Forum Discussion
App Protection Policy is not working when I have the Company Portal app installed and signed in.
- Apr 23, 2021
Hi,
App protection could really take some time to apply:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-delivery#:~:text=Application%20protection%20policy%20delivery%20depends,service%20registration%20for%20your%20users.&text=12%20hours%20%2D%20However%2C%20on%20Android,the%20interval%20is%2024%20hours.
I did a deep dive into app protection policies some weeks ago... sometimes it really took some time before changes in an existing app protection policy applied.
You could also create a conditional access policy to require app protection.
Here is the link:
https://call4cloud.nl/2021/03/app-protection-resurgence/
- Apr 23, 2021
Hi,
I thought the same thing... But if you take a look at the blog I mentioned... Requiring approved apps OR app protection is also working with Teams. So you can require approved apps and, for the apps that do support it, app protection (even when the Microsoft docs tell us something else).
- Coopem16 Apr 30, 2021
Brass Contributor
It may be working, but it is not supported. There are 3 Apps that do not support the OR Grant:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy
Note
Microsoft Teams, Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the Require app protection policy grant. If you require these apps to work, please use the Require approved apps grant exclusively. The use of the or clause between the two grants will not work for these three applications.
This is a roadblock for us. I have the "OR" policy set up and ready to move users to it. It requires stacking policies. I have one that does MFA and TOU with the "AND" grant, and then a policy with the approved app and app protection grants applied with an OR grant. But until Teams officially supports this, I am stuck with my current policies. I do not care about Skype, Visio, or Kaizala. However, Teams is a much-used app for us, and until it is supported we will not go down that route. This is also great if you only need one or the other, but stacking on MFA and TOU adds complexity. It can be done by stacking policies; however, it is more complex.
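The stacking described in the post above, as an added example that is not part of the original thread or anyone's production policy: it computes the combined requirement of stacked Conditional Access policies and flags any policy whose app protection grant covers an app from the Microsoft note. The policy dictionaries follow the Microsoft Graph `conditionalAccessPolicy` shape; the app and agreement IDs are constructed placeholders, and the `app_names` mapping is an assumed input you would supply yourself.

```python
# Apps that the Microsoft note quoted in this thread lists as not supporting
# the "Require app protection policy" grant (compliantApplication in Graph).
UNSUPPORTED = {"Microsoft Teams", "Microsoft Kaizala",
               "Microsoft Skype for Business", "Microsoft Visio"}

def controls(policy):
    """Grant controls of one policy; a terms-of-use list counts as one control."""
    g = policy["grantControls"]
    return list(g.get("builtInControls", [])) + (["termsOfUse"] if g.get("termsOfUse") else [])

def effective_requirement(policies):
    """Stacked policies must all be met: AND across policies, own operator inside."""
    return " AND ".join(
        "(" + f" {p['grantControls']['operator']} ".join(controls(p)) + ")" for p in policies)

def access_granted(policies, satisfied):
    """True if the set of satisfied controls meets every stacked policy."""
    for p in policies:
        check = all if p["grantControls"]["operator"] == "AND" else any
        if not check(c in satisfied for c in controls(p)):
            return False
    return True

def lint(policies, app_names):
    """Return (policy, app) pairs where compliantApplication covers an unsupported app."""
    findings = []
    for p in policies:
        if "compliantApplication" not in controls(p):
            continue
        apps = p["conditions"]["applications"]
        scope, excluded = apps["includeApplications"], apps.get("excludeApplications", [])
        for app_id, name in app_names.items():
            if name in UNSUPPORTED and app_id not in excluded and ("All" in scope or app_id in scope):
                findings.append((p["displayName"], name))
    return findings

# Constructed sample data: placeholder IDs, not real application or agreement IDs.
APP_NAMES = {"<teams-app-id>": "Microsoft Teams", "<outlook-app-id>": "Microsoft Outlook"}
POLICIES = [
    {"displayName": "MFA and TOU",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa"],
                       "termsOfUse": ["<agreement-id>"]}},
    {"displayName": "Approved app OR app protection",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR",
                       "builtInControls": ["approvedApplication", "compliantApplication"]}},
]

if __name__ == "__main__":
    print(effective_requirement(POLICIES))
    print(lint(POLICIES, APP_NAMES))
```

Excluding the flagged app from the OR policy (via `excludeApplications`) and covering it with a separate approved-app-only policy clears the finding.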
- sbuccimsft Apr 26, 2021
Microsoft
Just remember that "not supported" doesn't mean that it doesn't work at all. It means there is no design for it to work consistently. So, don't set yourself up for depending on something that isn't documented as supported at this time.
- eglockling Apr 26, 2021
Steel Contributor
Exactly. I have a feeling that it's only listed as "not supported" because of the service dependencies. It makes sense that it'd work if the CA policies account for these accordingly though.