What does "Allow my company to manage this device" permit for BYOD

AX150 21 Reputation points
2021-04-20T06:43:46.003+00:00

Hello everyone,

I was referred here from the Teams forum.

I accidentally clicked this box when logging into MS Teams and, being a software developer, I wanted to understand a lot more about what's actually happened to my personal PC, which, just to be clear, is owned by me, not by my company. My natural reaction was to check the event log and I see this:

Product: Microsoft Intune Management Extension -- Installation completed successfully.

I can also see a "Work and School" account has been added and I think this means I’ve been added to their AAD.

I have read some of the Intune documentation but I am not sure how much of it is specific to corporate devices. For the following questions, please can you let me know whether the option exists specifically for a BYOD machine running Windows 10 Professional. Can Intune / AAD:

  • Take away local admin rights?
  • Wipe the hard drive remotely?
  • Deny access to the machine remotely?
  • Deploy arbitrary software to the machine?
  • Deny access to the Windows Store?
  • Determine which applications a user can run / install?
  • Install a trusted root certificate?
  • Route traffic through a corporate VPN?

Many, many thanks.


Accepted answer
  1. Lu Dai-MSFT 28,401 Reputation points
    2021-04-20T08:40:02.423+00:00

    @AX150 Thanks for posting in our Q&A. I will try my best to answer these questions:

    Q1: Yes, we refer to the following link to manage local administrators.
    https://www.petervanderwoude.nl/post/managing-local-administrators-via-windows-10-mdm/
    Note: Non-Microsoft link, just for the reference.

    Q2: We can wipe the device. The Wipe action restores a device to its factory default settings.
    https://video2.skills-academy.com/en-us/mem/intune/remote-actions/devices-wipe

    Q3: This policy can be configured to control whether remote access to computers by using Remote Desktop Services is allowed.
    https://video2.skills-academy.com/en-us/windows/client-management/mdm/policy-csp-remotedesktopservices#remotedesktopservices-allowuserstoconnectremotely

    Q4: The following article lists the types of apps in Windows 10.
    https://video2.skills-academy.com/en-us/mem/intune/apps/apps-windows-10-app-deploy

    Q5: To clarify this, are you trying to block the private store or the public store? The policy you are using blocks the public store. There's no way to block the private store.
    https://video2.skills-academy.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-requireprivatestoreonly

    Q6: When deploying an app via Intune, we need to assign a group to the app. If we assign a user group, only the devices that these users log in to will install the app. The following article shows how to assign apps to groups.
    https://video2.skills-academy.com/en-us/mem/intune/apps/apps-deploy

    Q7: We can deploy trusted certificate profiles via Intune.
    https://video2.skills-academy.com/en-us/mem/intune/protect/certificates-trusted-root

    Q8: For this issue, I have done a lot of research. I find some information about Microsoft Tunnel, but I'm not sure if this is what you need.
    https://video2.skills-academy.com/en-us/mem/intune/protect/microsoft-tunnel-overview

    Hope the above information will help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

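To see which of the capabilities listed in the answer above have actually been applied to an enrolled PC, the device owner can run a read-only check locally. This is an added example, not part of the original thread or of Microsoft's documentation; it assumes an elevated PowerShell session on Windows 10, and the registry locations are where Windows 10 commonly keeps MDM enrollment and policy state.

```powershell
# Added example: read-only audit of MDM enrollment state on a Windows 10 PC.
# Assumes an elevated session; registry paths are where Windows 10 commonly
# keeps this state and may differ between builds.

# 1. Device registration state, parsed from the built-in dsregcmd tool.
$state = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}
foreach ($key in 'AzureAdJoined', 'WorkplaceJoined', 'DomainJoined') {
    $value = if ($state.ContainsKey($key)) { $state[$key] } else { '(not reported)' }
    '{0,-16}: {1}' -f $key, $value
}

# 2. MDM enrollments recorded on the device (provider and enrolling account).
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Get-ItemProperty |
    Where-Object { $_.PSObject.Properties.Name -contains 'ProviderID' } |
    Select-Object PSChildName, ProviderID, UPN | Format-Table -AutoSize

# 3. The agent named in the event log entry quoted in the question.
Get-Service -DisplayName '*Intune Management Extension*' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 4. Policies delivered over MDM, grouped by policy CSP area
#    (e.g. RemoteDesktopServices, ApplicationManagement from the answer above).
$policyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
Get-ChildItem $policyRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $areaKey = $_
    foreach ($name in $areaKey.GetValueNames()) {
        # Skip bookkeeping values that record which provider set the policy.
        if ($name -match '_(ProviderSet|WinningProvider)$') { continue }
        [pscustomobject]@{
            Area    = $areaKey.PSChildName
            Setting = $name
            Value   = $areaKey.GetValue($name)
        }
    }
} | Format-Table -AutoSize

# 5. Machine-wide trusted roots, newest validity start first, for manual review.
Get-ChildItem Cert:\LocalMachine\Root |
    Sort-Object NotBefore -Descending |
    Select-Object -First 15 NotBefore, Thumbprint, Subject | Format-Table -AutoSize
```

An empty result in sections 2 to 4 means that nothing of that kind is currently recorded on the device; it does not show what the tenant could push later.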

2 additional answers

  1. AX150 21 Reputation points
    2021-04-20T10:13:33.297+00:00

    You have been incredibly helpful. Thanks so much.

    I apologise for my last question (8), it wasn’t asked clearly and I hope you didn’t spend too long on it. I think what I was really interested in was the ability to route browser traffic through corporate systems. Is it possible to change the network proxy settings, for example to add a “pac” script?

    Thanks again for your time, I appreciate it.


  2. AX150 21 Reputation points
    2021-04-21T03:15:11.16+00:00

    Thanks for your time.

