February 20, 2024

Intune FAQ

My device won’t allow me to use Microsoft applications after initial set up of In-App Protection – what can I do?

If you are unable to fully set up In-App Protection on your device, it may be that your device is not compliant. This may be due to having an outdated firmware or operating system (OS) version installed on your device. On Apple devices, iOS 15 or higher is currently required, or, on Android, Android 11 is currently required. In this scenario, you will need to check to see if your device can be updated to a supported OS version.

If you cannot install an up-to-date OS, you will not be able to set up your device, and cannot use it to access University resources and services. Please contact the Digital Technologies Service Desk for further guidance.

The reason we must use compliant devices is to do with the requirements of Cyber Essentials. This scheme requires devices to be kept up to date and within certain compliance thresholds. One of the key areas which will fail the compliance check is the operating system version for iOS and Android.

There could be many other reasons, but the Company Portal app or the application protection policy will show you the reason the device is non-compliant.

I’ve been asked to set up a PIN when opening Microsoft Applications on my device – is this the same as my device PIN?

When opening a Microsoft Application, you will be required to set a 6-digit PIN. This is not the same PIN as you may already have on your device, and it is highly recommended that you set a different 6-digit PIN for your Microsoft Applications for extra security.

How do I deregister my device(s)?

Deregistering In-App Protection

To deregister In-App Protection on your devices you will need to remove your work account in all Microsoft apps you have installed (Outlook, Teams, OneDrive etc.). This will vary between apps and platforms, but the process will be similar.

Using Outlook as an example, you will first need to open the relevant app (Outlook), then tap your profile picture and select the settings cog that appears. Tap on your University/work email under “Email Accounts”, then scroll to the bottom and select “Remove Account”. Please note that if you have OneDrive set up, you will also need to scroll to “Storage Accounts” and repeat this process.

To fully deregister, you will need to do this in each Microsoft application installed on your device.

Deregistering Full Device Protection

To deregister from full device protection, you will need to open the Company Portal app, then select your device. Tap the three dots, then select “Remove Device”. This will remove the associated work partition/profile and any University data saved on the device.

I have In-App Protection set up on my device(s). How do I access other browser-based services?

If you wish to access any browser-based University services from your device with in-app protection, such as the Staff Directory etc., you will need to use Edge as your browser. This is because Edge is managed by Microsoft and is therefore compliant. If you have the Company Portal App installed and Full-Device Protection set up on your device, you should be able to access these services with no issues.

Why do I have to install Authenticator/Company Portal App for In-App Protection?

When installed, on an Apple device, the Microsoft Authenticator App works in the same way as the Microsoft Company Portal app (as well as providing you all the benefits of a faster MFA process when configured). It checks your device is compliant and allows you to use In-App Protection, rather than having to set up Full Device Protection.

Android users need to download the Microsoft Company Portal app to allow this same level of compliance check. You do not need to open/sign into the app or configure it for this to work, simply have it installed on your device.

For Full Device Protection on Apple or Android, you will need to install the Microsoft Company Portal app and configure it.

I don’t want to use my personal device for work-related activity – can I still use the Microsoft Authenticator App for MFA with University machines or services?

Yes. The Microsoft Authenticator App can still be used for Multi-Factor Authentication, even if your device is not registered with Intune.

If the FAQs above haven’t answered your question or helped resolve your issue, please contact the DT Service Desk on 01522 886500 or email dt@lincoln.ac.uk.

What can the University see on my device?

To access University resources from your device(s), you will need to register with Intune. Depending on the University resources you wish to access from your device, you will need to set up different levels of permissions.

In-App Protection allows you access to core Microsoft applications on your device – such as the Teams, Outlook and OneDrive apps.

Full Device Protection will cover your whole device so you can access other University services securely as well as the usual Microsoft applications – such as the Teams, Outlook and OneDrive apps.

Scroll down for more information on what the University can and cannot see on your device for each option.

What the University can and cannot see on your device if you use In-App Protection

What the University can see on your device with App Protection

If a device is registered with App Protection only, the University will be able to see the following information:

Device owner
Device name
Device platform
Device model, such as Google Pixel
Device manufacturer, such as Microsoft
Operating system and version, such as iOS 12.0.1

The University cannot see any personal information on the device, and we have no access to wipe the device. Only the University data that is stored within the protected app can be removed via the protection policy.

What the University cannot see on your device with App Protection

The University will never see:

Calling and web browsing history
Email and text messages
Contacts
Calendar
Passwords
Pictures, including what’s in the Photos app or camera roll
Files

On corporate-owned Android devices with a work profile:

Apps and data in your personal profile
Phone number

What the University can and cannot see on your device if you use Full Device Protection and Intune

What the University can see on your device with Full Protection and Intune installed

If you have chosen to register your personal device using the Full Device Protection through the Company Portal application, the University will be able to see the following information:

Device owner
Device name
Device serial number
Device model, such as Google Pixel
Device manufacturer, such as Microsoft
Operating system and version, such as iOS 12.0.1
Device IMEI
App inventory and app names, such as Microsoft Word
- On personal devices, your organisation can only see your managed app inventory, which includes work and school apps
- On corporate-owned devices, your organisation can see all apps installed on the device
- On corporate-owned devices with a work profile, which is limited to Android devices, your organisation can only see the apps installed in your work profile

In addition to the data the University can see, registering your device will also allow the University to have limited management of the device and to perform certain actions, including:

Remotely rest or wipe a lost or stolen device
Provide remote assistance

What the University cannot see on your device with Full Device Protection and Intune installed

The University will never see:

Calling and web browsing history
Email and text messages
Contacts
Calendar
Passwords
Pictures, including those in the photos app or camera roll
Files

On corporate-owned Android devices with a work profile:

Apps and data in your personal profile
Phone number

Written by: Alex Dunn

Last updated on: March 26, 2024