App protection policies overview
App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it and can be managed by Intune.

Mobile Application Management (MAM) app protection policies allow you to manage and protect your organization's data within an application. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Microsoft Intune protected apps available for public use.

How you can protect app data

Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you want to prevent data loss, intentional and unintentional. You'll also want to protect company data that is accessed from devices that are not managed by you.

You can use Intune app protection policies independent of any mobile device management (MDM) solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

App protection policies on devices

App protection policies can be configured for apps that run on devices that are:
Important: You can create mobile app management policies for Office mobile apps that connect to Microsoft 365 services. You can also protect access to Exchange on-premises mailboxes by creating Intune app protection policies for Outlook for iOS/iPadOS and Android enabled with hybrid Modern Authentication. Before using this feature, make sure you meet the Outlook for iOS/iPadOS and Android requirements. App protection policies are not supported for other apps that connect to on-premises Exchange or SharePoint services.

Benefits of using App protection policies

The important benefits of using App protection policies are the following:
There are additional benefits to using MDM with App protection policies, and companies can use App protection policies with and without MDM at the same time. For example, consider an employee who uses both a phone issued by the company and their own personal tablet. The company phone is enrolled in MDM and protected by App protection policies, while the personal device is protected by App protection policies only.

If you apply a MAM policy to the user without setting the device state, the user gets the MAM policy on both the BYOD device and the Intune-managed device. You can also apply a MAM policy based on the managed state. So when you create an app protection policy, next to Target to all app types, you'd select No. Then do any of the following:
Supported platforms for app protection policies

Intune offers a range of capabilities to help you get the apps you need on the devices you want to run them on. For more information, see App management capabilities by platform.

Intune app protection policies platform support aligns with Office mobile application platform support for Android and iOS/iPadOS devices. For details, see the Mobile apps section of Office System Requirements.

Important: The Intune Company Portal is required on the device to receive App Protection Policies on Android.

App protection policy data protection framework

The choices available in app protection policies (APP) enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:
To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.

How app protection policies protect app data

Apps without app protection policies

When apps are used without restrictions, company and personal data can get intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. The arrows in the following diagram show unrestricted data movement between both corporate and personal apps, and to storage locations.

Data protection with app protection policies (APP)

You can use App protection policies to prevent company data from saving to the local storage of the device (see the image below). You can also restrict data movement to other apps that aren't protected by App protection policies. App protection policy settings include:
Data protection with APP on devices managed by an MDM solution

The illustration below shows the layers of protection that MDM and App protection policies offer together. The MDM solution adds value by providing the following:
The App protection policies add value by providing the following:
Data protection with APP for devices without enrollment

The following diagram illustrates how the data protection policies work at the app level without MDM. For BYOD devices not enrolled in any MDM solution, App protection policies can help protect company data at the app level. However, there are some limitations to be aware of, such as:
Apps you can manage with app protection policies

Any app that has been integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool can be managed using Intune app protection policies. See the official list of Microsoft Intune protected apps that have been built using these tools and are available for public use.

The Intune SDK development team actively tests and maintains support for apps built with the native Android, iOS/iPadOS (Obj-C, Swift), Xamarin, and Xamarin.Forms platforms. While some customers have had success with Intune SDK integration with other platforms such as React Native and NativeScript, we do not provide explicit guidance or plugins for app developers using anything other than our supported platforms.

End-user requirements to use app protection policies

The following list provides the end-user requirements to use app protection policies on an Intune-managed app:
App protection policies for Microsoft Office apps

There are a few additional requirements that you want to be aware of when using App protection policies with Microsoft Office apps.

Outlook mobile app

The additional requirements to use the Outlook mobile app include the following:
Word, Excel, and PowerPoint

The additional requirements to use the Word, Excel, and PowerPoint apps include the following:
Managed location needed for Office

A managed location (i.e. OneDrive) is needed for Office. Intune marks all data in the app as either "corporate" or "personal". Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations: email (Exchange) or cloud storage (OneDrive app with a OneDrive for Business account).

Skype for Business

There are additional requirements to use Skype for Business. See Skype for Business license requirements. For Skype for Business (SfB) hybrid and on-prem configurations, see Hybrid Modern Auth for SfB and Exchange goes GA and Modern Auth for SfB OnPrem with Azure AD, respectively.

App protection Global policy

If a OneDrive administrator browses to admin.onedrive.com and selects Device access, they can set Mobile application management controls to the OneDrive and SharePoint client apps. The settings, made available to the OneDrive Admin console, configure a special Intune app protection policy called the Global policy. This global policy applies to all users in your tenant, and has no way to control the policy targeting.

Once enabled, the OneDrive and SharePoint apps for iOS/iPadOS and Android are protected with the selected settings by default. An IT Pro can edit this policy in the Intune console to add more targeted apps and to modify any policy setting.

By default, there can only be one Global policy per tenant. You can use Intune Graph APIs to create extra global policies per tenant, but doing so isn't recommended, because troubleshooting the implementation of such a policy can become complicated.

While the Global policy applies to all users in your tenant, any standard Intune app protection policy will override these settings.

App protection features

Multi-identity

Multi-identity support allows an app to support multiple audiences. These audiences are both "corporate" users and "personal" users.
Work and school accounts are used by "corporate" audiences, whereas personal accounts would be used for consumer audiences, such as Microsoft Office users. An app that supports multi-identity can be released publicly, where app protection policies apply only when the app is used in the work and school ("corporate") context. Multi-identity support uses the Intune SDK to only apply app protection policies to the work or school account signed into the app. If a personal account is signed into the app, the data is untouched.

App protection policies can be used to prevent the transfer of work or school account data to personal accounts within the multi-identity app, personal accounts within other apps, or personal apps.

Important: Regardless of whether an app supports multi-identity, only a single "corporate" identity can have an Intune App Protection Policy applied.

For an example of "personal" context, consider a user who starts a new document in Word. This is considered personal context, so Intune App Protection policies are not applied. Once the document is saved on the "corporate" OneDrive account, it is considered "corporate" context and Intune App Protection policies are applied. Consider the following examples for the work or "corporate" context:
Note: Outlook has a combined email view of both "personal" and "corporate" emails. In this situation, the Outlook app prompts for the Intune PIN on launch.

Important: Although Edge is in "corporate" context, users can intentionally move OneDrive "corporate" context files to an unknown personal cloud storage location. To avoid this, see Manage restricted web sites and configure the allowed/blocked site list for Edge.

Intune app PIN

The Personal Identification Number (PIN) is a passcode used to verify that the correct user is accessing the organization's data in an application.

PIN prompt

PIN prompt, or corporate credential prompt, frequency
For iOS/iPadOS devices, even if the PIN is shared between apps from different publishers, the prompt will show up again when the Recheck the access requirements after (minutes) value is met again for the app that is not the main input focus. So, for example, a user has app A from publisher X and app B from publisher Y, and those two apps share the same PIN. The user is focused on app A (foreground), and app B is minimized. After the Recheck the access requirements after (minutes) value is met and the user switches to app B, the PIN would be required.

Note: In order to verify the user's access requirements more often (i.e. PIN prompt), especially for a frequently used app, it is recommended to reduce the value of the 'Recheck the access requirements after (minutes)' setting.

Built-in app PINs for Outlook and OneDrive

Intune PIN security

Protecting against brute force attacks and the Intune PIN

Intune PIN and a selective wipe

For example, a PIN set for Outlook for the signed-in user is stored in a shared keychain. When the user signs into OneDrive (also published by Microsoft), they will see the same PIN as Outlook since it uses the same shared keychain. When signing out of Outlook or wiping the user data in Outlook, the Intune SDK does not clear that keychain because OneDrive might still be using that PIN. Because of this, selective wipes do not clear that shared keychain, including the PIN.

This behavior remains the same even if only one app by a publisher exists on the device. Since the PIN is shared amongst apps with the same publisher, if the wipe goes to a single app, the Intune SDK does not know if there are any other apps on the device with the same publisher. Thus, the Intune SDK does not clear the PIN since it might still be used for other apps. The expectation is that the app PIN will be wiped when the last app from that publisher is eventually removed as part of OS cleanup.

If you observe the PIN being wiped on some devices, the following is likely happening: since the PIN is tied to an identity, if the user signed in with a different account after a wipe, they will be prompted to enter a new PIN. However, if they sign in with a previously existing account, a PIN already stored in the keychain can be used to sign in.

Setting a PIN twice on apps from the same publisher?

In order to support this feature and ensure backward compatibility with previous versions of the Intune SDK for iOS/iPadOS, all PINs (either numeric or passcode) in 7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK. Another change was introduced in the Intune SDK for iOS v 14.6.0 that causes all PINs in 14.6.0+ to be handled separately from any PINs in previous versions of the SDK.
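To make the two version boundaries concrete, here is an added Python model of which apps present the same PIN; it is an illustration written for this page, not Intune SDK code. It treats the two statements above together as three PIN "generations" (before 7.1.12, from 7.1.12 up to 14.6.0, and 14.6.0 or later) and requires a shared publisher keychain, which is a reading of this section rather than anything the SDK exposes. The app names, publishers and SDK versions are constructed; apps A to D follow the Note that comes next, and E and F are added to show the general rule.

```python
"""Added illustration, not Intune SDK code: which iOS/iPadOS apps from one
publisher present the same Intune app PIN, based on the two SDK version
boundaries described in this section (7.1.12 and 14.6.0). App names,
publishers and SDK versions below are constructed for the example."""
from dataclasses import dataclass

# SDK versions at which PIN handling was separated from all earlier versions.
# Reading both statements together gives three PIN "generations":
#   before 7.1.12 | 7.1.12 up to (not including) 14.6.0 | 14.6.0 and later
PIN_BOUNDARIES = ((7, 1, 12), (14, 6, 0))


def parse_version(text):
    """'7.1.12' -> (7, 1, 12); a missing component counts as 0 so '14.6' == '14.6.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def pin_generation(sdk_version):
    """0, 1 or 2: how many boundaries the app's SDK version has crossed."""
    version = parse_version(sdk_version)
    return sum(1 for boundary in PIN_BOUNDARIES if version >= boundary)


@dataclass(frozen=True)
class ManagedApp:
    name: str
    publisher: str    # apps share a keychain only within one publisher
    sdk_version: str  # Intune SDK for iOS version the app was built with


def shares_pin(app_a, app_b):
    """Same publisher (same shared keychain) and same PIN generation."""
    return (app_a.publisher == app_b.publisher
            and pin_generation(app_a.sdk_version) == pin_generation(app_b.sdk_version))


def pin_groups(apps):
    """Partition the installed apps into sets that present one PIN each; the
    user has to set up as many PINs as there are sets."""
    groups = {}
    for app in apps:
        key = (app.publisher, pin_generation(app.sdk_version))
        groups.setdefault(key, []).append(app.name)
    return sorted(groups.values())


# Constructed scenario: apps A to D as in the Note of this section, plus
# E (a 14.6.0+ build) and F (another publisher) to show the general rule.
APPS = [
    ManagedApp("A", "Contoso", "7.1.9"),
    ManagedApp("B", "Contoso", "7.1.12"),
    ManagedApp("C", "Contoso", "7.1.9"),
    ManagedApp("D", "Contoso", "7.1.14"),
    ManagedApp("E", "Contoso", "14.6.2"),
    ManagedApp("F", "Fabrikam", "7.1.9"),
]

if __name__ == "__main__":
    for group in pin_groups(APPS):
        print("one PIN shared by:", ", ".join(group))
```

Running it lists four PIN sets for the six constructed apps: A with C, B with D, E alone, and F alone. Only the first two sets are stated on this page; the third and fourth follow from the 14.6.0 boundary and the per-publisher keychain, and whether two sets may hold the same PIN value still depends on each app's policy, as the text explains.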
Therefore, if a device has applications with Intune SDK for iOS versions before 7.1.12 AND after 7.1.12 from the same publisher (or versions before 14.6.0 AND after 14.6.0), the user will have to set up two PINs. The two PINs (for each app) are not related in any way (i.e. they must adhere to the app protection policy that's applied to the app). As such, only if apps A and B have the same policies applied (with respect to PIN) may the user set up the same PIN twice. This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with Intune Mobile App Management. Over time, as applications adopt later versions of the Intune SDK for iOS/iPadOS, having to set a PIN twice on apps from the same publisher becomes less of an issue. Please see the note below for an example.

Note: For example, if app A is built with a version prior to 7.1.12 (or 14.6.0) and app B is built with a version greater than or equal to 7.1.12 (or 14.6.0) from the same publisher, the end user will need to set up PINs separately for A and B if both are installed on an iOS/iPadOS device. If an app C that has SDK version 7.1.9 (or 14.5.0) is installed on the device, it will share the same PIN as app A. An app D built with 7.1.14 (or 14.6.2) will share the same PIN as app B.

App data encryption

IT administrators can deploy an app protection policy that requires app data to be encrypted. As part of the policy, the IT administrator can also specify when the content is encrypted.

How does Intune data encryption process

Data that is encrypted
For line-of-business apps managed by the Intune App Wrapping Tool, all app data is considered "corporate".

Selective wipe

Remotely wipe data
For more information about remote wipe for MDM, see Remove devices by using wipe or retire. For more information about selective wipe using MAM, see the Retire action and How to wipe only corporate data from apps.

Full device wipe removes all user data and settings from the device by restoring the device to its factory default settings. The device is removed from Intune.

Note: Full device wipe, and selective wipe for MDM, can only be achieved on devices enrolled with Intune mobile device management (MDM).

Selective wipe for MDM

Selective wipe for MAM

If the user is using the app when selective wipe is initiated, the Intune SDK checks every 30 minutes for a selective wipe request from the Intune MAM service. It also checks for selective wipe when the user launches the app for the first time and signs in with their work or school account.

When On-Premises (on-prem) services don't work with Intune protected apps

Secure way to open web links from managed apps

App protection experience for iOS devices

Device fingerprint or face IDs

Intune app protection policies allow control over app access to only the Intune licensed user. One of the ways to control access to the app is to require either Apple's Touch ID or Face ID on supported devices. Intune implements a behavior where if there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint or face. If the Intune user does not have a PIN set, they are led to set up an Intune PIN. The intent of this process is to continue keeping your organization's data within the app secure and protected at the app level.

This feature is only available for iOS/iPadOS, and requires the participation of applications that integrate the Intune SDK for iOS/iPadOS, version 9.0.1 or later. Integration of the SDK is necessary so that the behavior can be enforced on the targeted applications.
This integration happens on a rolling basis and is dependent on the specific application teams. Some apps that participate include WXP, Outlook, Managed Browser, and Yammer.

You can use the iOS/iPadOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to managed apps only or no apps. Intune app protection policy cannot control the iOS/iPadOS share extension without managing the device. Therefore, Intune encrypts "corporate" data before it is shared outside the app. You can validate this encryption behavior by attempting to open a "corporate" file outside of the managed app. The file should be encrypted and unable to be opened outside the managed app.

Universal Links support

By default, Intune app protection policies will prevent access to unauthorized application content. In iOS/iPadOS, there is functionality to open specific content or applications using Universal Links. Users can disable an app's Universal Links by visiting them in Safari and selecting Open in New Tab or Open. In order to use Universal Links with Intune app protection policies, it's important to re-enable the universal links. The end user would need to do an Open in <app name> in Safari after long pressing a corresponding link. This should prompt any additional protected app to route all Universal Links to the protected application on the device.

Multiple Intune app protection access settings for same set of apps and users

Intune app protection policies for access will be applied in a specific order on end-user devices as they try to access a targeted app from their corporate account. In general, a wipe would take precedence, followed by a block, then a dismissible warning. For example, if applicable to the specific user/app, a minimum iOS/iPadOS operating system setting that warns a user to update their iOS/iPadOS version will be applied after the minimum iOS/iPadOS operating system setting that blocks the user from access.
So, in the scenario where the IT admin configures the min iOS operating system to 11.0.0.0 and the min iOS operating system (Warning only) to 11.1.0.0, while the device trying to access the app was on iOS 10, the end user would be blocked based on the more restrictive setting for min iOS operating system version that results in blocked access.

When dealing with different types of settings, an Intune SDK version requirement would take precedence, then an app version requirement, followed by the iOS/iPadOS operating system version requirement. Then, any warnings for all types of settings in the same order are checked. We recommend the Intune SDK version requirement be configured only upon guidance from the Intune product team for essential blocking scenarios.

App protection experience for Android devices

Note: App protection policies are not supported on Intune managed Android Enterprise dedicated devices. If your users on Android Enterprise dedicated devices have APP policies applied for another device, then you'll want to take the following steps:
Note that users targeted with APP policies on non-dedicated devices will not be impacted.

Microsoft Teams Android devices

The Teams app on Microsoft Teams Android devices does not support APP (does not receive policy through the Company Portal app). This means that app protection policy settings will not be applied to Teams on Microsoft Teams Android devices. If you have app protection policies configured for these devices, consider creating a group of Teams device users and exclude that group from the related app protection policies. Additionally, consider modifying your Intune Enrollment Policy, Conditional Access Policies and Intune Compliance policies so they have supported settings. If you cannot change your existing policies, you must configure (exclusion) Device Filters. Verify each setting against the existing Conditional Access configuration and Intune Compliance policy to know if you have unsupported settings. For related information see Supported Conditional Access and Intune device compliance policies for Microsoft Teams Rooms and Teams Android Devices. For information related to Microsoft Teams Rooms, see Conditional Access and Intune compliance for Microsoft Teams Rooms.

Device biometric authentication

For Android devices that support biometric authentication, you can allow end users to use fingerprint or Face Unlock, depending on what their Android device supports. You can configure whether all biometric types beyond fingerprint can be used to authenticate. Note that fingerprint and Face Unlock are only available for devices manufactured to support these biometric types and are running the correct version of Android. Android 6 and higher is required for fingerprint, and Android 10 and higher is required for Face Unlock.

Company Portal app and Intune app protection

Much of app protection functionality is built into the Company Portal app. Device enrollment is not required even though the Company Portal app is always required.
For Mobile Application Management (MAM), the end user just needs to have the Company Portal app installed on the device.

Multiple Intune app protection access settings for same set of apps and users

Intune app protection policies for access will be applied in a specific order on end-user devices as they try to access a targeted app from their corporate account. In general, a block would take precedence, then a dismissible warning. For example, if applicable to the specific user/app, a minimum Android patch version setting that warns a user to take a patch upgrade will be applied after the minimum Android patch version setting that blocks the user from access. So, in the scenario where the IT admin configures the min Android patch version to 2018-03-01 and the min Android patch version (Warning only) to 2018-02-01, while the device trying to access the app was on a patch version 2018-01-01, the end user would be blocked based on the more restrictive setting for min Android patch version that results in blocked access.

When dealing with different types of settings, an app version requirement would take precedence, followed by the Android operating system version requirement and the Android patch version requirement. Then, any warnings for all types of settings in the same order are checked.

Intune app protection policies and Google's SafetyNet Attestation for Android devices

Intune app protection policies provide the capability for admins to require end-user devices to pass Google's SafetyNet Attestation for Android devices. A new Google Play service determination will be reported to the IT admin at an interval determined by the Intune service. How often the service call is made is throttled due to load, thus this value is maintained internally and is not configurable. Any IT admin configured action for the Google SafetyNet Attestation setting will be taken based on the last reported result to the Intune service at the time of conditional launch.
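The two evaluation orders above (iOS/iPadOS: SDK version, then app version, then OS version; Android: app version, then OS version, then patch version; in both cases every blocking setting before every warning) are easier to reason about as a small decision procedure. The following Python model is an added example written for this page, not Intune code: the setting dictionaries, the device-state dictionary and the sample values are constructed, and the wipe/block/warn action order is taken from the iOS section above (the Android section lists only block and warn). The SafetyNet result is a separate check handled by the service and is not modeled here.

```python
"""Added model, not Intune code: the order in which conditional-launch
settings are evaluated, as described in this article for iOS/iPadOS and
Android. The setting dictionaries, the device-state dictionary and the
sample values are constructed for this example."""
from datetime import date

# Action precedence: wipe, then block, then dismissible warning. The Android
# section above lists only block and warn; keeping wipe first covers iOS too.
ACTION_ORDER = ("wipe", "block", "warn")

# Precedence among setting types, per platform, as stated in this article.
KIND_ORDER = {
    "ios": ("sdk_version", "app_version", "os_version"),
    "android": ("app_version", "os_version", "patch_version"),
}


def _comparable(kind, value):
    """Android patch levels are ISO dates; everything else is a dotted version,
    zero-padded so that '11.1' compares equal to '11.1.0.0'."""
    if kind == "patch_version":
        return date.fromisoformat(value)
    parts = [int(p) for p in value.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def below_minimum(kind, device_value, minimum):
    return _comparable(kind, device_value) < _comparable(kind, minimum)


def evaluate_conditional_launch(platform, settings, device):
    """settings: list of {"kind", "action", "minimum"} (constructed shape).
    device: {kind: value currently reported by the device}.
    Returns ("allow", None), or (action, kind) of the first failing check in
    precedence order: every wipe setting before every block setting before
    every warning, and within one action the platform's kind order."""
    for action in ACTION_ORDER:
        for kind in KIND_ORDER[platform]:
            for setting in settings:
                if setting["action"] != action or setting["kind"] != kind:
                    continue
                if kind in device and below_minimum(kind, device[kind], setting["minimum"]):
                    return action, kind
    return "allow", None


# Constructed settings mirroring the two scenarios in this article, plus an
# app-version requirement on each platform to show the type precedence.
IOS_SETTINGS = [
    {"kind": "os_version", "action": "block", "minimum": "11.0.0.0"},
    {"kind": "os_version", "action": "warn", "minimum": "11.1.0.0"},
    {"kind": "app_version", "action": "block", "minimum": "2.0"},
]
ANDROID_SETTINGS = [
    {"kind": "patch_version", "action": "block", "minimum": "2018-03-01"},
    {"kind": "patch_version", "action": "warn", "minimum": "2018-02-01"},
    {"kind": "app_version", "action": "warn", "minimum": "5.0"},
]

if __name__ == "__main__":
    print(evaluate_conditional_launch("ios", IOS_SETTINGS,
                                      {"os_version": "10", "app_version": "2.3"}))
    print(evaluate_conditional_launch("android", ANDROID_SETTINGS,
                                      {"patch_version": "2018-01-01", "app_version": "4.9"}))
```

With the article's values, an iOS 10 device is blocked on the OS version setting and an Android device at patch level 2018-01-01 is blocked on the patch version setting, even though both also fail a warning-only setting; a device that satisfies every block but not every warning gets the dismissible warning instead. When the same device fails an app-version block and an OS-version block, the app-version result is reported first, which is the type precedence the text describes.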
If there is no data, access will be allowed provided no other conditional launch checks fail, and a Google Play Service "roundtrip" for determining attestation results will begin in the backend and prompt the user asynchronously if the device has failed. If there is stale data, access will be blocked or allowed depending on the last reported result, and similarly, a Google Play Service "roundtrip" for determining attestation results will begin and prompt the user asynchronously if the device has failed.

Intune app protection policies and Google's Verify Apps API for Android devices

Intune App Protection Policies provide the capability for admins to require end-user devices to send signals via Google's Verify Apps API for Android devices. The instructions on how to do this vary slightly by device. The general process involves going to the Google Play Store, then clicking on My apps & games, then clicking on the result of the last app scan, which will take you into the Play Protect menu. Ensure the toggle for Scan device for security threats is switched on.

Google's SafetyNet Attestation API

Intune leverages Google Play Protect SafetyNet APIs to add to our existing root detection checks for unenrolled devices. Google has developed and maintained this API set for Android apps to adopt if they do not want their apps to run on rooted devices. The Android Pay app has incorporated this, for example. While Google does not share publicly the entirety of the root detection checks that occur, we expect these APIs to detect users who have rooted their devices. These users can then be blocked from accessing, or their corporate accounts wiped from their policy enabled apps.

Check basic integrity tells you about the general integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Check basic integrity & certified devices tells you about the compatibility of the device with Google's services.
Only unmodified devices that have been certified by Google can pass this check. Devices that will fail include the following:
See Google's documentation on the SafetyNet Attestation for technical details.

SafetyNet device attestation setting and the 'jailbroken/rooted devices' setting

Google Play Protect's SafetyNet API checks require the end user to be online, at least for the duration of the time when the "roundtrip" for determining attestation results executes. If the end user is offline, the IT admin can still expect a result to be enforced from the jailbroken/rooted devices setting. That being said, if the end user has been offline too long, the Offline grace period value comes into play, and all access to work or school data is blocked once that timer value is reached, until network access is available. Turning on both settings allows for a layered approach to keeping end-user devices healthy, which is important when end users access work or school data on mobile.

Google Play Protect APIs and Google Play Services

The app protection policy settings that leverage Google Play Protect APIs require Google Play Services to function. Both the SafetyNet device attestation and Threat scan on apps settings require a Google-determined version of Google Play Services to function correctly. Since these are settings that fall in the area of security, the end user will be blocked if they have been targeted with these settings and are not meeting the appropriate version of Google Play Services or have no access to Google Play Services.

Next steps

How to create and deploy app protection policies with Microsoft Intune
Available Android app protection policy settings with Microsoft Intune
Available iOS/iPadOS app protection policy settings with Microsoft Intune