Forum Discussion

Deleted's avatar
Deleted
Mar 11, 2019
Solved

App Protection Policy is not applied

Hi everyone,   i have the following constellation:   1. One App Protection Policy named "iOS General" 2. One App Protection Policy named "iOS Outlook for managed devices" 3. One App Protection ...
Intune
mobile device management (mdm)
  • AndrewDawson's avatar
    AndrewDawson
    Mar 14, 2019

    Hi Patrik,

     

    You will need to create an App Config policy for each application.

    IntuneMAMUPN   String   {{UserPrincipalName}}

     

    Note:

    • The AppConfig Outlook GUI creates this setting when you select "Allow only work or school accounts".
    • Not every Microsoft APP application accepts IntuneMAMUPN in appconfig.

     

    As you said the App Protection Policy report will show pending/applied config on a device, you can also navigate to about:intunehelp on iOS managed browser and check the applied settings from the device directly.

    https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser#how-to-access-to-managed-app-logs-using-the-managed-browser-on-ios

     

    I have also seen some recent issues with APP not applying correctly after changing profiles, I suspect I will just have to re-enrol the device.

     

    ,Andrew

eglockling's avatar
eglockling
Steel Contributor
Mar 11, 2019

How is Outlook being distributed? Is it set as required or advertised from Company Portal? When you check device management in iOS Settings, is the app listed as managed?

Deleted's avatar
Deleted
Mar 12, 2019

Hello eglockling,

 

in my understanding a "default" app protection policy should be applied to any app management state, isn't it?

(So even, when a user isn't using an intune managed device)

So my default profile is set to "target to all app types -> yes".

Microsoft explanation:

Use this option to target your policy to apps on devices of any management state.

During policy conflict resolution this setting will be superseded if a user has policy targeted for a specific management state.

 

Anyway, in my case i got the app via the "required" setting inside the app assignment.

When looking at "all devices -> my iphone -> managed Apps" i can see the Outlook app in there.

So it is a managed app in this case. (the same on a second test iphone)

 

Another question regarding the setting "target to all app types":

"this setting will be superseded if a user has policy targeted for a specific management state."

Would it be better to have the general policy holding all apps, including outlook?

And second: Have an App Policy for Outlook on managed devices with some other / divergent settings than the general policy?

 

So whenever there is a user with a device with one of these apps connecting with his corporate account, this app is going to apply the default / general policy PLUS when the device is managed in intune the policy "ios managed" is going to override the lax setting of the general policy.