Android app protection policy settings in Microsoft Intune
This article describes the app protection policy settings for Android devices. The policy settings that are described can be configured for an app protection policy on the Settings blade in the Azure portal. There are two categories of policy settings: data protection settings and access settings. In this article, the term policy-managed apps refers to apps that are configured with app protection policies.
Data protection settings
|Setting||How to use||Default value(s)|
|Prevent Android backups||Select Yes to prevent this app from backing up work or school data to the Android Backup Service.
Select No to allow this app to back up work or school data.
|Allow app to transfer data to other apps||Specify what apps can receive data from this app:
There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn't support Intune APP. See Data transfer exemptions for more information.
This policy may also apply to Android App Links. General web links are managed by the Restrict web content transfer with other apps policy setting.
Note: Intune doesn't currently support the Android Instant Apps feature. Intune will block any data connection to or from the app. See the Android Developer documentation for more information about Android Instant Apps.
|Allow app to receive data from other apps||Specify what apps can transfer data to this app:
There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.
|Prevent "Save As"||Choose Yes to disable the use of the Save As option in this app. Choose No if you want to allow the use of Save As. Note: This setting is supported for Microsoft Excel, OneNote, PowerPoint, and Word. It may also be supported by third-party and LOB apps.
Select which storage services corporate data can be saved to
|Restrict cut, copy, and paste with other apps||Specify when cut, copy, and paste actions can be used with this app. Choose from:
|Restrict web content transfer with other apps||Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
If you're using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.
If you deploy multiple policy-managed browsers, only one will be launched. The launch order will be Intune Managed Browser and then Microsoft Edge. On Android, your end users can choose from other policy-managed apps that support http/https links if neither Intune Managed Browser nor Microsoft Edge is installed.
If a policy-managed browser is required but not installed, your end users will be prompted to install the Intune Managed Browser.
If a policy-managed browser is required, Android App Links are managed by the Allow app to transfer data to other apps policy setting.
Intune device enrollment
Policy-managed Microsoft Edge
The APP SDK cannot determine if a target app is a browser. On Android devices, other managed browser apps that support the http/https intent are allowed.
|Encrypt app data||Choose Yes to enable encryption of work or school data in this app. Intune uses an OpenSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted. The SDK will continue to provide support for 128-bit keys for compatibility with content and apps that use older SDK versions.
The encryption method is not FIPS 140-2 certified.
|Disable app encryption when device encryption is enabled||Choose Yes to disable app encryption for internal app storage when device encryption is detected on an enrolled device.
Note: Intune can only detect device enrollment with Intune MDM. External app storage will still be encrypted to ensure data cannot be accessed by unmanaged applications.
|Disable contact sync||Choose Yes to prevent the app from saving data to the native Contacts app on the device. If you choose No, the app can save data to the native Contacts app on the device.
When you perform a selective wipe to remove work or school data from the app, contacts synced directly from the app to the native Contacts app are removed. Any contacts synced from the native address book to another external source can't be wiped. Currently this applies only to the Microsoft Outlook app.
|Disable printing||Choose Yes to prevent the app from printing work or school data.||No|
Data transfer exemptions
There are some exempt apps and platform services that Intune app protection policy may allow data transfer to and from. For example, all Intune-managed apps on Android must be able to transfer data to and from the Google Text-to-speech service, so that text from your mobile device screen can be read aloud. This list is subject to change and reflects the services and apps considered useful for secure productivity.
These apps and services are fully allowed for data transfer to and from Intune-managed apps.
|com.android.phone||Native phone app|
|com.android.vending||Google Play Store|
|com.android.documentsui||Android Document Picker|
|com.google.android.webview||WebView, which is necessary for many apps including Outlook.|
|com.android.webview||WebView, which is necessary for many apps including Outlook.|
|com.android.providers.settings||Android system settings|
|com.android.settings||Android system settings|
|com.azure.authenticator||Azure Authenticator app, which is required for successful authentication in many scenarios.|
|com.microsoft.windowsintune.companyportal||Intune Company Portal|
These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions.
|App/service name||Description||Exemption condition|
|com.android.chrome||Google Chrome Browser||Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted.|
|com.skype.raider||Skype||The Skype app is allowed only for certain actions that result in a phone call.|
|com.android.providers.media||Android media content provider||The media content provider is allowed only for the ringtone selection action.|
|com.google.android.gms; com.google.android.gsf||Google Play Services packages||These packages are allowed for Google Cloud Messaging actions, such as push notifications.|
For more information, see Data transfer policy exceptions for apps.
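The two exemption lists above can be turned into a concrete decision rule. The following is an added example, written for this page and not code from the Intune APP SDK: it models the outbound "Allow app to transfer data to other apps" check as a function that applies the policy value, the always-allowed packages, the conditionally allowed packages, admin-created exemptions, and the Instant Apps rule from the note above. The intent action strings that gate the conditional entries (call/dial, ringtone picker, GCM registration/receive) are Android platform constants chosen here to approximate the page's wording, and the policy value vocabulary ("all apps", "policy managed apps", "none") is an assumption of this model.

```python
"""Model of the outbound data-transfer decision an Intune-managed Android
app makes before handing work or school data to another package.

Added example, not Intune APP SDK code. It encodes the two exemption
lists on this page: packages always allowed, and packages allowed only
for a particular action. The intent action strings that gate the
conditional entries are Android platform constants chosen here to
approximate the page's wording ("actions that result in a phone call",
"the ringtone selection action", "Google Cloud Messaging actions"); they
and the policy_setting vocabulary are assumptions of this model.
"""

# Packages the page lists as fully allowed for transfer to and from
# Intune-managed apps.
ALWAYS_EXEMPT = {
    "com.android.phone",
    "com.android.vending",
    "com.android.documentsui",
    "com.google.android.webview",
    "com.android.webview",
    "com.android.providers.settings",
    "com.android.settings",
    "com.azure.authenticator",
    "com.microsoft.windowsintune.companyportal",
}

# Packages allowed only under a condition, expressed here as the set of
# intent actions that unlock the transfer (assumed mapping, see above).
_GCM_ACTIONS = {
    "com.google.android.c2dm.intent.REGISTER",
    "com.google.android.c2dm.intent.RECEIVE",
}
CONDITIONAL_EXEMPT = {
    "com.skype.raider": {"android.intent.action.CALL", "android.intent.action.DIAL"},
    "com.android.providers.media": {"android.intent.action.RINGTONE_PICKER"},
    "com.google.android.gms": _GCM_ACTIONS,
    "com.google.android.gsf": _GCM_ACTIONS,
}
# com.android.chrome is deliberately in neither list: the page says its
# data flow is always restricted even though the app is never hidden.

VALID_SETTINGS = ("all apps", "policy managed apps", "none")


def outbound_allowed(policy_setting, target_package, managed_packages,
                     action=None, admin_exemptions=(), instant_app=False):
    """Return True if data may flow from this app to target_package.

    policy_setting   -- value of "Allow app to transfer data to other apps"
    managed_packages -- packages known to carry an app protection policy
    action           -- intent action of the transfer, if any
    admin_exemptions -- packages the admin exempted (see "Data transfer
                        exemptions"); these are trusted without conditions
    instant_app      -- the page says Intune blocks every data connection
                        to or from an Android Instant App
    """
    if policy_setting not in VALID_SETTINGS:
        raise ValueError(f"unknown policy setting: {policy_setting!r}")
    if instant_app:
        return False
    if policy_setting == "all apps":
        return True
    # Exemptions apply whether the setting is "policy managed apps" or "none".
    if target_package in ALWAYS_EXEMPT or target_package in admin_exemptions:
        return True
    if action is not None and action in CONDITIONAL_EXEMPT.get(target_package, ()):
        return True
    if policy_setting == "policy managed apps":
        return target_package in managed_packages
    return False


def blocked_transfers(policy_setting, intents, managed_packages, **kw):
    """Filter a batch of (target_package, action) pairs down to those the
    policy would block; useful when reviewing what an app actually attempts."""
    return [(pkg, act) for pkg, act in intents
            if not outbound_allowed(policy_setting, pkg, managed_packages, act, **kw)]


# Constructed sample: packages and intents a managed mail client might
# target on a device (not captured from a real device).
MANAGED = {"com.microsoft.office.outlook", "com.microsoft.teams"}
SAMPLE_INTENTS = [
    ("com.microsoft.teams", "android.intent.action.SEND"),
    ("com.example.notes", "android.intent.action.SEND"),
    ("com.android.phone", "android.intent.action.CALL"),
    ("com.skype.raider", "android.intent.action.CALL"),
    ("com.skype.raider", "android.intent.action.SEND"),
    ("com.android.chrome", "android.intent.action.VIEW"),
    ("com.google.android.gms", "com.google.android.c2dm.intent.RECEIVE"),
]

if __name__ == "__main__":
    for pkg, act in blocked_transfers("policy managed apps", SAMPLE_INTENTS, MANAGED):
        print(f"blocked: {pkg} ({act})")
```

With the setting at "policy managed apps", the sample batch yields three blocked transfers: the unmanaged notes app, Skype for a non-call action, and Chrome, while the phone app, Skype for a call, and the GMS push action pass. Note that the exemptions also apply when the setting is "none"; only the Instant Apps rule overrides everything, including "all apps".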
Access settings
|Setting||How to use|
|Require PIN for access||Select Yes to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context.
Default value = Yes.
Configure the following settings for PIN strength:
|Require corporate credentials for access||Choose Yes to require the user to sign in with their work or school account instead of entering a PIN for app access. When set to Yes, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.
Default value = No
|Recheck the access requirements after (minutes)||Configure the following setting:
|Block screen capture and Android Assistant||Select Yes to block screen capture and the Android Assistant capabilities of the device when using this app. Choosing Yes will also blur the App-switcher preview image when using this app with a work or school account.
Default value = No
To learn more about how multiple Intune app protection settings that are configured in the Access section and applied to the same set of apps and users interact on Android, see Intune MAM frequently asked questions and Selectively wipe data using app protection policy access actions in Intune.
Conditional launch
Configure conditional launch settings to set sign-in security requirements for your access protection policy.
By default, several settings are provided with pre-configured values and actions. You can delete some of the settings, like the Min OS version. You can also select additional settings from the Select one dropdown.
|Setting||How to use|
|Max PIN attempts||Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. This policy setting format supports a positive whole number. Actions include:
|Offline grace period||The number of minutes that MAM apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Actions include:
Default value = 90 days
This entry can appear multiple times, with each instance supporting a different action.
|Jailbroken/rooted devices||There is no value to set for this setting. Actions include:
|Min OS version||Specify a minimum Android operating system version that is required to use this app. Actions include:
|Min app version||Specify a value for the minimum application version that is required to use this app. Actions include:
This entry can appear multiple times, with each instance supporting a different action.
This policy setting format supports major.minor, major.minor.build, or major.minor.build.revision.
|Min patch version||Require that devices have a minimum Android security patch level released by Google.
|Device manufacturer(s)||Specify a device manufacturer that is required to use this app. Actions include:
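The conditional launch table reads as a list of (setting, value, action) entries, with some settings repeatable so that a lenient threshold can warn and a stricter one can block or wipe. The following is an added example, not Intune SDK code, that models that evaluation: it parses the major.minor[.build[.revision]] version format the page specifies, compares the device's facts against every entry, and reports the most severe action among the entries that fire. The action names (warn, block, wipe), the device-fact field names, and the assumption that Min patch version is compared as a YYYY-MM-DD security patch level are all assumptions of this model.

```python
"""Model of Intune conditional-launch evaluation for an Android app.

Added example, not Intune SDK code. Policy entries are (setting, value,
action) tuples; the same setting may appear more than once with a
different action, as the page describes for Min app version and Offline
grace period. Version strings follow the page's major.minor,
major.minor.build or major.minor.build.revision format. The action names,
the device-fact dictionary shape and the YYYY-MM-DD patch level format
are assumptions of this model.
"""
from datetime import date

# Severity order used to pick the outcome when several entries fire.
ACTION_SEVERITY = {"warn": 1, "block": 2, "wipe": 3}


def parse_version(text):
    """Parse 'major.minor', 'major.minor.build' or
    'major.minor.build.revision' into a 4-tuple of ints, padding with
    zeros so that '8.1' compares equal to '8.1.0.0'."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def parse_patch(text):
    """Android security patch level as YYYY-MM-DD (assumed format)."""
    return date.fromisoformat(text)


def entry_fires(setting, value, device):
    """Return True when the device fails the requirement of one entry."""
    if setting == "max_pin_attempts":
        return device["pin_failures"] >= int(value)
    if setting == "offline_grace_period_minutes":
        return device["minutes_offline"] > int(value)
    if setting == "rooted":
        return device["rooted"]
    if setting == "min_os_version":
        return parse_version(device["os_version"]) < parse_version(value)
    if setting == "min_app_version":
        return parse_version(device["app_version"]) < parse_version(value)
    if setting == "min_patch_version":
        return parse_patch(device["security_patch"]) < parse_patch(value)
    if setting == "device_manufacturers":
        allowed = {m.strip().lower() for m in value.split(";") if m.strip()}
        return device["manufacturer"].lower() not in allowed
    raise ValueError(f"unknown conditional launch setting: {setting}")


def evaluate(policy, device):
    """Evaluate every entry and return (action, fired_entries).

    action is None when the app may launch normally; otherwise it is the
    most severe action among the entries that fired (wipe > block > warn).
    """
    fired = [e for e in policy if entry_fires(e[0], e[1], device)]
    if not fired:
        return None, []
    worst = max(fired, key=lambda e: ACTION_SEVERITY[e[2]])
    return worst[2], fired


# Constructed sample policy. min_app_version appears twice: an older build
# only warns, a build below a security fix is blocked. Offline grace period
# likewise appears twice (block after 12 hours, wipe after 90 days).
SAMPLE_POLICY = [
    ("max_pin_attempts", "5", "block"),
    ("offline_grace_period_minutes", "720", "block"),
    ("offline_grace_period_minutes", str(90 * 24 * 60), "wipe"),
    ("rooted", "", "wipe"),
    ("min_os_version", "8.0", "block"),
    ("min_app_version", "4.2.0", "warn"),
    ("min_app_version", "4.0", "block"),
    ("min_patch_version", "2023-06-01", "block"),
    ("device_manufacturers", "Google;Samsung", "block"),
]

# Constructed device facts (field names are an assumption of this model).
COMPLIANT_DEVICE = {
    "pin_failures": 0, "minutes_offline": 30, "rooted": False,
    "os_version": "13.0", "app_version": "4.3.1",
    "security_patch": "2023-09-05", "manufacturer": "Google",
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, COMPLIANT_DEVICE))
    stale = dict(COMPLIANT_DEVICE, app_version="4.1.7", rooted=True)
    print(evaluate(SAMPLE_POLICY, stale))
```

The point worth checking in your own policy is the interaction of repeated entries: a device running app version 4.1.7 trips only the warn entry, 3.9.9 trips both and is blocked, and a rooted device is wiped regardless of anything else that fires. Padding short versions with zeros matters because "8.1" and "8.1.0.0" must be treated as the same release rather than compared as strings.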