The policy settings that are described in this topic can be configured for an app protection policy on the Settings blade in the Azure portal. There are two categories of policy settings: data relocation settings and access settings. In this topic, the term policy-managed apps refers to apps that are configured with app protection policies.
Data relocation settings
| Setting | How to use | Default value(s) |
|---|---|---|
| Prevent Android backups | Choose Yes to prevent this app from backing up work or school data to the Android Backup Service. Choose No to allow this app to back up work or school data. | Yes |
| Allow app to transfer data to other apps | Specify what apps can receive data from this app:<br>There are some exempt apps and services to which Intune may allow data transfer regardless of this setting. See Data transfer exemptions for the full list of apps and services. | |
| Allow app to receive data from other apps | Specify what apps can transfer data to this app:<br>There are some exempt apps and services from which Intune may allow data transfer regardless of this setting. See Data transfer exemptions for the full list of apps and services. | |
| Prevent "Save As" | Choose Yes to disable the use of the Save As option in this app. Choose No to allow the use of Save As. | |
| Restrict cut, copy and paste with other apps | Specify when cut, copy, and paste actions can be used with this app. Choose from: | |
| Restrict web content to display in the Managed Browser | Choose Yes to force web links in the app to open in the Managed Browser app.<br>For devices not enrolled in Intune, web links in policy-managed apps can open only in the Managed Browser app.<br>If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune. | |
| Encrypt app data | Choose Yes to enable encryption of work or school data in this app. Intune uses an OpenSSL 128-bit AES encryption scheme together with the Android Keystore system to encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted.<br>Note: the encryption method is not FIPS 140-2 certified. | |
| Disable app encryption when device encryption is enabled | Choose Yes to disable app encryption for internal app storage when device encryption is detected on an enrolled device.<br>Note: Intune can only detect device enrollment with Intune MDM. External app storage is still encrypted so that unmanaged applications cannot access the data. | |
| Disable contact sync | Choose Yes to prevent the app from saving data to the native Contacts app on the device. If you choose No, the app can save data to the native Contacts app on the device.<br>When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Contacts synced from the native address book to another external source cannot be wiped. Currently this applies only to the Microsoft Outlook app. | |
| Disable printing | Choose Yes to prevent the app from printing work or school data. | No |
Data transfer exemptions
There are some exempt apps and platform services to and from which Intune app protection policy may allow data transfer. For example, all Intune-enlightened apps on Android must be able to transfer data to and from the Google Text-to-speech service, so that text on the mobile device screen can be read aloud. This list is subject to change and reflects the services and apps considered useful for secure productivity.
These apps and services are fully allowed for data transfer to and from Intune-managed apps.

| App/service name | Description |
|---|---|
| com.android.phone | Native phone app |
| com.android.vending | Google Play Store |
| com.android.documentsui | Android Document Picker |
| com.google.android.webview | WebView, which is necessary for many apps including Outlook. |
| com.android.webview | WebView, which is necessary for many apps including Outlook. |
| com.android.providers.settings | Android system settings |
| com.azure.authenticator | Azure Authenticator app, which is required for successful authentication in many scenarios. |
| com.microsoft.windowsintune.companyportal | Intune Company Portal |
These apps and services are allowed for data transfer to and from Intune-managed apps only under certain conditions.

| App/service name | Description | Exemption condition |
|---|---|---|
| com.android.chrome | Google Chrome Browser | Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted. |
| com.skype.raider | Skype | The Skype app is allowed only for certain actions that result in a phone call. |
| com.android.providers.media | Android media content provider | The media content provider is allowed only for the ringtone selection action. |
| com.google.android.gms; com.google.android.gsf | Google Play Services packages | These packages are allowed for Google Cloud Messaging actions, such as push notifications. |
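The following is an added illustration, not Intune's code, of how the data relocation settings and the two exemption tables above combine into a single allow/deny decision for one app-to-app transfer. The package lists are the ones in the tables; the three-level `Transfer` values, the `Policy` fields and the action labels used for the conditional exemptions (`phone_call`, `ringtone_selection`, `push_notification`) are assumptions made for this model, and the sample policy at the bottom is constructed.

```python
"""
Added model of the Android data-transfer decision described in the Data
relocation settings and Data transfer exemptions sections (illustration only,
not Intune's code). Transfer levels, Policy fields and action names are
assumptions; the package lists come from the tables above.
"""
from dataclasses import dataclass, field
from enum import Enum


class Transfer(Enum):
    """Assumed three levels for the 'transfer data to / receive data from other apps' settings."""
    ALL_APPS = "all apps"
    POLICY_MANAGED = "policy-managed apps only"
    NONE = "no apps"


# Fully exempt packages: transfer in both directions is always allowed.
FULLY_EXEMPT = {
    "com.android.phone",                          # native phone app
    "com.android.vending",                        # Google Play Store
    "com.android.documentsui",                    # Android document picker
    "com.google.android.webview",                 # WebView
    "com.android.webview",                        # WebView
    "com.android.providers.settings",             # Android system settings
    "com.azure.authenticator",                    # Azure Authenticator
    "com.microsoft.windowsintune.companyportal",  # Intune Company Portal
}

# Conditionally exempt packages: allowed only for these actions (the action
# names are this model's own labels). Any other action falls back to policy.
CONDITIONAL_EXEMPT = {
    "com.skype.raider": {"phone_call"},
    "com.android.providers.media": {"ringtone_selection"},
    "com.google.android.gms": {"push_notification"},
    "com.google.android.gsf": {"push_notification"},
}

# Chrome may render WebView components on Android 7.0+ but data flow to and
# from it is always restricted, so it never gets an exemption.
ALWAYS_RESTRICTED = {"com.android.chrome"}


@dataclass
class Policy:
    outbound: Transfer = Transfer.ALL_APPS              # 'Allow app to transfer data to other apps'
    inbound: Transfer = Transfer.ALL_APPS               # 'Allow app to receive data from other apps'
    managed_packages: set = field(default_factory=set)  # apps that carry an app protection policy


def transfer_allowed(policy: Policy, direction: str, peer: str, action: str = "share"):
    """Decide whether this policy-managed app may exchange data with `peer`.

    direction is "out" (this app sends data to peer) or "in" (peer sends data
    to this app). Returns (allowed, reason).
    """
    if direction not in ("out", "in"):
        raise ValueError("direction must be 'out' or 'in'")
    if peer in ALWAYS_RESTRICTED:
        return False, "data flow to this package is always restricted"
    if peer in FULLY_EXEMPT:
        return True, "fully exempt package"
    if action in CONDITIONAL_EXEMPT.get(peer, set()):
        return True, f"exempt for action '{action}'"
    setting = policy.outbound if direction == "out" else policy.inbound
    if setting is Transfer.ALL_APPS:
        return True, "policy allows all apps"
    if setting is Transfer.POLICY_MANAGED and peer in policy.managed_packages:
        return True, "peer is policy-managed"
    return False, f"policy setting is '{setting.value}'"


if __name__ == "__main__":
    # Constructed sample: a locked-down policy where only other managed apps may exchange data.
    locked = Policy(Transfer.POLICY_MANAGED, Transfer.POLICY_MANAGED, {"com.microsoft.office.outlook"})
    for peer, action in [("com.microsoft.office.outlook", "share"), ("com.example.notes", "share"),
                         ("com.azure.authenticator", "auth"), ("com.android.chrome", "open_link"),
                         ("com.skype.raider", "phone_call"), ("com.skype.raider", "share")]:
        print(direction := "out", peer, action, transfer_allowed(locked, direction, peer, action))
```

The order of the checks is the point: the always-restricted and fully-exempt lists are evaluated before the policy setting, so even a policy set to block all transfers still reaches the authenticator and Company Portal, and even a fully permissive policy never opens a data path to Chrome. When reviewing a tenant's configuration, treat the exemption list as part of the effective policy rather than something the setting alone describes.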
Access settings

| Setting | How to use | Default value(s) |
|---|---|---|
| Require PIN for access | Choose Yes to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context.<br>Configure the following settings for PIN strength: PIN reset attempts, Allow simple PIN, PIN length, Allow fingerprint. | Require PIN: Yes<br>PIN reset attempts: 5<br>Allow simple PIN: Yes<br>PIN length: 4<br>Allow fingerprint: Yes |
| Require corporate credentials for access | Choose Yes to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Yes, it overrides the PIN and fingerprint requirements. | No |
| Block managed apps from running on jailbroken or rooted devices | Choose Yes to prevent this app from running on jailbroken or rooted devices. The user can continue to use the app for personal tasks, but must use a different device to access work or school data in it. | Yes |
| Recheck the access requirements after (minutes) | Configure the following settings: | |
| Offline interval before app data is wiped (days) | After this many days (defined by the admin) of running offline, the app requires the user to connect to the network and reauthenticate. If the user authenticates successfully, they can continue to access their data and the offline interval is reset. If the user fails to authenticate, the app performs a selective wipe of the user's account and data. See How to wipe only corporate data from Intune-managed apps for more information on what data a selective wipe removes. | |
| Block screen capture and Android Assistant (Android 6.0+) | Choose Yes to block screen capture and the Android Assistant capabilities of the device when using this app. Choosing Yes also blurs the app-switcher preview image when using this app with a work or school account. | No |
| Disable app PIN when device PIN is managed | Choose Yes to disable the app PIN when a device lock is detected on an enrolled device. | No |
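The following is an added model, not Intune's code or SDK, of how the access settings above gate a launch of a policy-managed app: rooted-device blocking, the offline interval with its reset-on-success and wipe-on-failure behaviour, corporate credentials overriding the app PIN, and the device lock satisfying the PIN on an enrolled device. It also checks a candidate PIN against the PIN length and Allow simple PIN settings. The `Decision` values, the `AccessPolicy`/`DeviceState` field names, the meaning of `offline_wipe_days = 0` (no limit) and the definition of a "simple" PIN are assumptions made for this example; the page does not define them.

```python
"""
Added model of the Android access-requirement settings (illustration only,
not Intune's code). Decision values, field names, the 0 = no-limit convention
and the 'simple PIN' definition are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    PROMPT_PIN = "prompt for app PIN"
    PROMPT_CREDENTIALS = "prompt for work or school credentials"
    BLOCK_ROOTED = "blocked on rooted device"
    REAUTH_REQUIRED = "offline interval exceeded: connect and re-authenticate"
    SELECTIVE_WIPE = "selective wipe of work or school data"


@dataclass
class AccessPolicy:
    require_pin: bool = True                    # 'Require PIN for access' (page default: Yes)
    min_pin_length: int = 4                     # 'PIN length' (page default: 4)
    allow_simple_pin: bool = True               # 'Allow simple PIN' (page default: Yes)
    require_corporate_credentials: bool = False # 'Require corporate credentials for access'
    block_rooted: bool = True                   # 'Block managed apps on jailbroken or rooted devices'
    disable_app_pin_if_device_pin: bool = False # 'Disable app PIN when device PIN is managed'
    offline_wipe_days: int = 0                  # 'Offline interval before app data is wiped'; 0 = no limit (assumption)


@dataclass
class DeviceState:
    rooted: bool = False
    days_offline: int = 0
    online: bool = True
    enrolled_with_device_lock: bool = False     # enrolled in Intune MDM and a device lock is detected
    pin_verified: bool = False
    credentials_verified: bool = False


def pin_is_simple(pin: str) -> bool:
    """Assumed definition of a 'simple' PIN: all digits equal, or one ascending/descending run."""
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def pin_acceptable(pin: str, policy: AccessPolicy) -> bool:
    """Apply the PIN length and Allow simple PIN settings to a candidate PIN."""
    if not pin.isdigit() or len(pin) < policy.min_pin_length:
        return False
    return policy.allow_simple_pin or not pin_is_simple(pin)


def check_access(policy: AccessPolicy, state: DeviceState,
                 reauth_succeeded: Optional[bool] = None) -> Decision:
    """Evaluate one launch of the app. reauth_succeeded is the outcome of the
    online re-authentication demanded once the offline interval has elapsed
    (None = not attempted yet)."""
    # 1. Rooted devices never reach work data when the policy blocks them.
    if policy.block_rooted and state.rooted:
        return Decision.BLOCK_ROOTED
    # 2. Offline interval: after the configured days offline the user must
    #    connect and re-authenticate; success resets the interval, failure wipes.
    if policy.offline_wipe_days and state.days_offline >= policy.offline_wipe_days:
        if not state.online or reauth_succeeded is None:
            return Decision.REAUTH_REQUIRED
        if reauth_succeeded:
            state.days_offline = 0
        else:
            return Decision.SELECTIVE_WIPE
    # 3. Corporate credentials replace the PIN requirement entirely.
    if policy.require_corporate_credentials:
        return Decision.ALLOW if state.credentials_verified else Decision.PROMPT_CREDENTIALS
    # 4. App PIN, unless the device lock on an enrolled device is accepted instead.
    pin_needed = policy.require_pin and not (
        policy.disable_app_pin_if_device_pin and state.enrolled_with_device_lock)
    if pin_needed and not state.pin_verified:
        return Decision.PROMPT_PIN
    return Decision.ALLOW


if __name__ == "__main__":
    # Constructed walk-through of the offline interval on a 30-day policy.
    policy = AccessPolicy(offline_wipe_days=30)
    state = DeviceState(days_offline=30, online=False)
    print(check_access(policy, state))                                   # REAUTH_REQUIRED
    state.online = True
    print(check_access(policy, state, reauth_succeeded=False))           # SELECTIVE_WIPE
    print(pin_acceptable("1234", AccessPolicy(allow_simple_pin=False)))  # False
```

Two things the walk-through makes concrete: with the page's defaults (Allow simple PIN: Yes, PIN length: 4) a PIN such as 1234 is accepted, so tightening those two settings is the cheapest hardening available here; and the offline interval wipes only on a failed re-authentication, never merely because the device stayed offline, so a device that cannot reach the network is locked out rather than wiped.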