How to prevent employees downloading the Microsoft Teams app on mobile devices

Written by Saajid Gangat in Microsoft,Microsoft Teams,Microsoft Walkthroughs,Step-by-step Guides,Teams Guides Last Updated July 25, 2023

There are plenty of things an admin user delegated by a company can do in terms of securing software linked with the Microsoft suite. You can restrict access on an unmanaged device, restrict settings that prevent external members from accessing or editing files on your network, or even set policies that inhibit the use of certain software on certain platforms such as restricting OneDrive on a browser or the Office suite on certain user desktops.

However, things only get more complex when the demand for security grows and certain admin users are now looking for ways to inhibit access to downloading Microsoft Teams on employee smartphones. How do you prevent employees from downloading the Microsoft Teams app on mobile devices, and what can employers do to make this possible? The short answer to save time is you can’t actually block access, according to Microsoft agents who state, “We can’t block users from downloading and installing Teams app to mobile.” However, this won’t stop us from conducting research and find an alternate solution to achieve similar results.

Follow through and see how you can use different methods to come close to the scenario which prevents employees from downloading the Microsoft Teams app on mobile devices.

Step by step process – How to prevent employees downloading the Microsoft Teams app on mobile devices

  1. First, sign in to your Office 365 account.
  2. Use the app launcher and navigate to admin.
  3. In the admin dashboard, under “admin center”, click on “Azure Active Directory”(you may need to click “Show all” to access).
  4. Click on “All services”.
  5. Now click on “Azure AD Conditional Access”.
  6. Click on “New policy”.
  7. Name the policy.
  8. Configure, users and groups to “All Users”.
  9. Set – CA (cloud apps): (Include) “Microsoft Teams”
  10. Set conditions to, Client Apps > Configure “Yes” > Select Client Apps > check “Browser” and “Mobile apps and desktop clients”
  11.  Finally, Access Control, set as – Grant Access -> Check “Require Domain Joined” and “Require device to be marked as compliant”.

This is a simple and quick approach to guarantee that users are using Microsoft Teams on managed devices, allowing IT to monitor the device’s setup and ensure that it is healthy and compliant. Furthermore, if it becomes necessary, this policy may be changed to prevent users from accessing the Teams web client.

According to Microsoft Conditional Access, an Azure Active Directory function, works with Intune app protection settings to help secure your corporate data on devices your employees use. These restrictions apply to both Intune-enabled and non-enabled devices owned by employees. This is perfect if you want to restrict Team access on unmanaged and or managed devices situated within your company or offline situated on an unmanaged IP log.

App policy management in Microsoft Teams to prevent employees downloading the app on mobile devices

The Microsoft Teams admin centre is where you control app permission policies. You have the option of using the global (Org-wide default) policy or creating and assigning bespoke policies. Unless you develop and assign a custom policy, users in your company will be subject to the global policy. It may take a few hours for changes to take effect after you update or assign a policy.

In the Teams Admin section click on “Template policies”.

Now click on the pre-existing policy called “Global (Org-wide-default)”.

Now set the access policy within the Teams global panel.

Unfortunately, this will restrict access for all users as the global access policy is default and the only access policy manageable from Teams. Only preliminary edits are of course in-house users such as employees and other executive staff members can be left out of the policy and a restriction can be placed just on certain external staff or employees if necessary.

If your company is already using Teams, the app settings you put up in Tenant-wide settings in the Microsoft 365 admin centre are reflected on the Manage apps page’s org-wide app settings. If you’re new to Teams and are just getting started, the global policy allows all applications by default. This includes Microsoft-published apps, third-party apps, and apps created by your company.

For example, suppose you wish to restrict all third-party apps while allowing particular Microsoft apps for your HR staff. To begin, go to the Manage apps tab and double-check that the apps you wish to make available to the HR staff are authorized at the org level. Then, name your custom policy HR App Permission Policy, set it to block and allow the applications you want, and assign it to HR team members.

In Teams, set visitor permissions for channels to prevent employees downloading the app on mobile devices

Before you can alter guest rights, you must first add the individual to your team as a guest.

  • On the left side of the app, tap the Teams icon.
  • Select More choices from the team name. button with more choices > Organize your squad.
  • Select Guest permissions from the drop-down menu under Settings. Select the permissions you wish to utilize by checking or unchecking the boxes. You may now provide visitors the ability to create, amend, and remove channels.

Guests have fewer skills than team members, but they can still accomplish a lot in channels, which is where the real work in Teams happens! To control this, team owners can establish visitor access for channels. See Guest capabilities in Teams for additional information.

In-depth – Step by step process – How to prevent employees downloading the Microsoft Teams app on mobile devices

Step by step breakdown

  • First sign in to your Office 365 account.

Use your account details or if you have a current Skype account with the Office account in question, you can use this.

  • Use the application launcher to navigate towards “Admin”.

The launcher is illustrated by nine dots in the right corner, click on it and find “Admin” as shown above.

  • In the admin dashboard, under “admin center”, click on “Azure Active Directory”(you may need to click “Show all” to access).

In this example “Azure Active Directory” was pinned to the menu bar, however, in your dashboard you may need to click on “show all” which will bring you to the Azure Active directory panel.

  • Click on “All services”.
  • Now click on “Azure AD Conditional Access”.
  • Click on “New policy”.
  • Name the policy.
  • Configure, users and groups to “All Users”.
  • Set – CA (cloud apps): (Include) “Microsoft Teams”
  • Set conditions to, Client Apps > Configure “Yes” > Select Client Apps > check “Browser” and “Mobile apps and desktop clients”
  •  Finally, Access Control, set as – Grant Access -> Check “Require Domain Joined” and “Require device to be marked as compliant”.

That’s it for this Blog thank you for taking time out to read our content, please feel free to email our team about how it went if you followed the steps or if you need more help with the questions we answered in this Blog.

Saajid Gangat

Saajid Gangat has been a researcher and content writer at Business Tech Planet since 2021. Saajid is a tech-savvy writer with expertise in web and graphic design and has extensive knowledge of Microsoft 365, Adobe, Shopify, WordPress, Wix, Squarespace, and more! You can connect with Saajid on Linkedin.

Recent Posts