Intune Customer Success

Deploy Intune App Protection Policies based on device management state

MattShadbolt
Oct 30, 2018

First published on TechNet on Mar 30, 2018
In many organizations it’s very common to allow end users to use both Intune MDM managed devices (Corporate owned devices for example) and unmanaged devices protected with only Intune App Protection Policies (BYO scenarios for example).

As Intune App Protection Policies are targeted to a user’s identity, the protection settings for a user traditionally apply to both enrolled (MDM managed) and non-enrolled devices (no MDM).

In the latest round of Intune updates, we’ve added the ability to target an Intune App Protection Policy to either Intune enrolled or un-enrolled iOS and Android devices.

This means you can have one protection policy for unmanaged devices in which strict Data Loss Prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices where the DLP controls may be a little more relaxed. This provides the best possible end-user experience based on the device enrollment state, while giving the IT Pro more control based on their business requirements.

To create these policies, browse to Mobile apps > App protection Policies in the Intune console and click Add a policy (or edit an existing policy).

If you want the policy to apply to both managed and unmanaged devices, leave Target to all app types at its default value, Yes.

If you want to assign the policy granularly based on management state, set the Target to all app types toggle to No.

You’ll then be presented with options for which device management state the policy should apply to.

For iOS, there are two options:

    • Apps on unmanaged devices: devices where no Intune MDM enrollment has occurred. This may include devices that are managed by another MDM vendor.

    • Apps on Intune managed devices: devices that are managed by Intune MDM.
For Android, there are three options:

    • Apps on unmanaged devices: devices where no Intune MDM enrollment has occurred. This may include devices that are managed by another MDM vendor.

    • Apps on Intune managed devices: devices that are Intune MDM managed via the traditional Android/KNOX management platform.

    • Apps in Android Work Profile: devices that are managed by Intune via the Android for Work management platform.
In my example, for my BYO devices I’d block Outlook contact sync, restrict web content to the Managed Browser and set a Minimum OS version. For my Corporate owned and fully managed devices, I’d allow contact sync, allow Safari use and set a lower Minimum OS version requirement.

Make sure you create two policies – one for managed and one for unmanaged devices – so that you have protection coverage across both scenarios.
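The coverage point above is easy to get wrong on Android, where "Intune managed" and "Work Profile" are separate targets. The following added example (not Microsoft's code; the state names, the Policy class and the sample settings are my own constructed model of the console options described here) resolves which policy applies to a device by platform and management state, and reports any (platform, state) pair left without a policy.

```python
"""Model of Intune App Protection Policy targeting by device management state.

Added example, not Microsoft's code: state names, the Policy class and the
sample settings are assumptions mirroring the console options in the post.
"""
from dataclasses import dataclass, field

# Management states the console offers per platform (as described in the post).
MANAGEMENT_STATES = {
    "iOS": {"unmanaged", "intune_mdm"},
    "Android": {"unmanaged", "intune_mdm", "android_work_profile"},
}

@dataclass
class Policy:
    name: str
    platform: str
    # Empty set models "Target to all app types = Yes" (applies to every state).
    targets: set = field(default_factory=set)
    settings: dict = field(default_factory=dict)

    def applies_to(self, platform: str, state: str) -> bool:
        return self.platform == platform and (not self.targets or state in self.targets)

def effective_policies(policies, platform, state):
    """All policies that protect an app on this platform/management state."""
    return [p for p in policies if p.applies_to(platform, state)]

def coverage_gaps(policies):
    """Return sorted (platform, state) pairs that no policy protects."""
    return sorted(
        (plat, st)
        for plat, states in MANAGEMENT_STATES.items()
        for st in states
        if not effective_policies(policies, plat, st)
    )

# Constructed policies mirroring the post's example: strict DLP for BYO, relaxed for corporate.
BYO_IOS = Policy("iOS BYO (strict DLP)", "iOS", {"unmanaged"},
                 {"contact_sync": "block", "web_content": "managed_browser", "min_os": "SAMPLE-HIGH"})
CORP_IOS = Policy("iOS corporate", "iOS", {"intune_mdm"},
                  {"contact_sync": "allow", "web_content": "any", "min_os": "SAMPLE-LOW"})
BYO_ANDROID = Policy("Android BYO (strict DLP)", "Android", {"unmanaged"})
# Deliberately targets only the legacy Android/KNOX state and forgets Work Profile.
CORP_ANDROID = Policy("Android corporate", "Android", {"intune_mdm"})

if __name__ == "__main__":
    print(coverage_gaps([BYO_IOS, CORP_IOS, BYO_ANDROID, CORP_ANDROID]))
```

Running it reports the Android Work Profile state as unprotected, which is the gap an admin would close by adding that target to the corporate Android policy.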

After policy creation, you’ll see a new column in the console called Management Type. This shows which App Protection Policies are available for managed versus unmanaged devices.
For iOS apps to be considered "Managed", the IntuneMAMUPN configuration policy setting needs to be deployed for each app. For more information, see https://docs.microsoft.com/en-us/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-microsoft-intune-or-third-party-emm

Please note, due to iOS app update requirements, this feature will be rolling out across iOS apps during April.

We think this feature will enable a really great user experience across both managed and unmanaged devices, while giving your organization the control over your security requirements.

Updated Dec 19, 2023
Version 9.0