Aug 20 2024 03:39 PM
Hi all,
I plan to configure and deploy an App Protection policy for Android and iPhone mobile phones. I'm doing some study these days and trying to understand one thing:
I will configure it for "all apps" and want to prevent users from copying organization data from their business account to their personal account - let's say, to prevent a user from copying from Outlook company M365 email to personal Gmail email.
I understand that I can prevent users from copying data from Outlook and the linked company M365 email to - for example - the Gmail app with a personal account linked, as the Gmail app is not a "managed app".
My question however is:
How do I prevent users from adding their Gmail account to Outlook? So that I can prevent the situation where a user adds his Gmail mailbox to Outlook and then copies/pastes data over from M365 email to Gmail email - as both are in the managed app (Outlook). Or what is the best practice for this situation?
Aug 23 2024 02:30 AM
Have a look at this: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and...
Organization allowed accounts is Microsoft's best practice for doing this.
Aug 23 2024 03:42 AM
@SebastiaanSmits cool... Thank you. Will test it soon, but it looks like it is what I was looking for.
Aug 26 2024 03:26 PM
Aug 30 2024 01:23 AM
Aug 31 2024 02:52 PM - edited Aug 31 2024 02:53 PM
And what is that "sort of enrolment", please? This is exactly what I am not sure about - will the mobile phone be visible in Intune?
I understand there are two other ways to enrol a mobile phone - fully (company) managed and BYOD with work profile. And these two are visible in Intune.
Btw, our organization didn't really care much about mobile phones so far... so it is a bit messy... and I am trying to change that. As we have a mix of personal phones and company phones, it looks like an app protection policy could be a perfect fit to mitigate data leak risk for now.
Sep 02 2024 01:13 AM - edited Sep 02 2024 01:15 AM
I see you have Android and iOS, so there are a lot of options to pick from. Explaining them all is too much here. But according to what you are explaining, you have company-owned iOS and Android devices (right?). No Bring Your Own devices, I guess?
The possibilities can be separated, roughly, into two parts: the native solutions offered by Google (Android) and Apple (iOS), and solutions created by Microsoft (the MDM vendor).
1. Android Native
For Android native you have your standard profiles with a separation of work and private profiles. This can indeed give you some nice benefits for protecting your company data. See an excellent write-up about the Android Enterprise profiles here: https://bayton.org/android/what-is-android-enterprise-and-why-is-it-used/
For iOS you have native Open-in; this is a very barebones method of protecting enterprise data in managed apps, and there is not a lot of flexibility. It is configured simply with a Restrictions configuration (there are two settings). See the documentation here: https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf -- go to the section "Tools for separating corporate data". These are the two settings: "Allow documents from unmanaged sources in managed destinations." and "Allow documents from managed sources in unmanaged destinations.".
Both Android and iOS also have native solutions for BYOD (Work Profile and User Enrollment respectively), which I will not discuss further here.
2. Microsoft Solution
The Microsoft solution is App Protection Policies (APP). This gives extra controls for apps that have the SDK built in or have the controls applied with a wrapper (so unlike the native solution, this is not for all apps). APP can be used in conjunction with the native solutions, and that is mostly the preferred way.
So when trying to create a strategy, I would suggest researching the options using the above mini guide. It is impossible for me to give you the solution; it really depends on a lot of factors at play at your company. Hope this helps a little bit.
------
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it a Like.
Sep 02 2024 01:27 AM
Sep 09 2024 03:27 AM
I have configured and deployed the App Protection policy to a test group and it seems to be working fine. The next thing I would like to achieve is to make sure that only managed apps are allowed to access company data (e.g. Outlook for emails).
I've read through the links and I'm not sure if I am on the right track. I've been looking at CA:
Now, I have a few questions:
Thank you again for all your help... I'm almost there 🙂
Sep 11 2024 04:16 AM
Sep 11 2024 02:10 PM
So I have been testing it the last few days.... App protection works fine... no issues there... However, the CA was causing lots of issues...
Not sure yet what could be causing this....