{"id":1535,"date":"2019-05-30T01:00:00","date_gmt":"2019-05-30T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/what-are-app-protection-policies\/"},"modified":"2019-05-30T01:00:00","modified_gmt":"2019-05-30T01:00:00","slug":"what-are-app-protection-policies","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/what-are-app-protection-policies\/","title":{"rendered":"What Are App Protection Policies?"},"content":{"rendered":"<p style=\"text-align: justify;\"><em>This article was originally posted on<span>\u00a0<\/span><\/em><a rel=\"noopener noreferrer nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/intune\/app-protection-policy\" target=\"_blank\"><em>Microsoft<\/em><\/a><em><span>\u00a0<\/span>company website.<\/em><\/p>\n<p style=\"text-align: justify;\">Microsoft Intune app protection policies help protect your company data and prevent data loss.<\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>HOW YOU CAN PROTECT APP DATA<\/span><\/h3>\n<p style=\"text-align: justify;\">Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you want to prevent data loss, intentional and unintentional. You\u2019ll also want to protect company data that is accessed from devices that are not managed by you.<\/p>\n<p style=\"text-align: justify;\">You can use Intune app protection policies\u00a0<strong>independent of any mobile-device management (MDM) solution<\/strong>. This independence helps you protect your company\u2019s data with or without enrolling devices in a device management solution. 
By implementing\u00a0<strong>app-level policies<\/strong>, you can restrict access to company resources and keep data within the purview of your IT department.<\/p>\n<p style=\"text-align: justify;\">App protection policies can be configured for apps that run on devices that are:<\/p>\n<ul>\n<li><strong>Enrolled in Microsoft Intune:<\/strong> These devices are typically corporate owned.<\/li>\n<li><strong>Enrolled in a third-party mobile device management (MDM) solution:<\/strong> These devices are typically corporate owned.<\/li>\n<\/ul>\n<div style=\"background-color: #d4c8e9; border: 1px solid #d4c8e9; padding: 10px; margin: 30px 0px; border-radius: 5px;\">\n<h4 style=\"color: #f26122; font-size: 18px; padding: 0; margin: 0 0 10px;\"><strong>Note<\/strong><\/h4>\n<p style=\"text-align: justify;\">Mobile app management policies should not be used with third-party mobile app management or secure container solutions.<\/p>\n<\/p><\/div>\n<ul>\n<li><strong>Not enrolled in any mobile device management solution:<\/strong> These devices are typically employee-owned devices that aren\u2019t managed or enrolled in Intune or other MDM solutions.<\/li>\n<\/ul>\n<div style=\"background-color: #d9edf7; border: 1px solid #bce8f1; padding: 10px; margin: 30px 0px; border-radius: 5px;\">\n<h4 style=\"color: #f26122; font-size: 18px; padding: 0; margin: 0 0 10px;\"><strong>Important<\/strong><\/h4>\n<p style=\"text-align: justify;\">You can create mobile app management policies for Office mobile apps that connect to Office 365 services. You can also protect access to Exchange on-premises mailboxes by creating Intune app protection policies for Outlook for iOS and Android enabled with hybrid Modern Authentication. Before using this feature, make sure you meet the\u00a0<a rel=\"noopener noreferrer nofollow\" href=\"https:\/\/technet.microsoft.com\/library\/mt846639(v=exchg.160).aspx\" target=\"_blank\"><strong>Outlook for iOS and Android requirements<\/strong><\/a>. 
App protection policies are not supported for other apps that connect to on-premises Exchange or SharePoint services.<\/p>\n<\/p><\/div>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>The important benefits of using App protection policies are:<\/span><\/h3>\n<ul>\n<li>Protecting your company data at the app level. Because mobile app management doesn\u2019t require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.<\/li>\n<li>End-user productivity isn\u2019t affected and policies don\u2019t apply when using the app in a personal context. The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">There are additional benefits to using MDM with App protection policies, and companies can use App protection policies with and without MDM at the same time. For example, consider an employee who uses both a phone issued by the company and their own personal tablet. The company phone is enrolled in MDM and protected by App protection policies while the personal device is protected by App protection policies only.<\/p>\n<ul>\n<li><strong>MDM makes sure that the device is protected<\/strong>. For example, you can require a PIN to access the device, or you can deploy managed apps to the device. You can also deploy apps to devices through your MDM solution, to give you more control over app management.<\/li>\n<li><strong>App protection policies make sure that the app-layer protections are in place<\/strong>. 
