Forum Discussion
Intune - App protection policy to protect company data
I see you have Android and iOS, so there are a lot of options to pick from. To explain them all is too much here. But according to what you are explaining, you have Company Owned iOS and Android devices (right?). No Bring Your Own devices, I guess?
The possibilities can be separated, roughly, into two parts: the Native Solutions, offered by Google (Android) and Apple (iOS), and the solutions created by Microsoft (the MDM vendor).
1. Android Native
For Android Native you have your standard profiles with a separation of Work and Private Profiles. This indeed can give you some nice benefits for protecting your Company data. See an excellent writeup about the Android Enterprise Profiles here: https://bayton.org/android/what-is-android-enterprise-and-why-is-it-used/
For iOS you have Native Open-in. This is a very barebones method of protecting Enterprise Data in Managed apps; there is not a lot of flexibility. It is configured simply with a Restriction Configuration (there are two settings). See the Documentation here: https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf -- go to the section “Tools for separating corporate data”. And these are the two settings: “Allow documents from unmanaged sources in managed destinations.” and “Allow documents from managed sources in unmanaged destinations.”
Both Android and iOS also have native solutions for BYOD (Work Profile and User Enrollment respectively), which I will not discuss further here.
2. Microsoft Solution
The Microsoft Solution is App Protection Policies (APP). This gives extra controls for apps that have the SDK built in or have the controls applied with a Wrapper (so, unlike the Native solution, this is not for all apps). APP can be used in conjunction with the Native solutions, and that is mostly the preferred way.
So when trying to create a strategy, I would suggest researching the options using the above mini guide. It is impossible for me to give you the solution; it really depends on a lot of factors at play at your company. Hope this helps a little bit.
I have configured and deployed the App protection policy to a test group and it seems to be working fine. The next thing I would like to achieve is to make sure that only managed apps are allowed to access company data (e.g. Outlook for emails).
I've read through the links and am not sure if I am on the right track. I've been looking at CA:
- target "all cloud apps"
- Conditions: Device Platform - android and iphone
- Grant:
  - Require app protection policy
  - Require approved client app
Now, I have few questions:
- Does the CA look OK in the first place?
- I've read that to use CA, there needs to be an App broker on phones (Company portal for Android or MS Auth app for iPhones). And if it's not there, the user will be redirected to install it.
- Require approved client app under Grant gives me a message: "You should no longer use "Require approved client app", as we will soon stop updating it." What should be used instead to make sure only approved apps can access our data?
Thank you again for all your help... I'm almost there 🙂
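The Conditional Access policy sketched in the question (all cloud apps, Android and iOS, grant: require app protection policy), written out as an added example with the Microsoft Graph PowerShell SDK. This is not code from the thread or from Microsoft's documentation; the group id and user principal name are placeholders, and the policy is created in report-only state against a pilot group so its evaluation can be reviewed in the sign-in logs before it is enforced. The grant control uses only `compliantApplication` (Require app protection policy); `approvedApplication` (Require approved client app), the control Entra flags as deprecated, is deliberately left out. The sign-in log filter on `userPrincipalName` is assumed to be supported by the signIns endpoint.

```powershell
# Added example: create a report-only Conditional Access policy that requires an
# app protection policy on Android and iOS, scoped to a pilot group.
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the test group
$pilotUser    = "pilot.user@example.com"                 # placeholder: a user in that group

$policy = @{
    displayName = "Mobile - require app protection policy (pilot)"
    # Report-only ("read-only" in the thread): evaluated and logged, but not enforced.
    # Change to "enabled" once the report-only results look clean.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeGroups = @($pilotGroupId) }
        platforms      = @{ includePlatforms = @("android", "iOS") }
    }
    grantControls = @{
        operator        = "OR"
        # compliantApplication = "Require app protection policy".
        # approvedApplication ("Require approved client app") is intentionally not included.
        builtInControls = @("compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: how would the report-only policy have treated the pilot user's recent sign-ins?
# Result values such as reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied show
# whether the broker (Company Portal / Authenticator) and the APP-enabled app were detected.
Get-MgAuditLogSignIn -Top 50 -Filter "userPrincipalName eq '$pilotUser'" |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Id -eq $created.Id } |
    Group-Object Result |
    Select-Object Name, Count
```

If an app's sign-ins never appear in the log at all while the policy is enforced, the failure is happening before the token request reaches Entra (for example in the broker handshake on the device), which is a different problem from the policy denying access; the report-only run above separates the two cases before any user is blocked.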
SebastiaanSmits, Sep 11, 2024 (Steel Contributor):
Hi,
1. At first glance, looks fine, besides point 3 🙂
2. This is correct; this is necessary for the device object to be created in Entra.
3. You can just use Require app protection policy; it will serve the same purpose in your case. All the apps that need to connect to the MS Cloud (Outlook etc.) are part of the APP and are part of the list of approved client apps, so it works the same, and there is nothing added when you use Require approved client app.
sumo83, Sep 11, 2024 (Iron Contributor):
So I have been testing it the last few days.... App protection works fine... no issues there... However, the CA was causing lots of issues...
- Outlook was quite OK
- TEAMS was not working properly with CA. Almost every time I've tried to run TEAMS (also other users that were testing it), I got the message "Checking app status" -> "Protecting this app" -> then it was trying to open the MS Auth app without getting to the code at all... and was cycling like this. Sometimes, after 3-4 times... it ended up with a window saying "the account is already signed in", but TEAMS would not load the profile. Have not seen any sign-in attempt for the user in MS Entra sign-in logs. The phone can be found under Devices for the user. I had to switch the CA to read-only again.
Not sure yet what could be causing this....