defaultManagedAppProtection resource type
Namespace: microsoft.graph
Important: Microsoft Graph APIs under the /beta version are subject to change; production use is not supported.
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.
Policy used to configure detailed management settings for a specified set of apps for all users not targeted by a TargetedManagedAppProtection Policy
Inherits from managedAppProtection
Methods
| Method | Return Type | Description |
|---|---|---|
| List defaultManagedAppProtections | defaultManagedAppProtection collection | List properties and relationships of the defaultManagedAppProtection objects. |
| Get defaultManagedAppProtection | defaultManagedAppProtection | Read properties and relationships of the defaultManagedAppProtection object. |
| Create defaultManagedAppProtection | defaultManagedAppProtection | Create a new defaultManagedAppProtection object. |
| Delete defaultManagedAppProtection | None | Deletes a defaultManagedAppProtection. |
| Update defaultManagedAppProtection | defaultManagedAppProtection | Update the properties of a defaultManagedAppProtection object. |
Properties
| Property | Type | Description |
|---|---|---|
| displayName | String | Policy display name. Inherited from managedAppPolicy |
| description | String | The policy's description. Inherited from managedAppPolicy |
| createdDateTime | DateTimeOffset | The date and time the policy was created. Inherited from managedAppPolicy |
| lastModifiedDateTime | DateTimeOffset | Last time the policy was modified. Inherited from managedAppPolicy |
| roleScopeTagIds | String collection | List of Scope Tags for this Entity instance. Inherited from managedAppPolicy |
| id | String | Key of the entity. Inherited from managedAppPolicy |
| version | String | Version of the entity. Inherited from managedAppPolicy |
| periodOfflineBeforeAccessCheck | Duration | The period after which access is checked when the device is not connected to the internet. Inherited from managedAppProtection |
| periodOnlineBeforeAccessCheck | Duration | The period after which access is checked when the device is connected to the internet. Inherited from managedAppProtection |
| allowedInboundDataTransferSources | managedAppDataTransferLevel | Sources from which data is allowed to be transferred. Inherited from managedAppProtection. Possible values are: allApps, managedApps, none. |
| allowedOutboundDataTransferDestinations | managedAppDataTransferLevel | Destinations to which data is allowed to be transferred. Inherited from managedAppProtection. Possible values are: allApps, managedApps, none. |
| organizationalCredentialsRequired | Boolean | Indicates whether organizational credentials are required for app use. Inherited from managedAppProtection |
| allowedOutboundClipboardSharingLevel | managedAppClipboardSharingLevel | The level to which the clipboard may be shared between apps on the managed device. Inherited from managedAppProtection. Possible values are: allApps, managedAppsWithPasteIn, managedApps, blocked. |
| dataBackupBlocked | Boolean | Indicates whether the backup of a managed app's data is blocked. Inherited from managedAppProtection |
| deviceComplianceRequired | Boolean | Indicates whether device compliance is required. Inherited from managedAppProtection |
| managedBrowserToOpenLinksRequired | Boolean | Indicates whether internet links should be opened in the managed browser app, or any custom browser specified by CustomBrowserProtocol (for iOS) or CustomBrowserPackageId/CustomBrowserDisplayName (for Android) Inherited from managedAppProtection |
| saveAsBlocked | Boolean | Indicates whether users may use the "Save As" menu item to save a copy of protected files. Inherited from managedAppProtection |
| periodOfflineBeforeWipeIsEnforced | Duration | The amount of time an app is allowed to remain disconnected from the internet before all managed data it is wiped. Inherited from managedAppProtection |
| pinRequired | Boolean | Indicates whether an app-level pin is required. Inherited from managedAppProtection |
| maximumPinRetries | Int32 | Maximum number of incorrect pin retry attempts before the managed app is either blocked or wiped. Inherited from managedAppProtection |
| simplePinBlocked | Boolean | Indicates whether simplePin is blocked. Inherited from managedAppProtection |
