Intune App Protection Policies protect corporate data on end users' devices without enforcing heavy-duty device controls. The protection settings are applied to apps without affecting device-level settings.
For example, you can define a security PIN that is required when a user opens the Microsoft Outlook mobile app. This is separate from the user’s device PIN and only applies to the corporate data in the apps.
App protection policies offer an easy, low-friction way to enable BYOD. This is because devices do not need to be enrolled in MDM to receive policies, and there is no special enrolment procedure for users to go through. Only the apps and configuration on the user's device need to meet the Conditional Access policy.
Popular Microsoft apps such as Outlook, Teams, Word, Excel, PowerPoint and OneDrive support app protection policies.
Mobile Application Management (MAM)
When first released, App Protection Policies (APP) were named Mobile Application Management (MAM) policies. Microsoft later rebranded them to APP.
How Do App Protection Policies Work?
Microsoft builds and maintains an Intune App software development kit (SDK), which is integrated into all of Microsoft’s mobile apps. The SDK does all the work of retrieving policies from Intune and applying them in the app.
- Configure the right set of security settings in the Intune app protection policy for the organization, and define the apps and groups of users.
- Users get the apps they need directly from the app stores.
- Users open the app and sign in. The app protection settings are automatically delivered and applied.
For App Protection Policies to work, you must install a broker app on the device, such as one of the following:
- iOS – Microsoft Authenticator
- Android – Microsoft Authenticator or Microsoft Company Portal
App Protection Policy Targeting Options
App protection policies need to be assigned to users or user groups, not device groups. Target an Azure AD group of users, or apply the policy to All Users. In real-world production deployments you will likely create multiple groups of users who need different apps targeted to them.
Create App Protection Policy
The policy below is for iOS devices. The same steps can be followed for Android devices.
- In the Intune admin center, go to Apps > App Protection Policies and create a new policy for iOS.




Conditional Access Policy
You need to create a Conditional Access policy for the app protection policy, with “Require App Protection Policy” selected.
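
One way to check that this Conditional Access requirement is actually in force, as an added example that is not part of the original post: the script audits policy objects in the shape of the Microsoft Graph `conditionalAccessPolicy` resource, where the “Require app protection policy” grant appears as `compliantApplication`. The function name and the sample policies are constructed for illustration, and user and cloud-app scoping are not evaluated.

```python
# Added example: audit CA policies for the compliantApplication grant control.
MOBILE = ("iOS", "android")
RANK = {"missing": 0, "report-only": 1, "optional": 2, "enforced": 3}

def audit_app_protection(policies):
    """Return {platform: status} for iOS and Android.
    enforced    - an enabled policy requires app protection
    optional    - app protection is OR-ed with another grant control
    report-only - the only matching policy is in report-only mode
    missing     - no enabled policy asks for app protection
    Assumption: user and cloud-app scoping are not evaluated here.
    """
    result = {p: "missing" for p in MOBILE}
    for pol in policies:
        grant = pol.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        state = pol.get("state")
        if "compliantApplication" not in controls or state == "disabled":
            continue
        if state == "enabledForReportingButNotEnforced":
            status = "report-only"
        elif len(controls) > 1 and grant.get("operator") == "OR":
            status = "optional"
        else:
            status = "enforced"
        # A null platform condition means the policy applies to every platform.
        plat = (pol.get("conditions") or {}).get("platforms") or {}
        included = set(plat.get("includePlatforms") or ["all"])
        excluded = set(plat.get("excludePlatforms") or [])
        for p in MOBILE:
            in_scope = (p in included or "all" in included) and p not in excluded
            if in_scope and RANK[status] > RANK[result[p]]:
                result[p] = status
    return result

# Constructed sample policies (not taken from a real tenant).
SAMPLE_POLICIES = [
    {"displayName": "iOS - require APP", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["iOS"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}},
    {"displayName": "Android - pilot", "state": "enabledForReportingButNotEnforced",
     "conditions": {"platforms": {"includePlatforms": ["android"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}},
    {"displayName": "All users - MFA", "state": "enabled",
     "conditions": {"platforms": None},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
if __name__ == "__main__":
    print(audit_app_protection(SAMPLE_POLICIES))
```

A platform reported as anything other than `enforced` means users on it can still reach corporate data from an app that has no protection policy applied.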


User Experience
If the user has already configured mail in the device's default mail app or another mail app, the app protection policy will not allow the email account to be configured there and redirects the user to the Outlook app to configure it.


Once the Outlook app is configured, the app protection policy requires the user to set a PIN for the application.


App Protection Policies provide more control over organization data and the behavior of mobile apps.
They give more flexibility in configuration and deployment and reduce the risk of accidental data wipes. If you're using MDM, consider moving to Intune App Protection Policies.