Manage Copilot in Edge & Microsoft 365 Apps on Mobile devices using Intune

-
 
I have finally jumped on the Copilot bandwagon and started familiarizing myself with the feature. For those who are unware or getting to know it like me, then it is Microsoft's latest AI-powered productivity tool that uses large language models (LLMs) and integrates data with the Microsoft Graph and Microsoft 365 apps and services. I don't intend to do a deep dive into what Copilot is as there is plenty of material available online for that, but I will like touch base on commercial data protection and what organizations can do to manage Copilot on mobile devices using Intune.

According to Microsoft,

To provide chat responses, Copilot uses global data centers for processing and may process data in the United States. Optional, Bing-backed connected experiences don't fall under Microsoft's EU Data Boundary (EUDB) commitment. They also don't fall under the terms of the Data Protection Addendum (DPA) which requires company data to remain inside geographic or tenant boundaries.

What about Organizations with strict data restriction policies?

In an enterprise setting, Microsoft has enabled commercial data protection to help business and educational organizations protect corporate data. This means that through Commercial data protection,  organizations can protect data whenever users access corporate resources with eligible work or school accounts against the use of Copilot. For this, organizations can now use the 'Commercial data protection for Microsoft Copilot' service plan under their Office 365 license to manage Copilot for their users. However, in absence of the required licenses or in case where organizations are not ready to fully rollout Copilot, they can chose to disable Copilot feature altogether. I have explored the configuration and will be covering the details for managing Copilot for Edge and Microsoft 365 Apps on mobile devices.

How to manage Copilot for Edge on Mobile devices?

Copilot for Edge can be managed using an app configuration profile against both managed devices and managed apps. During my testing, I found managed apps configuration to give more consistent results. Also, the same can work for both managed and un-enrolled devices. Therefore, I will be covering the configuration through a managed apps enrollment type.

2. Go under Apps->App configuration policies->Add->Managed Apps.
3. Provide a name.
4. Under Selected apps, add Microsoft Edge for both Android and iOS.
5. Add the necessary configuration settings as shown below -


6. Under General configuration settings, configure the following:

com.microsoft.intune.mam.managedbrowser.Chat value false (Default is true)
com.microsoft.intune.mam.managedbrowser.ChatPageContext value false (Default is true)


7. Deploy to all users or a user based group.

How to manage Copilot for Microsoft 365 Apps on Mobile devices?

Copilot for Microsoft 365 Apps can be managed using an app configuration profile against both managed devices and managed apps. Just like for Edge, I have used a managed apps enrollment type here as well.

2. Go under Apps->App configuration policies->Add->Managed Apps.
3. Provide a name.
4. Under Selected apps, add Microsoft Edge for both Android and iOS.
5. Add the necessary configuration settings as shown below -


Note: I have added other Office apps as well, but you don't need to if you are not using them in your organization.

6. Under General configuration settings, configure the following:

com.microsoft.office.officemobile.BingChatEnterprise.IsAllowed value false (Default is true)


7. Deploy to all users or a user based group.

End User Experience

On Android -

When both Microsoft Edge: AI Browser & Microsoft 365 (Office) are installed on the device and the management policy for Copilot has not yet applied from Intune, then the feature will be enabled as shown below -

  

After the policy is applied, Copilot button will disable and the settings will no longer be accessible either.

 

On iOS -

Just like in Android, when both Microsoft Edge: AI Browser &  Microsoft 365 (Office) are installed on the device and the management policy for Copilot has not yet applied from Intune, then the feature will be enabled as shown below -



After the policy is applied, Copilot button will disable and the settings will no longer be accessible.


From a compliance point of view, it can verified in Intune under App Configuration Status Reports -

Caveats:

1. App Configuration status report can take a while to update.
2. Managed Devices app configuration policy type for managing Copilot can give inconsistent results, just like it did during my testing. See below -

On Android, the policy didn't apply and threw an unknown error against Edge policy.


On iOS, the policy applied, but also threw the same Unknown error as above.

Final thoughts..

Copilot is accessible from copilot.microsoft.com, Bing.com/chat, Edge, and Windows. It’s also available through the Copilot, Bing, Edge, Microsoft Start, and Microsoft 365 mobile apps. Eligible users who sign in to Copilot services with Entra ID get commercial data protection. The important bit is that all chat data is processed by Microsoft and with commercial data protection, the data isn't retained nor used to train the underlying large language models. In my opinion, this is very important as data in all forms is like gold dust in today's fast moving day and age of Internet.

Comments

  1. abdullhananAugust 21, 2024 at 4:33 PM

    Thank you for bringing your best to work every single day. You are a pleasure to work with. Great job!
    Adobe GenP

    ReplyDelete
  2. Nanfor IbéricaAugust 27, 2024 at 8:19 PM

    Gracias por compartir tu blog aquí.

    SC-400: Microsoft Information Protection Administrator

    ReplyDelete
  3. Chuck BushSeptember 19, 2024 at 11:04 AM

    Thanks for the great post! The insights on managing Copilot in Edge for Microsoft 365 are incredibly useful. It’s impressive how these features can simplify workflows and enhance productivity. Understanding these tools is essential, especially for those of us in the managed IT services field. Your detailed explanations make it easier to implement these changes effectively. I appreciate your effort in sharing such valuable information.

    ReplyDelete
  4. IT FashionNovember 7, 2024 at 10:53 PM

    "Great article! You always have a way of making complex topics easy to understand.
    Adobe Express
    Fortnite"

    ReplyDelete
  5. huda victorNovember 20, 2024 at 1:39 PM

    Thanks for sharing it but I saw people who are using non genuine, cracked or pirated Office versions may face problems in the future so I searched and bought Microsoft Office 2024 Home and Business from ODosta Store which I think is a Microsoft product reseller.

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from starting pr
Read more