Intune App Protection Policies with policy assurance
Published Sep 20 2020 01:08 PM 7,056 Views
Subject Matter Experts:
Microsoft
In this session we will discuss how admins can be assured that work or school account data on mobile devices are protected using Azure Active Directory Conditional Access and Intune App Protection Policies.
12 Comments
Microsoft

@Ross Smith IV FYI the demo starting at the 29 min mark has a lot of stuff that was cropped out so you can't see it.

Microsoft

@Jeff_Bley Thanks for letting me know. I'll have the production team look into it.

Copper Contributor

Teams not supported @Ross Smith IV

Microsoft

@Nikolkhaev Yes, when we did the recording there was the expectation APP CA would be supported with Teams in Q4 of 2020. Unfortunately, issues prevented that from happening. We're getting close to releasing support.

Copper Contributor

Hello,

It seems that today, 23 Feb 2021, APP CA support for Teams is still not implemented. What is the best practice to deal with this? Is it having two CAs, one for Teams only with "require approved client apps", and one for Office 365 excluding Teams with "require app protection policy"?


Edit:
I tested; excluding Teams doesn't work: the CA is still activated when accessing Teams. A dependency issue?

The problem is that having just "require approved client apps" for all Office 365 is enough for some of our devices to get APP activated, but for some, not. It needs to be enforced.

Microsoft

@rupie100 Teams is targeting the end of Q1CY21 to support the Require app protection policy grant access control. In the meantime, you can leverage https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-protection-based-cond... to utilize a single policy that supports apps that do and do not support the new grant access control.

Copper Contributor

@Ross Smith IV Thank you for the information. I also set it up as you suggested and used the device condition "exclude compliant devices" because I want app protection turned off for managed devices. Now it seems to work.


Why I didn't do that before is this Microsoft statement: "Microsoft Teams, Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the Require app protection policy grant. If you require these apps to work, please use the Require approved apps grant exclusively. The use of the or clause between the two grants will not work for these three applications."

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-acces...


...which I thought would mean that the APP or managed app should not work for Teams. But it works. Maybe I misunderstood something.
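As an added illustration (not from the thread or from Microsoft's documentation), this is what the single policy from the reply above looks like when expressed as a Microsoft Graph `conditionalAccessPolicy` request body: the two grants are combined with `OR` so that apps which support the Require app protection policy grant (`compliantApplication`) satisfy it, while apps that only support Require approved client app (`approvedApplication`) still satisfy the policy; the device filter mirrors the "exclude compliant devices" condition described in the post above. The group object id is a placeholder you must replace, and the policy is created in report-only state so that sign-in logs can be reviewed before it is switched to `enabled`.

```json
{
  "displayName": "Mobile: require app protection policy or approved client app (added example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeGroups": ["<PLACEHOLDER-pilot-group-object-id>"]
    },
    "applications": {
      "includeApplications": ["Office365"]
    },
    "clientAppTypes": ["mobileAppsAndDesktopClients"],
    "platforms": {
      "includePlatforms": ["android", "iOS"]
    },
    "devices": {
      "deviceFilter": {
        "mode": "exclude",
        "rule": "device.isCompliant -eq True"
      }
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["approvedApplication", "compliantApplication"]
  }
}
```

The body is sent with `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` by a principal holding `Policy.ReadWrite.ConditionalAccess`. Because the operator is `OR`, the weaker approved-client-app path remains available to every app in scope, not only the ones that lack APP support; whether a given app can satisfy the stronger grant at all is exactly the per-app behaviour this thread is about, so check the "Grant controls" column of the report-only sign-in entries for each app before enforcing.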

Copper Contributor

@Ross Smith IV As Q1 passes, any updates on this feature?

Copper Contributor

Is there a way to get the PowerPoint presentation for this "Intune App Protection Policies with policy assurance"?

Copper Contributor

@Ross Smith IV Hi Ross, I'm hoping you or anyone else reading this can help me with this query. I am curious about the Intune SDK with Policy Assurance, in particular the 'Policy Assurance' bit.

What makes the app "Policy assured"? Are there extra QA or registration steps that the vendor needs to go through for Policy Assurance, or should it just happen if the app is wrapped in the Intune SDK? If that's the case, how do we ensure that it happens? And if it doesn't happen, is the app allowed to launch?

For context we are trying to add 'Require App Protection Policy' to a Conditional access policy.


Thanks!

Microsoft

@theloops370 Policy assurance is explained in the video above. For information on how to integrate policy assurance into your apps, see Microsoft Intune App SDK for iOS developer guide | Microsoft Docs and https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk-android#app-protection-ca

Microsoft

@Ross Smith IV: What action should I be taking to list the apps under the conditional access blade to apply the "Require app protection policy"? I understand that the app needs to be implementing the Intune SDK, but looking at the existing apps which support the app protection policy feature, it is only Microsoft apps. For a third-party LOB app which is integrated with the Intune SDK, it is not clear how to make it appear in the list.