| minimumPinLength | Int32 | Minimum pin length required for an app-level pin if PinRequired is set to True Inherited from managedAppProtection |
| pinCharacterSet | managedAppPinCharacterSet | Character set which may be used for an app-level pin if PinRequired is set to True. Inherited from managedAppProtection. Possible values are: numeric, alphanumericAndSymbol. |
| periodBeforePinReset | Duration | TimePeriod before the all-level pin must be reset if PinRequired is set to True. Inherited from managedAppProtection |
| allowedDataStorageLocations | managedAppDataStorageLocation collection | Data storage locations where a user may store managed data. Inherited from managedAppProtection |
| contactSyncBlocked | Boolean | Indicates whether contacts can be synced to the user's device. Inherited from managedAppProtection |
| printBlocked | Boolean | Indicates whether printing is allowed from managed apps. Inherited from managedAppProtection |
| fingerprintBlocked | Boolean | Indicates whether use of the fingerprint reader is allowed in place of a pin if PinRequired is set to True. Inherited from managedAppProtection |
| disableAppPinIfDevicePinIsSet | Boolean | Indicates whether use of the app pin is required if the device pin is set. Inherited from managedAppProtection |
| maximumRequiredOsVersion | String | Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection |
| maximumWarningOsVersion | String | Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection |
| maximumWipeOsVersion | String | Versions bigger than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection |
| minimumRequiredOsVersion | String | Versions less than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection |
| minimumWarningOsVersion | String | Versions less than the specified version will result in warning message on the managed app from accessing company data. Inherited from managedAppProtection |
| minimumRequiredAppVersion | String | Versions less than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection |
| minimumWarningAppVersion | String | Versions less than the specified version will result in warning message on the managed app. Inherited from managedAppProtection |
| minimumWipeOsVersion | String | Versions less than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection |
| minimumWipeAppVersion | String | Versions less than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection |
| appActionIfDeviceComplianceRequired | managedAppRemediationAction | Defines a managed app behavior, either block or wipe, when the device is either rooted or jailbroken, if DeviceComplianceRequired is set to true. Inherited from managedAppProtection. Possible values are: block, wipe, warn. |
| appActionIfMaximumPinRetriesExceeded | managedAppRemediationAction | Defines a managed app behavior, either block or wipe, based on maximum number of incorrect pin retry attempts. Inherited from managedAppProtection. Possible values are: block, wipe, warn. |
| pinRequiredInsteadOfBiometricTimeout | Duration | Timeout in minutes for an app pin instead of non biometrics passcode Inherited from managedAppProtection |
| allowedOutboundClipboardSharingExceptionLength | Int32 | Specify the number of characters that may be cut or copied from Org data and accounts to any application. This setting overrides the AllowedOutboundClipboardSharingLevel restriction. Default value of '0' means no exception is allowed. Inherited from managedAppProtection |
| notificationRestriction | managedAppNotificationRestriction | Specify app notification restriction Inherited from managedAppProtection. Possible values are: allow, blockOrganizationalData, block. |
| previousPinBlockCount | Int32 | Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection |
| managedBrowser | managedBrowserType | Indicates in which managed browser(s) that internet links should be opened. When this property is configured, ManagedBrowserToOpenLinksRequired should be true. Inherited from managedAppProtection. Possible values are: notConfigured, microsoftEdge. |
| maximumAllowedDeviceThreatLevel | managedAppDeviceThreatLevel | Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection. Possible values are: notConfigured, secured, low, medium, high. |
