Microsoft Docs

Intune App Protection Policies

Last Updated: October 26, 2023

Introduction to App Protection Policies

Microsoft Intune app protection policies (APP) help protect your organization's data by managing and protecting the apps that your users access. These policies allow you to wipe organizational data from an app without deleting the entire app. APP policies are applied to the data within an application, not to the device itself. This means you can protect organizational data on devices that are not managed by Intune.

Key Features and Capabilities

  • Data Encryption: Encrypt app data at rest.
  • Access Control: Require a PIN or biometric authentication to access the app.
  • Data Transfer Restrictions: Control how data can be moved between managed apps and unmanaged apps.
  • Save/Open Restrictions: Prevent saving organizational data to unapproved locations.
  • App-Level Wipe: Remotely remove organizational data from an app without affecting personal data.
  • Clipboard Control: Prevent copying data from managed apps and pasting into unmanaged apps.
  • Screen Capture Protection: Disable screen capture for managed apps.

How App Protection Policies Work

APP policies are assigned to user groups. When a user signs in to an app that supports APP with their managed (work or school) account, the policy settings are enforced for that account's data in the app. Because the policy follows the account and the data rather than the device, it applies on both managed and unmanaged devices, providing a consistent layer of data protection across your organization's mobile app ecosystem.

Supported Applications

Intune app protection policies can be applied to a wide range of applications, including Microsoft's own apps (like Outlook, Word, Excel, Teams) and many third-party applications that have integrated with the Microsoft Mobile Application Management (MAM) SDK.

Creating and Managing App Protection Policies

You can create and manage app protection policies through the Microsoft Intune portal. The process typically involves the following steps:

  1. Navigate to Apps > App protection policies.
  2. Click Create policy and select the platform (iOS/iPadOS or Android).
  3. Configure the policy settings, including data protection, access requirements, and app-level configurations.
  4. Assign the policy to user groups.

Policy Settings Categories

The policy settings are generally categorized as:

Category             Description
Data Protection      Controls how data is handled within and outside the managed app (transfer, save, clipboard, backup).
Access Requirements  Configures authentication and unlock settings (PIN, biometrics, credentials).
Conditional Launch   Sets conditions (for example, device compliance or jailbreak/root status) that trigger specific actions or restrictions when the app starts.
App Configuration    Configures specific app settings (for supported apps).

Note: App protection policies do not require devices to be enrolled in Intune. Applying them to unenrolled devices is known as MAM without enrollment (MAM-WE).
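The settings categories above are easier to review when a policy is checked mechanically against a baseline. The following is an added example, not Microsoft documentation or Intune code: it audits a policy expressed in the conceptual JSON shape used on this page (keys such as "dataProtection", "transferToUnprotectedApps" and "pinRequired") against one expected value per category, reports which setting opens which data-leak path, and produces a hardened copy. The baseline values and the sample policy are assumptions constructed for the example, not Microsoft's recommended defaults.

```python
"""Audit conceptual Intune app protection policy settings by category.

Added example, not Microsoft documentation or Intune code. The policy shape
follows the conceptual JSON on this page; the baseline values are assumptions
chosen to illustrate the check, not Microsoft's recommended defaults.
"""
import copy

# Baseline expectations, grouped by the settings categories on this page.
# Each entry: (category, section key, setting key, expected value, risk if it differs)
BASELINE = [
    ("Data Protection", "dataProtection", "transferToUnprotectedApps", "Blocked",
     "organizational data can be moved into unmanaged apps"),
    ("Data Protection", "dataProtection", "saveAsOtherDocument", "Blocked",
     "attachments can be saved to unapproved locations"),
    ("Access Requirements", "accessRequirements", "pinRequired", True,
     "app data is accessible without a PIN or biometric unlock"),
    ("Conditional Launch", "conditionalLaunch", "requireDeviceToPassComplianceCheck", True,
     "a non-compliant device can still open organizational data"),
]


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy meets the baseline.

    A setting that is missing entirely is reported too (actual=None), because an
    unset restriction behaves like a permissive one.
    """
    findings = []
    for category, section, key, expected, risk in BASELINE:
        actual = policy.get(section, {}).get(key)  # None when the setting is absent
        if actual != expected:
            findings.append({
                "category": category,
                "setting": f"{section}.{key}",
                "actual": actual,
                "expected": expected,
                "risk": risk,
            })
    return findings


def harden_policy(policy):
    """Return a deep copy of the policy with every baseline setting applied."""
    hardened = copy.deepcopy(policy)
    for _, section, key, expected, _ in BASELINE:
        hardened.setdefault(section, {})[key] = expected
    return hardened


# Constructed sample: a pilot policy left at permissive values (assumption)
WEAK_POLICY = {
    "policyName": "Pilot policy",
    "platform": "iOS/iPadOS",
    "dataProtection": {"transferToUnprotectedApps": "Allowed"},
    "accessRequirements": {"pinRequired": False},
}

if __name__ == "__main__":
    for f in audit_policy(WEAK_POLICY):
        print(f"[{f['category']}] {f['setting']}={f['actual']!r}, "
              f"expected {f['expected']!r}: {f['risk']}")
    print("Findings after hardening:", audit_policy(harden_policy(WEAK_POLICY)))
```

Running the script lists four findings for the weak policy (two Data Protection, one Access Requirements, one Conditional Launch) and none for the hardened copy. Treating an absent setting as a finding is deliberate: a category the administrator never visited in the portal is the one most likely to still be at its permissive default.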

Example Scenario: Protecting Email Data

Consider an organization that wants to ensure that sensitive email data in Outlook is protected. An APP policy can be configured to:

  • Require users to enter a PIN to open Outlook.
  • Prevent users from copying email content and pasting it into an unmanaged messaging app.
  • Prevent users from saving email attachments to personal cloud storage services.
  • Allow users to share email content with other managed apps within the organization.

Tip: Regularly review and update your app protection policies to adapt to evolving security threats and organizational needs.

Further Resources

Example of an app protection policy configuration (conceptual):

{
  "policyName": "Corporate Data Protection",
  "platform": "Android",
  "dataProtection": {
    "transferToUnprotectedApps": "Blocked",
    "saveAsOtherDocument": "Blocked"
  },
  "accessRequirements": {
    "pinRequired": true,
    "requireTouchId": true
  },
  "conditionalLaunch": {
    "requireDeviceToPassComplianceCheck": true
  }
}
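To see how the conceptual policy above plays out against the email scenario described earlier, the following added example (not Microsoft documentation or Intune code) simulates the enforcement order a managed app would follow: policies apply only once a managed account is signed in, conditional launch is checked before data is exposed, then the PIN gate, then the data-protection rules for the specific action. The policy dict mirrors the JSON on this page; the action vocabulary ("open", "copy", "share", "save"), the managed/unmanaged labelling of targets, and the context flags are assumptions constructed for the simulation.

```python
"""Simulate how an app protection policy decides on user actions in a managed app.

Added example, not Microsoft documentation or Intune code. POLICY mirrors the
conceptual JSON on this page; the action and context vocabulary is assumed.
"""

POLICY = {
    "policyName": "Corporate Data Protection",
    "platform": "Android",
    "dataProtection": {
        "transferToUnprotectedApps": "Blocked",
        "saveAsOtherDocument": "Blocked",
    },
    "accessRequirements": {"pinRequired": True, "requireTouchId": True},
    "conditionalLaunch": {"requireDeviceToPassComplianceCheck": True},
}


def evaluate(policy, action, context):
    """Return (decision, reason) for one action inside the app.

    action  : {"type": "open"|"copy"|"share"|"save", "target": str, "managed": bool}
    context : {"signed_in_work_account": bool, "unlocked": bool, "device_compliant": bool}
    """
    # APP attaches to the managed account's data; a personal account is untouched.
    if not context.get("signed_in_work_account"):
        return ("Allowed", "no managed account in this app; policy does not apply")

    # Conditional launch runs before any organizational data is shown.
    launch = policy.get("conditionalLaunch", {})
    if launch.get("requireDeviceToPassComplianceCheck") and not context.get("device_compliant"):
        return ("Blocked", "device failed the compliance check")

    # Access requirements: PIN / biometric unlock gate.
    access = policy.get("accessRequirements", {})
    if access.get("pinRequired") and not context.get("unlocked"):
        return ("Blocked", "PIN or biometric unlock required")

    # Data protection: transfer and save restrictions per action.
    data = policy.get("dataProtection", {})
    kind, target = action["type"], action.get("target", "?")
    if kind == "open":
        return ("Allowed", "access requirements met")
    if kind in ("copy", "share"):
        if not action.get("managed") and data.get("transferToUnprotectedApps") == "Blocked":
            return ("Blocked", f"transfer to unmanaged app {target!r} is blocked")
        return ("Allowed", f"{target!r} is a managed app")
    if kind == "save":
        if not action.get("managed") and data.get("saveAsOtherDocument") == "Blocked":
            return ("Blocked", f"saving to {target!r} is blocked")
        return ("Allowed", f"{target!r} is an approved location")
    return ("Blocked", f"unknown action type {kind!r}")


# Constructed walk-through of the email scenario on this page (assumed inputs).
WORK = {"signed_in_work_account": True, "unlocked": True, "device_compliant": True}
SCENARIO = [
    ("open Outlook before unlocking",
     {"type": "open", "target": "Outlook", "managed": True}, {**WORK, "unlocked": False}),
    ("paste email text into an unmanaged messaging app",
     {"type": "copy", "target": "personal messenger", "managed": False}, WORK),
    ("save an attachment to personal cloud storage",
     {"type": "save", "target": "personal cloud storage", "managed": False}, WORK),
    ("share email content with Teams",
     {"type": "share", "target": "Teams", "managed": True}, WORK),
    ("open Outlook on a non-compliant device",
     {"type": "open", "target": "Outlook", "managed": True}, {**WORK, "device_compliant": False}),
    ("copy from a personal (unmanaged) mailbox",
     {"type": "copy", "target": "personal messenger", "managed": False},
     {**WORK, "signed_in_work_account": False}),
]


def run_scenario(policy=POLICY):
    """Evaluate every scenario step and return the list of decisions in order."""
    return [evaluate(policy, action, ctx)[0] for _, action, ctx in SCENARIO]


if __name__ == "__main__":
    for label, action, ctx in SCENARIO:
        decision, reason = evaluate(POLICY, action, ctx)
        print(f"{decision:8} {label}: {reason}")
```

The ordering of the checks is the point of the example: a compliant-device failure or a missing PIN blocks even an "open", so the data-protection rules never need to reason about a locked app, while the personal-account case shows that APP restricts organizational data rather than the app as a whole.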