Ensure personal iOS, Android, and Windows devices are configured for security and productivity


Today, as part of our Enabling Remote Work for IT Pros web series, we're showing you the various options you can use to configure personal devices to ensure security of your corporate data. We walk through questions to consider when looking at different models for iOS, Android, and personal Windows devices such as Application Protection Policy without enrollment, iOS user enrollment and Android Enterprise work policy. Extensive resources have been provided below, which are discussed throughout the presentation.




Learn more

Here are links to the resources mentioned in this session:

Here are the links to the resources mentioned in the detailed resources portion of the session, by solution:

Application Protection Policy (APP)

iOS User Enrollment

Android Enterprise Work Profile

Conditional Access

Microsoft Cloud App Security

Information Protection

Windows Virtual Desktop

Windows 10 Virtual Desktop Integration (VDI)

Windows Information Protection (WIP)

While not mentioned specifically in this session, here are some additional resources you might find helpful:

Frequently asked questions

Q: For app protection on iOS, do you still need the intuneMAMUPN attribute in the application configurations per app for identified an application on a fully managed device?

A: Yes, that is the hint to the SDK that it is an MDM managed app. For more details, see How to manage data transfer between iOS apps in Microsoft Intune.


Q: For Android Enterprise Devices in COBO, we are trying to launch OneDrive for our mobile users. Inside of the App Configuration Policy for managed device, I only see the “configuration key” for allowed accounts. Is there additional documentation that has more json keys so that we can automatically configure the app for the user?


A: Managed Configuration (App Configuration) in Android Enterprise is pulled from Managed Google Play directly, so if the key is there, we’ll pull it directly. That being said, the key is IntuneMamAllowedAccountsOnly because it is the same key across all apps for the Intune SDK to find it. Here is the iOS documentation and here is the Android documentation. These docs also list the applications that support single account mode (require both the Intune SDK to be integrated and in-app logic by developers to support this mode).


Q: Does the application protection policy work based on source only? For example, I have a Word document saved in SharePoint, so the policy applies there. Now let’s say I have the file inside my external hard disk as well, does the policy apply there too? Does the policy apply to both external and non-cloud sources?


A: The policy is targeted based on the application and the identity signed into that app. This is about protecting the app. If you need the data wherever it resides, then that is a function of Microsoft Information Protection. Assigning MIP labels would protect the data itself, regardless of location.


We hope you find this session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!



0 Replies