Configuring Application Protection (APP) Policies in Microsoft Intune
06/14/2024
This technical and educational article is intended to guide security analysts, IT administrators, and systems engineers in configuring and implementing Application Protection Policies (APP), also known as Mobile Application Management without enrollment (MAM-WE), in Microsoft Intune. APPs are crucial for protecting corporate data on mobile devices, whether managed by Intune (MDM) or unmanaged (BYOD - Bring Your Own Device), ensuring that the organization's data remains secure and isolated from personal data [1].
Introduction
In a scenario where mobility is essential and the use of personal devices for work purposes (BYOD) is increasingly common, protecting corporate data becomes a significant challenge. Microsoft Intune App Protection Policies (APP) offer a robust solution to this problem, enabling organizations to control how corporate data is accessed, used, and shared within specific mobile applications without the need to manage the entire device. This means you can protect data in apps like Outlook, Word, Excel, SharePoint, and other Intune-managed apps, even on devices that are not enrolled in MDM [2].
This practical guide will cover creating and configuring APP policies for iOS/iPadOS and Android, including defining access controls, data protection, and compliance requirements. Step-by-step instructions, configuration examples, and validation methods will be provided so that the reader can implement an effective data protection strategy, protecting sensitive information and ensuring regulatory compliance on mobile devices.
Why are Application Protection Policies (APP) crucial?
- Enterprise Data Protection: Prevents data loss (DLP) by controlling actions such as copy, paste, save as, and screenshots in managed applications.
- BYOD Support: Allows users to use their personal devices for work while protecting corporate data without invading personal privacy.
- Flexible Access Controls: Requires PIN, biometrics or corporate credentials to access managed applications, ensuring that only authorized users can access corporate data.
- Data Isolation: Ensures that corporate data cannot be moved to unmanaged personal applications or storage.
- Compliance: Helps meet regulatory requirements that require data protection on mobile devices.
- Enhanced User Experience: Provides a consistent and secure user experience across enterprise applications.
Prerequisites
To implement Application Protection Policies (APP) in Microsoft Intune, you will need the following items:
- Licensing: A license that includes Microsoft Intune (e.g. Microsoft 365 E3, E5, F3, Business Premium, Enterprise Mobility + Security E3, E5) [3].
- Administrative Access: An account with Intune Administrator, Intune Application Administrator, or Global Administrator permissions in the Microsoft Intune admin center (https://endpoint.microsoft.com).
- Intune-Managed Apps: The apps you want to protect must be "MAM-aware" (MAM-compliant), such as Microsoft 365 apps (Outlook, Word, Excel, PowerPoint, OneDrive, SharePoint, Teams) and other line-of-business apps that have been integrated with the Intune App Protection SDK [4].
- Test Devices: iOS/iPadOS and Android devices to test policies.
Step by Step: Configuring Application Protection Policies (APP)
Let's create an APP policy for iOS/iPadOS and Android to protect corporate data in Microsoft 365 apps.
1. Accessing the Microsoft Intune Admin Center
- Open your browser and navigate to https://endpoint.microsoft.com.
- Log in with an account that has the necessary permissions.
2. Creating a New Application Protection Policy
- In the left navigation pane, select Applications > Application protection policies.
- Click Create policy and select the desired platform (e.g. iOS/iPadOS). We will repeat the process for Android.
Step 1: Basic Information
- Name: APP - iOS - Corporate Data Protection (or APP - Android - Corporate Data Protection).
- Description: Policy to protect corporate data in Microsoft 365 apps on iOS/iPadOS devices.
- Click Next.
Step 2: Applications
Here you select the applications that will be targeted by this policy.
- Target apps: Select All Microsoft apps (to protect all Microsoft 365 apps and other Microsoft apps that support APP) or Select custom apps (to choose specific apps).
- For this example, select All Microsoft apps.
- Click Next.
Step 3: Data Protection
This section defines how corporate data will be protected within applications.
Data transfers:
- Send organization data to other apps: Select All apps or No apps.
  - Tip: For maximum security, No apps prevents corporate data from being moved to personal apps. If you need interoperability with unmanaged line-of-business applications, consider All apps with additional restrictions.
- Receive data from other apps: Select All apps or No apps.
- Allow users to save copies of organization data: Select No apps.
- Allow users to save copies of organization data to selected cloud services: If you need to allow saving to specific cloud services (e.g. OneDrive for Business, SharePoint), configure it here.
Encryption:
- Encrypt organization data: Select Yes.
Features:
- Restrict cut, copy and paste functions: Select For policy apps only (to allow copy/paste between managed apps but not with personal apps) or Block (to prevent it entirely).
- Prevent screenshots and screen recording: Select Yes.
- Sync contacts with native apps: Select Block.
- Printing organization data: Select Block.
- Click Next.
Step 4: Access Requirements
This section defines the conditions that a user must meet to access managed applications.
- PIN for access: Select Require PIN.
  - PIN type: Numeric or Complex numeric.
  - Minimum PIN length: 4 (or more, depending on security policy).
  - Allow fingerprint instead of PIN: Yes (for convenience).
- Company credentials for access: Select Require company credentials (for periodic reauthentication).
- Device/Application Health Check: Select Yes.
  - Maximum threat level allowed: Low or Medium (integrates with Microsoft Defender for Endpoint for iOS/Android).
- Click Next.
Step 5: Conditional Launch
This section defines what happens if the device or app doesn't meet the policy requirements.
- Access PIN: Configure Maximum number of PIN attempts (e.g. 5). Action: Reset PIN or Clear data.
- Offline credentials: Configure Offline grace period (e.g. 720 minutes). Action: Block access or Clear data.
- Device Threat Level: Configure Maximum Threat Level Allowed (e.g. Medium). Action: Block access or Clear data.
- Click Next.
Step 6: Assignments
Assign the policy to the users or groups who will use the managed applications.
- Include: Select Select groups and add the user groups that should receive this policy (e.g. All users or a specific group of corporate users).
- Exclude: (Optional) Exclude specific groups if necessary.
- Click Next.
Step 7: Review and Create
- Review all policy settings.
- Click Create.
3. Repeating for the Other Platform (Android)
Repeat the steps in Section 2 to create a policy for the Android platform, adjusting the policy name and description if necessary. Data protection settings, access requirements, and conditional launch are similar but may have small platform-specific variations.
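The same iOS/iPadOS and Android policies from Steps 1 to 7, expressed as Microsoft Graph requests so they can be created repeatably on both platforms. This is an added example, not code from the article or from Microsoft; it uses the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest) and property names from the Graph iosManagedAppProtection and androidManagedAppProtection resources. The group id is a placeholder, the app list is a constructed sample (Outlook only) rather than the portal's All Microsoft apps selection, and the function name New-CorporateAppProtectionPolicy is the example's own. It also shows the platform difference the text mentions: screenshot blocking and the encryptAppData switch exist only on the Android resource, while iOS uses appDataEncryptionType.

```powershell
# Added example (not the article's or Microsoft's code). Requires the
# Microsoft.Graph module and an account holding the Intune Administrator role.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$base = 'https://graph.microsoft.com/v1.0/deviceAppManagement'

# Settings shared by both platforms (Steps 3 to 5 of the guide).
$common = @{
    # Step 3: data protection
    allowedOutboundDataTransferDestinations = 'managedApps'   # 'none' is the strictest choice
    allowedInboundDataTransferSources       = 'managedApps'
    saveAsBlocked                           = $true           # "Allow users to save copies": No apps
    allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
    allowedOutboundClipboardSharingLevel    = 'managedApps'   # cut/copy/paste: policy apps only
    contactSyncBlocked                      = $true
    printBlocked                            = $true
    # Step 4: access requirements
    pinRequired                             = $true
    pinCharacterSet                         = 'numeric'
    minimumPinLength                        = 6
    fingerprintBlocked                      = $false          # biometrics may replace the PIN
    organizationalCredentialsRequired       = $true
    # Step 5: conditional launch
    maximumPinRetries                       = 5
    periodOfflineBeforeAccessCheck          = 'PT12H'         # ISO 8601 duration = 720 minutes
    periodOfflineBeforeWipeIsEnforced       = 'P90D'
    maximumAllowedDeviceThreatLevel         = 'medium'        # needs a Mobile Threat Defense connector
    mobileThreatDefenseRemediationAction    = 'block'
}

# Platform-specific parts. Bundle/package ids are Outlook's; the list is a constructed sample.
$platforms = @(
    @{
        Resource = 'iosManagedAppProtections'
        Body     = @{
            '@odata.type'         = '#microsoft.graph.iosManagedAppProtection'
            displayName           = 'APP - iOS - Corporate Data Protection'
            description           = 'Policy to protect corporate data in Microsoft 365 apps on iOS/iPadOS devices.'
            appDataEncryptionType = 'whenDeviceLocked'      # "Encrypt organization data": Yes
            # iOS exposes no screenshot-blocking setting; that control exists only on Android.
        }
        Apps     = @(@{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Outlook' })
    },
    @{
        Resource = 'androidManagedAppProtections'
        Body     = @{
            '@odata.type'        = '#microsoft.graph.androidManagedAppProtection'
            displayName          = 'APP - Android - Corporate Data Protection'
            description          = 'Policy to protect corporate data in Microsoft 365 apps on Android devices.'
            encryptAppData       = $true
            screenCaptureBlocked = $true                    # "Prevent screenshots and screen recording": Yes
        }
        Apps     = @(@{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'; packageId = 'com.microsoft.office.outlook' })
    }
)

function New-CorporateAppProtectionPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Platform,
        [Parameter(Mandatory)] [string]    $GroupId   # Entra ID group that receives the policy (placeholder below)
    )
    $uri    = "$base/$($Platform.Resource)"
    $policy = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($common + $Platform.Body)

    # Step 2: target apps. One call per policy; the body lists every app identifier.
    Invoke-MgGraphRequest -Method POST -Uri "$uri/$($policy.id)/targetApps" -Body @{
        apps = @($Platform.Apps | ForEach-Object { @{ mobileAppIdentifier = $_ } })
    }

    # Step 6: assignments (Include). Add excluded groups with an exclusionGroupAssignmentTarget if needed.
    Invoke-MgGraphRequest -Method POST -Uri "$uri/$($policy.id)/assign" -Body @{
        assignments = @(@{
            target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId }
        })
    }
    return $policy
}

foreach ($p in $platforms) {
    $created = New-CorporateAppProtectionPolicy -Platform $p -GroupId '00000000-0000-0000-0000-000000000000'
    "Created $($created.displayName) ($($created.id))"
}
```

Keeping the shared settings in one hashtable is what gives the cross-platform consistency the guide asks for: the only differences between the two policies are the ones the platforms actually impose. After running it, open Apps > App protection policies in the admin center and confirm both policies list the targeted apps and the assigned group before testing on a device.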
Validation and Testing
Validating APP policies is critical to ensuring they work as expected and protect corporate data.
1. Testing on Managed and Unmanaged Devices
- Unmanaged Device (BYOD): On a personal device that is not enrolled in Intune (MDM), install a managed app (e.g. Outlook). Log in with a corporate account that is in scope of the APP policy.
- Check if the application requests the access PIN or biometrics.
- Try copying corporate data to a personal application (e.g. Notepad). The action must be blocked.
- Try taking a screenshot within the managed application. The action must be blocked or the screenshot must appear blank.
- Managed Device (MDM): On an Intune enrolled device (MDM), test the same actions to ensure that the APP policy is correctly applied in conjunction with the MDM policies.
2. Checking Intune Diagnostic Logs
Intune diagnostic logs can provide information about APP policy enforcement.
- In the Microsoft Intune admin center, go to Troubleshooting + Support.
- Search for the test user.
- In the Applications section, you can see the status of the application protection policy applied to the user and applications.
3. Checking the App Protection Policy Status Report
- In the Microsoft Intune admin center, go to Apps > Monitor > App Protection Status.
- This report provides an overview of the status of APP policies, including users and applications that have received them and any errors.
Security Tips and Best Practices
- Start with Audit: For new implementations, start with less restrictive policies or in audit mode (if available) to understand the impact before applying full blocks.
- Clear Communication: Clearly communicate to users about APP policies, their benefits, and how they affect the use of their devices. This helps reduce resistance and increase compliance.
- Cross-Platform Consistency: Keep APP policies consistent across iOS/iPadOS and Android for a unified user experience and cohesive security posture.
- Integration with Conditional Access: Combine APP policies with Azure AD Conditional Access to require applications to be APP-secured before granting access to corporate resources [5].
- Periodic Review: Review and adjust your APP policies regularly to adapt to changing business needs, the threat landscape, and application updates.
- Prioritize Sensitive Applications: Start by applying APP policies to the applications that contain the most sensitive data or are most used for corporate purposes.
- PIN and Biometrics: Require PIN or biometrics for access to managed apps for an extra layer of security, especially on shared devices.
Common Troubleshooting
- APP policy not applied: Check if the user is in the policy inclusion group. Make sure the app is an Intune-managed app and is in the target apps list. Check the Intune diagnostic logs.
- Users blocked unexpectedly: Check the policy's Conditional Launch settings. It could be that the device or app is violating a condition (e.g. incorrect PIN, rooted/jailbroken device).
- Corporate data leaking: Review the Data Protection settings, especially the Send organization data to other apps and Allow users to save copies of organization data restrictions.
- App does not appear as managed: Make sure the app is deployed as an Intune-managed app or that the user is signed in with their work account in the app.
- Application performance issues: In some cases, very restrictive APP policies can affect application performance. Monitor user feedback and adjust policies if necessary.
- Conflicts with other policies: If there are MDM and APP policies applied to the same device, make sure there are no conflicts. APP policies apply only to data within the app, while MDM policies apply to the device as a whole.
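A way to carry out the Periodic Review tip above and the "Corporate data leaking" check from the troubleshooting list without clicking through each policy: pull every iOS/iPadOS and Android APP policy through Microsoft Graph and report the settings that leave a leakage path open, plus policies that are unassigned or target no apps. This is an added example, not the article's or Microsoft's code; it uses the Microsoft.Graph PowerShell SDK, reads the same Graph managed app protection property names as the creation example (pinRequired, allowedOutboundDataTransferDestinations, saveAsBlocked, printBlocked, isAssigned, deployedAppCount and so on), and the function names and the sample policy at the end are constructed for illustration.

```powershell
# Added example (not the article's or Microsoft's code). Requires the
# Microsoft.Graph module; read-only scope is enough for an audit.

function Get-AppProtectionFindings {
    # Returns the list of weak or incomplete settings found in one policy object
    # (a hashtable or object as returned by Invoke-MgGraphRequest).
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [ValidateSet('iOS', 'Android')] [string] $Platform
    )
    $f = [System.Collections.Generic.List[string]]::new()

    if ($Policy.pinRequired -ne $true)                                 { $f.Add('no access PIN required') }
    if ($Policy.allowedOutboundDataTransferDestinations -eq 'allApps') { $f.Add('organization data may be sent to any app') }
    if ($Policy.allowedOutboundClipboardSharingLevel -eq 'allApps')    { $f.Add('clipboard open to personal apps') }
    if ($Policy.saveAsBlocked -ne $true)                               { $f.Add('save-as to unmanaged storage allowed') }
    if ($Policy.printBlocked -ne $true)                                { $f.Add('printing allowed') }
    if ($Policy.contactSyncBlocked -ne $true)                          { $f.Add('contact sync to native apps allowed') }
    if ($Platform -eq 'Android' -and $Policy.screenCaptureBlocked -ne $true) { $f.Add('screenshots allowed') }
    if ($Platform -eq 'Android' -and $Policy.encryptAppData -ne $true)       { $f.Add('app data not encrypted') }
    if ($Platform -eq 'iOS' -and $Policy.appDataEncryptionType -eq 'useDeviceSettings') { $f.Add('encryption left to device settings') }
    # A policy that is not assigned, or targets no apps, protects nothing even if every setting is strict.
    if ($Policy.isAssigned -ne $true)                                  { $f.Add('policy has no assignments') }
    if ([int]$Policy.deployedAppCount -eq 0)                           { $f.Add('policy targets no apps') }
    return $f
}

function Invoke-AppProtectionAudit {
    # Walks both platform collections, following @odata.nextLink paging, and
    # emits one row per policy with its findings joined into a single string.
    $base      = 'https://graph.microsoft.com/v1.0/deviceAppManagement'
    $resources = @{ iOS = 'iosManagedAppProtections'; Android = 'androidManagedAppProtections' }
    foreach ($platform in $resources.Keys) {
        $uri = "$base/$($resources[$platform])"
        do {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri
            foreach ($policy in $page.value) {
                [pscustomobject]@{
                    Platform = $platform
                    Policy   = $policy.displayName
                    Findings = (Get-AppProtectionFindings -Policy $policy -Platform $platform) -join '; '
                }
            }
            $uri = $page.'@odata.nextLink'
        } while ($uri)
    }
}

# Constructed sample policy (not real tenant data) showing what the check reports offline:
$weakSample = @{
    displayName = 'Legacy MAM'; pinRequired = $false; allowedOutboundDataTransferDestinations = 'allApps'
    saveAsBlocked = $false; printBlocked = $true; contactSyncBlocked = $true
    appDataEncryptionType = 'useDeviceSettings'; isAssigned = $true; deployedAppCount = 3
}
Get-AppProtectionFindings -Policy $weakSample -Platform 'iOS'

# Live audit against the tenant; only policies with findings are shown.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'
Invoke-AppProtectionAudit | Where-Object Findings | Format-Table -AutoSize
```

The checks mirror the guide's Data Protection and Access Requirements choices, so a policy that was created as described produces no findings; anything reported is either drift from that baseline or a policy that was created but never assigned or targeted, which is the usual cause of the "APP policy not applied" item above. Run it on a schedule and keep the output alongside the App Protection Status report.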
Conclusion
Application Protection Policies (APP) in Microsoft Intune are an essential tool for protecting corporate data on mobile devices, providing flexibility and security for BYOD environments. By implementing granular controls over how data is accessed, used and shared within managed applications, organizations can significantly mitigate the risk of data loss and ensure regulatory compliance. Careful configuration of APPs, combined with rigorous testing and user education, empowers IT and security teams to extend data protection beyond the traditional perimeter, ensuring that the company's most valuable information remains secure, regardless of the device used. With this guide, security professionals will be able to strengthen mobile security and protect information assets in an increasingly connected world.
References:
[1] Microsoft Learn. Overview of application protection policies. Available at: https://learn.microsoft.com/pt-br/intune/intune-service/apps/app-protection-policy
[2] Microsoft Learn. Create and deploy application protection policies. Available at: https://learn.microsoft.com/pt-br/intune/intune-service/apps/app-protection-policies
[3] Microsoft Learn. Microsoft Intune licensing requirements. Available at: https://learn.microsoft.com/pt-br/mem/intune/fundamentals/licenses
[4] Microsoft Learn. Applications protected by Microsoft Intune. Available at: https://learn.microsoft.com/pt-br/mem/intune/apps/apps-supported-intune-apps
[5] Microsoft Learn. Conditional Access with Intune App Protection. Available at: https://learn.microsoft.com/pt-br/mem/intune/apps/app-protection-conditional-access