Intune Application Protection Policies
  • 25 Sep 2023
  • 10 Minutes to read
  • PDF

Intune Application Protection Policies

  • PDF

Article summary

Microsoft Intune® App Protection Policies or Data Loss prevention policies help you secure corporate data across Microsoft Office 365® apps and applications that support Intune SDK on Android & iOS devices.

Scalefusion integration with Microsoft Graph API lets IT Admins manage these policies directly from Scalefusion Dashboard, thereby removing the need to manage two consoles when using Scalefusion.

This document helps you understand how to give Scalefusion the required permissions to manage Intune protection policies and describes the various policies supported by Scalefusion.

Before you Begin

  1. To use Microsoft Intune® Endpoint Protection Policies, you would require one of the following licenses,
    • Microsoft 365 E5
    • Microsoft 365 E3
    • Enterprise Mobility + Security E5
    • Enterprise Mobility + Security E3
    • Microsoft 365 Business Premium
    • Microsoft 365 F1
    • Microsoft 365 F3
    • Microsoft 365 Government G5
    • Microsoft 365 Government G3
  2. You would need access to an Admin account that can grant Scalefusion the required permissions to create, update, & sync the policies.
  3. Data Loss Policies created from Scalefusion currently target only the following applications,
    • Microsoft Outlook
    • Microsoft OneNote
    • Microsoft Excel
    • Microsoft Powerpoint
    • Microsoft Word

Step 1: Authorize Scalefusion to Configure Data Loss Protection Policies

The first step is to authorize Scalefusion to manage the policies on behalf of your organization. Follow the steps below to complete this part,

  1. To do so, you would need to Sign In to Scalefusion with an Office 365 account that has Admin privileges. If you are using a Scalefusion account, then please migrate to using Office 365 based access.
  2. Click on Device Profile & Policies and click on Office 365 Policies.
  3. Click AUTHORIZE in this screen and grant Scalefusion the required permissions when prompted,
  4. Once authorized, this section becomes the single pane of control to view & manage your Data Loss prevention policies. This screen displays all the policies currently created and other related information.
    1. Profile Listing View
      1. Profile Name: The display name of the profile/policy for your reference.
      2. OS: The OS that this policy is applicable to between Android & iOS.
      3. GROUPS: The security groups this policy is currently active on. Note that there can be multiple policies applied to the same group.
      4. Last Modified By: The email ID of the admin that modified this policy last.
      5. Created At: The date and time when this policy was first created.
      6. Last Modified: The date and time when this policy was last modified.
      7. Actions: Provides you options to Publish, Unpublish, Edit or Delete this profile.
    2. SYNC NOW: Allows you to sync the current policies and update the state from Microsoft Endpoint Manager.
    3. CREATE PROFILE: Use this option to create a profile from Scalefusion Dashboard.

Step 2: Prepare for end-user experience on Android & iOS devices.

  1. On Android devices, the end users need to Sign In to Intune Company Portal app before using Microsoft Office 365 applications. So make sure that you publish the Intune Company Portal application using Scalefusion's Play for Work integration
  2. On iOS devices, when the user authenticates to Microsoft Office 365 applications, the system displays a popup stating that your organization manages the application. There are no additional steps in the configuration.

Step 3: Create Data Loss Prevention Profiles

Using the Scalefusion Dashboard, IT Admins can create Data Loss Prevention Policies for Android & iOS devices. For both the platforms, the application where this policy will be applied are,

  • Microsoft Outlook
  • Microsoft OneNote
  • Microsoft Excel
  • Microsoft Powerpoint
  • Microsoft Word

To create a new Data Loss Prevention policy, follow the steps below,

  1. Navigate to Device Management > Office 365 Profiles and click CREATE PROFILE
  2. Provide a Name and choose the OS/Platform that this policy should target. Click SUBMIT to open the profile creation wizard.
  3. Data Storage & Share Settings: Use this section to define how data is stored and shared between applications. In the table below, managed applications refer to applications managed by this policy unless otherwise specified.
    Data Storage & Share SettingsDescription
    Prevent Corporate Data Backup to OS-specific servicesEnable this to prevent users from backing up data from their managed applications to OS-specific services like iCloud or Android backup services.
    Data Transfer to Other Apps

