SOLVED

App Protection Policy is not working when i have Company Portal app is installed and signed in.

%3CLINGO-SUB%20id%3D%22lingo-sub-2282269%22%20slang%3D%22en-US%22%3EApp%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282269%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Team%2C%26nbsp%3B%3CBR%20%2F%3EIn%20android%2C%20I%20am%20facing%20an%20issue%20where%20on%20my%20app%2C%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%26nbsp%3B%3CSPAN%3EIntune%3C%2FSPAN%3E%20company%20portal%20app%20is%20installed%20and%20signed%20in.%20In%20the%20app%20i%20get%20the%20success%20callback%20as%20%22ENROLLMENT_SUCCEEDED%22%20but%20still%20it%20does%20apply%20the%20policy.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EWhere%20as%20if%20i%20have%20only%20installed%26nbsp%3B%3CSPAN%3EIntune%20company%20portal%20app%20not%20signed%20in%2C%20policy%20gets%20applied.%26nbsp%3B%3CBR%20%2F%3ECould%20please%20anyone%20helps%20me%20to%20understand%20this%20scenario%2C%20Any%20idea%20is%20appreciated.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3ESwati%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2282269%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAndroid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282511%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282511%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20thought%20the%20same%20thing...%20But%20if%20you%20take%20a%20look%20at%20the%20blog%20I%20mentioned%20...%20Requiring%20approved%20apps%20OR%20app%20protection%20is%20also%20working%20with%20Teams%20.%20So%20you%20can%20require%20approved%20apps%20and%20for%20the%20app%20that%20do%20support%20it...%20app%20protection(even%20when%20Microsoft%20docs%20tells%20us%20something%20else)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282508%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282508%22%20slang%3D%22en-US%22%3EJust%20note%20that%20not%20all%20apps%20support%20%22Require%20App%20Protection%20Policy%22%20conditional%20access.%20Please%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fconcept-conditional-access-grant%23require-app-protection-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fconcept-conditional-access-grant%23require-app-protection-policy%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282507%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282507%22%20slang%3D%22en-US%22%3EIf%20you%20aren't%20enrolling%20devices%2C%20you%20should%20not%20be%20signing%20in%20to%20the%20Company%20Portal.%20It%20just%20needs%20to%20be%20there%20as%20a%20broker%20for%20the%20App%20Protection%20policies.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282499%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282499%22%20slang%3D%22en-US%22%3EThank%20you%20so%20much%2C%20I%20will%20check%20on%20this.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282496%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282496%22%20slang%3D%22en-US%22%3EHi%2C%3CBR%20%2F%3E%3CBR%20%2F%3EApp%20protection%20could%20really%20take%20some%20time%20to%20apply%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fapps%2Fapp-protection-policy-delivery%23%3A~%3Atext%3DApplication%2520protection%2520policy%2520delivery%2520depends%2Cservice%2520registration%2520for%2520your%2520users.%26amp%3Btext%3D12%2520hours%2520%252D%2520However%252C%2520on%2520Android%2Cthe%2520interval%2520is%252024%2520hours%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fapps%2Fapp-protection-policy-delivery%23%3A~%3Atext%3DApplication%2520protection%2520policy%2520delivery%2520depends%2Cservice%2520registration%2520for%2520your%2520users.%26amp%3Btext%3D12%2520hours%2520%252D%2520However%252C%2520on%2520Android%2Cthe%2520interval%2520is%252024%2520hours%3C%2FA%3E.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20did%20some%20deep%20dive%20into%20app%20protection%20policies%20some%20weeks%20ago...sometimes%20it%20really%20took%20some%20time%20before%20changes%20in%20an%20existing%20app%20protection%20policy%20applied.%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20also%20could%20create%20a%20conditional%20access%20policy%20to%20require%20app%20protection%3CBR%20%2F%3E%3CBR%20%2F%3EHere%20is%20the%20link%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fcall4cloud.nl%2F2021%2F03%2Fapp-protection-resurgence%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcall4cloud.nl%2F2021%2F03%2Fapp-protection-resurgence%2F%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282487%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282487%22%20slang%3D%22en-US%22%3EBut%20that%20is%20not%20resolving%20the%20issue.%20I%20have%20set%20it%20to%20same%20but%20still%20it%20does%20not%20apply%20to%20my%20app.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282467%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282467%22%20slang%3D%22en-US%22%3EHi%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20could%20simple%20configure%20target%20to%20apps%20on%20all%20devices%20types%20to%20yes.%20If%20it's%20set%20to%20yes...%20it%20applies%20on%20all%20device%20types...%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282411%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282411%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F620702%22%20target%3D%22_blank%22%3E%40Rudy_Ooms%3C%2FA%3E%26nbsp%3BSo%20what%20is%20the%20right%20option%20i%20shall%20choose%20%3F%20so%20that%20it%20applies%20on%20both%20(managed%20and%20unmanaged%20devices).%20I%20checked%20the%20policy%20it%20was%20%22targeted%20the%20all%20devices%22%20and%20now%20i%20tried%20to%20target%20only%20%22Android%20device%20administrator%22%20but%20still%20facing%20same%20issue.%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202021-04-23%20at%204.05.55%20PM.png%22%20style%3D%22width%3A%20992px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F274948iFE0F547DD9D32FE4%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Screenshot%202021-04-23%20at%204.05.55%20PM.png%22%20alt%3D%22Screenshot%202021-04-23%20at%204.05.55%20PM.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWould%20appreciate%20you%20help%20here.%20Thanks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282320%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282320%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1034639%22%20target%3D%22_blank%22%3E%40swatijain%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20it%20looks%20like%20your%20app%20protection%20policy.%20How%20did%20you%20target%20the%20devices%3F%20All%20devices%20or%20did%20you%20specify%20specific%20types%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBecause%20when%20you%20signing%20in%20in%20the%20company%20portal%2C%20you%20are%20enrolling%20your%20devices%20so%20its%20managed%20by%20intune.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20don't%20sign%20in%20your%20device%20is%20unmanaged%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Rudy_Ooms_0-1619168351895.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F274925i4FF15DFC4A90D2B6%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Rudy_Ooms_0-1619168351895.png%22%20alt%3D%22Rudy_Ooms_0-1619168351895.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20always%20create%20multiple%20app%20protection%20policy%20to%20make%20sure%20all%20devices%20types%20are%20protected%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Rudy_Ooms_1-1619168504993.png%22%20style%3D%22width%3A%20644px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F274926iACE47D540723E0A6%2Fimage-dimensions%2F644x66%3Fv%3Dv2%22%20width%3D%22644%22%20height%3D%2266%22%20role%3D%22button%22%20title%3D%22Rudy_Ooms_1-1619168504993.png%22%20alt%3D%22Rudy_Ooms_1-1619168504993.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2294856%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2294856%22%20slang%3D%22en-US%22%3EExactly.%20I%20have%20a%20feeling%20that%20it's%20only%20listed%20as%20%22not%20supported%22%20because%20of%20the%20service%20dependencies.%20It%20makes%20sense%20that%20it'd%20work%20if%20the%20CA%20policies%20account%20for%20these%20accordingly%20though.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2295596%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2295596%22%20slang%3D%22en-US%22%3EJust%20remember%20that%20%22not%20supported%22%20doesn't%20mean%20that%20it%20doesn't%20work%20at%20all.%20It%20means%20there%20is%20no%20design%20for%20it%20to%20work%20consistently.%20So%2C%20don't%20set%20yourself%20up%20for%20depending%20on%20something%20that%20isn't%20documented%20as%20supported%20at%20this%20time.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2305834%22%20slang%3D%22en-US%22%3ERe%3A%20App%20Protection%20Policy%20is%20not%20working%20when%20i%20have%20Company%20Portal%20app%20is%20installed%20and%20signed%20in.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2305834%22%20slang%3D%22en-US%22%3EThank%20you%2C%20issue%20is%20resolved%20now.%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi Team, 
In android, I am facing an issue where on my app, App Protection Policy is not working when i have Intune company portal app is installed and signed in. In the app i get the success callback as "ENROLLMENT_SUCCEEDED" but still it does apply the policy. 


