Creating and managing app protection policies in Microsoft Intune is a critical step for safeguarding sensitive organizational data on both managed and unmanaged devices. By implementing these policies, organizations ensure that mobile apps accessing work or school data adhere to predefined security settings. Whether the devices are corporate-owned or part of a Bring Your Own Device (BYOD) strategy, Intune offers a flexible solution to protect data, even on devices not fully managed by the organization.
Getting started with app protection policies
Before diving into the process, it’s essential to understand that app protection policies (APP) are applied at the app level, not the device level: they work with apps that integrate the Intune App SDK or have been wrapped with the Intune App Wrapping Tool, and they apply regardless of whether the device is enrolled in Intune. This makes it possible to secure work data across various scenarios, from corporate-managed devices to personal, unmanaged ones, because the policy is enforced by the app when a user signs in with a work or school account. For a detailed overview of how these policies function, refer to the official Microsoft documentation on app protection policies.
Tailoring security to organizational needs
Intune app protection policies allow organizations to customize settings based on their specific requirements. However, deciding which policy settings to implement may not always be straightforward. Microsoft has categorized the APP data protection framework into three levels, each progressively enhancing security:
- Level 1: Enterprise Basic Data Protection
  This entry-level configuration ensures apps are protected using basic security measures, such as PIN protection and encryption. Selective wipe capabilities are also included, allowing organizations to remove corporate data from the app without affecting personal data. For Android devices, device attestation is validated, ensuring the integrity of the device.
- Level 2: Enterprise Enhanced Data Protection
  At this level, policies introduce mechanisms to prevent data leakage and impose minimum operating system (OS) requirements. This configuration suits most mobile users accessing work-related data.
- Level 3: Enterprise High Data Protection
  Designed for users handling high-risk data, this level incorporates advanced protection features, such as stricter PIN settings and integration with mobile threat defense systems.
To review recommendations for each level and determine which apps should be protected, refer to Microsoft’s APP data protection framework.
Creating app protection policies for iOS and Android
Setting up app protection policies in Intune for iOS/iPadOS and Android devices involves a streamlined process. After signing into the Microsoft Intune admin center, follow these steps:
- 1. Navigate to Apps > App Protection Policies.
- 2. Select Create Policy and choose either iOS/iPadOS or Android.
- 3. On the basics page, input a policy name and, optionally, a description.
- 4. Define which apps will be protected. You can target:
- All Apps (Microsoft and partner apps with the Intune SDK),
- Microsoft Apps (those integrating the Intune SDK), or
- Core Microsoft Apps (e.g., Microsoft Edge, Office, OneDrive, Outlook).
For more granular control, you can also select specific public or custom apps. Public apps are commonly used apps supported by Microsoft Intune, while custom apps may include line-of-business (LOB) apps integrated using the Intune SDK or wrapped by the Intune App Wrapping Tool.
Next, you’ll configure the data protection settings, including restrictions on data transfer such as cut, copy, and paste, save-as, backup, and printing, followed by access requirements (PIN and biometrics) and conditional launch conditions (offline grace period, minimum OS and app versions). These settings help prevent data leaks by limiting how users can move corporate data out of protected apps.
Assigning and adjusting policies
Once the app protection policy is created, you must assign it to user groups for it to take effect. This can be done in the Assignments section, where you specify which groups of users should have the policy applied. You can also adjust existing policies by editing the assigned groups or the apps protected by the policy.
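The same policy can be created from PowerShell through Microsoft Graph, which is useful for keeping policies in source control and reproducing them across tenants. The script below is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the DeviceManagementApps.ReadWrite.All permission. The group ID is a placeholder, the app bundle IDs and the version baseline are assumptions to verify in your tenant, and the settings only approximate Level 2 of the APP framework and should be checked against the current framework document.

```powershell
# Added example: create, target and assign an iOS/iPadOS app protection policy
# via Microsoft Graph v1.0 instead of the admin center wizard.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$base = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

# Step 3-5 of the wizard: basics, data protection, access requirements, conditional launch.
# Values approximate Level 2 (Enterprise Enhanced); verify against the APP framework.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "APP - iOS - Level 2 Enhanced"
    description                             = "Enhanced data protection for managed and BYOD iOS devices"
    # Data transfer
    dataBackupBlocked                       = $true
    allowedOutboundDataTransferDestinations = "managedApps"          # org data only to policy-managed apps
    allowedInboundDataTransferSources       = "allApps"
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    contactSyncBlocked                      = $true
    printBlocked                            = $true
    managedBrowserToOpenLinksRequired       = $true
    managedBrowser                          = "microsoftEdge"
    # Encryption
    appDataEncryptionType                   = "whenDeviceLocked"
    # Access requirements
    pinRequired                             = $true
    pinCharacterSet                         = "numeric"
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    disableAppPinIfDevicePinIsSet           = $false
    # Conditional launch
    periodOfflineBeforeAccessCheck          = "PT12H"   # 720 min offline, then block access
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeWipeIsEnforced       = "P90D"    # 90 days offline triggers selective wipe
    minimumWarningOsVersion                 = "17.0"    # ASSUMPTION: choose your own baseline
}
$created  = Invoke-MgGraphRequest -Method POST -Uri $base `
              -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"
$policyId = $created.id

# Step 4 of the wizard: the apps the policy protects. Listing apps explicitly is the
# Graph equivalent of picking "Core Microsoft Apps" in the portal.
$bundleIds = @("com.microsoft.Office.Outlook", "com.microsoft.msedge", "com.microsoft.skydrive")  # ASSUMPTION: verify
$targetApps = @{
    apps = @($bundleIds | ForEach-Object {
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$policyId/targetApps" `
    -Body ($targetApps | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assignment: app protection policies target user groups, not devices.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = "00000000-0000-0000-0000-000000000000" } }  # placeholder group ID
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$policyId/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Check the result: the policy with its targeted apps and assignments.
Invoke-MgGraphRequest -Method GET -Uri "$base/$policyId`?`$expand=apps,assignments"
```

Run the final GET before creating any Conditional Access policy that requires an app protection policy, so you can confirm the policy is assigned to the intended group and lists the expected apps; the same three calls with `androidManagedAppProtections` and `androidMobileAppIdentifier` (package name instead of bundle ID) cover the Android policy.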
Microsoft Intune app protection policies provide flexibility, allowing organizations to create different policies based on whether the device is managed or unmanaged. For instance, stricter data loss prevention (DLP) controls might be applied to unmanaged devices, while a more relaxed policy could be used for fully managed devices.
Managing changes and updates
Policies are not static. If there’s a need to update the apps or user groups associated with a policy, this can be done by accessing the App Protection Policies section in the admin center and selecting the policy to modify. Additionally, app protection policies are designed to be adaptable, allowing IT administrators to refine settings as organizational needs evolve.
It’s important to note that app protection policies are not applied instantly: a protected app picks up the policy at its next check-in after the user signs in, and users may be prompted to restart the app or set a PIN when the new settings are enforced. Always ensure that app protection policies are created and assigned before you create Conditional Access rules that require an app protection policy; otherwise users in the targeted group will be blocked from their apps until a policy reaches them.
Conclusion
App protection policies in Intune provide organizations with robust tools to secure corporate data on mobile devices, whether they are managed or unmanaged. By implementing the right policy configurations, businesses can maintain control over sensitive information without hindering user productivity. To ensure comprehensive protection for your mobile workforce, consider leveraging AVASOFT’s expertise in Microsoft Intune to create and manage tailored app protection policies for your organization.