By default, there can only be one Global policy per tenant. However, you can use Intune Graph APIs to create extra global policies per tenant, but doing so isn't recommended. Creating extra global policies isn't recommended because troubleshooting the implementation of such a policy can become complicated.
The Teams app on Microsoft Teams Android devices does not support APP (does not receive policy through the Company Portal app). This means that app protection policy settings will not be applied to Teams on Microsoft Teams Android devices. If you have app protection policies configured for these devices, consider creating a group of Teams device users and exclude that group from the related app protection policies. Additionally, consider modifying your Intune Enrollment Policy, Conditional Access Policies and Intune Compliance policies so they have supported settings. If you cannot change your existing policies, you must configure (exclusion) Device Filters. Verify each setting against the existing Conditional Access configuration and Intune Compliance policy to know if you have unsupported settings. For related information see Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Teams Android Devices. For information related to Microsoft Teams Rooms, see Conditional Access and Intune compliance for Microsoft Teams Rooms.
There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.All appsOpen data into Org documentsSelect Block to disable the use of the Open option or other options to share data between accounts in this app. Select Allow if you want to allow the use of Open. When set to Block you can configure the Allow user to open data from selected services to specific which services are allowed for Org data locations.Note:This setting is only configurable when the setting Receive data from other apps is set to Policy managed apps.This setting will be "Allow" when the setting Receive data from other apps is set to All apps.This setting will be "Block" with no allowed service locations when the setting Receive data from other apps is set to None.The following apps support this setting:OneDrive 6.14.1 or later.Outlook for Android 4.2039.2 or later.Teams for Android 1416/220.127.116.111173701 or later. AllowAllow users to open data from selected servicesSelect the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.Supported services:OneDrive for BusinessSharePoint OnlineCameraPhoto LibraryNote: Camera does not include Photos or Photo Gallery access. When selecting Photo Library in the Allow users to open data from selected services setting within Intune, you can allow managed accounts to allow incoming image/video from their device's local storage to their managed apps.All selectedRestrict cut, copy and paste between other appsSpecify when cut, copy, and paste actions can be used with this app. Choose from: Blocked: Do not allow cut, copy, and paste actions between this app and any other app.Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.Any app: No restrictions for cut, copy, and paste to and from this app.Any appCut and copy character limit for any appSpecify the number of characters that may be cut or copied from org data and accounts. This will allow sharing of the specified number of characters when it would be otherwise blocked by the "Restrict cut, copy, and paste with other apps" setting.Default Value = 0Note: Requires Intune Company Portal version 5.0.4364.0 or later.0Screen capture and Google AssistantSelect Block to block screen capture and block Google Assistant accessing org data on the device when using this app. Choosing Block will also blur the App-switcher preview image when using this app with a work or school account.Note: Google Assistant may be accessible to users for scenarios that do not access org data.BlockApproved keyboardsSelect Require and then specify a list of approved keyboards for this policy. Users who aren't using an approved keyboard receive a prompt to download and install an approved keyboard before they can use the protected app. This setting requires the app to have the Intune SDK for Android version 6.2.0 or later.Not requiredSelect keyboards to approveThis option is available when you select Require for the previous option. Choose Select to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. Over time, Microsoft may add additional keyboards to the list for new App Protection Policies, which will require administrators to review and update existing policies as needed.To add a keyboard, specify: Name: A friendly name that that identifies the keyboard, and is visible to the user. Package ID: The Package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is =com.contoskeyboard.android.prod, then the Package ID is com.contosokeyboard.android.prod. This package ID is presented to the user as a simple link to download the keyboard from Google Play.
The Conditional Access framework provides you with a great configuration flexibility. However, great flexibility also means that you should carefully review each configuration policy before releasing it to avoid undesirable results. In this context, you should pay special attention to assignments affecting complete sets such as all users / groups / cloud apps.
If the information in the event isn't enough to understand the sign-in results, or adjust the policy to get desired results, the sign-in diagnostic tool can be used. The sign-in diagnostic can be found under Basic info > Troubleshoot Event. For more information about the sign-in diagnostic, see the article What is the sign-in diagnostic in Azure AD. You can also use the What If tool to troubleshoot Conditional Access policies.
Setting the policy prevents webpages with prohibited URLs from loading. It provides a list of URL patterns that specify forbidden URLs. Leaving the policy unset means no URLs are prohibited in the browser. Format the URL pattern according to this format ( =2095322 ). Up to 1,000 exceptions can be defined in URLAllowlist.
Leaving the policy unset means Microsoft Edge tries to detect if a server is on the intranet. Only then will it respond to IWA requests. If a server is detected as internet, then Microsoft Edge ignores IWA requests from it.
Setting the policy to Enabled means a default search is performed when a user enters non-URL text in the address bar. To specify the default search provider, set the rest of the default search policies. If you leave those policies empty, the user can choose the default provider. Setting the policy to Disabled means there's no search when the user enters non-URL text in the address bar.
I believe that the solution to this is quite simple. If the company has a strict policy on their data, it is irresponsible of you to keep your organization's data on your personal phone without the company having handle on that data. This means remove all your emails, chats, pictures of whiteboards, passwords and everything that is your organization's property. 2b1af7f3a8