| mobileThreatDefenseRemediationAction | managedAppRemediationAction | Determines what action to take if the mobile threat defense threat threshold isn't met. Warn isn't a supported value for this property Inherited from managedAppProtection. Possible values are: block, wipe, warn. |
| mobileThreatDefensePartnerPriority | mobileThreatDefensePartnerPriority | Indicates how to prioritize which Mobile Threat Defense (MTD) partner is enabled for a given platform, when more than one is enabled. An app can only be actively using a single Mobile Threat Defense partner. When NULL, Microsoft Defender will be given preference. Otherwise setting the value to defenderOverThirdPartyPartner or thirdPartyPartnerOverDefender will make explicit which partner to prioritize. Possible values are: null, defenderOverThirdPartyPartner, thirdPartyPartnerOverDefender and unknownFutureValue. Default value is null Inherited from managedAppProtection. Possible values are: defenderOverThirdPartyPartner, thirdPartyPartnerOverDefender, unknownFutureValue. |
| blockDataIngestionIntoOrganizationDocuments | Boolean | Indicates whether a user can bring data into org documents. Inherited from managedAppProtection |
| allowedDataIngestionLocations | managedAppDataIngestionLocation collection | Data storage locations where a user may store managed data. Inherited from managedAppProtection |
| appActionIfUnableToAuthenticateUser | managedAppRemediationAction | If set, it will specify what action to take in the case where the user is unable to checkin because their authentication token is invalid. This happens when the user is deleted or disabled in AAD. Inherited from managedAppProtection. Possible values are: block, wipe, warn. |
| dialerRestrictionLevel | managedAppPhoneNumberRedirectLevel | The classes of dialer apps that are allowed to click-to-open a phone number. Inherited from managedAppProtection. Possible values are: allApps, managedApps, customApp, blocked. |
| gracePeriodToBlockAppsDuringOffClockHours | Duration | A grace period before blocking app access during off clock hours. Inherited from managedAppProtection |
| protectedMessagingRedirectAppType | messagingRedirectAppType | Defines how app messaging redirection is protected by an App Protection Policy. Default is anyApp. Inherited from managedAppProtection. Possible values are: anyApp, anyManagedApp, specificApps, blocked. |
| appDataEncryptionType | managedAppDataEncryptionType | Type of encryption which should be used for data in a managed app. (iOS Only). Possible values are: useDeviceSettings, afterDeviceRestart, whenDeviceLockedExceptOpenFiles, whenDeviceLocked. |
| screenCaptureBlocked | Boolean | Indicates whether screen capture is blocked. (Android only) |
| encryptAppData | Boolean | Indicates whether managed-app data should be encrypted. (Android only) |
| disableAppEncryptionIfDeviceEncryptionIsEnabled | Boolean | When this setting is enabled, app level encryption is disabled if device level encryption is enabled. (Android only) |
| minimumRequiredSdkVersion | String | Versions less than the specified version will block the managed app from accessing company data. (iOS Only) |
| customSettings | keyValuePair collection | A set of string key and string value pairs to be sent to the affected users, unalterned by this service |
| deployedAppCount | Int32 | Count of apps to which the current policy is deployed. |
| minimumRequiredPatchVersion | String | Define the oldest required Android security patch level a user can have to gain secure access to the app. (Android only) |
| minimumWarningPatchVersion | String | Define the oldest recommended Android security patch level a user can have for secure access to the app. (Android only) |
| exemptedAppProtocols | keyValuePair collection | iOS Apps in this list will be exempt from the policy and will be able to receive data from managed apps. (iOS Only) |
| exemptedAppPackages | keyValuePair collection | Android App packages in this list will be exempt from the policy and will be able to receive data from managed apps. (Android only) |
| faceIdBlocked | Boolean | Indicates whether use of the FaceID is allowed in place of a pin if PinRequired is set to True. (iOS Only) |
| minimumWipeSdkVersion | String | Versions less than the specified version will block the managed app from accessing company data. |
