In today's digital landscape, securing corporate data on mobile devices is paramount. Microsoft Intune offers robust solutions, and in this guide, we will delve into creating Intune App Protection Policies specifically for iOS and iPadOS. These policies, forming part of Mobile Application Management (MAM) in Intune, play a crucial role in safeguarding organizational data on both managed and non-managed devices.
App Protection Policies Overview
App Protection Policies (APP) are a set of guidelines within Intune that ensure the protection of corporate data on managed applications. Given the prevalence of mobile device usage for both personal and professional tasks, the risk of data leakage and loss is significant. APP in Intune addresses this concern by controlling access to corporate data and preventing data leakage within managed applications on mobile devices.
Supported Applications
To apply APP, it is essential that applications support it. Most Microsoft 365 (M365) applications, including Outlook, Word, OneDrive, and more, are compatible. Additionally, numerous productivity apps on the Google Play Store and Apple App Store also support APP.
Implementation of App Protection Policies
APP can be applied to both enrolled and non-enrolled devices, including those using third-party Mobile Device Management (MDM) solutions. By implementing APP, organizations can ensure that data within managed apps is protected and controllable by the IT team.
Key Features of App Protection Policies
Data Protection:
- Restriction of copy and paste between work and personal profiles.
- Limiting document/file saving to OneDrive or SharePoint.
- Enforcing an application-level PIN.
- Application-level (selective) data wipe.
- Limiting app access based on OS version.
Data Transfer Policies:
- Managing data transfer between managed and unmanaged applications.
- Policies for backing up organizational data to iTunes and iCloud.
- Controlling the transfer of organizational data between apps.
Encryption:
- Enforcing device-level iOS/iPadOS encryption for managed app data.
Functionality Controls:
- Restricting sync of policy-managed app data with native apps or add-ins.
- Printing restrictions for organizational data.
- Controlling web content transfer with other apps.
How to Create App Protection Policies for iOS/iPadOS
- Sign in to Microsoft Intune Admin Center.
- Navigate to App > App Protection Policies.
- Click on Create Policy > Select iOS/iPadOS.
- Provide the policy name and description, then proceed to target devices and applications as per requirements.
Data Protection Restrictions Configuration
Data Transfer:
- Configure backup of organizational data to iTunes and iCloud.
- Define policies for sending organizational data to other apps.
- Specify apps exempted from data transfer policies.
Receive Data from Other Apps:
- Configure policies for receiving data from other/unmanaged apps.
Open Data into Org Documents:
- Define settings for opening data from other apps into organizational documents.
Restrict Cut, Copy, and Paste Between Apps:
- Set restrictions on copying, cutting, and pasting data between apps.
Third-Party Keyboards:
- Choose to block or allow third-party keyboards.
Access Requirements Configuration
PIN Requirements:
- Define PIN policies for app access, including type, length, and use of biometrics.
Functionality Controls:
- Set controls for syncing policy-managed app data with native apps.
- Specify printing restrictions and web content transfer policies.
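Everything configured in the Data Protection and Access Requirements blades ends up as properties on the Microsoft Graph iosManagedAppProtection resource, which is what the admin center writes when you click Create. The Python below is an added example, not code from HTMD or Microsoft: it builds such a request body with the restrictive choices discussed above and audits any policy body for the settings that leak data when relaxed (backup allowed, org data to any app, open clipboard, no PIN). The property names and enum values are taken from the Graph reference as I read it (a few, such as thirdPartyKeyboardsBlocked, exist only on the beta endpoint), so verify them against the current documentation before posting to /deviceAppManagement/iosManagedAppProtections. The Outlook bundle id is a sample target.

```python
"""Build and audit an Intune iOS/iPadOS App Protection Policy as a Graph request body.
Added example, not HTMD's or Microsoft's code.  ASSUMPTION: keys follow the Microsoft Graph
`iosManagedAppProtection` resource; verify names against the current reference before use."""
from __future__ import annotations
import json


def ios_app(bundle_id: str) -> dict:
    """One targeted app: a managedMobileApp identified by its iOS bundle id."""
    return {
        "mobileAppIdentifier": {
            "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
            "bundleId": bundle_id,
        }
    }


def build_ios_app_protection_policy(name: str, description: str, bundle_ids: list[str]) -> dict:
    """Policy body with the restrictive data-protection and access settings from this guide."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "description": description,
        # Data transfer: no iTunes/iCloud backup, org data only between policy-managed apps
        "dataBackupBlocked": True,
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "thirdPartyKeyboardsBlocked": True,           # beta-only property
        # Encryption: protect app data whenever the device is locked
        "appDataEncryptionType": "whenDeviceLocked",
        # Functionality controls
        "contactSyncBlocked": True,
        "printBlocked": True,
        "managedBrowserToOpenLinksRequired": True,
        "managedBrowser": "microsoftEdge",
        # Access requirements: 6-digit non-trivial PIN, biometrics permitted
        "pinRequired": True,
        "pinCharacterSet": "numeric",
        "minimumPinLength": 6,
        "simplePinBlocked": True,
        "fingerprintBlocked": False,
        "faceIdBlocked": False,
        "disableAppPinIfDevicePinIsSet": False,
        "periodOnlineBeforeAccessCheck": "PT30M",     # re-check requirements every 30 min online
        "periodOfflineBeforeAccessCheck": "PT12H",    # offline grace period before access is blocked
        "periodOfflineBeforeWipeIsEnforced": "P90D",  # offline period before app data is wiped
        "apps": [ios_app(b) for b in bundle_ids],
    }


# (key, predicate that must hold, finding text) for the settings that leak data when relaxed.
WEAK_SETTING_CHECKS = [
    ("pinRequired", lambda v: v is True, "app-level PIN is not enforced"),
    ("dataBackupBlocked", lambda v: v is True, "org data can be backed up to iTunes/iCloud"),
    ("allowedOutboundDataTransferDestinations", lambda v: v != "allApps", "org data can be sent to any app"),
    ("allowedInboundDataTransferSources", lambda v: v != "allApps", "data accepted from any app"),
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v in ("managedAppsWithPasteIn", "managedApps", "blocked"), "copy/paste into personal apps allowed"),
    ("allowedDataStorageLocations", lambda v: "localStorage" not in (v or []), "saving to local device storage allowed"),
    ("thirdPartyKeyboardsBlocked", lambda v: v is True, "third-party keyboards allowed"),
    ("appDataEncryptionType", lambda v: v not in (None, "useDeviceSettings"), "encryption left to device settings"),
]


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per weak setting; an empty list means the body passes all checks."""
    return [f"{key}: {text}" for key, ok, text in WEAK_SETTING_CHECKS if not ok(policy.get(key))]


if __name__ == "__main__":
    body = build_ios_app_protection_policy(
        "iOS APP - Corporate", "Protect M365 data on iOS/iPadOS",
        ["com.microsoft.Office.Outlook"])            # sample target: Outlook bundle id
    print(json.dumps(body, indent=2))
    print("findings:", audit_policy(body) or "none")
```

The audit is the useful half when you inherit an existing tenant: pull each policy with a GET on the same endpoint and run audit_policy over it to find the ones that were created with the portal defaults left in place. Creating the policy needs a token with the DeviceManagementApps.ReadWrite.All permission; user and group assignment is a separate call after the policy exists.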
Conditional Launch Configuration
App Conditions:
- Configure conditions such as max PIN attempts and offline grace period.
App Version and SDK Restrictions:
- Define minimum app version and Intune app protection policy SDK version requirements.
Device Conditions for Intune App Protection Policies
Jailbroken/Rooted Devices:
- Define actions for accessing managed apps on jailbroken/rooted devices.
Device OS Version:
- Set minimum and maximum OS version requirements.
Device Model:
- Allow or block specified device models from accessing managed apps.
Max Allowed Device Threat Level:
- Control access based on the threat level defined by Mobile Threat Defense (MTD).
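The conditional launch and device conditions above are evaluated by the Intune SDK inside the managed app every time it starts, and when several trip at once the most severe action wins. The Python below is an added example of that decision logic and is not Intune's code: the setting and field names are my own, chosen to mirror the portal labels, the severity ordering (warn, block or reset PIN, wipe) is an assumption about how the actions rank, and the device states are constructed samples. It shows why a single policy can yield "block" on one device and "wipe" on another with the same settings.

```python
"""Evaluate Intune conditional-launch and device conditions against a device/app state.
Added example: models the launch-time decision an APP-enabled app makes; not Intune's code.
ASSUMPTION: setting names mirror the portal labels; severity order is warn < block/resetPin < wipe."""
from __future__ import annotations
from dataclasses import dataclass, field

# Outcomes ordered by severity; the most severe triggered action wins at launch.
SEVERITY = {"allow": 0, "warn": 1, "block": 2, "resetPin": 2, "wipe": 3}
# Mobile Threat Defense levels as Intune ranks them, least to most risky.
THREAT_RANK = {"secured": 0, "low": 1, "medium": 2, "high": 3}


def parse_version(v: str) -> tuple[int, ...]:
    """'16.4.1' -> (16, 4, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class ConditionalLaunch:
    """Conditional-launch and device-condition settings (assumed names, mirroring the portal)."""
    max_pin_retries: int = 5
    pin_retry_action: str = "resetPin"      # or "wipe"
    offline_grace_minutes: int = 720        # 'Offline grace period' -> block access
    offline_wipe_days: int = 90             # 'Offline grace period' -> wipe data
    min_app_version: str | None = None
    min_sdk_version: str | None = None
    jailbroken_action: str = "block"        # or "wipe"
    min_os_version: str | None = None
    max_os_version: str | None = None
    blocked_models: set[str] = field(default_factory=set)
    allowed_models: set[str] = field(default_factory=set)
    max_threat_level: str | None = None     # None = not configured
    threat_action: str = "block"            # or "wipe"


@dataclass
class DeviceState:
    """What the SDK inside the managed app observes at launch (constructed sample input)."""
    os_version: str
    app_version: str
    sdk_version: str
    model: str
    jailbroken: bool = False
    failed_pin_attempts: int = 0
    minutes_offline: int = 0
    threat_level: str = "secured"


def evaluate_launch(policy: ConditionalLaunch, state: DeviceState) -> tuple[str, list[tuple[str, str]]]:
    """Return (decision, findings); decision is the most severe action among the findings."""
    findings: list[tuple[str, str]] = []

    # App conditions
    if state.failed_pin_attempts >= policy.max_pin_retries:
        findings.append((policy.pin_retry_action, "max PIN attempts exceeded"))
    if state.minutes_offline > policy.offline_wipe_days * 24 * 60:
        findings.append(("wipe", "offline longer than the wipe threshold"))
    elif state.minutes_offline > policy.offline_grace_minutes:
        findings.append(("block", "offline grace period expired"))
    if policy.min_app_version and parse_version(state.app_version) < parse_version(policy.min_app_version):
        findings.append(("block", "app below minimum version"))
    if policy.min_sdk_version and parse_version(state.sdk_version) < parse_version(policy.min_sdk_version):
        findings.append(("block", "Intune SDK below minimum version"))

    # Device conditions
    if state.jailbroken:
        findings.append((policy.jailbroken_action, "device is jailbroken"))
    if policy.min_os_version and parse_version(state.os_version) < parse_version(policy.min_os_version):
        findings.append(("block", "OS below minimum version"))
    if policy.max_os_version and parse_version(state.os_version) > parse_version(policy.max_os_version):
        findings.append(("block", "OS above maximum version"))
    if policy.blocked_models and state.model in policy.blocked_models:
        findings.append(("block", "device model is blocked"))
    if policy.allowed_models and state.model not in policy.allowed_models:
        findings.append(("block", "device model not in allow list"))
    if policy.max_threat_level and THREAT_RANK[state.threat_level] > THREAT_RANK[policy.max_threat_level]:
        findings.append((policy.threat_action, "MTD threat level above maximum allowed"))

    decision = max((action for action, _ in findings), key=SEVERITY.__getitem__, default="allow")
    return decision, findings


if __name__ == "__main__":
    policy = ConditionalLaunch(min_os_version="16.0", min_app_version="4.2300.0", max_threat_level="low")
    stale = DeviceState(os_version="15.7", app_version="4.2350.1", sdk_version="18.0.0",
                        model="iPhone15,2", minutes_offline=800, threat_level="high")
    print(evaluate_launch(policy, stale))   # several blocks at once; still only "block"
```

Two details worth noticing when you set these values in the portal: the offline grace period is two separate thresholds (block after minutes, wipe after days) and only the stricter one applies once both are exceeded, and a jailbroken device with the action set to "wipe" loses its app data even when every other condition would merely have blocked it, so that setting deserves its own change review.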
Conclusion
In this comprehensive guide, we've explored the intricacies of creating Intune App Protection Policies for iOS and iPadOS. These policies serve as a robust defense against data leakage and loss, providing organizations with granular controls over app functionality, data protection, and access requirements. By following these detailed steps, organizations can implement effective App Protection Policies and fortify the security of their corporate data on mobile devices.
For more insights and decision-making strategies regarding Intune App Protection Policies, refer to resources from the HTMD team, such as the provided video, and stay informed about the latest advancements in mobile device management.