Review client app protection logs

Learn about the settings you can review in the app protection logs. Access logs by enabling Intune Diagnostics on a mobile client.

The process to enable and collect logs varies by platform:

The following table lists the App protection policy setting name and supported values that are recorded in the log. In addition, each setting identifies the policy setting found within Microsoft Endpoint Manager portal. For detailed information on each setting, see iOS/iPadOS app protection policy settings.

App protection policy settings

Name Value details Setting in Microsoft Endpoint Manager App Protection Policy​
AccessRecheckOfflineTimeout​ x minutes Section: Conditional Launch
Setting: Offline grace period with action Block access (minutes)
AccessRecheckOnlineTimeout​ x minutes Section: Access requirements
Setting: Recheck the access requirements after (minutes of inactivity)
AllowedOutboundClipboardSharingExceptionLength x characters Section: Data protection
Setting: Cut and copy character limit for any app
AppPinDisabled​ 0 = Require
1 = Not required
Section: Access requirements
Setting: App PIN when device PIN is set
AppSharingFromLevel​ 0 = None​
1 = Policy Managed apps
2 = All apps
Section: Data Protection
Setting: Receive data from other apps​
AppSharingToLevel​ 0 = None
1 = Policy managed apps
2 = All app
Section: Data Protection
Setting: Send org data to other apps
ProtectManagedOpenInData 0 = False
1 = True
Section: Data Protection
Setting: Send org data to other apps is set to Policy Managed apps with Open-In/Share filtering when true
AuthenticationEnabled​ 0 = Not required​
1 = Require
Section: Access requirements
Setting: Work or school account credentials for access
ClipboardSharingLevel​ 0 = Blocked​
1 = Policy managed apps
2 = Policy managed apps with paste in
3 = Any app
Section: Data Protection
Setting: Restrict cut, copy, and paste between other apps​
ContactSyncDisabled​ 0 = Allow​
1 = Block
Section: Data Protection
Setting: Sync app with native contacts app
DataBackupDisabled​ 0 = Allow​
1 = Block​
Section: Data Protection
Setting: Prevent backups​
DeviceComplianceEnabled​ 0 = False​
1 = True​
Section: Conditional Launch
Setting: Jailbroken/rooted devices
DeviceComplianceFailureAction 0 = Block acess
1 = Wipe data
Section: Conditional Launch
Setting: Jailbroken/rooted devices​
DisableShareSense​ ​N/A N/A: Not actively used by Intune service.​
FileEncryptionLevel​ 0 = When device is locked​
1 = When device is locked and there are open files​
2 = After device restart​
3 = Use device settings​
Section: Data Protection
Setting: Encrypt org data
FileSharingSaveAsDisabled​ 0 = Allow​
1 = Block​
Section: Data Protection
Setting: Save copies of org data ​
IntuneIdentityUPN​ UPN of the Intune MAM user N/A​
ManagedBrowserRequired​ 0 = False​
1 = True​
Section: Data Protection
Setting: Restrict web content to display in the Intune Managed Browser app​.
ManagedLocations​ A value that represents the number of managed storage locations to which the app can save data.​
1 = OneDrive
2 = SharePoint
3 = OneDrive and SharePoint
32 = Local Storage
33 = Local Storage & OneDrive
34 = Local Storage & SharePoint
35 = Local Storage, OneDrive, and SharePoint
Section: Data Protection
Setting: Allow user to save copies to selected services
MinAppVersion​ "0.0" = no minimum app version​
anything else = minimum app version
Section: Conditional launch
Setting: Min app version with action Block access
MinAppVersionWarning​ "0.0" = no minimum app version.
anything else = minimum app version​
Section: Conditional launch
Setting: Min app version with action Warn
MinAppVersionWipe "0.0" = no minimum OS version​
anything else = minimum OS version​
Section: Conditional launch
Setting: Min app version with action Wipe data
MinOsVersion​ "0.0" = no minimum OS version​
anything else = minimum OS version​
Section: Conditional launch
Setting: Min OS version with action Block access
MinOsVersionWarning​ "0.0" = no minimum OS version​
anything else = minimum OS version​
Section: Conditional launch
Setting: Min OS version with action Warn
MinOsVersionWipe "0.0" = no minimum OS version​
anything else = minimum OS version​
Section: Conditional launch
Setting: Min OS version with action Wipe data
MinSDKVersion​ "0.0" = no minimum SDK version​
anything else = minimum OS version
Section: Conditional launch
Setting: Min SDK version with action Block access​
MinSDKVersion​Wipe "0.0" = no minimum SDK version​
anything else = minimum OS version​
Section: Conditional launch
Setting: Min SDK version with action Block access​​
NotificationRestriction 0 = Allow​
1 = Block Org Data
2 = Block
Section: Data Protection
Setting: Org data notifications
PINCharacterType​ 0 = Passcode
1 = Numeric
Section: Access requirements
Setting: Pin type
PINEnabled​ 0 = Not required​
1 = Require​
Section: Access requirements
Setting: PIN for access​
PINMinLength​ x characters Section: Access requirements
Setting: Select minimum PIN length​
PINNumRetry​ x attempts Section: Conditional launch
Setting: Max PIN attempts​
MaxPinRetryExceededAction 0 = Reset PIN
1 = Wipe data
Section: Conditional launch
Setting: Max PIN attempts​
PrintingBlocked​ 0 = Allow
1 = Block​
Section: Data Protection
Setting: Printing org data​
SimplePINAllowed​ 0 = Block
1 = Allow​​
Section: Access requirements
Setting: Simple PIN​
TouchIDEnabled​ 0 = Block
1 = Allow​
Section: Access requirements
Setting: Touch ID instead of PIN for access (iOS 8+/iPadOS)
ThirdPartyKeyboardsBlocked 0 = Allow
1 = Block
Section: Data Protection
Setting: Third party keyboards
FaceIDEnabled 0 = Block
1 = Allow​
Section: Access requirements
Setting: Face ID instead of PIN for access (iOS 11+/iPadOS)
PINExpiryDays x characters​ Section: Access requirements
Setting: PIN reset after number of days > Number of days
NonBioPassTimeOutRequired 0 = Not required
1 = Require
Section: Access requirements
Setting: Override Touch ID with PIN after timeout
NonBioPassTimeOut x minutes​ Section: Access requirements
Setting: Override Touch ID with PIN after timeout > Timeout (minutes of inactivity)
DictationBlocked 0 = Allow
1 = Block​
No administration control for this setting.
OfflineWipeInterval x days​ Note: No admin control for this setting.
ProtocolExclusions 0 = Allow
1 = Block​
Section: Data Protection
Setting: Select apps to exempt
EnableOpenInFilter 0 = Disabled
1 = Enabled​
Section: Data Protection
Setting: Send Org data to other apps > Policy managed apps with Open-In/Share filtering
MinimumRequiredDeviceThreatProtectionLevel 0 = Not configured
1 = Secured
2 = Low
3 = Medium
4 = High
Section: Conditional launch
Setting: Max allowed device threat level
MobileThreatDefenseRemediationAction 0 = Block access
1 = Wipe data
Section: Access requirements
Setting: Max allowed device threat level action)
AllowedIOSModelsElseBlock x characters​ Section: Conditional launch
Setting: Device model(s) with action Allow specified (Block non-specific)
AllowedIOSModelsElseWipe x characters​ Section: Conditional launch
Setting: Device model(s) with action Allow specified (Wipe non-specific)
ProtectAllIncomingUnknownSourceData N/A​ Note: Not actively used by Intune service.

Next steps