ne "Iphone" -and device.operatingSystem -ne "AndroidEnterprise"


Note: This query also works without the operating system attribute, so you can try it with only trustType.

After applying this filter to the CA policies responsible for iOS, our Shared iPads were excluded from them and users were no longer prompted to install the Company Portal app.
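To check how the rule behaves before rolling it out, here is a small evaluator written as an added example for this post (it is not Azure AD's code and not part of the original article). It mimics the null-attribute evaluation described above, where every attribute of an unregistered device is null, and applies both the full rule and the trustType-only variant from the note to a few constructed sample devices; the device names and attribute values are made up for illustration.

```python
import re

# Minimal evaluator for the device-filter rule syntax shown on this page.
# Supports string attributes, the -eq / -ne operators and -and chaining.
# An unregistered device (a Shared iPad) has no object in the directory, so
# every attribute evaluates to None, mirroring Azure AD's null evaluation.
CLAUSE = re.compile(r'device\.(\w+)\s+(-eq|-ne)\s+"([^"]*)"')

def evaluate_rule(rule: str, device: dict) -> bool:
    """True when the device matches the rule (excluded in Exclude mode)."""
    for clause in (c.strip() for c in rule.split("-and")):
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        attr, op, wanted = m.groups()
        actual = device.get(attr)  # None for an unregistered device
        matched = (actual == wanted) if op == "-eq" else (actual != wanted)
        if not matched:
            return False
    return True

# The rule from this post, plus the trustType-only variant from the note.
SHARED_IPAD_RULE = (
    'device.trustType -ne "AzureAD" -and device.trustType -ne "Workplace" '
    '-and device.trustType -ne "ServerAD" -and device.operatingSystem -ne "Windows" '
    '-and device.operatingSystem -ne "AndroidForWork" -and device.operatingSystem -ne "Iphone" '
    '-and device.operatingSystem -ne "AndroidEnterprise"'
)
TRUSTTYPE_ONLY_RULE = (
    'device.trustType -ne "AzureAD" -and device.trustType -ne "Workplace" '
    '-and device.trustType -ne "ServerAD"'
)

# Constructed sample devices, not real directory objects. The Shared iPad is
# an empty record because nothing about it exists in Azure AD.
DEVICES = {
    "shared_ipad": {},
    "aad_joined_windows": {"trustType": "AzureAD", "operatingSystem": "Windows"},
    "hybrid_joined_windows": {"trustType": "ServerAD", "operatingSystem": "Windows"},
    "registered_iphone": {"trustType": "Workplace", "operatingSystem": "Iphone"},
    "android_work_profile": {"trustType": "Workplace", "operatingSystem": "AndroidForWork"},
}

def excluded_devices(rule: str = SHARED_IPAD_RULE) -> list:
    """Names of the sample devices the rule matches, i.e. the ones excluded."""
    return sorted(n for n, d in DEVICES.items() if evaluate_rule(rule, d))
```

Running `excluded_devices()` returns only the Shared iPad for both rules, and `evaluate_rule('device.trustType -eq "AzureAD"', {})` is False, which is why a positive rule can never pick out an unregistered device.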


How to Verify the Filter Is Applied to Apps

Once the filter is applied, after the next device sync ask the user to sign in to any app that previously prompted them to install the Company Portal app because of the CA policy. If the filter has been applied successfully, the user should not get any prompt this time and should be allowed into the app.

If you have access to Azure AD, then as an admin you can go to the user's sign-in logs and click on the app they accessed on the Shared iPad. Under Activity Details, go to the Conditional Access tab and look for the CA policy that was responsible for prompting users to register the device. The policy result should be "Not Applied" because of the filter exclusion; after clicking on the policy, the Device condition should show "Unknown" (because of the Shared iPad's unregistered state) and the rule should be evaluated as Matched.

If you have any queries or would like to share your experience with unregistered devices, please feel free to comment.

Happy Learning! 😊

Comments

  1. modern workplace microsoft
    Microsoft 365: This suite of productivity tools includes applications like Word, Excel, PowerPoint, Outlook, and Teams, which enable users to create, share, and collaborate on documents and communicate seamlessly within and outside the organization.
