Intune App Protection Policies
Last updated: October 26, 2023
Introduction to App Protection Policies
Microsoft Intune app protection policies (APP) protect your organization's data by controlling the applications your users access it with. APP helps prevent sensitive data from leaking when it is used on mobile devices and desktops.
With app protection policies, you can:
- Wipe corporate data from an app without affecting personal data.
- Encrypt app data.
- Prevent copy/paste operations between managed and unmanaged apps.
- Prevent apps from running on jailbroken or rooted devices.
- Require a PIN for app access.
Key Concepts
Managed Apps
A managed app is an application that has Intune app protection policies applied to it. These policies can be configured through the Microsoft Endpoint Manager admin center.
Data Protection
App protection policies offer a robust set of data protection features, including:
- Data Transfer Restrictions: Control how data can be moved in and out of managed apps. You can choose to block data transfer to other apps, allow it only to other managed apps, or allow it to all apps.
- Backup Restrictions: Prevent app data from being backed up to cloud services like iCloud or Google Drive.
- Save As Restrictions: Control where users can save files created within managed apps.
- App PIN: Enforce a PIN code to access managed apps, adding an extra layer of security.
- App Encryption: Encrypt data within managed apps to protect it even if the device is lost or stolen.
Device Compliance
While app protection policies primarily focus on app data, they can work in conjunction with device compliance policies to ensure a secure endpoint environment. Unlike compliance policies, app protection policies can also be applied to devices that are not enrolled in Intune, making them a flexible solution for BYOD (Bring Your Own Device) scenarios.
Creating and Deploying an App Protection Policy
Follow these steps to create and deploy an app protection policy in the Microsoft Endpoint Manager admin center:
- Navigate to Apps > App protection policies.
- Click Create policy.
- Select the platform (iOS/iPadOS or Android).
- On the Basics page, enter a Name and optional Description for the policy.
- On the Apps page, select the apps to which you want to apply the policy. You can choose from public apps (available in app stores) or custom line-of-business apps.
- On the Data protection page, configure your desired data protection settings, such as restricting cut, copy, and paste, or encrypting app data.
- On the Access requirements page, configure settings for PIN requirements and sign-in credentials.
- On the Conditional launch page, you can configure policies that are triggered based on device compliance or other conditions.
- On the Assignments page, select the users or groups to whom this policy will apply.
- Review your settings and click Create.
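The same wizard steps can be carried out against Microsoft Graph, which is useful when the same policy has to be reproduced across tenants. The script below is an added example, not code from the original page or from Microsoft. It assumes the Graph v1.0 collection deviceAppManagement/iosManagedAppProtections with its targetApps and assign actions and the property names of the iosManagedAppProtection resource type; the app bundle id, group id and token handling are constructed placeholders.

```python
"""Create, target and assign an iOS/iPadOS app protection policy via Microsoft Graph.

Added example, not from the original page or from Microsoft. Assumed: the
v1.0 collection deviceAppManagement/iosManagedAppProtections, its targetApps
and assign actions, and the iosManagedAppProtection property names. Bundle id,
group id and token below are constructed placeholders.
"""
import json
import os
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def build_policy_body(name, description="", min_pin_length=6):
    """Request body mirroring the Data protection, Access requirements and
    Conditional launch pages of the admin center wizard."""
    if min_pin_length < 4:
        raise ValueError("Intune requires a minimum PIN length of at least 4")
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "description": description,
        # Data protection page: org data only flows to other policy-managed apps
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "dataBackupBlocked": True,
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "appDataEncryptionType": "whenDeviceLocked",
        # Access requirements page
        "pinRequired": True,
        "minimumPinLength": min_pin_length,
        "simplePinBlocked": True,
        "pinCharacterSet": "numeric",
        "periodBeforePinReset": "P90D",
        "organizationalCredentialsRequired": False,
        # Conditional launch page
        "maximumPinRetries": 5,
        "deviceComplianceRequired": True,
        "periodOfflineBeforeWipeIsEnforced": "P90D",
    }


def targeted_apps(bundle_ids):
    """Body for the targetApps action: public iOS apps the policy applies to."""
    return {
        "apps": [
            {
                "mobileAppIdentifier": {
                    "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                    "bundleId": bundle_id,
                }
            }
            for bundle_id in bundle_ids
        ]
    }


def group_assignment(group_id):
    """Body for the assign action: target the policy at one group, not individual users."""
    return {
        "assignments": [
            {
                "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "groupId": group_id,
                }
            }
        ]
    }


def graph_post(path, token, body):
    """POST a JSON body to Graph; return the decoded response (empty for 204)."""
    req = urllib.request.Request(
        GRAPH_BASE + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def deploy_policy(token, name, bundle_ids, group_id):
    """The wizard as three Graph calls: create the policy, target apps, assign a group."""
    base = "/deviceAppManagement/iosManagedAppProtections"
    policy_id = graph_post(base, token, build_policy_body(name))["id"]
    graph_post(f"{base}/{policy_id}/targetApps", token, targeted_apps(bundle_ids))
    graph_post(f"{base}/{policy_id}/assign", token, group_assignment(group_id))
    return policy_id


if __name__ == "__main__":
    # Token needs DeviceManagementApps.ReadWrite.All; without one, just print the body.
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print(deploy_policy(token, "iOS - Office apps APP",
                            ["com.microsoft.officemobile"],  # placeholder bundle id
                            "00000000-0000-0000-0000-000000000000"))  # placeholder group
    else:
        print(json.dumps(build_policy_body("iOS - Office apps APP"), indent=2))
```

Run it without GRAPH_TOKEN to review the generated body before touching a tenant; the three calls in deploy_policy correspond to the Basics/Data protection/Access requirements pages, the Apps page and the Assignments page respectively.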
Policy Settings Explained
Data Transfer
This section allows you to control the flow of data between managed and unmanaged applications. Options include:
- Policy: Allow, Block, or use "Policy managed apps" (meaning, allow transfer only to other apps with app protection policies applied).
- Paste from: Control whether users can paste data from managed apps into other apps.
- Copy to: Control whether users can copy data from managed apps to other apps.
Encryption and Save Operations
Configure settings related to data encryption and saving files:
- Require encrypted backup: Choose whether to encrypt app data when backed up.
- Save copies of organizational data: Restrict users from saving copies of organizational data to personal storage locations.
Access Requirements
Enhance security with access controls:
- Require PIN for access: Enforce a PIN to open managed apps.
- Minimum PIN length: Set the minimum required length for the PIN.
- Require simple PIN: Allow or disallow simple PINs (e.g., 1234).
- PIN reset frequency: Define how often the PIN needs to be reset.
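The data transfer, backup, save-as and PIN settings above each have a weak value that quietly undoes the policy. The script below is an added example, not code from the original page or from Microsoft; it maps those settings to the property names of the Graph managedAppProtection resource type (assumed from the Graph reference) and flags a policy whose values leave organizational data exposed. The 6-digit PIN threshold is this example's choice, not an Intune default, and the two sample policies are constructed for illustration.

```python
"""Audit Intune app protection policies for weak data-protection and PIN settings.

Added example, not from the original page or from Microsoft. Property names
are assumed from the Graph managedAppProtection resource type; the minimum
PIN threshold and the two sample policies are constructed for this example.
"""
import json
import os
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# (Graph property, predicate returning True when the value is acceptable, finding text)
CHECKS = [
    ("pinRequired", lambda v: v is True,
     "PIN not required to open managed apps"),
    ("minimumPinLength", lambda v: isinstance(v, int) and v >= 6,
     "minimum PIN length below 6 (example threshold)"),
    ("simplePinBlocked", lambda v: v is True,
     "simple PINs such as 1234 are allowed"),
    ("allowedOutboundDataTransferDestinations", lambda v: v == "managedApps",
     "org data can be sent to unmanaged apps"),
    # 'managedAppsWithPasteIn' still blocks copying out of managed apps; only paste in is open
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v in ("blocked", "managedApps", "managedAppsWithPasteIn"),
     "clipboard data from managed apps can be pasted into any app"),
    ("dataBackupBlocked", lambda v: v is True,
     "org data may be included in iCloud / Google backups"),
    ("saveAsBlocked", lambda v: v is True,
     "Save As to personal storage locations is allowed"),
]


def audit_policy(policy):
    """Return (property, finding) pairs; a missing property counts as a finding."""
    return [(prop, msg) for prop, ok, msg in CHECKS if not ok(policy.get(prop))]


def fetch_policies(token):
    """Pull iOS and Android policies from Graph (needs DeviceManagementApps.Read.All)."""
    policies = []
    for coll in ("iosManagedAppProtections", "androidManagedAppProtections"):
        req = urllib.request.Request(
            f"{GRAPH_BASE}/deviceAppManagement/{coll}",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            policies.extend(json.load(resp)["value"])
    return policies


def report(policies):
    """Return {displayName: [findings]} for every policy with at least one finding."""
    out = {}
    for p in policies:
        findings = audit_policy(p)
        if findings:
            out[p.get("displayName", "<unnamed>")] = findings
    return out


# Constructed sample: looks protected at a glance but leaks through every channel.
WEAK_POLICY = {
    "displayName": "Sample - permissive",
    "pinRequired": True,
    "minimumPinLength": 4,
    "simplePinBlocked": False,
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "dataBackupBlocked": False,
    "saveAsBlocked": False,
}

# Constructed sample: the corrected values for the same settings.
HARDENED_POLICY = {
    "displayName": "Sample - hardened",
    "pinRequired": True,
    "minimumPinLength": 6,
    "simplePinBlocked": True,
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "dataBackupBlocked": True,
    "saveAsBlocked": True,
}

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    source = fetch_policies(token) if token else [WEAK_POLICY, HARDENED_POLICY]
    for name, findings in report(source).items():
        print(name)
        for prop, msg in findings:
            print(f"  {prop}: {msg}")
```

Without a token the script audits the two constructed policies, which is enough to see that the permissive one trips every check except the PIN requirement; with a token it pulls the tenant's real iOS and Android policies, which is a practical way to carry out the "monitor policy compliance" practice on the policy definitions themselves.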
Best Practices
- Target specific apps: Apply policies only to the apps that handle sensitive organizational data.
- Use groups effectively: Assign policies to user groups rather than individual users for easier management.
- Monitor policy compliance: Regularly review reports to understand how policies are being applied and identify any issues.
- Communicate with users: Inform your users about the app protection policies and why they are in place.
App protection policies are a critical component of a comprehensive mobile device and application management strategy. By applying them to the apps that handle organizational data, organizations can significantly reduce the risk of data leakage and improve their overall security posture.