How to create exceptions to the Intune App Protection Policy (APP) data transfer policy
As an administrator, you can create exceptions to the Intune App Protection Policy (APP) data transfer policy. An exception allows you to specifically choose which unmanaged apps can transfer data to and from managed apps. Your IT must trust the unmanaged apps that you include in the exception list.
You are responsible for making changes to the data transfer exception policy. Additions to this policy allow unmanaged apps (apps that are not managed by Intune) to access data protected by managed apps. This access to protected data may result in data security leaks. Only add data transfer exceptions for apps that your organization must use, but that do not support Intune APP (Application Protection Policies). Additionally, only add exceptions for apps that you do not consider to be data leak risks.
Within an Intune Application Protection Policy, setting Allow app to transfer data to other apps to Policy managed apps means that the app can transfer data only to apps managed by Intune. If you need to allow data to be transferred to specific apps that don't support Intune APP, you can create exceptions to this policy by using Select apps to exempt. Exemptions allow applications managed by Intune to invoke unmanaged applications based on URL protocol (iOS) or package name (Android). By default, Intune adds vital native applications to this list of exceptions.
Modifying or adding to the data transfer policy exceptions doesn't impact other App Protection Policies, such as cut, copy, and paste restrictions.
iOS data transfer exceptions
For a policy targeting iOS, you can configure data transfer exceptions by URL protocol. To add an exception, check the documentation provided by the developer of the app to find information about supported URL protocols. For more information about iOS data transfer exceptions, see iOS app protection policy settings - Data transfer exemptions.
Microsoft does not have a method to manually find the URL protocol for creating app exceptions for third-party applications.
Android data transfer exceptions
For a policy targeting Android, you can configure data transfer exceptions by app package name. You can check the Google Play store page for the app you would like to add an exception for to find the app package name. For more information about Android data transfer exceptions, see Android app protection policy settings - Data transfer exemptions.
You can find the package ID of an app by browsing to the app on the Google Play store. The package ID is contained in the URL of the app's page. For example, the package ID of the Microsoft Word app is com.microsoft.office.word.
By adding the Webex package as an exception to the MAM data transfer policy, Webex links inside a managed Outlook email message are allowed to open directly in the Webex application. Data transfer is still restricted in other unmanaged apps.
iOS Webex example: To exempt the Webex app so that it's allowed to be invoked by Intune managed apps, you must add a data transfer exception for the following string:
iOS Maps example: To exempt the native Maps app so that it's allowed to be invoked by Intune managed apps, you must add a data transfer exception for the following string:
Android Webex example: To exempt the Webex app so that it's allowed to be invoked by Intune managed apps, you must add a data transfer exception for the following string:
Android SMS example: To exempt the native SMS app so that it's allowed to be invoked by Intune managed apps across different messaging apps and Android devices, you must add data transfer exceptions for the following strings:
Android Certificate installer example: To exempt the native Certificate installer app so that Outlook for Android can install a S/MIME certificate (delivered as an email attachment) into the Android KeyStore, you must add the data transfer exception for the following string:
com.android.certinstaller. For more information, see Sensitivity labeling and protection in Outlook for iOS and Android.