For example, you can:\n<ul>\n<li>Require a PIN to open an app in a work context<\/li>\n<li>Control the sharing of data between apps<\/li>\n<li>Prevent the saving of company app data to a personal storage location<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>Supported platforms for app protection policies<\/span><\/h3>\n<p style=\"text-align: justify;\">Intune app protection policies platform support aligns with Office mobile application platform support for Android and iOS devices. For details, see the\u00a0<strong>Mobile apps<\/strong>\u00a0section of\u00a0<a rel=\"noopener noreferrer nofollow\" href=\"https:\/\/products.office.com\/office-system-requirements#coreui-contentrichblock-9r05pwg\" target=\"_blank\">Office System Requirements<\/a>.<\/p>\n<div style=\"background-color: #d9edf7; border: 1px solid #bce8f1; padding: 10px; margin: 30px 0px; border-radius: 5px;\">\n<h4 style=\"color: #f26122; font-size: 18px; padding: 0; margin: 0 0 10px;\"><strong>Important<\/strong><\/h4>\n<p style=\"text-align: justify;\">The Intune Company Portal is required on the device to receive App Protection Policies on Android. 
For more information, see the\u00a0<a rel=\"noopener noreferrer nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/intune\/end-user-mam-apps-android#access-apps\" target=\"_blank\"><strong>Intune Company Portal access apps requirements<\/strong><\/a>.<\/p>\n<\/p><\/div>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>HOW APP PROTECTION POLICIES PROTECT APP DATA<\/span><\/h3>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\">Apps without app protection policies<\/h3>\n<p><img decoding=\"async\" style=\"width: 500px; height: 437.8238341968912px;\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/18\/2021\/02\/blog_img_may29_1.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/0dbdafa64e7449db941f6030e94f428a\" \/><\/p>\n<p style=\"text-align: justify;\">When apps are used without restrictions, the company and personal data can get intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. The arrows in the preceding diagram show unrestricted data movement between both corporate and personal apps, and to storage locations.<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>DATA PROTECTION WITH APP PROTECTION POLICIES<\/span><\/h3>\n<p><img decoding=\"async\" style=\"width: 500px; height: 437.8238341968912px;\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/18\/2021\/02\/blog_img_may29_1.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/0dbdafa64e7449db941f6030e94f428a\" \/><\/p>\n<p style=\"text-align: justify;\">You can use App protection policies to prevent company data from saving to the local storage of the device. You can also restrict data movement to other apps that aren\u2019t protected by App protection policies. 
App protection policy settings include:<\/p>\n<ul>\n<li>Data relocation policies like\u00a0<strong>Prevent Save As<\/strong>, and\u00a0<strong>Restrict cut, copy, and paste<\/strong>.<\/li>\n<li>Access policy settings like\u00a0<strong>Require simple PIN for access<\/strong>\u00a0and\u00a0<strong>Block managed apps from running on jailbroken or rooted devices<\/strong>.<\/li>\n<\/ul>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>DATA PROTECTION WITH APP PROTECTION POLICIES ON DEVICES MANAGED BY A MOBILE DEVICE MANAGEMENT SOLUTION<\/span><\/h3>\n<p style=\"text-align: justify;\">The preceding diagram illustrates how the data protection policies work at the app level without MDM.<\/p>\n<p style=\"text-align: justify;\">For BYOD devices not enrolled in any MDM solution, App protection policies can help protect company data at the app level. However, there are some limitations to be aware of, like:<\/p>\n<ul>\n<li>You can\u2019t deploy apps to the device. The end user has to get the apps from the store.<\/li>\n<li>You can\u2019t provision certificate profiles on these devices.<\/li>\n<li>You can\u2019t provision company Wi-Fi and VPN settings on these devices.<\/li>\n<\/ul>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>APP PROTECTION GLOBAL POLICY<\/span><\/h3>\n<p style=\"text-align: justify;\">If a OneDrive administrator browses to\u00a0<strong>admin.office.com<\/strong>\u00a0and selects\u00a0<strong>Device<\/strong>\u00a0access, they can set\u00a0<strong>Mobile application management<span>\u00a0<\/span><\/strong>controls to the OneDrive and SharePoint client apps.<\/p>\n<p style=\"text-align: justify;\">The settings, made available to the OneDrive Admin console, configure a special Intune app protection policy called the\u00a0<strong>Global<span>\u00a0<\/span><\/strong>policy. 