| minimumWipePatchVersion | String | Android security patch level less than or equal to the specified value will wipe the managed app and the associated company data. (Android only) |
| allowedIosDeviceModels | String | Semicolon seperated list of device models allowed, as a string, for the managed app to work. (iOS Only) |
| appActionIfIosDeviceModelNotAllowed | managedAppRemediationAction | Defines a managed app behavior, either block or wipe, if the specified device model is not allowed. (iOS Only). Possible values are: block, wipe, warn. |
| allowedAndroidDeviceManufacturers | String | Semicolon seperated list of device manufacturers allowed, as a string, for the managed app to work. (Android only) |
| appActionIfAndroidDeviceManufacturerNotAllowed | managedAppRemediationAction | Defines a managed app behavior, either block or wipe, if the specified device manufacturer is not allowed. (Android only). Possible values are: block, wipe, warn. |
| thirdPartyKeyboardsBlocked | Boolean | Defines if third party keyboards are allowed while accessing a managed app. (iOS Only) |
| filterOpenInToOnlyManagedApps | Boolean | Defines if open-in operation is supported from the managed app to the filesharing locations selected. This setting only applies when AllowedOutboundDataTransferDestinations is set to ManagedApps and DisableProtectionOfManagedOutboundOpenInData is set to False. (iOS Only) |
| disableProtectionOfManagedOutboundOpenInData | Boolean | Disable protection of data transferred to other apps through IOS OpenIn option. This setting is only allowed to be True when AllowedOutboundDataTransferDestinations is set to ManagedApps. (iOS Only) |
| protectInboundDataFromUnknownSources | Boolean | Protect incoming data from unknown source. This setting is only allowed to be True when AllowedInboundDataTransferSources is set to AllApps. (iOS Only) |
| requiredAndroidSafetyNetDeviceAttestationType | androidManagedAppSafetyNetDeviceAttestationType | Defines the Android SafetyNet Device Attestation requirement for a managed app to work. Possible values are: none, basicIntegrity, basicIntegrityAndDeviceCertification. |
| appActionIfAndroidSafetyNetDeviceAttestationFailed | managedAppRemediationAction | Defines a managed app behavior, either warn or block, if the specified Android SafetyNet Attestation requirement fails. Possible values are: block, wipe, warn. |
| requiredAndroidSafetyNetAppsVerificationType | androidManagedAppSafetyNetAppsVerificationType | Defines the Android SafetyNet Apps Verification requirement for a managed app to work. Possible values are: none, enabled. |
| appActionIfAndroidSafetyNetAppsVerificationFailed | managedAppRemediationAction | Defines a managed app behavior, either warn or block, if the specified Android App Verification requirement fails. Possible values are: block, wipe, warn. |
| customBrowserProtocol | String | A custom browser protocol to open weblink on iOS. (iOS only) |
| customBrowserPackageId | String | Unique identifier of a custom browser to open weblink on Android. (Android only) |
| customBrowserDisplayName | String | Friendly name of the preferred custom browser to open weblink on Android. (Android only) |
| minimumRequiredCompanyPortalVersion | String | Minimum version of the Company portal that must be installed on the device or app access will be blocked |
| minimumWarningCompanyPortalVersion | String | Minimum version of the Company portal that must be installed on the device or the user will receive a warning |
| minimumWipeCompanyPortalVersion | String | Minimum version of the Company portal that must be installed on the device or the company data on the app will be wiped |
| allowedAndroidDeviceModels | String collection | List of device models allowed, as a string, for the managed app to work. (Android Only) |
| appActionIfAndroidDeviceModelNotAllowed | managedAppRemediationAction | Defines a managed app behavior, either block or wipe, if the specified device model is not allowed. (Android Only). Possible values are: block, wipe, warn. |
| customDialerAppProtocol | String | Protocol of a custom dialer app to click-to-open a phone number on iOS, for example, skype:. |
| customDialerAppPackageId | String | PackageId of a custom dialer app to click-to-open a phone number on Android. |
| customDialerAppDisplayName | String | Friendly name of a custom dialer app to click-to-open a phone number on Android. |
