How to create and assign app protection policies

Learn how to create and assign Microsoft Intune app protection policies to your users. This topic also describes how to make changes to existing policies.

Before you begin

App protection policies can apply to apps running on devices that may or may not be managed by Intune. For a more detailed description of how app protection policies work and the scenarios that are supported by Intune app protection policies, see What are Microsoft Intune app protection policies?

If you're looking for a list of MAM supported apps, see MAM apps list.

For information about adding your organization's line-of-business (LOB) apps to Microsoft Intune to prepare for app protection policies, see Add apps to Microsoft Intune.

Create an app protection policy

  1. In Intune portal, go to Client apps > App protection policies. This selection opens the App protection policies details, where you create new policies and edit existing policies.

  2. Select Create Policy.

    Screenshot of the 'Add a policy' blade

  3. Specify a name for the policy, add a brief description, and select the platform type for your policy. You can create more than one policy for each platform.

  4. Select Apps to open the Apps blade, where a list of available apps is displayed. Select one or more apps from the list that you want to associate with the policy that you're creating. Select at least one app to create a policy.

  5. Once you've selected the apps, choose Select to save your selection.

  6. On the Add a policy blade, select Configure required settings to open Settings.

    There are three categories of policy settings:

    • Data relocation - This group includes the data loss prevention (DLP) controls, like cut, copy, paste, and save-as restrictions. These settings determine how users interact with data in the apps.
    • Access requirements - This group contains the per-app PIN options that determine how the end user accesses the apps in a work context.
    • Conditional launch - This group holds settings like the minimum OS settings, jailbreak and rooted device detection, and offline grace periods.

    To get you started, the policy settings have default values. If the default values meet your requirements, you don't have to make any changes.

    Tip

    These policy settings are enforced only when using apps in the work context. When end users use the app to do a personal task, they aren't affected by these policies. Note that when you create a new file it is considered a personal file.

  7. Select OK to save this configuration. You're now back in the Add a policy blade.

  8. Select Create to create the policy and save your settings.

New policies you create aren't deployed to any users until you explicitly do so. To deploy a policy, see Deploy a policy to users.

Deploy a policy to users

  1. In the App protection policies pane, select a policy.

  2. In the *Intune App Protection pane, select Assignments to open the Intune App Protection - Assignments pane. On the Include tab, select Select groups to include.

    Screenshot of the Assignments pane with Select groups to include menu

  3. A list of all the security groups in your Azure Active Directory is displayed. Select the user groups that you want this policy to apply to, and then choose Select.

    Screenshot of the Add user group pane with list of Azure AD users

  4. After you include and exclude groups, select Save to save the configuration and deploy the policy to users. If you select Discard before you save your configuration, you will discard all changes you've made to the Include and Exclude tabs.

    Screenshot showing the save and discard options

You've now created a policy and deployed it to users.

Only users with assigned Microsoft Intune licenses are affected by the policy. Users in the selected security group that don’t have an assigned Intune license aren't affected.

Important

If you're using Intune with Configuration Manager to manage your devices, the policy is only applied to the users directly in the group that you selected. Members of child groups nested within the group you selected aren't affected.

End users can download the apps from the App store or Google Play. For more information, see:

Change existing policies

You can edit an existing policy and apply it to the targeted users. However, when you change existing policies, users who are already signed in to the apps won’t see the changes for an eight-hour period.

To see the effect of the changes immediately, the end user must sign out of the app, and then sign back in.

To change the list of apps associated with the policy

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Targeted apps to open the list of apps.

  3. Remove or add apps from the list and then select the Save icon to save your changes.

To change the list of user groups

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Assignments to open the Intune App Protection - Assignments pane that shows the list of current user groups who have this policy.

  3. To add a new user group to the policy, on the Include tab choose Select groups to include, and select the user group. Choose Select to add the group.

  4. To exclude a user group, on the Exclude tab choose Select groups to exclude, and select the user group. Choose Select to remove the user group.

  5. To delete groups that were added previously, on either the Include or Exclude tabs, select the ellipsis (...) and select Delete.

  6. After your changes to the assignments are ready, select Save to save the configuration and deploy the policy to the new set of users. If you select Discard before you save your configuration, you will discard all changes you've made to the Include and Exclude tabs.

To change policy settings

  1. In the App protection policies pane, choose the policy you want to change.

  2. In the Intune App Protection pane, select Properties to open the list of settings areas you can edit.

  3. Select the settings area with the settings you want to change, like Data relocation or Access requirements. Then change the settings to new values.

  4. Select the Save icon to save your changes. Repeat the process to select a settings area and modify and then save your changes, until all your changes are complete. You can then close the Intune App Protection - Properties pane.

Target app protection policies based on device management state

In many organizations, it’s common to allow end users to use both Intune Mobile Device Management (MDM) managed devices, such as corporate owned devices, and un-managed devices protected with only Intune app protection policies. Unmanaged devices are often known as Bring Your Own Devices (BYOD).

Because Intune app protection policies target a user’s identity, the protection settings for a user can apply to both enrolled (MDM managed) and non-enrolled devices (no MDM). Therefore, you can target an Intune app protection policy to either Intune enrolled or unenrolled iOS and Android devices. You can have one protection policy for un-managed devices in which strict data loss prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices, where the DLP controls may be a little more relaxed.

To create these policies, browse to Client apps > App protection policies in the Intune console, and then select Create Policy. You can also edit an existing app protection policy. To have the app protection policy apply to both managed and un-managed devices, confirm that Target to all app types is set to Yes, the default value. If you want to granularly assign base on management state, set Target to all app types to No.

Screenshot of the Add a policy blade with Target to all app types

For iOS, additional app configuration settings are required to target APP settings to apps on Intune enrolled devices:

Note

For specific iOS support information about app protection policies based on device management state, see MAM protection policies targeted based on management state.

Policy settings

To see a full list of the policy settings for iOS and Android, select one of the following links:

Next steps

Monitor compliance and user status

See also