Support Tip: How to enable Intune app protection policies (APP) with Microsoft Lists
Published Jan 26 2021 05:29 PM 13.7K Views

Updated 4/28: The Microsoft Lists app is now available as a public app in Intune app protection policy (APP) and on or around May 14, 2021 also supports the Conditional Access (CA) grant access control: “Require app protection policy”.

 

Several of our customers want to manage the new Microsoft Lists mobile app for iOS. This mobile app helps you track information and organize your work; for more information, see the Tech Community announcement: Get the Microsoft Lists app for iOS (Microsoft 365 Blog).

 

The Microsoft Lists app for iOS and iPadOS support is now available in the Apple App Store. The Lists mobile app supports Intune app protection policies today. For more details on how to target apps with your app protection policy, see: How to create and assign app protection policies.

 

As communicated in: MC252690, we wanted to share that on or around May 14, 2021, Microsoft Lists now supports the Conditional Access (CA) grant access control, “Require approved client app”, like other Microsoft 365 apps, such as SharePoint.

 

If you are using a CA policy that only leverages the “Require approved client app” grant access control, Microsoft Lists will be considered one of the approved apps after this date. You must enable Intune APP with Microsoft Lists to ensure it meets the full data protection needs of your organization. However, we strongly recommend that you update your CA policy to take advantage of the “Require app protection policy” grant access control. For more information on the recommended policy configuration, see Scenario 1 in How to: Require app protection policy and an approved client app for cloud app access with Condition....

 

If you are not utilizing APP, CA, or either grant access control, then no action is needed.

 

Note: If you previously used the bundle ID (com.microsoft.splists) to add Lists manually, the bundle ID is hidden and the app is now listed as a selected app within the public apps section of the policy. If you attempt to create a new policy and try to add the bundle ID manually, the MEM admin center will notify you to use the public app instead.

 

Example screenshot when adding "com.microsoft.splists" to an Intune App protection policyExample screenshot when adding "com.microsoft.splists" to an Intune App protection policy

Let us know if you have any additional questions on this by commenting to this post below, or tagging @IntuneSuppTeam out on Twitter.

 

Blog post updates

  • 2/10: The Lists app will be available to target as a first party app coming in the 2103 service release.
  • 3/26: Lists is now available as a public app in Intune APP.
  • 4/28: Lists app now supports the “Require app protection policy” grant access control.
  • 6/10: Lists app now supports “Required approved client app” grant access control.
31 Comments
Steel Contributor

I added the com.microsoft.splists bundle ID to my App Protection Policy (for iOS) last night, right after reading this. As of this morning, ~12 hours later, it's still not working. 

For me, the Lists app just prompts for username. I provide my UPN, and immediately it switches over to the Microsoft Authenticator app... this is the one that tells me this isn't allowed here. 

lists-authenticator-fail.jpg

 

Is it possible that the Authenticator app Bundle ID needs to be added too? Or some other reason why this is happening? 

 

I also checked App \ Monitor at endpoint.microsoft.com and see that the bundle ID is in there, but hasn't checked in.  While not shown in the screenshot, I do have 4-5 other trusted Microsoft apps that have all checked in/synced since this, within the last 30 minutes even, but still the Lists app not so much. Is there a way to force this APP Sync process or these apps? I reinstalled Lists and that didn't help. 

 

I'm game for anything, please let me know where else I should look or what I should try. 

 

lists-notcheckedin-APP-monitor.jpg

 
 
 

After this I checked in at Azure AD and reviewed my sign-in logs, specific to Conditional Access - we have a policy that applies to all O365 apps (AAD "enterprise apps") such as sharepoint online, exchange online, and all related services including Lists and Planner etc.  This policy, for mobile OSes, requires Microsoft trusted apps. 

 

The grant controls are configured for this CA policy to require approved client apps https://aka.ms/supportedmamapps  -OR- require app protection policies https://aka.ms/supportedmampolicyapps 

 

Steel Contributor

Here's that screenshot for the Grant Controls, fyi

Let me know if I should open a case on this, or feel free to respond with ideas here as well. Thanks!

 

lists-CA-policy-grant-controls.jpg

Hi @Chris Smith, thanks for the feedback. The Microsoft Lists app needs to support the Conditional Access grant "Require app protection policies" to leverage that specific grant control. We've reached out to the Conditional Access team, but no dates to share yet. Stay tuned to this post for future updates regarding APP and Conditional Access support.

Brass Contributor

I am having the same experience. It does not seem that the List app was added as a required app.

The issue seems to be related to Conditional Access and most likely the Lists app is not added to the Microsoft "whitelist" of approved apps. So as long as you have a CA rule to require approved client apps, you can not use Lists. App protection will most likely work if you do not have this Conditional Access requirement. I hope Intune adds Lists application to the approved list soon as I am not going to open up Sharepoint to any 3rd party apps anytime soon. 

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...

 

 

Copper Contributor

Greetings,  I would like to know information about approved apps for Conditional access like  @Jan Ketil Skanke post. 

Our company is evaluating MS lists and would like to provide it to our users to access on Mobile devices.  We currently have a condition set to only grant access to approved client apps in our Conditional Access policies.  Microsoft lists is currently not in that list of approved apps.  Is there an timeline on when it might become available as an approved app for Conditional Access, and is there a process to get into a preview ring for this? 

 

Thank you in Advanced.

Clint

Microsoft

Hello Team,

I am receiving multiple requests for MS lists to be added to approved client list of apps so the conditional access policy with approved app filter can be used for the app... kindly update if there is any ETA on the same.

