Deleted
Mar 11, 2019

App Protection Policy is not applied

Hi everyone,

 

I have the following constellation:

 

1. One App Protection Policy named "iOS General"

2. One App Protection Policy named "iOS Outlook for managed devices"

3. One App Protection Policy named "iOS Outlook for unmanaged devices"

 

Configuration:

1. The following options are set for "iOS General":

Target to all app types -> yes

Targeted Apps -> all Apps in List except Outlook

 

2. The following options are set for "iOS Outlook for managed devices"

Target to all app types -> no -> Apps on Intune managed devices

Targeted Apps -> Outlook

 

3. The following options are set for "iOS Outlook for unmanaged devices"

Target to all app types -> no -> Apps on unmanaged devices

Targeted Apps -> Outlook

 

My expectations:

unmanaged Devices

  1. Policy "iOS General" is applied for all Apps, except for the Outlook App.
  2. The Outlook App applies the Policy "iOS Outlook for unmanaged devices"

managed Devices

  1. Policy "iOS General" is applied for all Apps, except for the Outlook App.
  2. The Outlook App applies the Policy "iOS Outlook for managed devices"

 

My problems:

1. unmanaged and managed devices are applying the "general" Policy. Very good.

2. When it comes to the distinction between managed device -> Outlook & unmanaged device -> Outlook, the App Protection Policies are not properly applied.

The policy "iOS Outlook for unmanaged devices" is applied every time. (Not as expected only on unmanaged devices!)

 

Additional information:

I'm using a group with static user assignment. All my test users are members of this group.

Every App Protection Policy is using this static group. (Policy -> Assignments -> Include)

 

 

Thank you very much in advance.

Patrick :)

  • Hi Patrick,

     

    You will need to create an App Config policy for each application.

    IntuneMAMUPN   String   {{UserPrincipalName}}

     

    Note:

    • The AppConfig Outlook GUI creates this setting when you select "Allow only work or school accounts".
    • Not every Microsoft APP application accepts IntuneMAMUPN in appconfig.

     

    As you said, the App Protection Policy report will show pending/applied config on a device. You can also navigate to about:intunehelp in the iOS Managed Browser and check the applied settings from the device directly.

    https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser#how-to-access-to-managed-app-logs-using-the-managed-browser-on-ios

     

    I have also seen some recent issues with APP not applying correctly after changing profiles; I suspect I will just have to re-enrol the device.

     

    Andrew

  • eglockling
    Steel Contributor

    How is Outlook being distributed? Is it set as required or advertised from Company Portal? When you check device management in iOS Settings, is the app listed as managed?

    • Deleted

      Hello eglockling,

       

      In my understanding, a "default" app protection policy should be applied to any app management state, shouldn't it?

      (So even when a user isn't using an Intune managed device.)

      So my default profile is set to "target to all app types -> yes".

      Microsoft explanation:

      Use this option to target your policy to apps on devices of any management state.

      During policy conflict resolution this setting will be superseded if a user has policy targeted for a specific management state.

       

      Anyway, in my case I got the app via the "required" setting inside the app assignment.

      When looking at "all devices -> my iphone -> managed Apps" I can see the Outlook app in there.

      So it is a managed app in this case. (The same on a second test iPhone.)

       

      Another question regarding the setting "target to all app types":

      "this setting will be superseded if a user has policy targeted for a specific management state."

      Would it be better to have the general policy holding all apps, including outlook?

      And second: Have an App Policy for Outlook on managed devices with some other / divergent settings than the general policy?

       

      So whenever there is a user with a device with one of these apps connecting with his corporate account, this app is going to apply the default / general policy PLUS, when the device is managed in Intune, the policy "ios managed" is going to override the lax setting of the general policy.

       

       

  • Hi Patrick,

     

    I just saw your post. I have a similar issue with iOS app protection policy. I have one set of policies for iOS devices and one for Android devices. Policies work fine with Android when enrolling and unenrolling. With iOS, the settings don't change once the device is managed. I think the Outlook app is still registered as unmanaged, thus it applied the unmanaged policy. I have had a premier support ticket for about 3 weeks now. I have been out of the country with limited access. Sorry for the delay on this. Anyway, the last status I got said that this is a bug. There hasn't been a fix issued as of last week. Usually, I would say, submit a ticket since it could be something different for your environment, but you may need to wait it out a little longer. Support hasn't given me any documentation or article on the issue. In any case, as soon as I hear something, I will reply back.

    Have a good one.

     

    Marcelo

     

    • Deleted

      Hello Marcelo,

       

      With iOS, the settings don't change once the device is managed.  I think the Outlook app is still registered as unmanaged thus it applied the unmanaged policy.

      So you think the app management state is meant in the setting "target to all app types -> no -> Apps on Intune managed devices"?
      When I'm reading this in Intune, I think the device management state is meant, not the app management state.

       

      Thank you very much. (Thanks to eglockling, too.) :-)

       

  • PatrickF11
    Steel Contributor
    Because of a new techcommunity account, this is just a short response to follow up the thread. :)
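
A simplified model of the behaviour discussed in this thread, added here as an example and not code from any poster or from Intune. It assumes, following Andrew's reply, that an app counts as managed only when the IntuneMAMUPN app config value reaches it, and it applies the quoted rule that a policy for a specific management state supersedes an "all app types" policy; the class, function and app names and the account are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ANY, MANAGED, UNMANAGED = "any", "managed", "unmanaged"

@dataclass(frozen=True)
class Policy:
    name: str
    target: str        # ANY models "Target to all app types -> yes"
    apps: frozenset

@dataclass(frozen=True)
class AppInstance:
    app: str
    account_upn: str          # account signed in to the app
    device_enrolled: bool     # present only to show that the model ignores it
    mam_upn: Optional[str]    # IntuneMAMUPN from app config, None if not delivered

def management_state(inst: AppInstance) -> str:
    # Assumption: managed only if IntuneMAMUPN arrived and names the signed-in account.
    if inst.mam_upn and inst.mam_upn.lower() == inst.account_upn.lower():
        return MANAGED
    return UNMANAGED

def effective_policy(policies, inst: AppInstance) -> Optional[str]:
    state = management_state(inst)
    candidates = [p for p in policies if inst.app in p.apps]
    specific = [p for p in candidates if p.target == state]
    generic = [p for p in candidates if p.target == ANY]
    chosen = specific or generic   # state-specific policy supersedes "all app types"
    return chosen[0].name if chosen else None

# Constructed sample data: the three policies from the opening post.
OTHER_APPS = frozenset({"Word", "OneDrive"})  # stand-ins for "all Apps in List except Outlook"
THREAD_POLICIES = [
    Policy("iOS General", ANY, OTHER_APPS),
    Policy("iOS Outlook for managed devices", MANAGED, frozenset({"Outlook"})),
    Policy("iOS Outlook for unmanaged devices", UNMANAGED, frozenset({"Outlook"})),
]
# The alternative asked about in the thread: general policy includes Outlook, plus a managed override.
ALTERNATIVE_POLICIES = [
    Policy("iOS General", ANY, OTHER_APPS | {"Outlook"}),
    Policy("iOS Outlook for managed devices", MANAGED, frozenset({"Outlook"})),
]

UPN = "user@example.com"  # constructed account
enrolled_no_config = AppInstance("Outlook", UPN, True, None)
enrolled_with_config = AppInstance("Outlook", UPN, True, UPN)

if __name__ == "__main__":
    for inst in (enrolled_no_config, enrolled_with_config):
        print(inst.mam_upn, "->", effective_policy(THREAD_POLICIES, inst))
```

In this model an enrolled device whose Outlook never received IntuneMAMUPN resolves to the unmanaged policy, which is the symptom reported in the opening post.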
