Explore practical guides and tools for Microsoft 365, Azure, and PowerShell. Enhance your cloud security and admin skills with expert insights and automation tips.
Securing your M365 Mobile Applications : Using Microsoft Intune for Effective Protection Policies
An App Protection Policy in Microsoft Intune is a set of security rules you configure to protect corporate data when used on personal mobile devices. These policies create a secure working environment by separating personal data from business data and enforcing strict restrictions on application use.
II – Main features of App Protection Policies :
Corporate data protection : APPs protect corporate data by defining how applications handle business data. For example, they can prevent business data from being copied into unprotected personal applications.
Management of specific actions : They allow you to control certain actions within applications, such as preventing screen capture, limiting copy/paste operations, or restricting file sharing between applications.
Data separation : It creates secure containers on mobile devices, preventing corporate data from being copied, pasted or stored in personal applications.
Access conditions : Policies can require users to authenticate their identity (e.g. via PIN code or biometrics) before accessing application data, thus reinforcing access security.
Protection without full device management : Unlike traditional mobile device management (MDM), APPs offer a means of securing data without requiring full device management, which is particularly useful for BYOD scenarios.
Selective data erasure : in the event of loss or theft of the device, or when the user leaves the company, administrators can remotely erase only the business data protected by the APPs, leaving the user’s personal data intact.
Cross-platform flexibility : App Protection Policies can be applied to apps on iOS/iPadOS and Android devices, offering uniform data protection across different device types.
Integration with other Microsoft solutions : APPs integrate well with other Microsoft services, such as Azure Active Directory (Azure AD) for authentication, and Microsoft 365 for data protection in applications such as Outlook, Word, Excel, etc.
III – App Protection Policy types :
There are four types of App Protection Policies :
Android Policy
iOS/iPadOS Policy
Windows Policy
Windows Information Protection Policy
IV – Prerequisites :
Microsoft Intune Portal
Microsoft Intune Access rights to create App Protection Policies (Intune Administrator or Global Admin role in my case)
Select “Core Microsoft Apps” from the Target Policy menu (you can select “All Microsoft Apps” according to your company's needs).
You can click on “View targeted Apps” to view the list of targeted M365 apps.
In the “Data protection” section, you can use the following settings :
Backup org data to Android backup services : Select Block to prevent backup of org data to Android backup services. Select Allow to permit backup of org data to Android backup services. Personal or unmanaged data is not affected.
Send org data to other apps : Select one of the following options to specify the apps that this app can send data to :
Policy managed apps: Only allow sending org data to other policy managed apps
All Apps: Allow sending org data to any app
None: Do not allow sending org data to any app
Allow user to save copies to selected services : Select the storage services users can save copies of org data to. All other services are blocked. Selecting no services will prevent users from saving a copy of org data.
Transfer telecommunication data to : Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it’s initiated from a policy-managed app.
Transfer messaging data to : Typically, when a user selects a hyperlinked messaging link in an app, a messaging app will open with the phone number prepopulated and ready to send. For this setting, choose how to handle this type of content transfer when it’s initiated from a policy-managed app.
Receive data from other apps : Policy managed Apps
Open data into Org documents : Select Block to disable the use of the Open option or other options to share data between accounts in this app. Select Allow if you want to allow the use of Open and other options to share data between accounts in this app.
When set to Block, you can configure the following setting, Allow user to open data from selected services, to specify which services are allowed for Org data locations.
Restrict cut, copy, and paste between other apps : Cut, copy, and paste data between your app and other approved apps installed on the device. Choose to block these actions completely between apps, allow these actions for use with any app, or restrict use to apps that your organization manages.
Screen capture and Google Assistant : If blocked, both screen capture and Google Assistant app scanning capabilities will be disabled when using the policy-managed app. This feature supports the usual Google Assistant app. Third party assistants using Google’s Assist API are not supported. Choosing Block will also blur the App-Switcher preview image when using the app with a work or school account.
Encryption : required
Sync policy managed app data with native apps or add-ins : Choose Block to prevent policy managed apps from saving data to the device’s native apps (like Contacts, Calendar and widgets), or to prevent the use of add-ins within the policy managed apps. If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.
Restrict web content transfer with other apps : Select one of the following options to specify the apps that this app can open web content in :
Unmanaged browser: Allow web content to open only in the unmanaged browser defined by the “Unmanaged browser ID” setting
Any app: Allow web links in any app
Click “Next”
In the Access requirements section, select the following settings according to your company's needs.
PIN for access : If required, a PIN must be used to access the policy-managed app. Users must create an access PIN the first time that they open the app from a work or school account.
Biometrics instead of PIN for access : Allows use of Android biometric authentication methods, if any, in place of an app PIN.
Override biometrics with PIN after timeout : If required, depending on the timeout (minutes of inactivity), a PIN prompt will override biometric prompts. If this timeout value is not met, the biometric prompt will continue to show. This timeout value should be greater than the value specified under ‘Recheck the access requirements after (minutes of inactivity)’.
PIN reset after number of days : Specify the number of days that must pass before the user must reset the PIN.
App PIN when device PIN is set : If not required, an app PIN does not need to be used to access the app if the device PIN is set on an MDM enrolled device. Note: Intune cannot detect device enrollment with a third-party EMM solution on Android.
Work or school account credentials for access : If required, work or school credentials must be used to access the policy-managed app. If PIN or biometric methods also required for access to the app, the work or school account credentials will be required on top of those prompts.
Recheck the access requirements after (minutes of inactivity) : If the policy-managed app is inactive for longer than the number of minutes of inactivity specified, the app will prompt the access requirements (i.e. PIN, conditional launch settings) to be rechecked after the app is launched.
In the conditional launch section, you can see the default App conditions and Device conditions (I think you don't need to make changes here depending on your company needs).
For App conditions :
After 5 access attempts -> Reset password
If device is offline for 1440 minutes -> Block access
If device is offline for 90 days -> wipe data
For Device conditions :
If device is Jailbroken/rooted -> Block access
In Assignment section you can add All users or just specify a group.
Click “Next”
Click “Create” to create the Policy
As you can see, here is our Android Policy.
Now that we have created the Android Policy, we'll move on to the iOS Policy creation.
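The same Android policy can be built from PowerShell instead of clicking through the portal, which makes the settings reviewable and repeatable across tenants. The script below is an added example and is not part of the original post; it uses the Microsoft.Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`) against the v1.0 `androidManagedAppProtections` resource and maps each portal setting from the walkthrough above to its Graph property. Assumptions: the Microsoft.Graph module is installed, the signed-in account holds a role that can create App Protection Policies, the policy name, PIN length, PIN reset period and clipboard level are values chosen for this example, the package IDs are the core Microsoft apps you want to target, and `<PILOT-GROUP-OBJECT-ID>` is a placeholder for your own group. The jailbroken/rooted condition is not exposed as a property on this v1.0 resource and is left at its portal default.

```powershell
# Added example (not from the original post): create the Android App Protection Policy
# described in the walkthrough via Microsoft Graph, then target apps and assign a group.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$policy = @{
    "@odata.type"                           = "#microsoft.graph.androidManagedAppProtection"
    displayName                             = "APP - Android - Core Microsoft Apps"   # constructed name
    description                             = "Android APP created from PowerShell"
    # --- Data protection ---
    dataBackupBlocked                       = $true            # Backup org data to Android backup services: Block
    allowedOutboundDataTransferDestinations = "managedApps"    # Send org data to other apps: Policy managed apps
    allowedInboundDataTransferSources       = "managedApps"    # Receive data from other apps: Policy managed apps
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")  # Save copies to selected services
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"  # Restrict cut/copy/paste (example choice)
    screenCaptureBlocked                    = $true            # Screen capture and Google Assistant: Block
    encryptAppData                          = $true            # Encryption: Required
    contactSyncBlocked                      = $true            # Sync app data with native apps or add-ins: Block
    printBlocked                            = $true
    managedBrowserToOpenLinksRequired       = $true            # Restrict web content transfer to the managed browser
    managedBrowser                          = "microsoftEdge"
    # --- Access requirements ---
    pinRequired                             = $true            # PIN for access: Require
    pinCharacterSet                         = "numeric"        # example choice
    minimumPinLength                        = 6                # example choice
    simplePinBlocked                        = $true
    fingerprintBlocked                      = $false           # Biometrics instead of PIN: Allow
    periodBeforePinReset                    = "P90D"           # PIN reset after 90 days (example choice)
    disableAppPinIfDevicePinIsSet           = $false           # App PIN when device PIN is set: Require
    organizationalCredentialsRequired       = $false           # Work or school account credentials: Not required
    periodOnlineBeforeAccessCheck           = "PT30M"          # Recheck access requirements after 30 minutes of inactivity
    # --- Conditional launch defaults shown in the post ---
    maximumPinRetries                       = 5                # After 5 access attempts -> reset
    periodOfflineBeforeAccessCheck          = "PT24H"          # Offline 1440 minutes -> block access
    periodOfflineBeforeWipeIsEnforced       = "P90D"           # Offline 90 days -> wipe org data
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections" `
    -Body $policy
Write-Host "Created policy $($created.displayName) with id $($created.id)"

# Target apps (the portal's "View targeted Apps" list). Android apps are identified by package ID.
$apps = @(
    "com.microsoft.office.outlook",
    "com.microsoft.teams",
    "com.microsoft.office.word",
    "com.microsoft.office.excel",
    "com.microsoft.office.powerpoint",
    "com.microsoft.skydrive"
) | ForEach-Object {
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = $_ } }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/$($created.id)/targetApps" `
    -Body @{ apps = $apps }

# Assignment: start with a pilot group rather than all users so the policy can be validated first.
$groupId = "<PILOT-GROUP-OBJECT-ID>"   # placeholder, replace with your group's object ID
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections/$($created.id)/assign" `
    -Body @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
        )
    }
```

Keeping the policy as a hashtable in source control means a reviewer can diff a change such as `allowedOutboundDataTransferDestinations` moving from `managedApps` to `allApps`, which would otherwise be a silent weakening of the container boundary made in the portal.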
You can select “All Microsoft Apps” or “Core Microsoft Apps” as your organisation needs.
In the Data protection section :
Backup org data to iTunes and iCloud backups : Select Block to prevent backup of org data to iTunes or iCloud. Select Allow to permit backup of org data to iTunes or iCloud. Personal or unmanaged data is not affected.
Send org data to other apps : Select one of the following options to specify the apps that this app can send org data to:
None : Do not allow sending org data to any app
Policy managed apps : Only allow sending org data to other policy managed apps
Policy managed apps with OS sharing : Only allow sending org data to other policy managed apps and sending org documents to other MDM managed apps on enrolled devices
Policy managed apps with Open-In/Share filtering : Only allow sending org data to other policy managed apps and filter OS Open-in/Share dialogs to only display policy managed apps
All apps : Allow sending org data to any app
Save copies of org data : Select Block to prevent saving a copy of org data to a new location, other than the selected storage services, using “Save As”. Select Allow to permit saving a copy of org data to a new location using “Save As”.
Allow user to save copies to selected services : Select the storage services users can save copies of org data to. All other services are blocked. Selecting no services will prevent users from saving a copy of org data.
Transfer messaging data to : Typically, when a user selects a hyperlinked messaging link in an app, a messaging app will open with the phone number prepopulated and ready to send. For this setting, choose how to handle this type of content transfer when it’s initiated from a policy-managed app. Additional steps may be necessary in order for this setting to take effect. First, verify that sms has been removed from the Select apps to exempt list. Then, ensure the application is using a newer version of Intune SDK (Version > 19.0.0).
Receive data from other apps : Select one of the following options to specify the apps that this app can receive data from:
None : Do not allow receiving data in org documents or accounts from any app
Policy managed apps : Only allow receiving data in org documents or accounts from other policy managed apps
Any app with incoming org data : Allow receiving data in org documents or accounts from any app and treat all incoming data without a user account as org data
All apps : Allow receiving data in org documents or accounts from any app
Open data into Org documents : Select Block to disable the use of the Open option or other options to share data between accounts in this app. Select Allow if you want to allow the use of Open and other options to share data between accounts in this app.
Allow users to open data from selected services : Select the application storage services users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.
Restrict cut, copy, and paste between other apps : Cut, copy, and paste data between your app and other approved apps installed on the device. Choose to block these actions completely between apps, allow these actions for use with any app, or restrict use to apps that your organization manages.
Encrypt org data : Required
Sync policy managed app data with native apps or add-ins : Choose Block to prevent policy managed apps from saving data to the device’s native apps (like Contacts, Calendar and widgets), or to prevent the use of add-ins within the policy managed apps. If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.
Printing org data : If blocked, the app cannot print protected data
Org data notifications : Select one of the following options to specify how notifications for org accounts are shown for this app and any connected devices such as wearables:
Block: Do not share notifications.
Block org Data: Do not share org data in notifications. If not supported by the application, notifications are blocked.
Allow: Share all notifications.
In the Access requirements section :
PIN for access : If required, a PIN must be used to access the policy-managed app. Users must create an access PIN the first time that they open the app from a work or school account.
Biometrics instead of PIN for access : Allows use of Android biometric authentication methods, if any, in place of an app PIN.
Override biometrics with PIN after timeout : If required, depending on the timeout (minutes of inactivity), a PIN prompt will override biometric prompts. If this timeout value is not met, the biometric prompt will continue to show. This timeout value should be greater than the value specified under ‘Recheck the access requirements after (minutes of inactivity)’.
PIN reset after number of days : Specify the number of days that must pass before the user must reset the PIN.
App PIN when device PIN is set : If not required, an app PIN does not need to be used to access the app if the device PIN is set on an MDM enrolled device. Note: Intune cannot detect device enrollment with a third-party EMM solution on Android.
Work or school account credentials for access : If required, work or school credentials must be used to access the policy-managed app. If PIN or biometric methods also required for access to the app, the work or school account credentials will be required on top of those prompts.
Recheck the access requirements after (minutes of inactivity) : If the policy-managed app is inactive for longer than the number of minutes of inactivity specified, the app will prompt the access requirements (i.e. PIN, conditional launch settings) to be rechecked after the app is launched.
In the conditional launch section, you can see the default App conditions and Device conditions (I think you don't need to make changes here depending on your company needs).
For App conditions :
After 5 access attempts -> Reset password
If device is offline for 1440 minutes -> Block access
If device is offline for 90 days -> wipe data
For Device conditions :
If device is Jailbroken/rooted -> Block access
In Assignment section you can add All users or just specify a group.
Click “Next”
Click “Create” to create the Policy
As you can see, here is our iOS/iPadOS Policy.
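Once both policies exist, the settings above are worth re-checking periodically, since a later edit in the portal can reopen a data path (for example allowing backups or sending org data to any app) without anyone noticing. The following audit script is an added example and is not part of the original post; it reads every Android and iOS/iPadOS App Protection Policy through Microsoft Graph v1.0 and reports each policy that deviates from the baseline described in this guide (backup blocked, transfers limited to policy managed apps, clipboard restricted, PIN required, the 1440-minute offline block and 90-day offline wipe, and the policy actually being assigned and targeting apps). Assumptions: the Microsoft.Graph module is installed and the signed-in account has read access to Intune app protection policies; the check names and thresholds are this example's own.

```powershell
# Added example (not from the original post): audit Android and iOS/iPadOS App Protection
# Policies against the baseline from this guide and list the checks that fail.
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All" -NoWelcome

# Graph returns ISO 8601 durations such as "PT24H" or "P90D"; XmlConvert parses that format.
function ConvertTo-Span([string]$Iso) { [System.Xml.XmlConvert]::ToTimeSpan($Iso) }

# Checks common to both platforms. Each Test receives the policy object (a hashtable from Graph).
$commonChecks = @(
    @{ Name = "Backup of org data blocked";              Test = { param($p) $p.dataBackupBlocked -eq $true } },
    @{ Name = "Outbound transfer not open to all apps";   Test = { param($p) $p.allowedOutboundDataTransferDestinations -ne "allApps" } },
    @{ Name = "Inbound transfer not open to all apps";    Test = { param($p) $p.allowedInboundDataTransferSources -ne "allApps" } },
    @{ Name = "Clipboard sharing restricted";             Test = { param($p) $p.allowedOutboundClipboardSharingLevel -ne "allApps" } },
    @{ Name = "PIN required for access";                  Test = { param($p) $p.pinRequired -eq $true } },
    @{ Name = "Offline block within 1440 minutes";        Test = { param($p) (ConvertTo-Span $p.periodOfflineBeforeAccessCheck) -le [TimeSpan]::FromMinutes(1440) } },
    @{ Name = "Offline wipe within 90 days";              Test = { param($p) (ConvertTo-Span $p.periodOfflineBeforeWipeIsEnforced) -le [TimeSpan]::FromDays(90) } },
    @{ Name = "Policy is assigned";                       Test = { param($p) $p.isAssigned -eq $true } },
    @{ Name = "Policy targets at least one app";          Test = { param($p) $p.deployedAppCount -gt 0 } }
)
# Android exposes encryption and screen capture as explicit properties.
$androidChecks = @(
    @{ Name = "App data encryption required";             Test = { param($p) $p.encryptAppData -eq $true } },
    @{ Name = "Screen capture blocked";                   Test = { param($p) $p.screenCaptureBlocked -eq $true } }
)

function Get-AllPages([string]$Uri) {
    # Follow @odata.nextLink so tenants with many policies are fully covered.
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

$results = foreach ($platform in @("android", "ios")) {
    $uri = "https://graph.microsoft.com/v1.0/deviceAppManagement/${platform}ManagedAppProtections"
    foreach ($p in Get-AllPages $uri) {
        $checks = if ($platform -eq "android") { $commonChecks + $androidChecks } else { $commonChecks }
        foreach ($c in $checks) {
            $passed = $false
            try { $passed = [bool](& $c.Test $p) } catch { $passed = $false }   # missing/odd values count as failures
            [pscustomobject]@{
                Platform = $platform
                Policy   = $p.displayName
                Check    = $c.Name
                Passed   = $passed
            }
        }
    }
}

$failures = $results | Where-Object { -not $_.Passed }
if ($failures) {
    Write-Host "Policies deviating from the baseline:" -ForegroundColor Yellow
    $failures | Sort-Object Platform, Policy | Format-Table Platform, Policy, Check -AutoSize
} else {
    Write-Host "All App Protection Policies match the baseline." -ForegroundColor Green
}
```

Running this from a scheduled automation account and forwarding the failure list to your ticketing or SIEM pipeline turns the one-time portal configuration into a continuously verified control; the unassigned-policy and zero-targeted-apps checks catch the common case where a policy looks complete but protects nothing.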
Now that we’ve set up the App Protection Policies, I’ll explain in the following technical guide how to use this configuration with Conditional Access settings to enhance security and preserve corporate data.
Stay tuned 😉
VII – Conclusion :
Intune Application Protection Policies are an essential tool for companies wishing to secure their corporate data on mobile devices. They provide an additional layer of security and help maintain regulatory compliance.
Aymen EL JAZIRI (Microsoft MVP)
Hi, I’m Aymen El Jaziri, a passionate System Administrator and Microsoft MVP, with years of hands-on experience in managing and securing modern IT infrastructures.
This blog is where I share technical guides, automation scripts, product reviews, and real-world solutions that help IT professionals simplify their day-to-day work and stay ahead in a fast-evolving cloud ecosystem.
Whether you’re here to troubleshoot an issue, improve your automation game, or learn new best practices, welcome to my blog!
Let’s build a stronger, smarter IT community together.
Feel free to connect with me on LinkedIn for more content, discussions, or collaboration opportunities.