LOB apps and "Require approved client app"

%3CLINGO-SUB%20id%3D%22lingo-sub-1246970%22%20slang%3D%22en-US%22%3ELOB%20apps%20and%20%22Require%20approved%20client%20app%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1246970%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20true%20that%20LOB%20Apps%20can%20not%20be%20added%20to%20the%20%22Approved%20Client%20App%22%20list%20for%20cloud%20app%20access%20with%20Conditional%20Access%20%22Require%20approved%20client%20app%22%3F%26nbsp%3B%20So%20basically%2C%20is%20the%20following%20true%3F%3C%2FP%3E%3CP%3E%22As%20for%20the%20conflict%20you%20were%20assuming%20with%20the%20Conditional%20Access%20policy%20settings%2C%20you%20are%20correct.%26nbsp%3B%20If%20you%20do%20set%20the%20%22Require%20approved%20client%20app%22%20control%20under%20Access%20Controls%20%26gt%3B%20Grant%2C%20this%20requires%20devices%20to%20use%20an%20approved%20client%20app%20to%20access%20the%20services.%26nbsp%3B%20At%20this%20moment%2C%20LOB%20apps%20are%20no%20considered%20so.%26nbsp%3B%26nbsp%3BYou%20can%20see%20the%20current%20list%20of%20approved%20apps%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fapp-based-conditional-access%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fapp-based-conditional-access%3C%2FA%3E%3C%2FP%3E%3CP%3EAs%20you%20can%20see%20in%20the%20document%2C%20it%20states%20%22This%20setting%20applies%20to%20the%20following%20iOS%20and%20Android%20apps%22%20and%20will%20only%20work%20on%20the%20apps%20on%20this%20list.%3C%2FP%3E%3CP%3EThe%20Intune%20SDK%20package%20will%20allow%20the%20app%20to%20be%20recognized%20and%20protected%20with%20Intune's%20App%20protection%20policies%2C%20but%20does%20not%20consider%20it%20an%20approved%20app.%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1246970%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Application%20Management%20(MAM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1247178%22%20slang%3D%22en-US%22%3ERe%3A%20LOB%20apps%20and%20%22Require%20approved%20client%20app%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1247178%22%20slang%3D%22en-US%22%3EHi%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20is%20correct.%20You%20have%20two%20options%3A%3CBR%20%2F%3E-%20Exclude%20the%20app%20from%20the%20CA%20policy%20(if%20possible)%3CBR%20%2F%3E-%20Use%20require%20app%20protection%20policy%20(if%20the%20app%20supports%20an%20APP%20policy)%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1247708%22%20slang%3D%22en-US%22%3ERe%3A%20LOB%20apps%20and%20%22Require%20approved%20client%20app%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1247708%22%20slang%3D%22en-US%22%3EThanks%20for%20the%20response.%20I%20don't%20have%20any%20of%20those%20options%20in%20my%20tenant.%20Thanks%20again.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1249335%22%20slang%3D%22en-US%22%3ERe%3A%20LOB%20apps%20and%20%22Require%20approved%20client%20app%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1249335%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F186539%22%20target%3D%22_blank%22%3E%40Thijs%20Lecomte%3C%2FA%3E%26nbsp%3BWhat%20about%20this%20article%3F%26nbsp%3B%20See%20the%20last%202%20features%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fdeveloper%2Fapps-prepare-mobile-application-management%23feature-comparison%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fdeveloper%2Fapps-prepare-mobile-application-management%23feature-comparison%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1249766%22%20slang%3D%22en-US%22%3ERe%3A%20LOB%20apps%20and%20%22Require%20approved%20client%20app%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1249766%22%20slang%3D%22en-US%22%3EThat%20goes%20together%20with%20the%20option%20'-%20Use%20require%20app%20protection%20policy%20(if%20the%20app%20supports%20an%20APP%20policy)'%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20if%20the%20app%20is%20app%20protection%20policy%20ready%20(through%20SDK%20or%20wrapping%20tool)%2C%20you%20could%20use%20the%20conditional%20access%20control%20'use%20require%20app%20protection%20policy'%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Is it true that LOB Apps can not be added to the "Approved Client App" list for cloud app access with Conditional Access "Require approved client app"?  So basically, is the following true?

"As for the conflict you were assuming with the Conditional Access policy settings, you are correct.  If you do set the "Require approved client app" control under Access Controls > Grant, this requires devices to use an approved client app to access the services.  At this moment, LOB apps are no considered so.  You can see the current list of approved apps here: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-conditional-acc...

As you can see in the document, it states "This setting applies to the following iOS and Android apps" and will only work on the apps on this list.

The Intune SDK package will allow the app to be recognized and protected with Intune's App protection policies, but does not consider it an approved app."

4 Replies
Highlighted
Hi

This is correct. You have two options:
- Exclude the app from the CA policy (if possible)
- Use require app protection policy (if the app supports an APP policy)
Highlighted
Thanks for the response. I don't have any of those options in my tenant. Thanks again.
Highlighted
Highlighted
That goes together with the option '- Use require app protection policy (if the app supports an APP policy)'

So if the app is app protection policy ready (through SDK or wrapping tool), you could use the conditional access control 'use require app protection policy'