Intune - App protection policy to protect company data
I am asking as I have been watching several trainings where it was mentioned that there are 3 ways of onboarding phones, and App protection policy was mentioned as a kind of way to enrol phones. However, it has not been explained whether it will really enrol phones to Intune or not.
------
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
- sumo83 | Aug 31, 2024 | Iron Contributor
And what is that "sort of enrolment", please? This is exactly what I am not sure about: will the mobile phone be visible in Intune?
I understand there are two other ways to enrol a mobile phone: fully (company) managed and BYOD with work profile. And these two are visible in Intune.
Btw, our organization didn't really care much about mobile phones so far... so it is a bit messy... and I am trying to change that. As we have a mix of personal phones and company phones, it looks like an app protection policy could be a perfect fit to mitigate data leak risk for now.
- SebastiaanSmits | Sep 02, 2024 | Iron Contributor
I see you have Android and iOS, so there are a lot of options to pick from. To explain them all is too much here. But according to what you are explaining, you have Company Owned iOS and Android devices (right?). No Bring Your Own devices, I guess?
The possibilities can be separated, roughly, into two parts: the Native Solutions, offered by Google (Android) and Apple (iOS), and solutions created by Microsoft (the MDM vendor).
1. Android Native
For Android Native you have your standard profiles with a separation of Work and Private Profiles. This indeed can give you some nice benefits for protecting your Company data. See an excellent writeup about the Android Enterprise Profiles here: https://bayton.org/android/what-is-android-enterprise-and-why-is-it-used/
For iOS you have Native Open-in. This is a very barebones method of protecting Enterprise Data in Managed apps; there is not a lot of flexibility. It is configured simply with a Restriction Configuration (there are two settings). See the documentation here: https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf -- go to the section "Tools for separating corporate data". And these are the two settings: "Allow documents from unmanaged sources in managed destinations." and "Allow documents from managed sources in unmanaged destinations."
Both Android and iOS also have native solutions for BYOD (Work Profile and User Enrollment respectively), which I will not discuss further here.
2. Microsoft Solution
The Microsoft Solution is App Protection Policies (APP). This gives extra controls for apps that have the SDK built in or have the controls applied with a Wrapper (so unlike the Native solution, this is not for all apps). APP can be used in conjunction with the Native solutions, and that is mostly the preferred way.
So when trying to create a strategy, I would suggest researching the options using the above mini guide. It is impossible for me to give you the solution; it really depends on a lot of factors at play at your company. Hope this helps a little bit.
- sumo83 | Sep 09, 2024 | Iron Contributor
I have configured and deployed the App protection policy to a test group and it seems to be working fine. The next thing I would like to achieve is to make sure that only managed apps are allowed to access company data (e.g. Outlook for emails).
I've read through the links and I'm not sure if I am on the right track. I've been looking at CA:
- target "all cloud apps"
- Conditions: Device Platform - android and iphone
- Grant:
- Require app protection policy
- Require approved client app
Now, I have a few questions:
- Does the CA look OK in the first place?
- I've read that to use CA, there needs to be an app broker on the phones (Company Portal for Android or the MS Authenticator app for iPhones). And if it's not there, the user will be redirected to install it.
- "Require approved client app" under Grant gives me a message: "You should no longer use "Require approved client app", as we will soon stop updating it." What should be used instead to make sure only approved apps can access our data?
Thank you again for all your help... I'm almost there 🙂
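The Conditional Access policy sketched in the post above, written out as the request body Microsoft Graph expects for `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`, together with a small lint that flags the retiring "Require approved client app" grant. This is an added example, not code from the thread or from Microsoft; the group id is a placeholder, and the policy defaults to report-only so it can be observed on the pilot group before it enforces anything. In the Graph schema the portal's "Require app protection policy" check box is the built-in control `compatibleApplication` and "Require approved client app" is `approvedApplication`; Microsoft's migration guidance for the warning quoted in the post points at the app protection policy grant as the replacement. The broker requirement (Company Portal on Android, Authenticator on iOS) is a client-side prerequisite and does not appear in the policy body.

```python
"""Added example (not from the thread or from Microsoft): build the Microsoft Graph
request body for the mobile Conditional Access policy described above and lint its
grant controls. Only the standard library is used; nothing is sent to Graph."""
import json

# Values of grantControls.builtInControls in the Graph conditionalAccessPolicy
# schema, as they map to the portal's Grant check boxes.
APP_PROTECTION_POLICY = "compatibleApplication"  # "Require app protection policy"
APPROVED_CLIENT_APP = "approvedApplication"      # "Require approved client app" (retiring)

GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder pilot group object id (assumed value, replace with your own group).
PILOT_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_mobile_app_policy(group_id,
                            display_name="Mobile - require app protection policy",
                            state="enabledForReportingButNotEnforced",
                            grant_controls=(APP_PROTECTION_POLICY,)):
    """Return the JSON body for POST GRAPH_ENDPOINT.

    Defaults to report-only ("enabledForReportingButNotEnforced") and to a single
    pilot group, so the effect can be reviewed in sign-in logs before enforcing.
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            # the post's target "all cloud apps"
            "applications": {"includeApplications": ["All"]},
            # scope to the pilot group that already has the APP deployed
            "users": {"includeGroups": [group_id]},
            # the post's Device Platform condition: Android and iPhone/iPad
            "platforms": {"includePlatforms": ["android", "iOS"]},
            # the grant applies to app sign-ins, not to browser sessions
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": list(grant_controls),
        },
    }


def lint_grant_controls(policy):
    """Return a list of review findings (empty list means nothing to flag)."""
    findings = []
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    users = policy["conditions"].get("users", {})

    if APPROVED_CLIENT_APP in controls:
        findings.append(
            "uses 'approvedApplication' (Require approved client app), the control the "
            "portal warns is being retired; 'compatibleApplication' (Require app "
            "protection policy) is the documented replacement")
    if APP_PROTECTION_POLICY not in controls:
        findings.append(
            "does not require an app protection policy, so apps without APP "
            "controls can still open company data")
    # Lockout guard: an enforced policy over all users with no exclusions has no
    # break-glass path if the broker or APP rollout is incomplete.
    if (policy.get("state") == "enabled"
            and "All" in users.get("includeUsers", [])
            and not (users.get("excludeUsers") or users.get("excludeGroups"))):
        findings.append(
            "enforced for all users with no excluded break-glass account or group")
    return findings


if __name__ == "__main__":
    policy = build_mobile_app_policy(PILOT_GROUP_ID)
    print(json.dumps(policy, indent=2))
    print(lint_grant_controls(policy) or ["no findings"])
```

Running the module prints the report-only policy body and an empty findings list; swapping `grant_controls` for `(APPROVED_CLIENT_APP,)` reproduces the situation the post is trying to move away from and produces two findings.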