    Configure data transfer policy for managed applications. The options are,

    Allow All: Transfer data to Any App

    Restricted: Transfer data to Managed Apps only

    • Block All: Blocks All Data Transfer
    Disallow Save As or Block storing copies of Corporate dataPrevent users from saving copies of corporate data. This option can be controlled only if the data transfer to another app is selected as Restricted: Transfer data to Managed Apps only
    Configure Storage Locations

    If you have prevented saving copies of data, you can select an override to configure allowed locations, and the options are,

    • OneDrive for Business
    • SharePoint
    • Local Storage
    Receive Data From Other Apps

    Configure if managed applications can receive data from other apps using the share menu options in other apps. The options are,

    • Allow All: Receive data from Any App
    • Restricted: Receive data from Managed Apps only
    • Block All: Blocks All Data Transfer
    Restrict Cut Copy Paste with Other Apps

    Configure the clipboard settings for the managed applications.

    • Any App: Allow to cut, copy, and paste data between their managed applications and any application.
    • Apps Managed by Policy: Allow cut, copy, and paste data between managed Microsoft Intune App Protection Policies applications.
    • Policy Managed Apps with Paste in: Allow cut and copy data from another app. However, it blocks users from sharing content outwardly unless sharing with a managed app.
    • Blocked - Prevents users from cutting, copying, and pasting data between managed applications and all applications.
    Force Links in Managed Apps to open in Managed BrowserForces link in managed applications to open in a managed browser like Microsoft Edge.
    Encrypt Managed App DataEncrypts data pertaining to managed applications when this option is selected. The system encrypts data stored anywhere, including external storage drives and SIM cards.
    Disable Printing From Managed AppsPrevents printing documents and data from managed applications.
    Disable Contact Syncing to the Native Contact bookPrevents managed applications from saving contacts to the native address book by hiding the Sync Contacts option.
  4. Access Settings: Use this section to define the access rules for your managed applications.
    Access SettingsDescription
    Require PIN for AccessRequires users to enter a PIN to access managed applications. Users create the PIN during the initial setup of the application. Once enabled, you can configure the following sub-settings,
    Select PIN TypeChoose between Numeric or Alphanumeric & Symbols
    Select Minimum PIN LengthConfigure a minimum length for the PIN that the user needs to set.
    Force Reser PIN DurationEnable this to reset the PIN after the selected number of days.
    Maximum Invalid PIN AttemptsConfigure the maximum invalid PIN attempts before the managed app access is restricted, and the user is forced to create a new PIN.
    Disable App PIN even if Device PIN existsEnable this if the PIN shouldn't be used if there is a device-level PIN set.
    Block Fingerprint/Touch ID access to appsChoose if users are allowed to use Fingerprint instead of PIN on Android 6.0+ devices.
    Block Simple PINPrevent users from setting simple patterns for their PINs.
    Enforce Corporate Credentials For AccessSets the system to validate the access PIN, fingerprint, or credential information when the access session reaches one of the time intervals.
    • Timeout - The number of minutes the access sessions for managed applications are idle.
    • Offline Grace Period - The number of minutes devices with managed applications are offline.
    Enforce Access RequirementsConfigure how often the access requirements should be enforced. The options are,
    • Idle Timeout Minutes: The user will be asked for a PIN after the device is idle for the selected time.
    • Offline Grace Period Minutes: Users will be given a grace period if they are offline before enforcing access requirements.
    Wipe Managed App data if Idle for (days)Sets the system to remove managed application data from devices when devices are offline for a set number of days.
  5. Android Settings: Define additional settings for your Android devices. These options are visible only if you are creating/editing an Android profile.
    Android SettingsDescription
    Block Screen Capture and Android AssistantEnable this to block screenshots of the managed applications and prevent Android Assistant App scanning.
    Minimum Android OS version RequiredEnter the required minimum Android OS version number that a user device must have to access the managed app. Enter the required minimum Android OS version number that a user device must have to access the managed app.
    Minimum Android Patch version RequiredEnter the minimum Android security patch level that a user device must have to access the managed app.
    Minimum App version requiredEnter the required minimum App version number that a user must have to get access to the app.
  6. iOS Settings: Use this section to define settings specific to iOS devices. These options are visible only if you are creating/editing an iOS profile.
    iOS SettingsDescription
    Block Face ID access to apps (iOS 11+)Enable this to prevent Face ID access to managed applications or disable this to enforce the PIN requirement.
    Minimum iOS version requiredEnter the required minimum iOS version number that a user device will have to access the application.
    Minimum App version requiredEnter the required minimum app version number that a user device must be having to access the application.
    Minimum App protection policy SDK version requiredEnter the minimum Intune Application Protection Policy SDK version that the managed applications should have to get access to the application.
  7. Once you have configured the profile, click on the SAVE button to save the profile.

