Microsoft Tech Community

Intune - App protection policy to protect company data


Hi all,

 

I plan to configure and deploy an App Protection policy for Android and iPhone mobile phones. I'm doing some studying these days and trying to understand one thing:

 

I will configure it for "all apps" and want to prevent users from copying organization data from their business account to their personal account - let's say, to prevent a user from copying from the company M365 email in Outlook to a personal Gmail email.

 

I understand that I can prevent users from copying data from Outlook and the linked company M365 email to - for example - the Gmail app with a personal account linked, as the Gmail app is not a "managed app".

 

My question however is:

How do I prevent users from adding their Gmail account to Outlook? I want to prevent the situation where a user adds their Gmail mailbox to Outlook and then copies/pastes data over from the M365 email to the Gmail email, as both are in the managed app (Outlook). Or what is the best practice for this situation?

 

 


@sumo83 

 

Have a look at this: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and...

 

Organization allowed accounts is Microsoft's best practice for achieving this.

@SebastiaanSmits cool... Thank you. I will test it soon, but it looks like it is what I was looking for.

May I ask you one more thing - with an App protection policy, do I understand it properly that it will enrol mobile phones in Intune automatically when a user triggers the policy? Or will the policy not have any effect on phone enrolment?

I am asking as I have been watching several trainings where it was mentioned that there are 3 ways of onboarding phones - and App protection policy was mentioned as a kind of way to enrol phones. However, it has not been explained whether it will really enrol phones in Intune or not.

You can do a sort of enrollment from the App Protection Policy (APP). This is used for a pure Bring Your Own Device scenario, when the device is owned by the end user and is not a company-owned device. You can log in from a Microsoft app and the APP policy is applied to the device without an MDM enrollment. If you would like more info about this, let me know.

------
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.

And what is that "sort of enrolment", please? This is exactly what I am not sure about: will the mobile phone be visible in Intune?

I understand there are two other ways to enrol a mobile phone - fully (company) managed and BYOD with a work profile. These two are visible in Intune.

Btw, our organization hasn't really cared much about mobile phones so far... so it is a bit messy... and I am trying to change that. As we have a mix of personal phones and company phones, it looks like app protection policy could be a perfect fit to mitigate the data leak risk for now.

@sumo83 

 

I see you have Android and iOS, so there are a lot of options to pick from. Explaining them all is too much here. But according to what you are describing, you have company-owned iOS and Android devices (right?). No Bring Your Own devices, I guess?

 

The possibilities can be separated, roughly, into two parts: the Native Solutions, i.e. those offered by Google (Android) and Apple (iOS), and solutions created by Microsoft (the MDM vendor).

 

1. Android Native

 

For Android Native you have your standard profiles with a separation of Work and Private Profiles. This can indeed give you some nice benefits for protecting your company data. See an excellent write-up about the Android Enterprise Profiles here: https://bayton.org/android/what-is-android-enterprise-and-why-is-it-used/

 

For iOS you have native Open-in. This is a very barebones method of protecting enterprise data in managed apps; there is not a lot of flexibility. It is configured simply with a Restrictions configuration (there are two settings). See the documentation here: https://www.apple.com/business/docs/resources/Managing_Devices_and_Corporate_Data.pdf -- go to the section “Tools for separating corporate data”. These are the two settings: “Allow documents from unmanaged sources in managed destinations” and “Allow documents from managed sources in unmanaged destinations”.

 

Both Android and iOS also have a native solution for BYOD (Work Profile and User Enrollment respectively), which I will not discuss further here.

 

2. Microsoft Solution

 

The Microsoft Solution is App Protection Policies (APP). These give extra controls for apps that have the SDK built in or have the controls applied with a wrapper (so unlike the native solution this is not for all apps). APP can be used in conjunction with the native solutions, and that is mostly the preferred way.

 

 

So when trying to create a strategy I would suggest researching the options using the above mini guide. It is impossible for me to give you the solution; it really depends on a lot of factors at play at your company. Hope this helps a little bit.


That makes sense. We also have personal devices used here, so I want to make sure that company data/resources are protected if someone tries to access them from a personal device.

I played with BYOD and fully managed a few months back to see how it works (work profile on BYOD, etc.), so I have some basic understanding. I was however not sure how App protection fits into it and whether it actually replaces the - as you called it, NATIVE - solution.

Thanks for explaining the NATIVE and MS solutions - I hadn't realized this at all until now. As I was always working with MS Intune, I hadn't thought about Google etc... So it makes sense.

As we are heavily on MS products, the App protection policy seems to be a good starting point for now.

Thank you again for all the info. Really appreciate it.
Very informative.

Hi @SebastiaanSmits 

 

I have configured and deployed the App protection policy to a test group and it seems to be working fine. The next thing I would like to achieve is to make sure that only managed apps are allowed to access company data (e.g. Outlook for emails).

 

I've read through the links and am not sure if I am on the right track. I've been looking at CA:

  • target "all cloud apps"
  • Conditions: Device Platform - android and iphone
  • Grant: 
    • Require app protection policy
    • Require approved client app

Now, I have a few questions:

  1. Does the CA look OK in the first place?
  2. I've read that to use CA, there needs to be an app broker on the phones (Company Portal for Android or the MS Authenticator app for iPhones). And if it's not there, the user will be redirected to install it.
  3. Require approved client app under Grant gives me the message "You should no longer use "Require approved client app", as we will soon stop updating it." What should be used instead to make sure only approved apps can access our data?

 

Thank you again for all your help... I'm almost there 🙂

Hi,
1. At first glance, it looks fine, besides point 3 🙂

2. This is correct; this is necessary for the device object to be created in Entra.

3. You can just use Require app protection policy; it will serve the same purpose in your case. All the apps that need to connect to the MS Cloud (Outlook etc.) and are part of the APP are also part of the list of approved client apps, so it works the same and nothing is added when you use Require approved client app.
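The answer above amounts to a checklist for the Conditional Access policy drafted in the question: target all cloud apps, scope to Android and iOS, grant on "Require app protection policy" and drop the deprecated "Require approved client app". The script below is an added example, not code from this thread or from Microsoft; it audits policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape (as returned by `GET /identity/conditionalAccess/policies`) against that checklist, so a drift away from the intended pattern shows up in review rather than on users' phones. The `compliantApplication` and `approvedApplication` values are the Graph `builtInControls` names for the two grant controls; the sample policies are constructed for the example.

```python
"""Audit exported Conditional Access policies for the mobile app-protection pattern.

Input: a JSON list of policy objects in the Microsoft Graph conditionalAccessPolicy
shape. The SAMPLE_POLICIES below are constructed for this example and mirror the
draft in the thread (both grant controls) and the corrected version (APP only).
"""
import json
import sys

MOBILE_PLATFORMS = {"android", "iOS"}       # Graph conditionalAccessDevicePlatform values
DEPRECATED_GRANT = "approvedApplication"    # portal label: Require approved client app
PREFERRED_GRANT = "compliantApplication"    # portal label: Require app protection policy

# Constructed sample export: three policies a tenant might have lying around.
SAMPLE_POLICIES = [
    {
        "displayName": "Mobile - require APP (first draft)",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["android", "iOS"]},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [DEPRECATED_GRANT, PREFERRED_GRANT],
        },
    },
    {
        "displayName": "Mobile - require APP (corrected)",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["android", "iOS"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [PREFERRED_GRANT]},
    },
    {
        "displayName": "Mobile - Android pilot",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["android"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [PREFERRED_GRANT]},
    },
]


def audit_policy(policy: dict) -> list[str]:
    """Return findings for one policy; an empty list means it matches the pattern."""
    findings = []
    conditions = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])

    # Report-only or disabled policies protect nothing yet.
    if policy.get("state") != "enabled":
        findings.append(f"state is '{policy.get('state')}'; policy is not enforcing")

    # The thread's goal is to gate company data in every cloud app, not a subset.
    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    if apps != ["All"]:
        findings.append("does not target all cloud apps; unmanaged apps could bypass it")

    # Both mobile platforms from the question must be in scope.
    platforms = set((conditions.get("platforms") or {}).get("includePlatforms") or [])
    if not MOBILE_PLATFORMS <= platforms:
        missing = sorted(MOBILE_PLATFORMS - platforms)
        findings.append(f"missing mobile platforms: {missing}")

    # The grant should rely on app protection policy, not the deprecated control.
    if DEPRECATED_GRANT in controls:
        findings.append(
            f"uses deprecated grant '{DEPRECATED_GRANT}'; rely on '{PREFERRED_GRANT}' instead"
        )
    if PREFERRED_GRANT not in controls:
        findings.append(f"grant does not require app protection policy ('{PREFERRED_GRANT}')")

    return findings


def audit_all(policies: list[dict]) -> dict[str, list[str]]:
    """Map each policy displayName to its findings."""
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in policies}


if __name__ == "__main__":
    # Usage: python ca_audit.py [exported_policies.json]; defaults to the sample set.
    policies = SAMPLE_POLICIES
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            policies = json.load(fh)
    for name, findings in audit_all(policies).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real export, the first draft is flagged only for the deprecated control, the corrected policy passes, and the pilot is flagged for report-only mode and the missing iOS platform; that is the same reasoning as the answer, just repeatable across every policy in the tenant.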

@SebastiaanSmits 

 

So I have been testing it the last few days.... App protection works fine... no issues there... However, the CA was causing lots of issues...

 

  • Outlook was quite OK
  • Teams was not working properly with CA. Almost every time I tried to run Teams (also other users that were testing it), I got the message "Checking app status" -> "Protecting this app" -> then it was trying to open the MS Auth app without getting to the code at all... and was cycling like this. Sometimes, after 3-4 times... it ended up with a window saying "the account is already signed in", but Teams would not load the profile. I have not seen any sign-in attempt for the user in the MS Entra sign-in logs. The phone can be found under Devices for the user. I had to switch the CA to read-only again.

Not sure yet what could be causing this....