Microsoft Intune: Application Protection Policies

Published on: August 19, 2023 | Reading Time: 3 min | Last Modified: August 19, 2023

App Protection Policy

Overview

Application protection policies (APP) are rules designed to keep an organization’s data secure and contained within a managed application. A policy can be a rule that is enforced when the user attempts to access or move “corporate” data, or a set of actions that are prohibited or monitored while the user is inside the app. A managed app is an app that has app protection policies applied to it and can be managed by Intune.

Mobile Application Management (MAM) app protection policies allow you to manage and protect your organization’s data within an application. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Microsoft Intune protected apps available for public use.

We can achieve Mobile Application Management (MAM) by leveraging App Protection Policies (APP). Configuration policies allow Intune to push certain requirements to devices.

Policies

|Policy Name|Operating System|Include Group|Description|
|--|--|--|--|
|Android_Outlook|Android|BYOD_Android_Users|Android app protection policy for the Microsoft Outlook app on unmanaged devices|
|Android_Teams|Android|BYOD_Android_Users|Android app protection policy for the Microsoft Teams app on unmanaged devices|
|iOS_Outlook|iOS|BYOD_iOS_Users|iOS app protection policy for the Microsoft Outlook app on unmanaged devices|
|iOS_Teams|iOS|BYOD_iOS_Users|iOS app protection policy for the Microsoft Teams app on unmanaged devices|

I will show one APP for reference: Android_Outlook.

Apps

|Settings|Configuration|
|--|--|
|Target to apps on all device types|No|
|Device types|Unmanaged|
|Public apps|Microsoft Outlook|

Data Protection

|Settings|Configuration|
|--|--|
|Prevent backups|Block|
|Send org data to other apps|Policy managed apps|
|Save copies of org data|Block|
|Allow user to save copies to selected services|OneDrive for Business, SharePoint|
|Transfer telecommunication data to|Any dialer app|
|Receive data from other apps|Policy managed apps|
|Open data into org documents|Block|
|Allow users to open data from selected services|Camera, Photo Library|
|Cut and copy character limit for any app|0|
|Screen capture and Google Assistant|Disable|
|Approved keyboards|Require|
|Select keyboards to approve|Gboard - the Google Keyboard: com.google.android.inputmethod.latin; Samsung Keyboard: com.sec.android.inputmethod; Google Indic Keyboard: com.google.android.apps.inputmethod.hindi; Google Pinyin Input: com.google.android.inputmethod.pinyin; Google Japanese Input: com.google.android.inputmethod.japanese; Google Korean Input: com.google.android.inputmethod.korean; Google Handwriting Input: com.google.android.apps.handwriting.ime; Google voice typing: com.google.android.googlequicksearchbox; Samsung voice input: com.samsung.android.svoiceime; Samsung Keyboard (Honeyboard): com.samsung.android.honeyboard; Android AOSP Keyboard: com.android.inputmethod.latin|
|Encrypt org data|Require|
|Encrypt org data on enrolled devices|Not required|
|Sync policy managed app data with native apps or add-ins|Block|
|Printing org data|Block|
|Restrict web content transfer with other apps|Any app|
|Org data notifications|Block org data|

Access Requirements

|Settings|Configuration|
|--|--|
|PIN for access|Require|
|PIN type|Numeric|
|Simple PIN|Block|
|Select minimum length|6|
|Biometrics instead of PIN for access|Allow|
|Override biometrics with PIN after timeout|Require|
|Timeout (minutes of inactivity)|30|
|Class 3 biometrics|Require|
|Override biometrics with PIN after biometric updates|Not required|
|PIN reset after number of days|Yes|
|Number of days|180|
|Select number of previous PIN values to maintain|5|
|App PIN when device PIN is set|Require|
|Work or school account credentials for access|Not required|
|Recheck the access requirements after (minutes of inactivity)|30|

Conditional launch

|Settings|Configuration|Action|
|--|--|--|
|Max PIN attempts|5|Reset PIN|
|Offline grace period (minutes)|720|Block access|
|Offline grace period (days)|5|Wipe data|
|Disabled account||Wipe data|
|Jailbroken/rooted devices||Block access|
|Min OS version|10.0|Block access|
|Min patch version|Current month - 5 months|Warn|
|Min patch version|Current month - 6 months|Block access|
|SafetyNet device attestation|Basic integrity and certified devices||
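As an added example (not from the original post and not Microsoft's code), the following Python drift check compares an exported Android policy against the baseline these tables describe, so that a weakened PIN length or a lengthened wipe grace period is caught before it silently stays in production. It assumes the Microsoft Graph androidManagedAppProtection property names used in the code and that durations arrive as ISO 8601 strings (for example PT12H); both are assumptions to verify against your own tenant's export.

```python
import re
from datetime import timedelta

# Baseline distilled from the Android_Outlook tables above. Property names are assumed
# to match Graph's androidManagedAppProtection resource; verify against a real export.
BASELINE = {
    "pinRequired": True,
    "pinCharacterSet": "numeric",
    "simplePinBlocked": True,
    "minimumPinLength": 6,
    "maximumPinRetries": 5,
    "dataBackupBlocked": True,
    "printBlocked": True,
    "encryptAppData": True,
    "minimumRequiredOsVersion": "10.0",
    "requiredAndroidSafetyNetDeviceAttestationType": "basicIntegrityAndDeviceCertification",
    # Graph stores these as ISO 8601 durations; the tables state minutes and days.
    "periodOfflineBeforeAccessCheck": timedelta(minutes=720),
    "periodOfflineBeforeWipeIsEnforced": timedelta(days=5),
    "periodBeforePinReset": timedelta(days=180),
}
DURATION_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")

def parse_iso_duration(value: str) -> timedelta:
    """Convert an ISO 8601 duration such as 'PT12H' or 'P5D' into a timedelta."""
    m = DURATION_RE.fullmatch(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def find_drift(exported: dict, baseline: dict = BASELINE) -> list:
    """Return one finding per baseline setting that is missing from or differs in the export."""
    findings = []
    for key, expected in baseline.items():
        if key not in exported:
            findings.append(f"{key}: missing (expected {expected})")
            continue
        actual = exported[key]
        if isinstance(expected, timedelta) and isinstance(actual, str):
            actual = parse_iso_duration(actual)  # normalise 'PT12H' -> 12:00:00
        if actual != expected:
            findings.append(f"{key}: expected {expected}, found {actual}")
    return findings

# Constructed sample export: PIN shortened, wipe grace period lengthened, attestation unset.
SAMPLE_EXPORT = {k: v for k, v in BASELINE.items() if not isinstance(v, timedelta)}
SAMPLE_EXPORT.update(minimumPinLength=4, periodOfflineBeforeAccessCheck="PT12H",
                     periodOfflineBeforeWipeIsEnforced="P90D", periodBeforePinReset="P180D")
del SAMPLE_EXPORT["requiredAndroidSafetyNetDeviceAttestationType"]
```

Running `find_drift(SAMPLE_EXPORT)` reports the three deviations and nothing else; feed it the JSON body of a real policy export in place of the constructed sample.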