| biometricAuthenticationBlocked | Boolean | Indicates whether use of the biometric authentication is allowed in place of a pin if PinRequired is set to True. (Android Only) |
| requiredAndroidSafetyNetEvaluationType | androidManagedAppSafetyNetEvaluationType | Defines the Android SafetyNet evaluation type requirement for a managed app to work. (Android Only). Possible values are: basic, hardwareBacked. |
| blockAfterCompanyPortalUpdateDeferralInDays | Int32 | Maximum number of days Company Portal update can be deferred on the device or app access will be blocked. |
| warnAfterCompanyPortalUpdateDeferralInDays | Int32 | Maximum number of days Company Portal update can be deferred on the device or the user will receive the warning |
| wipeAfterCompanyPortalUpdateDeferralInDays | Int32 | Maximum number of days Company Portal update can be deferred on the device or the company data on the app will be wiped |
| deviceLockRequired | Boolean | Defines if any kind of lock must be required on device. (android only) |
| appActionIfDeviceLockNotSet | managedAppRemediationAction | Defines a managed app behavior, either warn, block or wipe, if the screen lock is required on device but is not set. (android only). Possible values are: block, wipe, warn. |
| connectToVpnOnLaunch | Boolean | Whether the app should connect to the configured VPN on launch (Android only). |
| appActionIfDevicePasscodeComplexityLessThanLow | managedAppRemediationAction | If the device does not have a passcode of low complexity or higher, trigger the stored action. Possible values are: block, wipe, warn. |
| appActionIfAccountIsClockedOut | managedAppRemediationAction | Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time). Possible values are: block, wipe, warn. |
| appActionIfDevicePasscodeComplexityLessThanMedium | managedAppRemediationAction | If the device does not have a passcode of medium complexity or higher, trigger the stored action. Possible values are: block, wipe, warn. |
| appActionIfDevicePasscodeComplexityLessThanHigh | managedAppRemediationAction | If the device does not have a passcode of high complexity or higher, trigger the stored action. Possible values are: block, wipe, warn. |
| requireClass3Biometrics | Boolean | Require user to apply Class 3 Biometrics on their Android device. |
| requirePinAfterBiometricChange | Boolean | A PIN prompt will override biometric prompts if class 3 biometrics are updated on the device. |
| fingerprintAndBiometricEnabled | Boolean | Indicate to the client to enable both biometrics and fingerprints for the app. |
| minimumWarningSdkVersion | String | Versions less than the specified version will result in warning message on the managed app from accessing company data. (iOS only) |
| messagingRedirectAppUrlScheme | String | When a specific app redirection is enforced by protectedMessagingRedirectAppType in an App Protection Policy, this value defines the app url redirect schemes which are allowed to be used. |
| messagingRedirectAppDisplayName | String | When a specific app redirection is enforced by protectedMessagingRedirectAppType in an App Protection Policy, this value defines the app name which are allowed to be used. |
| messagingRedirectAppPackageId | String | When a specific app redirection is enforced by protectedMessagingRedirectAppType in an App Protection Policy, this value defines the app package ids which are allowed to be used. |
Relationships
| Relationship | Type | Description |
|---|---|---|
| apps | managedMobileApp collection | List of apps to which the policy is deployed. |
| deploymentSummary | managedAppPolicyDeploymentSummary | Navigation property to deployment summary of the configuration. |
JSON Representation
Here is a JSON representation of the resource.
{
"@odata.type": "#microsoft.graph.defaultManagedAppProtection",
"displayName": "String",
"description": "String",
"createdDateTime": "String (timestamp)",
"lastModifiedDateTime": "String (timestamp)",
"roleScopeTagIds": [
"String"
],
"id": "String (identifier)",
"version": "String",
"periodOfflineBeforeAccessCheck": "String (duration)",
"periodOnlineBeforeAccessCheck": "String (duration)",
"allowedInboundDataTransferSources": "String",
"allowedOutboundDataTransferDestinations": "String",
"organizationalCredentialsRequired": true,
"allowedOutboundClipboardSharingLevel": "String",