Microsoft

Updating that the Microsoft Lists app now supports the Conditional Access grant "Require app protection policy" which offers higher level of protection. Please use that instead of "Require approved app" which is not supported.  

Brass Contributor

@AskSaurabh 

I appreciate that it supports App protection. And if all the MS apps supported App protection this would e Viable. However the as per the documentation, our most used Mobile App, Teams, does not yet support 'Require App Protection". And there are an additional 14 apps that do not yet support "Require App Protection". It unnecessarily complicates CA.  Many companies have added "Require App Protection" as a "AND" grant. Lists would not work under that circumstance. We have explored using an "OR" grant by stacking polices. However there is an issue with Teams again that does not support the use of the "OR". Neither does Visio or Kaizala. 

Can we look forward, in the future, to the List app supporting the "Required Application" grant?

Brass Contributor

All,

Looks like after or around May 14th the Lists apps will support the "Required App" grant.

Microsoft 365 admin center

Brass Contributor

@AskSaurabh 

According to this announcement, Lists should now support 'Require approved client app' as of May 14.  It is still not working in our tenant.  Lists is in our APP but the CA only requires approved client app.  Can you confirm if it should now be working?

 

brcallicott_0-1621427233977.png

 

Hi @brcallicott, thanks for the feedback!

 

If you are using a conditional access policy that only leverages the “Require approved client app” grant access control, Microsoft Lists will be considered one of the approved apps after May 14. You must enable Intune APP with Microsoft Lists to ensure it meets the full data protection needs of your organization. However, we strongly recommend that you update your conditional access policy to take advantage of the “Require app protection policy” grant access control. For more information on the recommended policy configuration, see: Scenario 1: Microsoft 365 apps require approved apps with app protection policies to learn more.

 

If you continue facing an issue with your conditional access policies not working as expected, please open a support case via the Microsoft Endpoint Manager admin center's Help and Support blade or any of the methods here, as this will help the team capture all the information needed to resolve the issue.

Steel Contributor

I was very pleasantly surprised this morning to try and it is working for me now!!  Thanks for the response @Intune_Support_Team  - and that worked for me, regarding the CA policies.  We have this implemented to support EITHER 'require approved client app' -or- 'require app protection policy' as our grant controls.  Until all Microsoft stock apps support APP, we have been using this method.  I'm not sure if there are any 1st party MS mobile apps still using the approved client app control method, but as of today this is working in our environment using the GA Lists app for iOS.  Previously I was using the TestFlight (beta) method to get it to work, but now can use the app and it just works right out of the store!

 

Chris

Microsoft

Hi @Intune_Support_Team,

I have heard that MS Lists has not yet been added to the "approved client apps".
In fact, when I test it in my environment, it does not work well.

This announcement states that it was supported on 5/14, which I think is outdated. Is it possible to update it with newer information?

Steel Contributor

@Shota_Miyazaki I'm also patiently awaiting this feature. I asked the same question you are asking, via the O365 Message Center and was told on 5/19/2021, "We are in process of making Lists an 'approved client app' but we have encountered delays. The change is going to roll out hopefully in 2-3 weeks from now and request your patience in this regard. Hope this is helpful."

Brass Contributor

I test weekly and Our Tenant does not seem to support the "Required App" Grant as of yet. I have set up a policy similar to @Chris Smith , However Teams does not Support the "OR" qualifier in CA. It seems to work but the Documentation specifically calls out that it is not supported. Therefore I only have a Small test group on that policy. 

Grant controls in Conditional Access policy - Azure Active Directory | Microsoft Docs

 

 Note

Microsoft Teams, Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the Require app protection policy grant. If you require these apps to work, please use the Require approved apps grant exclusively. The use of the or clause between the two grants will not work for these three applications.

 

Microsoft

We are facing some delays in rolling out "Required approved app" and request all to wait for few days before trying this out. We will post an update soon on this front and this is being tracked closely. Thanks for your co-operation.   

Microsoft

@AskSaurabh Would ​you mind providing us any update? We want to know when Microsoft Lists will be added to "Required approved app".

Brass Contributor

@AskSaurabh @Intune_Support_Team  Are there any Updates on Microsoft lists supporting the "required Application" grant? MC251657 no longer shows up in Message Center. Is Microsoft still moving forward with this?

Microsoft

Update: This is confirm that we are making progress to rolling out "Required approved app" and hope to deploy this fully soon.    

Steel Contributor

"Approved client apps" is now working for us this morning! I removed the app first on iOS, installed again and it's working.

Copper Contributor

Confirmed working.

Microsoft

Update: Confirming that "Required approved app" is now fully deployed. Thanks for your patience. 

Brass Contributor

I tested this morning and can verify it is working for use as well. Thank you @AskSaurabh 

Brass Contributor

Next question to @Intune_Support_Team  and @AskSaurabh  is there any plans for an Android Application. 

Microsoft

saura6h Thank you very mach!

Brass Contributor

Using Edge, I created a shortcut to Lists on my home Screen. This makes it display as a PWA. Closest thing right now for Android. 

Microsoft

@Coopem16 Lists Android app is in the works. Please tracks update regarding that using this link Microsoft 365 Roadmap | Microsoft 365 

Brass Contributor

@AskSaurabh Thanks, Currently I am directing users to make a home screen shortcut on Android using Edge. 

Copper Contributor

@Intune_Support_Team Does this app support app configuration policies to limit connected experienced and also the Required UPN value so it can properly segregate work/personal accounts?

Microsoft

Currently app supports core app protection policies. Please check Microsoft Intune protected apps for details. Also app supports work accounts only with Office 365 commercial subscription that includes SharePoint.  

Version history
Last update:
‎Dec 19 2023 01:29 PM
Updated by: