Forum Discussion
App Protection Policy is not applied
- Mar 14, 2019
Hi Patrik,
You will need to create an App Config policy for each application.
Key: IntuneMAMUPN, Value type: String, Value: {{UserPrincipalName}}
Note:
- The AppConfig Outlook GUI creates this setting when you select "Allow only work or school accounts".
- Not every Microsoft APP application accepts IntuneMAMUPN in appconfig.
As you said, the App Protection Policy report will show the pending/applied config on a device; you can also navigate to about:intunehelp in the iOS managed browser and check the applied settings from the device directly.
https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser#how-to-access-to-managed-app-logs-using-the-managed-browser-on-ios
I have also seen some recent issues with APP not applying correctly after changing profiles, I suspect I will just have to re-enrol the device.
Andrew
Hello AndrewDawson,
thank you for participating.
I already know the App Protection status page. What I'd like to use is the Troubleshooting Tool, where I can select a user and see exactly which policy would be applied.
What I still don't understand:
"iOS has an additional requirement in order to mark the application on the device as managed."
I thought the App Protection Policy is based on the DEVICE management state, not on whether an app is in managed (installed through Intune) or unmanaged (installed through the regular App Store) mode.
Quote from your link:
Because Intune app protection policies target a user’s identity, the protection settings for a user can apply to both enrolled (MDM managed) and non-enrolled devices (no MDM).
You can have one protection policy for un-managed devices in which strict data loss prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices, where the DLP controls may be a little more relaxed.
That's what I want to achieve. I already have these different policies set up (but not working correctly for iOS, as you already know).
More interesting is this quote:
For iOS, additional app configuration settings are required to target APP settings to apps on Intune enrolled devices:
- IntuneMAMUPN must be configured for all MDM managed applications. For more information, see https://docs.microsoft.com/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-microsoft-intune-or-third-party-emm.
- IntuneMAMDeviceID must be configured for all Third-party and LOB MDM managed applications. The IntuneMAMDeviceID should be configured to the device ID token. For example, key=IntuneMAMDeviceID, value={{deviceID}}. For more information, see https://docs.microsoft.com/intune/app-configuration-policies-use-ios.
- If only the IntuneMAMDeviceID is configured, the Intune APP will consider the device as unmanaged.
This ("additional app configuration settings are required to target APP settings to apps on Intune enrolled devices") seems to be our problem. iOS needs additional settings so that APP recognizes the device's management state correctly.
A piece of advice from the https://docs.microsoft.com/en-us/intune/data-transfer-between-apps-manage-ios#configure-user-upn-setting-for-microsoft-intune-or-third-party-emm link is:
In Intune, the App Configuration policy has to be for enrollment type "Managed Devices". Additionally, the app needs to be either installed from the Intune Company Portal if set as available, or pushed as required to the device.
So that's what I don't think is logical:
iOS: The app itself must be managed to apply the correct policy (which should be based on the DEVICE management state, not the app management state).
Android: Everything is working as expected. A managed device is using the "APP for managed devices" both for a user-driven app installation and for an Intune-driven installation of an app.
Now I'm going to read the docs and try to understand and implement the configuration correctly. (Wish me luck :D )
I will write it down here soon if anything happens (expected or unexpected).
Patrick.
- RichardRiley, Nov 20, 2020, Copper Contributor
AndrewDawson Thank you for this!! Microsoft Docs wasn't that clear to me, so your pic example was exactly what I needed. Thanks
- Anonymous, Mar 19, 2019
I experience a new problem.
In my test scenario I had the setting "only work and school accounts" activated.
The recognition of whether Outlook has to apply the managed or the unmanaged profile worked well.
When rolling out to a pilot group, the users reported that they lost their personal accounts inside Outlook. Okay, I can understand that. So what I've done is to disable "only work and school accounts", so that the users are again able to use their personal accounts.
The problem: Now every device is applying the unmanaged policy and nothing is working.
That's really annoying.
Any ideas?
Neither of the options satisfies me.
1. I need the ability for the users to be able to use their private accounts.
2. I need to be able to distinguish whether the device is managed or unmanaged, so I can allow contact sync in the managed state.
- Anonymous, Mar 14, 2019
hallelujah!
I'm **bleep** confused right now. :-D
1. I added an app configuration policy (as required).
Device Enrollment Type: Managed devices
Platform: iOS
Required App: Microsoft Outlook
Use configuration designer
Configuration Key: IntuneMAMUPN
Value Type: String
Configuration Value: {{UserPrincipalName}}
Result: When clicking on save, the ConfigKey disappears after reopening the config.
Solution: After entering the ConfigKey & Value I have to click in an empty row and then click on save.
I'm getting crazy....
Now my iOS device is correctly using the desired App Protection Policy (iOS policy for managed devices, which allows the user to export contacts to the native Contacts app).
I hadn't tried out any app configuration policy before.
Now I'm using a policy as mentioned above ("Outlook - iOS").
I set the required value IntuneMAMUPN, so that APP is correctly being applied when the device is managed.
Additionally I started using the "configure email account settings" just like you did in the provided screenshot.
I have a question about that: Why is it important to allow only work or school accounts inside the Outlook app? (For this case)
I want my users to have the opportunity to use the Outlook app also for their private accounts.
(To increase the acceptance of the app)
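The doc requirements quoted earlier in the thread (IntuneMAMUPN for every MDM-managed app, IntuneMAMDeviceID additionally for LOB and third-party apps, enrollment type "Managed devices") and the configuration-designer steps in the post above amount to one request body against the Microsoft Graph beta API. The script below builds that body, checks it against those rules, and can post it. It is an added example, not code from this thread or from Microsoft. Assumptions: the `mobileAppConfigurations` endpoint and the `iosMobileAppConfiguration` schema as published in the Graph beta reference, a placeholder app id standing in for Outlook's Intune mobile app id in your tenant, and `IntuneMAMAllowedAccountsOnly` as the programmatic equivalent of the GUI option "Allow only work or school accounts", which should be verified against the Outlook app configuration docs. Setting IntuneMAMUPN explicitly, rather than letting the Outlook GUI add it as a side effect of that option, is the point: the row then stays in place when the work-accounts-only switch is turned off.

```python
"""Build, sanity-check and (optionally) post an Intune iOS app configuration
policy of enrollment type "Managed devices" via Microsoft Graph (beta).

Added example for this thread, not code from the thread or from Microsoft.
Endpoint and schema: Graph beta reference as known to the example's author.
The app id and the IntuneMAMAllowedAccountsOnly key name are assumptions.
"""
import json
import urllib.request

# "Managed devices" app configuration policies live here; the "Managed apps"
# type is a different resource (targetedManagedAppConfigurations).
GRAPH_ENDPOINT = ("https://graph.microsoft.com/beta/"
                  "deviceAppManagement/mobileAppConfigurations")


def setting(key, value, key_type="stringType"):
    """One row of the configuration designer: key, value type, value.
    The thread uses value type String for the {{UserPrincipalName}} token."""
    return {"appConfigKey": key,
            "appConfigKeyType": key_type,
            "appConfigKeyValue": value}


def build_ios_app_config(display_name, targeted_app_ids, *,
                         lob_or_third_party=False, work_accounts_only=False):
    """Return the request body for an iOS 'Managed devices' app config policy.

    IntuneMAMUPN is always present (required for every MDM-managed app on iOS).
    IntuneMAMDeviceID is added for LOB and third-party apps.
    The work-accounts-only switch is an explicit, separate row, so removing it
    later does not take IntuneMAMUPN with it.
    """
    settings = [setting("IntuneMAMUPN", "{{UserPrincipalName}}")]
    if lob_or_third_party:
        settings.append(setting("IntuneMAMDeviceID", "{{deviceID}}"))
    if work_accounts_only:
        # Assumed key name for "Allow only work or school accounts".
        settings.append(setting("IntuneMAMAllowedAccountsOnly", "Enabled"))
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": display_name,
        "targetedMobileApps": list(targeted_app_ids),
        "settings": settings,
    }


def check_managed_device_detection(body, lob_or_third_party=False):
    """Apply the rules quoted from the Intune docs in the thread.

    Returns a list of problems; an empty list means APP on an enrolled iOS
    device will see the device as managed for this app.
    """
    keys = {s["appConfigKey"] for s in body.get("settings", [])}
    problems = []
    if "IntuneMAMUPN" not in keys:
        # Covers the doc's "only IntuneMAMDeviceID configured" case too.
        problems.append("IntuneMAMUPN missing: APP treats the device as unmanaged")
    if lob_or_third_party and "IntuneMAMDeviceID" not in keys:
        problems.append("IntuneMAMDeviceID missing: required for LOB/third-party apps")
    if body.get("@odata.type") != "#microsoft.graph.iosMobileAppConfiguration":
        problems.append("not a 'Managed devices' (iosMobileAppConfiguration) policy")
    return problems


def post_policy(body, access_token):
    """Create the policy in the tenant. Needs a token with
    DeviceManagementApps.ReadWrite.All; not exercised offline."""
    req = urllib.request.Request(
        GRAPH_ENDPOINT,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder: replace with Outlook's mobile app id from your Intune tenant.
    OUTLOOK_APP_ID = "00000000-0000-0000-0000-000000000000"
    policy = build_ios_app_config("Outlook - iOS", [OUTLOOK_APP_ID])
    print(json.dumps(policy, indent=2))
    print("problems:", check_managed_device_detection(policy))
```

Run it without a token to see the body and the check result; to actually create the policy, obtain a Graph access token for an app or user with the permission noted in `post_policy` and call it with the body. After the policy is assigned, the device-side confirmation is the one Andrew describes above (about:intunehelp in the managed browser).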
- Gary Cooper, Mar 14, 2019, Copper Contributor
Deleted I've encountered the same issue with regard to trying to save the IntuneMAMUPN value. I raised a service ticket related to that issue, but interestingly, after a short while the Intune App Protections started to apply correctly (I saw the apps in question perform their 'restart' after prompting the user that they were being protected). Without having to do anything else, the App Protections are behaving properly now: applying to unmanaged devices correctly, and a different, less restrictive policy applying to managed devices. Two separate policies, one for unmanaged (applied only to unmanaged devices) and one for managed (applied only to managed devices). Due to a timing issue I asked Microsoft to close the ticket before it had been investigated, as I was spending too long with their engineers taking screenshots and trying to explain the issue, even directing them to the articles I'd used to perform the setup.
For me, at least, things seem to be working OK. I just needed to be patient. About 18 hours patient, before the settings took hold!
- Anonymous, Mar 14, 2019
Reeeaaally strange.
Okay, adding the UPN is working now as I've described.
At this moment I'm testing with an iOS device.
- Which policy is applied when unmanaged?
- Which policy is applied when this unmanaged device goes into management?
- Is the non-managed policy re-applied when leaving management?
I'll write back in a few minutes (okay Azure... perhaps in a few hours) when testing is done.