Intune – Mobile Device Management – App Protection Policy in Intune App Protection
Scenario – We want to securely publish a corporate app (OneDrive) to users who will be using their own mobile (iOS) devices. We want to protect the corporate data used in the app and require authentication before it can be accessed. Users should not be able to copy and paste data directly from the app onto their own device.
We need to create an App Protection Policy in Intune App Protection.
For more in-depth detail:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios
Create an App Protection Policy
- From the main Intune App Protection Home Screen, select App protection policies -> Create policy -> iOS/iPadOS.
- Fill out the Name and Description screen and then click Next.
- Select Unmanaged Apps in the Device Types drop-down menu and select the OneDrive app in the Public apps section. Click Next.
- On the Data Protection screen you can select from several controls on what users can and cannot do with the corporate data that the app accesses. Work with your IT Security and Data Protection team to understand what their requirements are. Click Next.
- The Access Requirements screen allows you to add a layer of authentication to opening the app on the user's own device. You can choose between various PIN types and options – again, work with your IT Security teams on what they require. Click Next.
- The Conditional launch screen allows you to be more granular about the conditions the device and the app have to meet for the app to be launched (Min OS and Max PIN attempts, for example). Click Next.
- On the Assignments page, select the group you want to apply this policy to and then click Next.
- Review your settings on the Review + Create screen and then click Create.
When you download the OneDrive for Business app from the Apple store you will need to log in with your corporate account. The app will need to restart so the settings can be configured for the phone.
You can confirm that the protected app is being used by clicking on the Overview of the policy, where you should see the number of users who have checked in.
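Once the policy exists, it can also be checked against the scenario's requirements outside the portal. The script below is an added example, not part of the original walkthrough: it audits a policy exported as JSON, using property names from the Microsoft Graph iosManagedAppProtection resource. The baseline it enforces, the sample policy and the OneDrive bundle ID are assumptions made for illustration.

```python
import json

# Constructed sample of an exported policy (apps expanded); values are illustrative.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "iOS - OneDrive - BYOD",
  "allowedOutboundClipboardSharingLevel": "managedApps",
  "pinRequired": true,
  "maximumPinRetries": 5,
  "minimumRequiredOsVersion": "16.0",
  "isAssigned": true,
  "apps": [{"mobileAppIdentifier": {"bundleId": "com.microsoft.skydrive"}}]
}
""")

# Assumption: bundle ID used to identify OneDrive for iOS in the policy's app list.
ONEDRIVE_IOS_BUNDLE_ID = "com.microsoft.skydrive"

# Clipboard levels that keep copied data inside policy-managed apps.
# "allApps" (or a missing value) lets data be pasted into personal apps.
CONTAINED_CLIPBOARD_LEVELS = {"managedAppsWithPasteIn", "managedApps", "blocked"}


def audit_policy(policy, bundle_id=ONEDRIVE_IOS_BUNDLE_ID):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    # Data Protection: copy/paste out of the app must be restricted.
    if policy.get("allowedOutboundClipboardSharingLevel") not in CONTAINED_CLIPBOARD_LEVELS:
        findings.append("clipboard: data can be copied out to unmanaged apps")
    # Access Requirements: some form of authentication before the app opens.
    if not (policy.get("pinRequired") or policy.get("organizationalCredentialsRequired")):
        findings.append("access: no PIN or corporate credentials required")
    # Conditional launch: PIN attempts limited and a minimum OS enforced.
    if policy.get("pinRequired") and not policy.get("maximumPinRetries"):
        findings.append("conditional launch: no limit on PIN attempts")
    if not policy.get("minimumRequiredOsVersion"):
        findings.append("conditional launch: no minimum OS version")
    # Assignments: an unassigned policy protects nobody.
    if not policy.get("isAssigned"):
        findings.append("assignment: policy is not assigned to any group")
    # Apps: the policy must actually target OneDrive.
    targeted = {a.get("mobileAppIdentifier", {}).get("bundleId")
                for a in policy.get("apps", [])}
    if bundle_id not in targeted:
        findings.append("apps: OneDrive is not targeted by this policy")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY) or ["baseline met"]:
        print(finding)
```

Adjust the checks to whatever your IT Security and Data Protection teams actually require; the script only reports gaps and changes nothing in the tenant.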