Hello everyone, my name is Saurabh Koshta and I’m a Support Escalation Engineer with the Intune support team. Today I want to talk about a scenario that can be confusing for a lot of people and hopefully make it a little bit easier to understand.
Most organizations utilize Intune app protection policies to protect organization data, and one of the more common scenarios encountered that can cause confusion is when users want to open a link received in an email when using the managed Outlook app, or a link in a SharePoint site with an unmanaged app, and the link fails to open. For example, let’s say the user wants to open Webex links in the Webex app. With certain app protection policies in place and no data transfer exemption is created, this operation will fail. Another good example is voice mails. Links received for voice mails may contain .wav files, and depending on the platform being used you may need to add a data transfer exemption in order for these links to open. We will discuss both of these scenarios as the second involves using a second app that an admin would need to deploy to their users, or they could use Azure Information Protection app for the supported file types.
NOTE In this example we are creating a data transfer exemption, notan exception for the app. The common misconception with this is that it creates an “app exception” which it does not. That would only allow data transfers that do not require user interaction. For example, a user receives a street address in an email and a touch action opens the “Maps” app on the phone (i.e. it directly transfers data to the app instead of requiring user to copy and paste address to the Maps app).
Let’s assume you use GoToMeeting to organize your meetings. When a user receives a meeting invite in the managed Outlook app on Android, clicking on the link will generate the following error:
Action Blocked - This action is not allowed by your organization.
This article gives information about data transfer exceptions, so using that as a reference we first need to find the package ID so we can use that in our data transfer exemptions. Per the article:
You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the URL of the app's page. For example, the package ID of the Microsoft Word app is com.microsoft.office.word.
So for GoToMeeting it will be com.gotomeeting:
We add this to our application protection policy in Intune in the Exempt Apps list:
Once we add this exemption, meetings should open in the GoToMeeting app assuming it is installed.
Scenario 2: Using the Azure Information Protection app
While the Azure Information Protection app is primarily used to open rights protected messages and files, it can also be added to app protection policy and utilized to open files from managed apps like Outlook that would require 3rd party apps. The following two articles give you all the file types supported by Azure Information Protection app.
A user wants to open a .tif file received in an email in the managed Outlook app.
When trying to open the app, the user receives the error “You don’t have an app that can open this type of file”:
In order for the user to open the app in a managed configuration, we can utilize the Azure Information Protection app. This app can be included in the same policy that protects the Outlook app, or you can create a new policy. In this example I have included it in the same policy that is applied to Outlook.
Users can then download the app from the app store or it can be made available in the Company Portal app depending on the scenario. Once downloaded, when the user tries to open the file, this is the prompt they will see when the file is opened for the first time. Clicking on OK will then open the file.
Hopefully this will help clear up some of the confusion around data transfer exemptions and make it easier for you to protect your data while also ensuring that your users maintain all the functionality they’re accustomed to.