cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Intune App Protection Policies with policy assurance

%3CLINGO-SUB%20id%3D%22lingo-sub-1688886%22%20slang%3D%22en-US%22%3EIntune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1688886%22%20slang%3D%22en-US%22%3EIn%20this%20session%20we%20will%20discuss%20how%20admins%20can%20be%20assured%20that%20work%20or%20school%20account%20data%20on%20mobile%20devices%20are%20protected%20using%20Azure%20Active%20Directory%20Conditional%20Access%20and%20Intune%20App%20Protection%20Policies.%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1688886%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EEndpoint%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Endpoint%20Manager%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Intune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2281784%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2281784%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3BAs%20Q1%20passes%2C%20any%20updates%20on%20this%20feature%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163700%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163700%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3BThank%20you%20for%20the%20information.%20I%20also%20set%20it%20up%20as%20you%20suggested%20and%20used%20the%20device%20condition%20%22exclude%20compliant%20devices%22%20because%20I%20want%20app%20protection%20turned%20off%20for%20managed%20devices.%20Now%20it%20seems%20to%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22Why%20I%20didn't%20do%20that%20before%20is%20this%20Microsoft's%20statement%3A%20%22%3CSPAN%3EMicrosoft%20Teams%2C%20Microsoft%20Kaizala%2C%20Microsoft%20Skype%20for%20Business%20and%20Microsoft%20Visio%20do%20not%20support%20the%26nbsp%3B%3C%2FSPAN%3ERequire%20app%20protection%20policy%3CSPAN%3E%26nbsp%3Bgrant.%20If%20you%20require%20these%20apps%20to%20work%2C%20please%20use%20the%26nbsp%3B%3C%2FSPAN%3ERequire%20approved%20apps%3CSPAN%3E%26nbsp%3Bgrant%20exclusively.%20%3CSTRONG%3EThe%20use%20of%20the%20or%20clause%20between%20the%20two%20grants%20will%20not%20work%20for%20these%20three%20applications.%22%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fconcept-conditional-access-grant%23require-app-protection-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fconcept-conditional-access-grant%23require-app-protection-policy%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E...which%20I%20thought%20would%20mean%20that%20the%20APP%20or%20managed%20app%20should%20not%20work%20for%20Teams.%20But%20it%20works.%20Maybe%20I%20misunderstood%20something.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2160856%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2160856%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F575230%22%20target%3D%22_blank%22%3E%40rupie100%3C%2FA%3E%26nbsp%3BTeams%20is%20targeting%20the%20end%20of%20Q1CY21%20to%20support%20the%20Require%20app%20protection%20policy%20grant%20access%20control.%20In%20the%20meantime%2C%20you%20can%20leverage%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fapp-protection-based-conditional-access%23scenario-1-microsoft-365-apps-require-approved-apps-with-app-protection-policies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconditional-access%2Fapp-protection-based-conditional-access%23scenario-1-microsoft-365-apps-require-approved-apps-with-app-protection-policies%3C%2FA%3E%26nbsp%3Bto%20utilize%20a%20single%20policy%20that%20supports%20apps%20that%20do%20and%20do%20not%20support%20the%20new%20grant%20access%20control.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2160017%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2160017%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20seems%20that%20today%2C%2023%20Feb%202021%2C%20APP%20CA%20support%20for%20Teams%20is%20still%20not%20implemented.%20What%20is%20the%20best%20practice%20to%20deal%20with%20this%3F%20Is%20it%20having%202%20CA's%2C%20one%20for%20Teams%20only%20with%20%22require%20approved%20client%20apps%22%2C%20and%20one%20for%20Office%20365%20excluding%20Teams%20with%20%22require%20app%20protection%20policy%22%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEdit%3A%3CBR%20%2F%3EI%20tested%2C%20excluding%20Teams%20doesn't%20work%20-%20the%20CA%20is%20still%20activated%20when%20accessing%20Teams.%20A%20dependency%20issue%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EThe%20problem%20is%20that%20having%20just%20%22require%20approved%20client%20apps%22%20for%20all%20Office%20365%20is%20enough%20for%20some%20of%20our%20devices%20to%20get%20APP%20activated%2C%20but%20for%20some%2C%20not.%20It%20needs%20to%20be%20enforced.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2053857%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2053857%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F853529%22%20target%3D%22_blank%22%3E%40Nikolkhaev%3C%2FA%3E%26nbsp%3BYes%2C%20when%20we%20did%20the%20recording%20there%20was%20the%20expectation%20APP%20CA%20would%20be%20supported%20with%20Teams%20in%20Q4%20of%202020.%20Unfortunately%2C%20issues%20prevented%20that%20from%20happening.%20We're%20getting%20close%20to%20releasing%20support.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2051966%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2051966%22%20slang%3D%22en-US%22%3E%3CP%3ETeams%20not%20supported%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1780611%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1780611%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F385268%22%20target%3D%22_blank%22%3E%40Jeff_Bley%3C%2FA%3E%26nbsp%3BThanks%20for%20letting%20me%20know.%20I'll%20have%20the%20production%20team%20look%20into%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1780505%22%20slang%3D%22en-US%22%3ERe%3A%20Intune%20App%20Protection%20Policies%20with%20policy%20assurance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1780505%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70852%22%20target%3D%22_blank%22%3E%40Ross%20Smith%20IV%3C%2FA%3E%26nbsp%3BFYI%20the%20demo%20starting%20at%20the%2029%20min%20mark%20has%20a%20lot%20of%20stuff%20that%20was%20cropped%20out%20so%20you%20can't%20see%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Subject Matter Experts:
Ross Smith IV
Microsoft

