HomeAbout Me
Endpoint management
Protecting users and their mobile devices in Microsoft 365
Ola Ström
Ola Ström
November 01, 2022
5 min

Table Of Contents

01
What you can do with APP?
02
The basics
03
Creating a policy
04
Summary and next steps
Protecting users and their mobile devices in Microsoft 365

Today, we are using our mobile devices a lot, this could be either phones or tablets. Within the corporate world, mobile device management is often used to secure the devices. Mobile device management, MDM, is great, but that has a strong focus on securing the device. What about securing the data, and securing data on unmanaged devices?

Within the Microsoft Intune product suite, there is something called Application Protection Policies, or APP for short. This is a security layer which can be added to supported applications, even if the device is not managed. This is usually referred to as Mobile Application Management, or MAM.

Since Microsoft is calling this feature APP, that is the term we will keep to.

What you can do with APP?

APP can be used to put policies on apps where you store corporate data, and you can also use APP as a condition in Conditional Access, that a managed app needs to be used to access the data. This means that no matter what mobile device you add your corporate account to, the settings will apply even if the device is not managed. When the account is removed, settings are removed. The settings we apply ONLY applies for the corporate bubble in the application, so if you have a personal account in OneDrive, that wont be affected.

This means that we can set policies on an application level which controls what the users is allowed to do, and not do. We can also put conditions on the application which needs to be fulfilled before gaining access, not really like Conditional Access but we do have a few switches such as making sure that the device is not rooted/jailbroken and that we are running above a certain version of the OS.

A typical thing you would do with APP is to limit the possibility of copy/paste to applications which are not managed, to minimize the risk of that things are being copied in a uncontrolled way. You would also typically control how and where corporate data can be saved, only allowing SharePoint and OneDrive for Business for instance.

The basics

Application Protection Policies (APP) is only available in Intune, but you do not need to manage your devices with Intune, but you will need licenses to use Intune for your user (e.g. M365 E3/E5 licenses or EMS E3/E5 licenses).

You also need an Azure AD, since we are dependent on your identity to get the settings out to the devices.

To configure APP, we will head into the Intune portal (endpoint.microsoft.com), which means that you also need a admin user in Intune. Typically the Azure AD role Intune Administrator is what you would use as an administrator, but Global Administrator or such will work to.

Figure 1: Microsoft Intune
Figure 1: Microsoft Intune

We will find the APP settings if we head to Applications > App Protection Policies

Figure 2: APP in Microsoft Intune
Figure 2: APP in Microsoft Intune

Creating a policy

To create our APP policy, click “+ Create policy” and select what platform you want to configure (iOS/iPadOS or Android).

Figure 3: Create an APP policy
Figure 3: Create an APP policy

Give your new policy a name and press next

Figure 4: Create an APP policy and filling out basics
Figure 4: Create an APP policy and filling out basics

On the next page you will select what apps will be targeted and if you want to apply these to all devices, managed or unmanaged devices. In this example we will apply the policy to all devices, so we will leave the “Target to apps on all devices” to the default Yes. If you select no here, you will need to create additional app configurations for each application you are distributing from Intune to your managed devices. On “Target policy to” we can select what applications we what to target this to. In this example, we will target all apps, since we want to make sure that we secure all our apps. Then press Next.

Figure 5: Create an APP policy and filling out apps
Figure 5: Create an APP policy and filling out apps

On the Data Protection tab, we will configure which settings we want to use to protect our data. These settings are different depending on which platform you configure this for. In this example I’m configuring for iOS, but there are similar settings for Android. There are a lot of settings you can do, and we will make some deviations from the default configuration. If we start with the Data Transfer settings, we want to ensure that users cannot backup any corporate data to their iCloud or iTunes backups.

Figure 6: Create an APP policy and blocking data transfer
Figure 6: Create an APP policy and blocking data transfer

We also want to limit the possibility to send organizational data to other applications than applications we manage. You can add applications, links and managed links which should be exempt, we will leave these to defaults.

Figure 7: Create an APP policy and limit sending organizational data
Figure 7: Create an APP policy and limit sending organizational data

We will only allow that you can save organizational data to two defined sources, SharePoint and OneDrive for Business since these are the two cloud services we will use in this example.

Figure 8: Create an APP policy and allowing SharePoint and OneDrive for business
Figure 8: Create an APP policy and allowing SharePoint and OneDrive for business

We will also make sure that we restrict cut, copy, and paste between other apps, we will only allow this to happen between policy managed apps.

Figure 9: Create an APP policy and restricting copying between apps
Figure 9: Create an APP policy and restricting copying between apps

Under the Encryption and Functionality we will configure links to open in our managed browser, Microsoft Edge. All other values will be left to default values. Press Next to continue to the next tab.

Figure 10: Create an APP policy - encryption and functionality
Figure 10: Create an APP policy - encryption and functionality

The next tab is Access requirements which controls how the application can be accessed. We will leave most values to their defaults, but we will change the PIN length to 6 digits. We will also change the “App PIN when device PIN is set” to Not required. This change will make the user experience a bit better when the device is managed by Intune since we can then ensure that PIN is present. For an unmanaged device we do not know if there is a PIN present or not, therefor we will require a PIN. When you have set the desired configuration, press Next.

Figure 11: Create an APP policy - access requirements
Figure 11: Create an APP policy - access requirements

On the next tab we will set some conditions for how the application can be accessed on the device. We will leave all these to default values for this example and press Next.
In this tab, we can set add additional conditions if needed such as what happens if an account is disabled or if we require a certain level of OS version for the app to work.

Figure 12: Create an APP policy - conditional launch
Figure 12: Create an APP policy - conditional launch

On the next tab we will select what group we will target this to. Since this is a user settings, we will target a group with users. If there are a subset of users which should be excluded, we can add a group for that as well.

Figure 13: Create an APP policy - assignments
Figure 13: Create an APP policy - assignments

When you have added your user group, you will have the possibility to review your settings before you create the policy. When you have reviewed your settings, press Create.

Figure 14: Create an APP policy - review and create
Figure 14: Create an APP policy - review and create

Summary and next steps

You have now learned what a APP policy is, why we should use them and how to create them. Simon will later show you how to use this policy with an Conditional Access Policy, and how the user experience is.


Tags

intunemobile
Previous Article
A learn more link for sensitivity labels

Ola Ström

CTA & MVP

Everyone should be as productive as possible with the tools they prefer

Expertise

Microsoft Endpoint Manager
Windows 365
Device Management

Social Media

githubtwitterwebsite

Related Posts

Microsoft Defender for Endpoint in Intune - enable and onboard
Microsoft Defender for Endpoint in Intune - enable and onboard
November 06, 2022
3 min

Quick Links

About

Social Media