Configuring Intune App Protection

Rodney Buike: Hi. My name’s Rodney Buike and I’m an Identity and Information Specialist at Microsoft Canada. In this short video, I’m going to demonstrate an Intune app protection policy to enable DLP controls in the Office mobile apps for iOS and Android to protect corporate data from leaking. This policy will apply to all devices, whether they’re managed by Intune, managed by a third party, or unmanaged. I’ve already created the app protection policy, but let’s review it before showing it in action. This is a policy for iOS devices that you can also create for Android as well as Windows 10 devices. Under General, we can see the name of the policy and what app types to target this at. This refers to devices managed by Intune, unmanaged or third-party devices. We’re going to select all app types. Next, under Assignments, we can control which users and/or groups this will apply to. Targeted apps is where we can select the apps to be managed by the policy. And finally, Properties is where we set the actual DLP controls, and this is split into three areas. Data relocation specifies the data relocation policies. In this case here, we can prevent any corporate data from being included in any iTunes or iCloud backups. We can control how applications transfer data to other applications. In this case here, we can only transfer data to other policy-managed applications. And we can only receive data from other policy-managed applications. We’ve locked down Save As, only allowing users to save to OneDrive for Business or SharePoint. And we’ve also restricted cut, copy, and paste between policy-managed applications as well. We’re enforcing application data encryption, blocking printing, and we’ve also blocked third-party keyboards. The access requirements section specifies any additional access requirements outside of authenticating to any of the services associated with the app.

So, in this case here, we can add a PIN for an additional layer of access to the application and then define whether that’s a numeric PIN or a simple PIN, the length, as well as whether we allow fingerprint or facial recognition. Because this will also apply to a managed device that may already have a PIN applied to it, we can disable application PINs when that device PIN is already in place. And then we can also recheck those access requirements every 30 minutes in this particular case. Finally, conditional launch allows you to specify settings that apply when the application is launched. With this policy, we can see the maximum number of PIN attempts and the action if that’s exceeded, an offline grace period, as well as what to do with jailbroken or rooted devices. So, let’s switch over to the iPad and take a look at what the user experience is for end users. So, in this case here, I’m going to launch the OneDrive application. I’m going to open up a document, which will open in the OneDrive previewer, and it’ll allow me to open it up in Word. Now, once this document is open in Word, I’m going to attempt to save it to a personal location, and we should get an error message saying that this is not allowed. I’m going to save a copy. Go to my OneDrive personal. Click on Save, and we get the message saying that the administrator doesn’t allow saving to personal locations. I can go back to the OneDrive corporate version and save it there without any issues whatsoever. So, that’s a simple Intune app protection policy to lock down the corporate data on those managed and unmanaged devices. Thank you.
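As an added example (not part of the video or its demo), the same iOS app protection policy expressed as a Microsoft Graph request, so the DLP settings walked through above can be kept in source control and reviewed like any other security configuration. The property names follow the Graph `iosManagedAppProtection` resource as I recall them and are an assumption to verify against the current Graph schema; the policy name and PIN length are constructed values.

```powershell
# Added example: create the iOS app protection policy via Microsoft Graph.
# Property names are assumed from the iosManagedAppProtection resource (beta);
# check them against the current Graph schema before deploying.
# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosManagedAppProtection"
    displayName   = "iOS - Office DLP (all app types)"    # constructed name
    description   = "Keep corporate data inside policy-managed Office apps"

    # Data relocation
    dataBackupBlocked                       = $true          # no corporate data in iTunes/iCloud backups
    allowedOutboundDataTransferDestinations = "managedApps"  # send data only to policy-managed apps
    allowedInboundDataTransferSources       = "managedApps"  # receive data only from policy-managed apps
    saveAsBlocked                           = $true          # Save As restricted to the locations below
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    allowedOutboundClipboardSharingLevel    = "managedApps"  # cut/copy/paste stays within managed apps
    appDataEncryptionType                   = "whenDeviceLocked"
    printBlocked                            = $true
    thirdPartyKeyboardsBlocked              = $true

    # Access requirements
    pinRequired                             = $true
    pinCharacterSet                         = "numeric"
    simplePinBlocked                        = $true
    minimumPinLength                        = 6              # constructed value
    fingerprintBlocked                      = $false         # Touch ID may stand in for the PIN
    faceIdBlocked                           = $false
    disableAppPinIfDevicePinIsSet           = $true          # managed devices already enforce a device PIN
    periodOnlineBeforeAccessCheck           = "PT30M"        # recheck access requirements every 30 minutes

    # Conditional launch
    maximumPinRetries                       = 5
    periodOfflineBeforeAccessCheck          = "PT12H"        # offline grace period before access is rechecked
    deviceComplianceRequired                = $true          # block jailbroken devices
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Targeted apps and user/group assignments are separate Graph actions
# (targetApps and assign on the created policy) and are not shown here.
$created.id
```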
