First published on TechNet on Mar 30, 2018
In many organizations it’s very common to allow end users to use both Intune MDM managed devices (Corporate owned devices for example) and unmanaged devices protected with only Intune App Protection Policies (BYO scenarios for example).
As Intune App Protection Policies are targeted to a user’s identity, the protection settings for a user traditionally apply to both enrolled (MDM managed) and non-enrolled devices (no MDM).
In the latest round of Intune updates, we’ve added the ability to target an Intune App Protection Policy to either Intune enrolled or un-enrolled iOS and Android devices.
This means you can have one protection policy for unmanaged devices in which strict Data Loss Prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices where the DLP controls may be a little more relaxed. This provides the best possible end-user experience based on the device enrollment state, while giving the IT Pro more control based on their business requirements.
To create these policies, browse to Mobile apps > App protection Policies in the Intune console and click Add a policy (or edit an existing policy).
If you want the policy to apply to both managed and unmanaged devices, leave Target to all app types at its default value, Yes.
If you want to assign granularly based on management state, select No in the Target to all app types toggle.
You'll then be presented with options for which device management state this policy should apply to.
For iOS, there are two options:
For Android, there are three options:
In my example, for my BYO devices I’d block Outlook contact sync, restrict web content to the Managed Browser and set a Minimum OS version. For my Corporate owned and fully managed devices, I’d allow contact sync, allow Safari use and set a lower Minimum OS version requirement.
Be sure to create two policies, one for managed and one for unmanaged devices, so that you have protection coverage across both scenarios; an app that is only targeted by one of them is unprotected on the other management state.
After policy creation, the console shows a new column called Management Type. This shows which App Protection Policies are available for managed vs. unmanaged devices.
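Because the console only shows the Management Type per policy, it is easy to end up with an app that is covered for one management state but not the other, or with a BYO policy that is accidentally looser than the corporate one. The following script is an added example, not code from the original post or from Microsoft; it models policies as simplified dictionaries shaped after the Microsoft Graph managed app protection resources (the `targetedAppManagementLevels`, `apps`, `minimumRequiredOsVersion`, `contactSyncBlocked` and `managedBrowserToOpenLinksRequired` property names are assumed from that API, and the `apps` list is reduced to bundle/package identifiers for brevity). The sample policies are constructed to illustrate both a coverage gap and an inverted strictness, and mirror the BYO-strict / corporate-relaxed split described above.

```python
"""Lint Intune App Protection Policies that are split by device management state.

Added example (not from the original post). Policy dictionaries are a simplified
stand-in for what a Microsoft Graph listing of iosManagedAppProtections /
androidManagedAppProtections returns; property names are an assumption about
that API shape and should be checked against your tenant before use.
"""
from collections import defaultdict

# Concrete management states a policy can target, per platform.
# "unspecified" in the API corresponds to "Target to all app types = Yes".
LEVELS = {
    "ios": ("unmanaged", "mdm"),
    "android": ("unmanaged", "mdm", "androidEnterprise"),
}

# Constructed sample policies (not real tenant data).
SAMPLE_POLICIES = [
    {"displayName": "BYO iOS - strict DLP", "platform": "ios",
     "targetedAppManagementLevels": "unmanaged",
     "apps": ["com.microsoft.Office.Outlook", "com.microsoft.skydrive"],
     "minimumRequiredOsVersion": "11.0",
     "contactSyncBlocked": True, "managedBrowserToOpenLinksRequired": True},
    {"displayName": "Corporate iOS - relaxed DLP", "platform": "ios",
     "targetedAppManagementLevels": "mdm",
     "apps": ["com.microsoft.Office.Outlook"],
     "minimumRequiredOsVersion": "10.3",
     "contactSyncBlocked": False, "managedBrowserToOpenLinksRequired": False},
    {"displayName": "Android Outlook - all app types", "platform": "android",
     "targetedAppManagementLevels": "unspecified",
     "apps": ["com.microsoft.office.outlook"],
     "minimumRequiredOsVersion": "6.0",
     "contactSyncBlocked": True, "managedBrowserToOpenLinksRequired": True},
    # Deliberately wrong: the BYO Teams policy is looser than the MDM one.
    {"displayName": "BYO Android Teams", "platform": "android",
     "targetedAppManagementLevels": "unmanaged",
     "apps": ["com.microsoft.teams"],
     "minimumRequiredOsVersion": "6.0",
     "contactSyncBlocked": False, "managedBrowserToOpenLinksRequired": False},
    {"displayName": "Corporate Android Teams", "platform": "android",
     "targetedAppManagementLevels": "mdm",
     "apps": ["com.microsoft.teams"],
     "minimumRequiredOsVersion": "7.0",
     "contactSyncBlocked": True, "managedBrowserToOpenLinksRequired": False},
]


def policy_levels(policy):
    """Expand the (comma-separated) target value into concrete management states."""
    raw = policy.get("targetedAppManagementLevels", "unspecified")
    levels = {part.strip() for part in raw.split(",") if part.strip()}
    if "unspecified" in levels:
        return set(LEVELS[policy["platform"]])
    return levels


def coverage_by_app(policies):
    """Map (platform, app) -> set of management states some policy covers."""
    covered = defaultdict(set)
    for policy in policies:
        for app in policy["apps"]:
            covered[(policy["platform"], app)] |= policy_levels(policy)
    return dict(covered)


def find_gaps(policies):
    """Return (platform, app, level) triples where no policy applies at all."""
    gaps = []
    for (platform, app), levels in sorted(coverage_by_app(policies).items()):
        for level in LEVELS[platform]:
            if level not in levels:
                gaps.append((platform, app, level))
    return gaps


def _version(text):
    return tuple(int(part) for part in text.split("."))


def find_inverted_strictness(policies):
    """Flag apps whose unmanaged (BYO) policy is looser than their MDM policy."""
    by_app = defaultdict(dict)
    for policy in policies:
        for app in policy["apps"]:
            for level in policy_levels(policy):
                by_app[(policy["platform"], app)][level] = policy
    findings = []
    for (platform, app), per_level in sorted(by_app.items()):
        byo, mdm = per_level.get("unmanaged"), per_level.get("mdm")
        if byo is None or mdm is None or byo is mdm:
            continue  # one of the states is uncovered, or one policy serves both
        if _version(byo["minimumRequiredOsVersion"]) < _version(mdm["minimumRequiredOsVersion"]):
            findings.append((platform, app, "minimumRequiredOsVersion"))
        for flag in ("contactSyncBlocked", "managedBrowserToOpenLinksRequired"):
            if mdm.get(flag) and not byo.get(flag):
                findings.append((platform, app, flag))
    return findings


if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_POLICIES):
        print("GAP      : %s %s has no policy for state '%s'" % gap)
    for finding in find_inverted_strictness(SAMPLE_POLICIES):
        print("INVERTED : %s %s is looser on BYO than on MDM (%s)" % finding)
```

Run against a real tenant by replacing SAMPLE_POLICIES with the Graph listing (mapping each policy's `apps` to identifiers). The gap check catches the "only one policy" mistake the post warns about; the strictness check catches the case where the relaxed corporate settings were copied into the BYO policy.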
For iOS apps to be considered "Managed", the IntuneMAMUPN configuration policy setting needs to be deployed for each app. For more information, see https://docs.microsoft.com/en-us/intune/data-transfer-between-apps-manage-ios#configure-user-upn-se...
Please note: due to iOS app update requirements, this feature will roll out across iOS apps during April.
We think this feature will enable a really great user experience across both managed and unmanaged devices, while giving your organization control over its security requirements.