‎Sep 20 2020 01:08 PM - last edited on ‎Sep 23 2020 08:11 AM by

‎Sep 20 2020 01:08 PM - last edited on ‎Sep 23 2020 08:11 AM by

Intune App Protection Policies with policy assurance

In this session we will discuss how admins can be assured that work or school account data on mobile devices are protected using Azure Active Directory Conditional Access and Intune App Protection Policies.
3,425 Views
0 Likes
8 Replies
Reply
8 Replies
Jeff_Bley

‎Oct 14 2020 09:56 AM

‎Oct 14 2020 09:56 AM

Re: Intune App Protection Policies with policy assurance

@Ross Smith IV FYI the demo starting at the 29 min mark has a lot of stuff that was cropped out so you can't see it.

0 Likes
Reply
Ross Smith IV

‎Oct 14 2020 10:26 AM

‎Oct 14 2020 10:26 AM

Re: Intune App Protection Policies with policy assurance

@Jeff_Bley Thanks for letting me know. I'll have the production team look into it.

0 Likes
Reply
Nikolkhaev

‎Jan 12 2021 12:05 AM

‎Jan 12 2021 12:05 AM

Re: Intune App Protection Policies with policy assurance

Teams not supported  @Ross Smith IV 

0 Likes
Reply
Ross Smith IV

‎Jan 12 2021 10:34 AM

‎Jan 12 2021 10:34 AM

Re: Intune App Protection Policies with policy assurance

@Nikolkhaev Yes, when we did the recording there was the expectation APP CA would be supported with Teams in Q4 of 2020. Unfortunately, issues prevented that from happening. We're getting close to releasing support.

0 Likes
Reply
rupie100

‎Feb 23 2021 10:47 AM - edited ‎Feb 23 2021 11:20 AM

‎Feb 23 2021 10:47 AM - edited ‎Feb 23 2021 11:20 AM

Re: Intune App Protection Policies with policy assurance

Hello,

It seems that today, 23 Feb 2021, APP CA support for Teams is still not implemented. What is the best practice to deal with this? Is it having 2 CA's, one for Teams only with "require approved client apps", and one for Office 365 excluding Teams with "require app protection policy"?

 

Edit:
I tested, excluding Teams doesn't work - the CA is still activated when accessing Teams. A dependency issue?

The problem is that having just "require approved client apps" for all Office 365 is enough for some of our devices to get APP activated, but for some, not. It needs to be enforced.

0 Likes
Reply
Ross Smith IV

‎Feb 23 2021 03:34 PM

‎Feb 23 2021 03:34 PM

Re: Intune App Protection Policies with policy assurance

@rupie100 Teams is targeting the end of Q1CY21 to support the Require app protection policy grant access control. In the meantime, you can leverage https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-cond... to utilize a single policy that supports apps that do and do not support the new grant access control.

0 Likes
Reply
rupie100

‎Feb 24 2021 01:03 PM

‎Feb 24 2021 01:03 PM

Re: Intune App Protection Policies with policy assurance

@Ross Smith IV Thank you for the information. I also set it up as you suggested and used the device condition "exclude compliant devices" because I want app protection turned off for managed devices. Now it seems to work.

 

"Why I didn't do that before is this Microsoft's statement: "Microsoft Teams, Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the Require app protection policy grant. If you require these apps to work, please use the Require approved apps grant exclusively. The use of the or clause between the two grants will not work for these three applications."

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...

 

...which I thought would mean that the APP or managed app should not work for Teams. But it works. Maybe I misunderstood something.

0 Likes
Reply
EchoCharlie20

‎Apr 22 2021 11:15 AM

‎Apr 22 2021 11:15 AM

Re: Intune App Protection Policies with policy assurance

@Ross Smith IV As Q1 passes, any updates on this feature? 

0 Likes
Reply

Session Resources