How to create and assign app protection policies

Learn how to create and assign Microsoft Intune app protection policies (APP) for users of your organization. This topic also describes how to make changes to existing policies.

Before you begin

App protection policies can apply to apps running on devices that may or may not be managed by Intune. For a more detailed description of how app protection policies work and the scenarios that are supported by Intune app protection policies, see What are Microsoft Intune app protection policies?

If you're looking for a list of MAM supported apps, see MAM apps list.

For information about adding your organization's line-of-business (LOB) apps to Microsoft Intune to prepare for app protection policies, see Add apps to Microsoft Intune.

App protection policies for iOS/iPadOS and Android apps

When you create an app protection policy for iOS/iPadOS and Android apps, you follow a modern Intune process flow that results in a new app protection policy.

Create an iOS/iPadOS or Android app protection policy

  1. Sign in to Intune.

  2. In Intune portal, choose Client apps > App protection policies. This selection opens the App protection policies details, where you create new policies and edit existing policies.

  3. Select Create policy and select either iOS/iPadOS or Android. The Create policy blade is displayed.

  4. On the Basics page, add the following values:

    Value Description
    Name The name of this app protection policy.
    Description [Optional] The description of this app protection policy.

    The Platform value is set based on your above choice.

    Screenshot of the Basics page of the Create policy blade

  5. Click Next to display the Apps page.
    The Apps page allows you to choose how you want to apply this policy to apps on different devices. You must add at least one app.

    Value/Option Description
    Target to apps on all devices types Use this option to target your policy to apps on devices of any management state. Choose No to target apps on specific devices types. For information, see Target app protection policies based on device management state
    Device types Use this option to specify whether this policy applies to MDM managed devices or unmanaged devices. For iOS APP policies, select from Unmanaged and Managed devices. For Android APP policies, select from Unmanaged, Android device administrator, and Android Enterprise.
    Public apps Click Select public apps to choose the apps to target.
    Custom apps Click Select custom apps to select custom apps to target based on a Bundle ID.

    The app(s) you have selected will appear in the public and custom apps list.

  6. Click Next to display the Data protection page.
    This page provides settings for data loss prevention (DLP) controls, including cut, copy, paste, and save-as restrictions. These settings determine how users interact with data in the apps that this app protection policy applies.​

    Data protection settings:

  7. Click Next to display the Access requirements page.
    This page provides settings to allow you to configure the PIN and credential requirements that users must meet to access apps in a work context.

    Access requirements settings:

  8. Click Next to display the Conditional launch page.
    This page provides settings to set the sign-in security requirements for your app protection policy. Select a Setting and enter the Value that users must meet to sign in to your company app. Then select the Action you want to take if users do not meet your requirements. In some cases, multiple actions can be configured for a single setting.

    Conditional launch settings:

  9. Click Next to display the Assignments page.
    The Assignments page allows you to assign the app protection policy to groups of users.

    Important

    If you're using Intune with Configuration Manager to manage your devices, the policy is only applied to the users directly in the group that you selected. Members of child groups nested within the group you selected aren't affected.

  10. Click Next: Review + create to review the values and settings you entered for this app protection policy.

  11. When you are done, click Create to create the app protection policy in Intune.

    Tip

    These policy settings are enforced only when using apps in the work context. When end users use the app to do a personal task, they aren't affected by these policies. Note that when you create a new file it is considered a personal file.

End users can download the apps from the App store or Google Play. For more information, see:

Change existing policies

You can edit an existing policy and apply it to the targeted users. However, when you change existing policies, users who are already signed in to the apps won’t see the changes for an eight-hour period.

To see the effect of the changes immediately, the end user must sign out of the app, and then sign back in.

To change the list of apps associated with the policy

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Properties.

  3. Next to the section titled Apps, select Edit.

  4. The Apps page allows you to choose how you want to apply this policy to apps on different devices. You must add at least one app.

    Value/Option Description
    Target to apps on all devices types Use this option to target your policy to apps on devices of any management state. Choose No to target apps on specific devices types. For information, see Target app protection policies based on device management state
    Device types Use this option to specify whether this policy applies to MDM managed devices or unmanaged devices. For iOS APP policies, select from Unmanaged and Managed devices. For Android APP policies, select from Unmanaged, Android device administrator, and Android Enterprise.
    Public apps Click Select public apps to choose the apps to target.
    Custom apps Click Select custom apps to select custom apps to target based on a Bundle ID.

    The app(s) you have selected will appear in the public and custom apps list.

  5. Click Review + create to review the apps selected for this policy.

  6. When you are done, click Save to update the app protection policy.

To change the list of user groups

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Properties.

  3. Next to the section titled Assignments, select Edit.

  4. To add a new user group to the policy, on the Include tab choose Select groups to include, and select the user group. Choose Select to add the group.

  5. To exclude a user group, on the Exclude tab choose Select groups to exclude, and select the user group. Choose Select to remove the user group.

  6. To delete groups that were added previously, on either the Include or Exclude tabs, select the ellipsis (...) and select Delete.

  7. Click Review + create to review the user groups selected for this policy.

  8. After your changes to the assignments are ready, select Save to save the configuration and deploy the policy to the new set of users. If you select Cancel before you save your configuration, you will discard all changes you've made to the Include and Exclude tabs.

To change policy settings

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Properties.

  3. Next to the section corresponding to the settings you want to change, select Edit. Then change the settings to new values.

  4. Click Review + create to review the updated settings for this policy.

  5. Select the Save to save your changes. Repeat the process to select a settings area and modify and then save your changes, until all your changes are complete. You can then close the Intune App Protection - Properties pane.

Target app protection policies based on device management state

In many organizations, it’s common to allow end users to use both Intune Mobile Device Management (MDM) managed devices, such as corporate owned devices, and un-managed devices protected with only Intune app protection policies. Unmanaged devices are often known as Bring Your Own Devices (BYOD).

Because Intune app protection policies target a user’s identity, the protection settings for a user can apply to both enrolled (MDM managed) and non-enrolled devices (no MDM). Therefore, you can target an Intune app protection policy to either Intune enrolled or unenrolled iOS and Android devices. You can have one protection policy for unmanaged devices in which strict data loss prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices, where the DLP controls may be a little more relaxed. For more information how this works on personal Android Enterprise devices, see App protection policies and work profiles.

To create these policies, browse to Client apps > App protection policies in the Intune console, and then select Create policy. You can also edit an existing app protection policy. To have the app protection policy apply to both managed and un-managed devices, navigate to the Apps page and confirm that Target to apps on all device types is set to Yes, the default value. If you want to granularly assign based on management state, set Target to apps on all device types to No.

Device types

  • Unmanaged: Unmanaged devices are devices where Intune MDM management has not been detected. This includes devices managed by third-party MDM vendors.
  • Intune managed devices: Managed devices are managed by Intune MDM.
  • Android device administrator: Intune-managed devices using the Android Device Administration API.
  • Android Enterprise: Intune-managed devices using Android Enterprise Work Profiles or Android Enterprise Full Device Management.

Note

Android devices will prompt to install the Intune Company Portal app regardless of which Device type is chosen. For example, if you select 'Android Enterprise' then users with unmanaged Android devices will still be prompted.

For iOS, additional app configuration settings are required to target app protection policy (APP) settings to apps on Intune enrolled devices:

Note

For specific iOS support information about app protection policies based on device management state, see MAM protection policies targeted based on management state.

Policy settings

To see a full list of the policy settings for iOS and Android, select one of the following links:

Next steps

Monitor compliance and user status

See also