Support Tip: Allowing data transfers from managed apps to unmanaged apps
Published Jan 15 2019 07:37 AM 12.2K Views
Microsoft

Hello everyone, my name is Saurabh Koshta and I’m a Support Escalation Engineer with the Intune support team. Today I want to talk about a scenario that can be confusing for a lot of people and hopefully make it a little bit easier to understand.

 

Most organizations use Intune app protection policies to protect organization data. One of the more common sources of confusion is when a user tries to open a link, received in an email in the managed Outlook app or found on a SharePoint site, with an unmanaged app, and the link fails to open. For example, let’s say the user wants to open Webex links in the Webex app. With certain app protection policies in place and no data transfer exemption created, this operation will fail. Another good example is voice mail. Links received for voice mails may contain .wav files, and depending on the platform being used you may need to add a data transfer exemption in order for these links to open. We will discuss both of these scenarios; the second involves a second app that an admin would need to deploy to their users, or they could use the Azure Information Protection app for the supported file types.

 

NOTE: In this example we are creating a data transfer exemption, not an exception for the app. A common misconception is that this creates an “app exception”, which it does not. That would only allow data transfers that do not require user interaction. For example, a user receives a street address in an email and a touch action opens the “Maps” app on the phone (i.e. it directly transfers data to the app instead of requiring the user to copy and paste the address into the Maps app).

 

Scenario 1

Let’s assume you use GoToMeeting to organize your meetings. When a user receives a meeting invite in the managed Outlook app on Android, clicking on the link will generate the following error:

 

Action Blocked - This action is not allowed by your organization.

 


This article gives information about data transfer exceptions, so using that as a reference we first need to find the package ID so we can use that in our data transfer exemptions.  Per the article:

 

You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the URL of the app's page. For example, the package ID of the Microsoft Word app is com.microsoft.office.word.

 

So for GoToMeeting it will be com.gotomeeting.

We add this to our application protection policy in Intune in the Exempt Apps list.

Once we add this exemption, meetings should open in the GoToMeeting app assuming it is installed.
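The package ID lookup and Exempt Apps entry described above, as an added example (not code from the original article or from Intune): it extracts the package ID from a Google Play URL, validates it, and emits name/value entries only for packages on an approved list. The function names, the `approved` allowlist and the sample URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Android application IDs: at least two dot-separated segments, each starting
# with a letter and containing only letters, digits and underscores.
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def package_id_from_play_url(url):
    """Return the package ID carried in a Google Play app-page URL."""
    parts = urlparse(url)
    # Exact host match, so look-alike hosts such as play.google.com.example.net fail.
    if parts.scheme != "https" or parts.hostname != "play.google.com":
        raise ValueError(f"not a Google Play URL: {url!r}")
    if parts.path.rstrip("/") != "/store/apps/details":
        raise ValueError(f"not an app details page: {url!r}")
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1 or not PACKAGE_RE.fullmatch(ids[0]):
        raise ValueError(f"missing or malformed package ID: {url!r}")
    return ids[0]


def build_exempt_apps(named_urls, approved):
    """Turn {display name: Play URL} into Exempt Apps name/value entries.

    `approved` (hypothetical) is the set of package IDs the organization has
    agreed may receive data from managed apps. Anything else is rejected,
    because every exemption lets managed data reach an unmanaged app.
    """
    entries, seen = [], set()
    for name, url in named_urls.items():
        pkg = package_id_from_play_url(url)
        if pkg not in approved:
            raise PermissionError(f"{pkg} is not on the approved exemption list")
        if pkg not in seen:  # the same package listed twice adds nothing
            seen.add(pkg)
            entries.append({"name": name, "value": pkg})
    return entries


# Constructed sample input: the package ID is the one given in the article;
# the URL is built from it in the usual Play Store format.
SAMPLE = {"GoToMeeting": "https://play.google.com/store/apps/details?id=com.gotomeeting&hl=en_US"}
APPROVED = {"com.gotomeeting"}

if __name__ == "__main__":
    print(build_exempt_apps(SAMPLE, APPROVED))
```

Each returned entry corresponds to one Name/Value row in the policy's Exempt Apps list.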

 

Scenario 2: Using the Azure Information Protection app

While the Azure Information Protection app is primarily used to open rights-protected messages and files, it can also be added to an app protection policy and used to open files from managed apps like Outlook that would otherwise require third-party apps. The following two articles give you all the file types supported by the Azure Information Protection app.

For example:

  1. A user wants to open a .tif file received in an email in the managed Outlook app.
  2. When trying to open the file, the user receives the error “You don’t have an app that can open this type of file”.

In order for the user to open the file in a managed configuration, we can use the Azure Information Protection app. This app can be included in the same policy that protects the Outlook app, or you can create a new policy. In this example I have included it in the same policy that is applied to Outlook.

 

Users can then download the app from the app store, or it can be made available in the Company Portal app, depending on the scenario. Once it is downloaded, the user will see a prompt the first time they try to open the file. Clicking OK will then open the file.

 

Hopefully this will help clear up some of the confusion around data transfer exemptions and make it easier for you to protect your data while also ensuring that your users maintain all the functionality they’re accustomed to.

 

Saurabh Koshta

Intune Support Escalation Engineer

Microsoft

6 Comments
Copper Contributor

How about showing us a workflow for iOS?

Copper Contributor

How do we accomplish the same thing in iOS?  Using the app ID?

Copper Contributor

Hi @J.C. Hornbeck 

 

Does the AIP app support .wav yet? I know the linked article does say it supports wav, but it appears that it does not.

 

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/12403098-support-playing-wav-f...

 

 

Copper Contributor

Hi

 

Below is concerning iPads/iPhones.

 

Our Intune enrolled users have a ‘company portal’ app. The users who have the company portal app download the apps that the company have added to Intune’s app section. That is fine & I refer to these as ‘business apps’

 

Separately, users have access to their own normal app store just like everyone else and can download apps as normal. That is fine & I refer to these as ‘personal apps’

 

The problem is that we do not want business apps to share data with personal apps. For example, we have ‘Microsoft Outlook’ as a business app that we do not want to be able to share with a personal app, such as by copying and pasting data or using the ‘open with’ button. Microsoft Outlook is just an example; we have lots of ‘business’ apps that we don’t want to have any interaction with ‘personal apps’. Is this possible on Intune, and if not, is there an alternative MDM?

 

Thanks

Matt

Copper Contributor

Dear Support Team,

 

The second scenario doesn’t work on Android devices. Is there any solution for opening .tif files?

Copper Contributor

I've added these two and users are not able to click Meeting invites:

 

Webex - com.cisco.wx2.android

Webex Meetings - com.cisco.webex.meetings

https://play.google.com/store/apps/details?id=com.cisco.wx2.android&hl=en_US&gl=US
https://play.google.com/store/apps/details?id=com.cisco.webex.meetings&hl=en_US&gl=US

 

Why wouldn't this work?

I've even gone as far as adding the "Webex Intune" app and it still doesn't work.

 

Webex is weird; some links require Webex and others require Webex Meetings, which is why I added both.

Last update: Dec 19 2023 01:30 PM