This global policy applies to all users in your tenant, and there is no way to control the policy targeting.<\/p>\n<p style=\"text-align: justify;\">Once enabled, the OneDrive and SharePoint apps for iOS and Android are protected with the selected settings by default. An IT Pro can edit this policy in the Intune console to add more targeted apps and to modify any policy setting.<\/p>\n<p style=\"text-align: justify;\">By default, there can only be one\u00a0<strong>Global<\/strong>\u00a0policy per tenant. You can use\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/intune\/intune-graph-apis\" rel=\"nofollow noopener\" target=\"_blank\">Intune Graph APIs<\/a>\u00a0to create extra global policies per tenant, but doing so isn\u2019t recommended because troubleshooting the implementation of such a policy can become complicated.<\/p>\n<p style=\"text-align: justify;\">While the\u00a0<strong>Global<\/strong>\u00a0policy applies to all users in your tenant, any standard Intune app protection policy will override these settings.<\/p>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>MULTI-IDENTITY<\/span><\/h3>\n<p style=\"text-align: justify;\">Apps that support multi-identity let you use different accounts (work and personal) to access the same apps, while app protection policies apply only when the apps are used in the work context.<\/p>\n<p style=\"text-align: justify;\">For an example of a personal context, consider a user who starts a new document in Word. This is considered a personal context, so Intune App Protection policies are not applied. 
Once the document is saved on the corporate OneDrive account, it is considered a corporate context and Intune App Protection policies are applied.<\/p>\n<p style=\"text-align: justify;\">For an example of the work context, consider a user who starts the OneDrive app by using their work account. In the work context, they can\u2019t move files to a personal storage location. Later, when they use OneDrive with their personal account, they can copy and move data from their personal OneDrive without restrictions.<\/p>\n<ul>\n<li>Learn more about the apps that support\u00a0<a href=\"https:\/\/www.microsoft.com\/cloud-platform\/microsoft-intune-apps\" rel=\"nofollow noopener\" target=\"_blank\">MAM and multi-identity<\/a> with\u00a0Intune.<\/li>\n<\/ul>\n<h3 style=\"padding-bottom: 15px; margin-bottom: 30px; margin-top: 40px; border-bottom: 1px solid #f16020;\"><span>NEXT STEPS<\/span><\/h3>\n<p style=\"text-align: justify;\"><a rel=\"noopener noreferrer nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/intune\/app-protection-policies\" target=\"_blank\">How to create and deploy app protection policies with Microsoft Intune<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article was originally posted on\u00a0Microsoft\u00a0company website. Microsoft Intune app protection policies help protect your company data and prevent data loss. HOW YOU CAN PROTECT APP DATA Your employees use mobile devices for both personal and work tasks. 
While making sure your employees can be productive, you want to prevent data loss, intentional and unintentional.&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/nz\/insights\/geek-speak\/secure-workplace\/what-are-app-protection-policies\/\">Continue reading <span class=\"screen-reader-text\">What Are App Protection Policies?<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":1536,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[],"class_list":["post-1535","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1535","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/comments?post=1535"}],"version-history":[{"count":0,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/posts\/1535\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media\/1536"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/media?parent=1535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/categories?post=1535"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/nz\/wp-json\/wp\/v2\/tags?post=1535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}