Intune - App Protection Policies

Question

question

karthikpalani-9530 asked Feb 23, '22 Crystal-MSFT edited Feb 25, '22

Intune - App Protection Policies

Hi All,

Need some information on below

On IOS, MAC & Android - I am testing app protection policies in which my requirements to block accessing M365 applications via any browser including IE edge. I used conditional access policy to grant only approved apps, which means IE edge also part of it. I am able to block the access on third party browser but not on IE edge. Please advice on how to block IE edge office application access also
On Windows Platform - I applied Windows Information Protection in blocked mode. It is creating a problem while opening adobe reader and stated ACCESS DENIED. Also if i open portal.office.com from IE edge, i can copy or transfer all content to other unmanaged apps (It is only restricting M365 locally installed apps not browser). Also added Adobe reader as desktop apps under protected apps & IE edge as well.

Please suggest your expertise

mem-intune-general mem-intune-enrollment mem-intune-application-management mem-intune-conditional-access

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2022-02-24T01:37:39.663Z

Crystal-MSFT answered Feb 24, '22 Crystal-MSFT edited Feb 24, '22

@karthikpalani-9530, For your questions, Here are some suggestions from my side:
1. For conditional access, set another conditional policy, under conditions, choose platform: Android. iOS, macOS. Client apps: Browser. Access controls: block.
2. For WIP. I notice Adobe reader shows access denied. Please check if the app is added as below:

And see if the app is running in WIP by checking the Enterprise context:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context

For the data in portal.office.com, if we consider they are enterprise data that needs to be protected. We can add it ot cloud resource in network boundary.
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip#recommended-enterprise-cloud-resources

Hope it can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

image.png (99.4 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2022-02-24T05:48:30.057Z

karthikpalani-9530 answered Feb 24, '22 Crystal-MSFT commented Feb 24, '22

Thanks Crystal-MSFT

One more query, I applied app protection policy in IOS/IPad/Android. I was able to restrict all transfers except copying

How to restrict copy from corporate OneDrive to local file storage and vice versa

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Crystal-MSFT · Feb 24 at 07:58 AM

@karthikpalani-9530,, We can try to set "Restrict cut, copy and paste between other apps" in app protection policy to see if it can help. Here is a link with more details for the reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#data-protection

0 ·

Answer 3 · 2022-02-24T13:32:01.17Z

karthikpalani-9530 answered Feb 24, '22 Crystal-MSFT edited Feb 25, '22

Sure i will test, as i understand there is no App protection policies for MAC device. Any insight on how to protect data in it please

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Crystal-MSFT · Feb 25 at 02:39 AM

@karthikpalani-9530,Thanks for the reply. As you will test, if any update, feel free to let us know.

Meanwhile, For MacOS device, currently, there is no app protection policy for it. You can feedback to Apple to see if we can get it in the future. At this moment, you can have some security controls for Mac OS by enrolling into Intune .More information refer this https://docs.microsoft.com/en-us/intune/macos-enroll

Hope it can help.

0 ·

question