Intune App Protection Policies with policy assurance

%3CLINGO-SUB%20id%3D%22lingo-sub-1688886%22%20slang%3D%22en-US%22%3EIntune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1688886%22%20slang%3D%22en-US%22%3EIn%20this%20session%20we%20will%20discuss%20how%20admins%20can%20be%20assured%20that%20work%20or%20school%20account%20data%20on%20mobile%20devices%20are%20protected%20using%20Azure%20Active%20Directory%20Conditional%20Access%20and%20Intune%20App%20Protection%20Policies.%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1688886%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EEndpoint%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Endpoint%20Manager%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Intune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2281784%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2281784%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3BAs%20Q1%20passes%2C%20any%20updates%20on%20this%20feature%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163700%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163700%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3BThank%20you%20for%20the%20information.%20I%20also%20set%20it%20up%20as%20you%20suggested%20and%20used%20the%20device%20condition%20%22exclude%20compliant%20devices%22%20because%20I%20want%20app%20protection%20turned%20off%20for%20managed%20devices.%20Now%20it%20seems%20to%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22Why%20I%20didn't%20do%20that%20before%20is%20this%20Microsoft's%20statement%3A%20%22%3CSPAN%3EMicrosoft%20Teams%2C%20Microsoft%20Kaizala%2C%20Microsoft%20Skype%20for%20Business%20and%20Microsoft%20Visio%20do%20not%20support%20the%26nbsp%3B%3C%2FSPAN%3ERequire%20app%20protection%20policy%3CSPAN%3E%26nbsp%3Bgrant.%20If%20you%20require%20these%20apps%20to%20work%2C%20please%20use%20the%26nbsp%3B%3C%2FSPAN%3ERequire%20approved%20apps%3CSPAN%3E%26nbsp%3Bgrant%20exclusively.%20%3CSTRONG%3EThe%20use%20of%20the%20or%20clause%20between%20the%20two%20grants%20will%20not%20work%20for%20these%20three%20applications.%22%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fconcept-conditional-access-grant%23require-app-protection-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fconcept-conditional-access-grant%23require-app-protection-policy%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E...which%20I%20thought%20would%20mean%20that%20the%20APP%20or%20managed%20app%20should%20not%20work%20for%20Teams.%20But%20it%20works.%20Maybe%20I%20misunderstood%20something.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2160856%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2160856%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F575230%22%20target%3D%22_blank%22%3E%40rupie100%3C%2FA%3E%26nbsp%3BTeams%20is%20targeting%20the%20end%20of%20Q1CY21%20to%20support%20the%20Require%20app%20protection%20policy%20grant%20access%20control.%20In%20the%20meantime%2C%20you%20can%20leverage%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fapp-protection-based-conditional-access%23scenario-1-microsoft-365-apps-require-approved-apps-with-app-protection-policies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fapp-protection-based-conditional-access%23scenario-1-microsoft-365-apps-require-approved-apps-with-app-protection-policies%3C%2FA%3E%26nbsp%3Bto%20utilize%20a%20single%20policy%20that%20supports%20apps%20that%20do%20and%20do%20not%20support%20the%20new%20grant%20access%20control.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2160017%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2160017%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20seems%20that%20today%2C%2023%20Feb%202021%2C%20APP%20CA%20support%20for%20Teams%20is%20still%20not%20implemented.%20What%20is%20the%20best%20practice%20to%20deal%20with%20this%3F%20Is%20it%20having%202%20CA's%2C%20one%20for%20Teams%20only%20with%20%22require%20approved%20client%20apps%22%2C%20and%20one%20for%20Office%20365%20excluding%20Teams%20with%20%22require%20app%20protection%20policy%22%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEdit%3A%3CBR%20%2F%3EI%20tested%2C%20excluding%20Teams%20doesn't%20work%20-%20the%20CA%20is%20still%20activated%20when%20accessing%20Teams.%20A%20dependency%20issue%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EThe%20problem%20is%20that%20having%20just%20%22require%20approved%20client%20apps%22%20for%20all%20Office%20365%20is%20enough%20for%20some%20of%20our%20devices%20to%20get%20APP%20activated%2C%20but%20for%20some%2C%20not.%20It%20needs%20to%20be%20enforced.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2053857%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2053857%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F853529%22%20target%3D%22_blank%22%3E%40Nikolkhaev%3C%2FA%3E%26nbsp%3BYes%2C%20when%20we%20did%20the%20recording%20there%20was%20the%20expectation%20APP%20CA%20would%20be%20supported%20with%20Teams%20in%20Q4%20of%202020.%20Unfortunately%2C%20issues%20prevented%20that%20from%20happening.%20We're%20getting%20close%20to%20releasing%20support.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2051966%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2051966%22%20slang%3D%22en-US%22%3E%3CP%3ETeams%20not%20supported%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1780611%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1780611%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F385268%22%20target%3D%22_blank%22%3E%40Jeff_Bley%3C%2FA%3E%26nbsp%3BThanks%20for%20letting%20me%20know.%20I'll%20have%20the%20production%20team%20look%20into%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1780505%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1780505%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3BFYI%20the%20demo%20starting%20at%20the%2029%20min%20mark%20has%20a%20lot%20of%20stuff%20that%20was%20cropped%20out%20so%20you%20can't%20see%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Subject Matter Experts:
Microsoft
In this session we will discuss how admins can be assured that work or school account data on mobile devices are protected using Azure Active Directory Conditional Access and Intune App Protection Policies.
8 Replies

@Ross Smith IV FYI the demo starting at the 29 min mark has a lot of stuff that was cropped out so you can't see it.

@Jeff_Bley Thanks for letting me know. I'll have the production team look into it.

Teams not supported  @Ross Smith IV 

@Nikolkhaev Yes, when we did the recording there was the expectation APP CA would be supported with Teams in Q4 of 2020. Unfortunately, issues prevented that from happening. We're getting close to releasing support.

Hello,

It seems that today, 23 Feb 2021, APP CA support for Teams is still not implemented. What is the best practice to deal with this? Is it having 2 CA's, one for Teams only with "require approved client apps", and one for Office 365 excluding Teams with "require app protection policy"?

 

Edit:
I tested, excluding Teams doesn't work - the CA is still activated when accessing Teams. A dependency issue?

The problem is that having just "require approved client apps" for all Office 365 is enough for some of our devices to get APP activated, but for some, not. It needs to be enforced.

@rupie100 Teams is targeting the end of Q1CY21 to support the Require app protection policy grant access control. In the meantime, you can leverage https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-cond... to utilize a single policy that supports apps that do and do not support the new grant access control.

@Ross Smith IV Thank you for the information. I also set it up as you suggested and used the device condition "exclude compliant devices" because I want app protection turned off for managed devices. Now it seems to work.

 

"Why I didn't do that before is this Microsoft's statement: "Microsoft Teams, Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the Require app protection policy grant. If you require these apps to work, please use the Require approved apps grant exclusively. The use of the or clause between the two grants will not work for these three applications."

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...

 

...which I thought would mean that the APP or managed app should not work for Teams. But it works. Maybe I misunderstood something.

@Ross Smith IV As Q1 passes, any updates on this feature? 

Session Resources