"dataBackupBlocked": true,
"deviceComplianceRequired": true,
"managedBrowserToOpenLinksRequired": true,
"saveAsBlocked": true,
"periodOfflineBeforeWipeIsEnforced": "String (duration)",
"pinRequired": true,
"maximumPinRetries": 1024,
"simplePinBlocked": true,
"minimumPinLength": 1024,
"pinCharacterSet": "String",
"periodBeforePinReset": "String (duration)",
"allowedDataStorageLocations": [
"String"
],
"contactSyncBlocked": true,
"printBlocked": true,
"fingerprintBlocked": true,
"disableAppPinIfDevicePinIsSet": true,
"maximumRequiredOsVersion": "String",
"maximumWarningOsVersion": "String",
"maximumWipeOsVersion": "String",
"minimumRequiredOsVersion": "String",
"minimumWarningOsVersion": "String",
"minimumRequiredAppVersion": "String",
"minimumWarningAppVersion": "String",
"minimumWipeOsVersion": "String",
"minimumWipeAppVersion": "String",
"appActionIfDeviceComplianceRequired": "String",
"appActionIfMaximumPinRetriesExceeded": "String",
"pinRequiredInsteadOfBiometricTimeout": "String (duration)",
"allowedOutboundClipboardSharingExceptionLength": 1024,
"notificationRestriction": "String",
"previousPinBlockCount": 1024,
"managedBrowser": "String",
"maximumAllowedDeviceThreatLevel": "String",
"mobileThreatDefenseRemediationAction": "String",
"mobileThreatDefensePartnerPriority": "String",
"blockDataIngestionIntoOrganizationDocuments": true,
"allowedDataIngestionLocations": [
"String"
],
"appActionIfUnableToAuthenticateUser": "String",
"dialerRestrictionLevel": "String",
"gracePeriodToBlockAppsDuringOffClockHours": "String (duration)",
"protectedMessagingRedirectAppType": "String",
"appDataEncryptionType": "String",
"screenCaptureBlocked": true,
"encryptAppData": true,
"disableAppEncryptionIfDeviceEncryptionIsEnabled": true,
"minimumRequiredSdkVersion": "String",
"customSettings": [
{
"@odata.type": "microsoft.graph.keyValuePair",
"name": "String",
"value": "String"
}
],
"deployedAppCount": 1024,
"minimumRequiredPatchVersion": "String",
"minimumWarningPatchVersion": "String",
"exemptedAppProtocols": [
{
"@odata.type": "microsoft.graph.keyValuePair",
"name": "String",
"value": "String"
}
],
"exemptedAppPackages": [
{
"@odata.type": "microsoft.graph.keyValuePair",
"name": "String",
"value": "String"
}
],
"faceIdBlocked": true,
"minimumWipeSdkVersion": "String",
"minimumWipePatchVersion": "String",
"allowedIosDeviceModels": "String",
"appActionIfIosDeviceModelNotAllowed": "String",
"allowedAndroidDeviceManufacturers": "String",
"appActionIfAndroidDeviceManufacturerNotAllowed": "String",
"thirdPartyKeyboardsBlocked": true,
"filterOpenInToOnlyManagedApps": true,
"disableProtectionOfManagedOutboundOpenInData": true,
"protectInboundDataFromUnknownSources": true,
"requiredAndroidSafetyNetDeviceAttestationType": "String",
"appActionIfAndroidSafetyNetDeviceAttestationFailed": "String",
"requiredAndroidSafetyNetAppsVerificationType": "String",
"appActionIfAndroidSafetyNetAppsVerificationFailed": "String",
"customBrowserProtocol": "String",
"customBrowserPackageId": "String",
"customBrowserDisplayName": "String",
"minimumRequiredCompanyPortalVersion": "String",
"minimumWarningCompanyPortalVersion": "String",
"minimumWipeCompanyPortalVersion": "String",
"allowedAndroidDeviceModels": [
"String"
],
"appActionIfAndroidDeviceModelNotAllowed": "String",
"customDialerAppProtocol": "String",
"customDialerAppPackageId": "String",
"customDialerAppDisplayName": "String",
"biometricAuthenticationBlocked": true,
"requiredAndroidSafetyNetEvaluationType": "String",
"blockAfterCompanyPortalUpdateDeferralInDays": 1024,
"warnAfterCompanyPortalUpdateDeferralInDays": 1024,
"wipeAfterCompanyPortalUpdateDeferralInDays": 1024,
"deviceLockRequired": true,
"appActionIfDeviceLockNotSet": "String",
"connectToVpnOnLaunch": true,
"appActionIfDevicePasscodeComplexityLessThanLow": "String",
"appActionIfAccountIsClockedOut": "String",
"appActionIfDevicePasscodeComplexityLessThanMedium": "String",
"appActionIfDevicePasscodeComplexityLessThanHigh": "String",
"requireClass3Biometrics": true,
"requirePinAfterBiometricChange": true,
"fingerprintAndBiometricEnabled": true,
"minimumWarningSdkVersion": "String",
"messagingRedirectAppUrlScheme": "String",
"messagingRedirectAppDisplayName": "String",
"messagingRedirectAppPackageId": "String"
}
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for