Feb 04 2021 08:50 AM
I've created my first App Protection Policy, in an effort to gain some control over what users can do with company apps & data on personal devices. I set the policy to target apps on unmanaged devices, and assigned the policy to my own user account for testing.
My intent was to install apps and sign in on an unmanaged device to confirm the policy applied as expected, but I soon discovered that the targeted apps on my main iPhone (which is already managed) were affected by the policy. I got the notification that my company was managing my data for the app and was required to set up a PIN and enter that when launching the app.
My expectation was that the policy would not be applied to or have any effect on managed devices. Did I misunderstand something about how these settings should work, or is there something I may have done wrong in the configuration which would cause the policy to apply on a managed device?
Feb 04 2021 04:40 PM
@Steve Whitcher In the app protection policy, is "Target to all device types" set to "No" and "Device Type" selected as "Unmanaged"?
Feb 05 2021 05:18 AM
Feb 05 2021 12:51 PM
You can try this and see if both your managed & unmanaged devices show up.
Apps > App Selective wipe > choose your user name and see if both devices show up.
Feb 05 2021 01:44 PM
@Pa_D Good question. I show 3 devices in that screen, one of which is an old PC and can be ruled out. The other 2 are unfortunately just named iPhone at the moment, so I can't say for sure. I'll rename the devices and check again after it updates.
Feb 08 2021 06:18 AM
@Pa_D After changing the name on both devices, one of the two 'iPhone' entries on that screen updated, while the other still says 'iPhone'. I'm assuming the one that didn't update must be an old phone, not my current one.
Feb 09 2021 09:34 AM
@Steve Whitcher is it showing the iOS device that is "Managed"?
Feb 09 2021 09:41 AM
Feb 09 2021 10:01 AM
Feb 09 2021 10:09 AM - edited Feb 09 2021 10:10 AM
@Steve Whitcher I would suggest trying to reproduce it on another "Managed" iOS device to see if the app protection policy applies again.
Feb 10 2021 12:37 AM - edited Feb 10 2021 12:39 AM
You have to configure the IntuneMAMUPN setting for all the iOS apps. Otherwise, the apps won't know the difference between being managed or unmanaged.
If you don't specify this setting, unmanaged is the default. So even when your device is enrolled/compliant, it will get the unmanaged app protection policies.
Create and deploy app protection policies - Microsoft Intune | Microsoft Docs
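The reply above describes the root cause: an app protection policy targeted at unmanaged devices still applies on an enrolled iPhone when the app has no IntuneMAMUPN app configuration telling it which enrolled user it belongs to. The following Python is an added example, not code from this thread or from Microsoft. It audits a list of iOS app configuration policies (in the shape I assume Microsoft Graph returns from `GET /deviceAppManagement/mobileAppConfigurations`: `@odata.type`, `targetedMobileApps`, and `settings` items with `appConfigKey`, `appConfigKeyType`, `appConfigKeyValue`) against the apps an unmanaged-device APP targets, reports which apps are missing the key, and builds the request body that would add it. The policy list, app ids and display names are constructed sample data.

```python
"""Audit iOS app configuration policies for the IntuneMAMUPN key.

Added example (not from the thread). Assumed Graph shape for
iosMobileAppConfiguration objects; sample data below is constructed.
"""
import json

MAM_UPN_KEY = "IntuneMAMUPN"
MAM_UPN_VALUE = "{{userprincipalname}}"  # Intune token, substituted per enrolled user

# Constructed sample: Outlook has the key, Teams has a policy without it,
# OneDrive has no app configuration policy at all.
SAMPLE_POLICIES = [
    {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": "Outlook - IntuneMAMUPN",
        "targetedMobileApps": ["app-id-outlook"],
        "settings": [
            {"appConfigKey": "IntuneMAMUPN", "appConfigKeyType": "stringType",
             "appConfigKeyValue": "{{userprincipalname}}"},
        ],
    },
    {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": "Teams - other settings",
        "targetedMobileApps": ["app-id-teams"],
        "settings": [
            {"appConfigKey": "SomeOtherKey", "appConfigKeyType": "stringType",
             "appConfigKeyValue": "x"},
        ],
    },
]

# Constructed: app ids targeted by the unmanaged-device app protection policy.
APP_PROTECTION_TARGET_APPS = ["app-id-outlook", "app-id-teams", "app-id-onedrive"]


def apps_with_mam_upn(policies):
    """Return the set of app ids that some iOS policy configures with the UPN token."""
    covered = set()
    for policy in policies:
        if not policy.get("@odata.type", "").endswith("iosMobileAppConfiguration"):
            continue  # Android or other policy types are out of scope here
        for setting in policy.get("settings", []):
            key_ok = setting.get("appConfigKey") == MAM_UPN_KEY
            value_ok = str(setting.get("appConfigKeyValue", "")).lower() == MAM_UPN_VALUE
            if key_ok and value_ok:
                covered.update(policy.get("targetedMobileApps", []))
    return covered


def missing_mam_upn(policies, protected_apps):
    """Apps that will be treated as unmanaged even on enrolled devices."""
    return sorted(set(protected_apps) - apps_with_mam_upn(policies))


def build_mam_upn_policy(app_ids, display_name="IntuneMAMUPN for APP-targeted apps"):
    """Request body (assumed Graph schema) for one policy covering the missing apps."""
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": display_name,
        "targetedMobileApps": list(app_ids),
        "settings": [{
            "appConfigKey": MAM_UPN_KEY,
            "appConfigKeyType": "stringType",
            "appConfigKeyValue": MAM_UPN_VALUE,
        }],
    }


if __name__ == "__main__":
    gaps = missing_mam_upn(SAMPLE_POLICIES, APP_PROTECTION_TARGET_APPS)
    print("Apps missing IntuneMAMUPN:", gaps)
    if gaps:
        print(json.dumps(build_mam_upn_policy(gaps), indent=2))
```

Run against a real export, the `missing_mam_upn` result is the list of apps where the symptom in the original post (the unmanaged APP prompting for a PIN on an enrolled iPhone) should be expected until the app configuration policy is assigned.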
Feb 10 2021 12:16 PM
Feb 25 2021 06:59 PM
Jan 28 2022 06:32 PM
Jan 30 2022 12:41 AM
Jan 30 2022 12:46 AM - edited Jan 30 2022 12:50 AM
Hi,
Sorry for my late response, couldn't log in somehow :)
https://twitter.com/ooms_rudy/status/1487387393716068352
But that would be nice indeed, should save you some time; in my GitHub there is a part where I automated that deployment.
https://github.com/Call4cloud/Enrollment/blob/main/DU/
I am explaining that part also in the blog I mentioned above!
Jan 30 2022 12:51 AM