top of page

App Protection Policy (Intune)

This blog's purpose is to explain about App protection policy in Intune

So what is App Protection Policy?

it's a set of rules that ensures an organization's data is protected within a managed app, this can be a set of rules enforced when a user attempts to access or move "corporate" data or a set of actions that are prohibited or monitored when a user use an App.

Mobile Device Management is a traditional method for securing a device and the data associated with the device. Historically, the need to secure the device and data outgrew the need to use additional security measures, such as device pins and encryption. However, progress has been made to include the capability to configure and control individual device settings, as well as create profiles, such as VPN and certificate profiles, to protect the entire device and applications it contains. Additionally, there is a new method for managing those apps, known as Mobile Application Management (MAM), which enables us to control and protect specific apps instead of the entire mobile device, allowing users to access work and organization data from their devices.

The diagram represents the fundamental difference between MDM and MAM

From both a personal and work perspective, mobile devices play a significant role in our day-to-day lives. From the user's perspective, they would like to access work data from any location and any device, while from the IT perspective, we need to ensure that the data access method is secure. With the help of Intune MAM and App Protection policy, we can protect our company's data. This is regardless of whether devices are enrolled in a device management solution or another MDM platform.

Different use cases can be served by app protection

1. Devices that are enrolled in Intune, typically corporate-owned devices
2. Devices enrolled with other MDM solution 
3. Devices not enrolled in MDM solution, are BYOD devices typically owned 
   by employees 

What are the benefits of using App Protection Policies?

  1. Company data is protected at the app level and no need to enroll the device in an MDM

  2. Policies don't apply when using the app in a personal context and the ability to protect corporate data without touching personal data

  3. App protection policy makes the app layer secure and protection in place by requiring PIN on the managed app to access work data, control the sharing of data between the apps, and save the corporate data in unauthorized locations.

  4. Together, MAM and MDM ensure the device is better protected by applying a less stringent MAM policy to Intune-managed devices and a more stringent MAM policy to devices not enrolled in MDM.

Below are the factors and framework that guide the App Protection Policy

App protection policy data protection frameworks identify the appropriate settings for protecting work or school account data, allowing organizations to tailor protection to their specific requirements. Three levels of configuration are available within the framework

App Protection Policy Frame Work
Level 1 is the minimum data protection configuration for devices which replaces the need to exchange online device access policies by requiring a pin to access work data and decrypting the work account data, in addition to this we can selectively wipe specific apps to remove the work datafrom that application which helps to manage the work data better using Data [protection, Access Requirements, and Conditional Launch Level 2 is an advanced data protection configuration recommended as a standard for devices where users access more sensitive data these are mostly targeted levels in enterprises today, this configuration adds a layer of protection to level 1 by restricting data transfer scenarios and by requiring a minimum operating system version to access the work data using Data protection and conditional Launch Level 3 is a much more advanced level targeted to users who are accessing highly sensitive data, this configuration adds advanced protection to level 2 by restricting additional data transfer scenarios, increasing the complexity of pins, and block simple pins, and adding mobile threat detection

Here are some ways that App Protection Policies protect information about apps

I used Microsoft Docs diagrams to illustrate

Apps without an app protection

In the absence of app protection policies, work data may be saved to the local device location or personal storage or transferred to other apps, resulting in data loss.

As you can see in the above diagram, data can move freely between different apps and storage locations for corporate and personal data.

Apps with an app protection policy

In this case, apps are protected by the Intune app protection policy, which prevents work data from being saved to the device's local storage and restricts data momentary access to apps that aren't protected.

1. Data relocation policy restricts work data from saving, cutting, 
   copying, pasting, and transferring to other apps
2. Access policy settings will enforce PIN for accessing the managed app 
   and block running on jailbroken or rooted devices 

Devices having both App Protection and Enrolled to Intune

These devices are enrolled to MDM solution Intune along with an app protection policy

The device is enrolled in Intune, which will help deploy apps to the device, enforce device compliance, and manage device settings. By adding App protection to enrolled devices, potential data leaks can be prevented, and the copying of data from unmanaged apps can be controlled.

App protection Policy on Unmanaged Device

Typical BYOD scenarios involve employees wanting to access work data using their personal devices, but don't want IT to manage their devices; in this case, app protection policies can help by protecting work data at the app level.

Some of the limitations of these kinds of enrollment are

1. You can't deploy apps from intune user need to download the application 
   from Play Store or App Store 
2. You can't provision certificate profiles on these devices
3. You can't provision Wi-Fi and VPN profiles on these devices 

Apps that support App Protection Polices

Any app that has been integrated with Intune SDK or wrapped with Intune App Wrapping Tool can be managed using Intune App protection Policies you can find application details from Microsoft Docs Link

App Protection Policy Delivery Timing

let's see the delivery time for the app protection policy


This article provided an overview of the App Protection Policy, framework, and different use cases. In my next post, I will cover how to use conditional access with app protection policy.


bottom of page