Step 4: Managing & Deploying Data Loss Preventions Profiles

Once you have created the DLP policies for Android and/or iOS, you can manage them by choosing to publish, unpublish, edit or delete them.

Scalefusion syncs the state of policies with Microsoft Endpoint Manager every time you open this page, but if you want to force a sync, then you can use the SYNC NOW button.

Please note that any change that you make in Scalefusion is reflected in Microsoft Endpoint Manager and vice-versa and has an effect on all the groups to which these policies have been applied.

Publish a Profile

Use this option to apply/publish a set of policies to one or multiple security groups in your organization.

  1. Click on 3 dots in the Actions column and select Publish
  2. Select the groups where you want to publish this policy and click PUBLISH.
The groups where this profile has already been published will appear greyed out, and you cannot select them again.

You can publish an Android & iOS profile to the same group to make sure that all types of devices in the group are covered.

UnPublish a Profile

Use this option to remove the applied policies from one or multiple security groups in your organization.

  1. Click on 3 dots in the Actions column and select UnPublish
  2. Select the groups from where you want to remove the policy and click UNPUBLISH.
    Only the groups where this policy has been published will be listed in the unpublish dialog.

Editing a Policy

Use this option to make changes to an existing policy. Note that any changes to the policy will automatically be applied to the groups where this policy has been applied.

Deleting a Policy

Use this option to delete a profile completely. Note that this action will remove the data loss prevention policies governed by this profile on the devices. To delete a profile, select the Delete option from the actions menu and confirm the action.

Frequently Asked Questions

Question: How much time does it take for the new policies or changes in policies to take effect?

Answer: As per the documentation, users who are already signed in to the apps won't see the changes in the policy for an eight-hour period. On Android, using the Intune Company Portal and syncing the policies makes the policies to be re-synced. On iOS, when the app is restarted or the device reboots, it looks like the policies seem to take effect.

Question: We have applied the policies, and they work on iOS devices but not on Android.

Answer: Make sure that you have published the Intune Company portal app to your Android devices and that the user is signed in to the IDP app using the corporate credentials.

Question: What do we do if a particular policy does not seem to work?

Answer: In the case of Office 365 policies, Scalefusion simply acts as a bridge, helping you easily manage DLP policies from a single Dashboard. Please note that the actual behavior is dependent on the target application, and you would have to reach out to Microsoft Intune/Endpoint Manager support.

Question: We see that Profiles created from Scalefusion are applied to only a select few application targets. However, we would like to add other Intune SDK-supported applications as targets.

Answer: If you have an application that integrates with Intune SDK and supports Data Loss Prevention policies, do get in touch with our support, and we can add support for the target application.

Was this article helpful?