Limit the app store on work phones to an approved list.
On iOS supervised and Android Enterprise you can replace the App Store/Play Store with your own catalog of approved apps. For pure work phones this is clean: user only installs what you published. For BYOD it is wrong, you would touch the personal side.
Try this first
- 1iOS: create an Intune Device Configuration Profile that hides App Store, push apps via App Configuration Policies.
- 2Android Enterprise: Managed Google Play already provides a shielded store, only apps you approve appear.
- 3Build the list: Outlook, Teams, OneDrive, Authenticator, Edge, plus your sector apps (Exact, AFAS, accounting app, ConnectMaster, etc).
- 4User requests a new app via email or a Teams channel, you approve centrally.
When to bring us in
We build the first list with your team leads, configure Managed Play / Intune catalog, and set up the request flow.
See also
- Work and personal apps blur together on the same phoneAndroid Enterprise and iOS-with-Intune can enforce a work profile, isolating business apps in a separate container.
- Setting up Microsoft 365 on a new phoneOutlook, Teams, and OneDrive run smoothest if you install Authenticator first and sign the others in afterwards.
- Moving Authenticator to a new phoneMicrosoft Authenticator has built-in cloud backup. Run it before wiping the old device, otherwise everything has to be re-added by hand.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.