Forum Discussion
App Protection Policy is not applied
- Mar 14, 2019
Hi Patrik,
You will need to create an App Config policy for each application.
Key: IntuneMAMUPN, Type: String, Value: {{UserPrincipalName}}
Note:
- The AppConfig Outlook GUI creates this setting when you select "Allow only work or school accounts".
- Not every Microsoft APP application accepts IntuneMAMUPN in appconfig.
As you said, the App Protection Policy report will show pending/applied config on a device; you can also navigate to about:intunehelp in the iOS Managed Browser and check the applied settings from the device directly.
https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser#how-to-access-to-managed-app-logs-using-the-managed-browser-on-ios
I have also seen some recent issues with APP not applying correctly after changing profiles; I suspect I will just have to re-enrol the device.
Andrew
Hi Patrick,
I just saw your post. I have a similar issue with iOS app protection policy. I have one set of policies for iOS devices and one for Android devices. Policies work fine with Android when enrolling and unenrolling. With iOS, the settings don't change once the device is managed. I think the Outlook app is still registered as unmanaged, thus it applied the unmanaged policy. I have had a premier support ticket for about 3 weeks now. I have been out of the country with limited access. Sorry for the delay on this. Anyway, the last status I got said that this is a bug. There hasn't been a fix issued as of last week. Usually, I would say, submit a ticket since it could be something different for your environment, but you may need to wait it out a little longer. Support hasn't given me any documentation or article on the issue. In any case, as soon as I hear something, I will reply back.
Have a good one.
Marcelo
- Deleted, Mar 12, 2019
Hello Marcelo,
With iOS, the settings don't change once the device is managed. I think the Outlook app is still registered as unmanaged thus it applied the unmanaged policy.
So you think the app management state is meant in the setting "Target to all app types -> No -> Apps on Intune managed devices"?
When I'm reading this in Intune I think the device management state is meant, not the app management state. Thank you very much. (Thanks to eglockling, too.) :-)
- AndrewDawson, Mar 12, 2019, Brass Contributor
Hi Deleted, Marcelo Carvalho
I had the same issue when I was initially setting up APP; iOS has an additional requirement in order to mark the application on the device as managed.
Link: https://docs.microsoft.com/en-us/intune/app-protection-policies#target-app-protection-policies-based-on-device-management-state
You can validate the App Protection Status for each user/application under Client apps - App protection status.
Andrew
- Deleted, Mar 14, 2019
Hello AndrewDawson,
Thank you for participating.
I already know the App protection status page. What I like to use is the Troubleshooting Tool, where I can select a user and see exactly what policy would be applied.
What I still don't understand:
"iOS has an additional requirement in order to mark the application on the device as managed."
I thought the App Protection Policy is based on the DEVICE management state, not on whether an app is in managed (installed through Intune) or unmanaged (installed through the regular App Store) mode.
Quote from your link:
Because Intune app protection policies target a user’s identity, the protection settings for a user can apply to both enrolled (MDM managed) and non-enrolled devices (no MDM). You can have one protection policy for un-managed devices in which strict data loss prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices, where the DLP controls may be a little more relaxed.
That's what I want to achieve. I already have these different policies set up (but not working for iOS correctly, as you already know).
More interesting is this quote:
For iOS, additional app configuration settings are required to target APP settings to apps on Intune enrolled devices:
- IntuneMAMUPN must be configured for all MDM managed applications. For more information, see https://docs.microsoft.com/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-microsoft-intune-or-third-party-emm.
- IntuneMAMDeviceID must be configured for all Third-party and LOB MDM managed applications. The IntuneMAMDeviceID should be configured to the device ID token. For example, key=IntuneMAMDeviceID, value={{deviceID}}. For more information, see https://docs.microsoft.com/intune/app-configuration-policies-use-ios.
- If only the IntuneMAMDeviceID is configured, the Intune APP will consider the device as unmanaged.
This (additional app configuration settings are required to target APP settings to apps on Intune enrolled devices) seems to be our problem. iOS needs additional settings so that the APP recognizes the device's management state correctly.
A piece of advice from the https://docs.microsoft.com/en-us/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-microsoft-intune-or-third-party-emm link is:
In Intune, the App Configuration policy has to be for enrollment type "Managed Devices". Additionally, the App needs to be either installed from the Intune Company Portal if set as available or pushed as required to the device.
So that's what I don't think is logical:
iOS: The app itself must be managed to apply the correct policy (which should be based on the DEVICE management state, not the app management state).
Android: Everything is working as expected. A managed device is using the "APP for managed devices" both for a user-driven app installation and for an Intune-driven installation of an app.
Now I'm going to read the docs and try to understand and implement the configuration correctly. (Wish me luck :D )
I will write it down here soon if anything happens (expected or unexpected).
Patrick.
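As an added example (not code from this thread, from Microsoft, or from any Intune API), the following Python checker encodes the three iOS rules quoted above from the Intune docs (IntuneMAMUPN for all MDM-managed apps, IntuneMAMDeviceID additionally for third-party and LOB apps, and "device ID only means unmanaged") together with the "Managed Devices" enrollment-type advice, and runs them over a few constructed app configuration policies. The dataclass layout, the app "kind" and enrollment labels, and the sample policies are assumptions chosen for illustration.

```python
"""Offline checker for the iOS app configuration settings that Intune APP
needs in order to recognise a device as MDM managed (added example; the
policy model below is an assumption, not the Intune object model)."""
from dataclasses import dataclass, field

# Tokens exactly as they appear in the thread; comparison is case-insensitive
# here (assumption: Intune token matching is not case-sensitive).
UPN_TOKEN = "{{UserPrincipalName}}"
DEVICE_ID_TOKEN = "{{deviceID}}"


@dataclass
class AppConfigPolicy:
    app_name: str
    kind: str             # assumed labels: "microsoft", "third_party", "lob"
    enrollment_type: str  # assumed labels: "managed_devices", "managed_apps"
    settings: dict = field(default_factory=dict)  # key -> configured value


def _is_token(value, token):
    return isinstance(value, str) and value.lower() == token.lower()


def check_policy(policy):
    """Return a list of findings; an empty list means the policy satisfies
    every rule quoted in the thread for this app kind."""
    findings = []
    upn = policy.settings.get("IntuneMAMUPN")
    dev = policy.settings.get("IntuneMAMDeviceID")

    # Docs advice: the App Configuration policy must be for "Managed Devices".
    if policy.enrollment_type != "managed_devices":
        findings.append("enrollment type must be 'Managed Devices' for "
                        "IntuneMAMUPN to take effect")

    # Rule 1: IntuneMAMUPN for every MDM-managed application.
    if upn is None:
        findings.append("IntuneMAMUPN missing")
    elif not _is_token(upn, UPN_TOKEN):
        findings.append(f"IntuneMAMUPN should be {UPN_TOKEN}, got {upn!r}")

    # Rule 2: IntuneMAMDeviceID additionally for third-party and LOB apps.
    if policy.kind in ("third_party", "lob"):
        if dev is None:
            findings.append("IntuneMAMDeviceID missing "
                            "(required for third-party/LOB apps)")
        elif not _is_token(dev, DEVICE_ID_TOKEN):
            findings.append(f"IntuneMAMDeviceID should be {DEVICE_ID_TOKEN}, "
                            f"got {dev!r}")

    # Rule 3: device ID without UPN -> APP treats the device as unmanaged.
    if upn is None and dev is not None:
        findings.append("only IntuneMAMDeviceID configured: APP will treat "
                        "the device as unmanaged")
    return findings


def predicted_management_state(policy):
    """'managed' when APP is expected to apply the managed-device policy,
    otherwise 'unmanaged' (the symptom described in the thread)."""
    return "managed" if not check_policy(policy) else "unmanaged"


# Constructed sample policies (not real tenant data).
OUTLOOK_OK = AppConfigPolicy("Outlook", "microsoft", "managed_devices",
                             {"IntuneMAMUPN": UPN_TOKEN})
THIRD_PARTY_OK = AppConfigPolicy("ThirdPartyMail", "third_party",
                                 "managed_devices",
                                 {"IntuneMAMUPN": UPN_TOKEN,
                                  "IntuneMAMDeviceID": DEVICE_ID_TOKEN})
LOB_DEVICE_ID_ONLY = AppConfigPolicy("LobApp", "lob", "managed_devices",
                                     {"IntuneMAMDeviceID": DEVICE_ID_TOKEN})
OUTLOOK_WRONG_ENROLLMENT = AppConfigPolicy("Outlook", "microsoft",
                                           "managed_apps",
                                           {"IntuneMAMUPN": UPN_TOKEN})

if __name__ == "__main__":
    for p in (OUTLOOK_OK, THIRD_PARTY_OK, LOB_DEVICE_ID_ONLY,
              OUTLOOK_WRONG_ENROLLMENT):
        print(p.app_name, "->", predicted_management_state(p),
              check_policy(p))
```

The LOB sample reproduces the failure mode the docs describe: IntuneMAMDeviceID is present but IntuneMAMUPN is not, so the checker predicts the unmanaged policy will be applied even though the device is enrolled.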