1. Correct: Ticking them will allow managed apps to see unmanaged data and vice versa. Obviously this is downgrading the security of the device a little, so have a think about the consequences of doing so.
2. Tags are the answer. As in the screenshot below, I've gone to profile configuration, and, because I want to EXCLUDE devices from this, I've selected WITHOUT ANY of the following tags and created a tag called ExemptFromStuff. I've then tagged the device with the same tag. This should exclude the device from this policy. Obviously, there's a tonne of flexibility here.
![Screen Shot 2022-07-13 at 9.19.16 AM.png](https://community.meraki.com/t5/image/serverpage/image-id/24485iBFACD3988F944FE2/image-size/medium?v=v2&px=400)