Where as if i have only installed Intune company portal app not signed in, policy gets applied. 
Could please anyone helps me to understand this scenario, Any idea is appreciated.

Thanks,
Swati

14 Replies

@swatijain 

 

Hi, it looks like your app protection policy. How did you target the devices? All devices or did you specify specific types?

 

Because when you signing in in the company portal, you are enrolling your devices so its managed by intune.

 

If you don't sign in your device is unmanaged

 

Rudy_Ooms_0-1619168351895.png

 

I always create multiple app protection policy to make sure all devices types are protected

 

Rudy_Ooms_1-1619168504993.png

 

 

@Rudy_Ooms So what is the right option i shall choose ? so that it applies on both (managed and unmanaged devices). I checked the policy it was "targeted the all devices" and now i tried to target only "Android device administrator" but still facing same issue. Screenshot 2021-04-23 at 4.05.55 PM.png

 

Would appreciate you help here. Thanks.

 

Hi

You could simple configure target to apps on all devices types to yes. If it's set to yes... it applies on all device types...
But that is not resolving the issue. I have set it to same but still it does not apply to my app.
best response confirmed by swatijain (Occasional Contributor)
Solution
Hi,

App protection could really take some time to apply

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-delivery#:~:text=Application%....

I did some deep dive into app protection policies some weeks ago...sometimes it really took some time before changes in an existing app protection policy applied.

You also could create a conditional access policy to require app protection

Here is the link:
https://call4cloud.nl/2021/03/app-protection-resurgence/
If you aren't enrolling devices, you should not be signing in to the Company Portal. It just needs to be there as a broker for the App Protection policies.

Hi,

I thought the same thing... But if you take a look at the blog I mentioned ... Requiring approved apps OR app protection is also working with Teams . So you can require approved apps and for the app that do support it... app protection(even when Microsoft docs tells us something else)

Exactly. I have a feeling that it's only listed as "not supported" because of the service dependencies. It makes sense that it'd work if the CA policies account for these accordingly though.
Just remember that "not supported" doesn't mean that it doesn't work at all. It means there is no design for it to work consistently. So, don't set yourself up for depending on something that isn't documented as supported at this time.
For any conditional access related to App Protection, bookmark this link: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces.... This contains the list of supported apps and is updated as more Microsoft apps support the Require Approved Apps or Require App Protection policies. This is also where we document that Teams does not currently support Require App Protection, as well as the "or" clause.

It may be working, but it is not supported. There are 3 Apps that do not support the OR Grant:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...

 Note

Microsoft Teams, Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the Require app protection policy grant. If you require these apps to work, please use the Require approved apps grant exclusively. The use of the or clause between the two grants will not work for these three applications.

 

This is a road block for us. I have the "OR" policy set up and ready to move users to it. It requires stacking policies. I have one that does MFA and TOU with the "AND" grant, and then a policy with the approved app and app protection grants appled with an OR grant. But until Teams offically supports this, I am stuck with my current policies. I do not care about Skype, Visio, or Kaizala. However Teams is a much used app for us. And until it is supported we will not go down that route. This is also great if you only need one or the other, But stacking on MFA and TOU adds complexity. It can be done, by stacking policies, however it is more complex.