Controlling the Uncontrollable, Component 1:  Application Policy
Published Sep 08 2018 08:14 AM
First published on CloudBlogs on Feb 18, 2016
The topics and technical deep dives included in this series are the result of your feedback about your most persistent challenges, so this first post covers a topic that is perennially important: application policy and how it relates to providing secure e-mail. See below for this post’s video.

At first, you may be wondering how those two elements fit together. I see it like this: e-mail is likely one of the busiest workloads in your organization, and you’re probably using Outlook to do it. With that in mind, also consider that most mobile devices have access to the Outlook app, and this app will probably be the one your workforce uses, since it’s currently the #1 mail app for both Android and iOS. Those mobile users who are using the Outlook app will also probably want to access and edit documents, and this is where the Microsoft Office mobile apps come in. You simply must have a solution that takes all of this into account. It is, simply, all about the apps. You need a solution that takes into account the way users access corporate data via apps, that supports the best apps possible, and that protects corporate data every step of the way.

At a high level, here’s how application policy works; I think you’ll agree this is incredibly powerful:

  • Intune offers management of apps on both enrolled and un-enrolled devices.
  • Mobile Application Management (MAM) policy encrypts the data that is stored within a managed app on the device.
  • As noted, access to the corporate managed apps can require a PIN, fingerprint, or corporate credentials to grant access.
  • Personal data in the managed apps is kept separate from corporate so that one app is the best experience for personal and corporate use.
  • Upon selective wipe of a device (or wipe of the apps), the corporate data is removed and the personal user data is left intact – along with the app to access it.
  • Policy also gives IT the ability to prevent relocation of the data through cut-copy-paste, save-as dialogues, and cloud-based backups.
  • For managed devices, it also allows control over which apps can be used to open files, e.g. you can say that any links in managed Microsoft Word will be opened in the Managed Browser, or that any Word documents attached to a corporate e-mail in managed Outlook will open in managed Word.
  • Best of all, the Office apps have thousands of real-world, high-praise customer reviews – and none of that amazing experience is eroded by management with Microsoft Intune.
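As an added example (not from the original post and not Microsoft's own code), here is a small Python audit that checks an app protection policy export for the data-relocation, PIN, backup and Managed Browser controls listed above. The property names follow the Microsoft Graph managedAppProtection resource; the policy document itself is a constructed sample, not a real tenant's policy.

```python
"""Audit an Intune app protection (MAM) policy export against the controls
the post lists: PIN on access, no cut-copy-paste or save-as out of managed
apps, no cloud backup of corporate data, links forced into the Managed Browser."""
import json

# Constructed sample shaped like a microsoft.graph.iosManagedAppProtection
# object from the Graph API. Values are illustrative, not from a real tenant.
SAMPLE_POLICY_JSON = """{
  "displayName": "Outlook BYOD (constructed sample)",
  "pinRequired": true,
  "allowedOutboundClipboardSharingLevel": "allApps",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "saveAsBlocked": false,
  "dataBackupBlocked": true,
  "managedBrowserToOpenLinksRequired": false
}"""

# Enum values that actually keep data inside the managed-app boundary.
CLIPBOARD_RESTRICTED = {"managedApps", "managedAppsWithPasteIn", "blocked"}
TRANSFER_RESTRICTED = {"managedApps", "none"}

# (setting name, predicate that passes only for a restrictive value, control it implements)
CHECKS = [
    ("pinRequired", lambda v: v is True,
     "access to the managed app requires a PIN"),
    ("allowedOutboundClipboardSharingLevel", lambda v: v in CLIPBOARD_RESTRICTED,
     "cut-copy-paste out of corporate apps is blocked"),
    ("allowedOutboundDataTransferDestinations", lambda v: v in TRANSFER_RESTRICTED,
     "data relocation to unmanaged apps is blocked"),
    ("saveAsBlocked", lambda v: v is True,
     "save-as to unmanaged locations is blocked"),
    ("dataBackupBlocked", lambda v: v is True,
     "cloud-based backup of corporate data is blocked"),
    ("managedBrowserToOpenLinksRequired", lambda v: v is True,
     "links open in the Managed Browser"),
]

def audit_policy(policy: dict) -> list:
    """Return one finding per setting that does not enforce its control.
    An absent setting is reported too: the platform default then applies,
    and the auditor should confirm it rather than assume it is restrictive."""
    findings = []
    for name, is_restrictive, control in CHECKS:
        value = policy.get(name)
        if value is None or not is_restrictive(value):
            findings.append(f"{name}={value!r}: does not ensure that {control}")
    return findings

def audit_policy_json(text: str) -> list:
    """Parse a Graph-style policy JSON document and audit it."""
    return audit_policy(json.loads(text))
```

Running `audit_policy_json(SAMPLE_POLICY_JSON)` reports the clipboard, save-as and Managed Browser settings as the three gaps in the constructed sample.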
This is really impressive stuff. What makes application policy so important is the scenarios it enables for secure e-mail on iOS and Android.

With the MAM policy features, there are two huge scenarios immediately available:

First, on a corporate-issued device, your user opens Outlook and opens an attachment she’s just received. Without really thinking about the implications, she tries to share the info in this attachment with a friend who happens to work at a competitor. This has traditionally been a problem for several reasons. Now, with Intune, you can create a MAM policy that applies to this user which prevents cut-copy-paste and data relocation (save as), enables encryption, and defines the apps that can be opened by any given corporate identity. With this in place, when that user attempts to move protected data out of the app she soon learns that doing this is impossible.

Second, on a personally owned device, a user tries to access corporate e-mail. In the past, he has lost all the personal data on his phone when IT remote wiped the device, but the only obvious way to avoid this is to have two separate phones (one for work and one for personal use), and that feels really Y2K. Now, with Intune, you can create a MAM policy applied to this user (just like with corporate-owned devices) which prevents cut-copy-paste, enables encryption, and defines the apps that can be opened by any given corporate identity. In this scenario, he downloads the Outlook app from the app store and, as soon as he enters his corporate credentials, IT can start managing his corporate apps. Thus, the (previously) uncontrolled is controlled. Now he gets a great experience without worrying about losing his personal photos! Let’s dive in on this in even greater detail in today’s video:
