How to monitor app protection policies
You can monitor the compliance status of the mobile app management (MAM) policies that you've applied to users from the Intune app protection pane in the Azure portal. Additionally, you can find information about the users affected by MAM policies, MAM policy compliance status, and any issues that your users might be experiencing.
There are three different places to monitor app protection policies:
- Summary view
- Detailed view
- Reporting view
For information about creating app protection policies, see How to create and assign app protection policies.
The retention period for app protection data is 90 days. Any app instances that have checked in to the MAM service within the past 90 days will be included in the App Protection Status report. An app instance is a unique user + app + device.
- Sign in to Intune.
- On the Intune pane, choose Client apps.
- In the Client apps workload, choose App protection status from the Monitor section, to see the summary view:
Assigned users: The total number of assigned users in your company who are using an app associated with a policy in a work context. It counts both the users who are protected and licensed and the assigned users who are unprotected and unlicensed.
Flagged users: The number of users who are experiencing issues. Jailbroken (iOS) and rooted (Android) devices are reported under Flagged users. Users with devices that are flagged by the Google SafetyNet device attestation check (if turned on by the IT admin) are reported here.
Users with potentially harmful apps: The number of users who may have a harmful app on their Android device detected by Google Play Protect.
User status for iOS and User status for Android: The number of users who, in a work context, have used an app that has a policy assigned to them for the related platform. This information shows the number of users managed by the policy, as well as the number of users who are using an app in a work context that is not targeted by any policy. Consider adding these users to the policy.
Top Protected iOS Apps: Based on the most used iOS apps, this information shows the number of protected and unprotected iOS apps.
Top Protected Android Apps: Based on the most used Android apps, this information shows the number of protected and unprotected Android apps.
Top Configured iOS Apps Without Enrollment: Based on the most used iOS apps for unenrolled devices, this information shows the number of configured iOS apps.
Top Configured Android Apps Without Enrollment: Based on the most used Android apps for unenrolled devices, this information shows the number of configured Android apps.
If you have multiple policies per platform, a user is considered managed by policy when at least one policy is assigned to them.
You can get to the detailed view from the summary by choosing the User status tile (per device OS platform), the Users with potentially harmful apps tile, or the Flagged users tile.
You can search for a single user and check the compliance status for that user. The App reporting pane shows the following information for a selected user:
- Icon: Displays whether the app status is up to date.
- App Name: The name of the app.
- Device Name: Devices that are associated with the user's account.
- Device Type: The type of device or operating system the device is running.
- Policies: The policies associated with the app.
- Checked in: The policy was deployed to the user, and the app was used in the work context at least once.
- Not checked in: The policy was deployed to the user, but the app has not been used in the work context since then.
- Last Sync: When the app was last synced with Intune.
The 'Last Sync' column carries the same value in the in-console User status report and in the exportable App Protection Policy .csv report; the only difference is a small synchronization delay between the two reports.
The time in 'Last Sync' is when Intune last saw the app instance, that is, a unique combination of app + user + device. When an end user launches an app, it may or may not contact the Intune App Protection service at launch time, depending on when it last checked in (the check-in interval, usually 30 minutes during active use, and its retry timings are described in the documentation on App Protection Policy check-in). So if an end user has not used that particular app within the last check-in interval and then launches it:
- The exportable App Protection Policy .csv report shows the new time within 1 minute (the typical minimum) to 30 minutes (the maximum, set by the SQL aggregation interval that Intune Reporting uses).
- The User status report shows the new time immediately.
For example, consider a targeted, and licensed end user that launches a protected app at 12:00 PM:
- If this is a first sign-in, the end user was signed out before (not active use) and therefore had no app instance registration with Intune. On sign-in they get a new app instance registration and are checked in immediately, barring connectivity issues; the report delays listed above apply to that check-in and to future ones. The Last Sync time therefore reads 12:00 PM in the User status report and 12:01 PM (12:30 PM worst case) in the App Protection Policy report.
- If they are simply launching an app they were already signed in to, the 'Last Sync' time reported depends on when the app last checked in.
To see the reporting for a user, follow these steps:
- Choose the User status summary tile.
- On the App reporting pane that opens, choose Select user to search for an Azure Active Directory user.
- Select the user from the list. You can see the details of the compliance status for that user.
If the user you searched for does not have a MAM policy deployed to them, you see a message informing you that the user is not targeted by any MAM policies.
Flagged users
The detailed view shows the error message, the app that was accessed when the error happened, the device OS platform affected, and a time stamp. Users with devices flagged by the 'SafetyNet device attestation' conditional launch check are reported here with the reason as reported by Google.
Users with potentially harmful apps
The detailed view shows the user, the app package ID, whether the app is MAM enabled, the threat category, email, device name, and a time stamp. Users with devices flagged by the 'Require threat scan on apps' conditional launch check are reported here with the threat category as reported by Google. If an app listed in this report is being deployed through Intune, contact the app's developer and/or remove the app from assignment to your end users.
You can find the same reports at the top of the App protection status blade.
Intune provides additional device reporting fields, including App Registration Id, Android manufacturer, model, and security patch version, as well as iOS model. In Intune, these fields are available by selecting Client apps > App protection status and choosing App Protection Report: iOS, Android. In addition, these parameters will help you configure the Allow list for device manufacturer (Android), the Allow list for device model (Android and iOS), and the minimum Android security patch version setting.
Additional reports are available to help you with the MAM policy compliance status. To view these reports, select Client apps > App protection status > Reports.
The Reports blade provides several reports based on user and app, including the following:
User report: This report outlines the same information you can find at the User status report under the Detailed view section above.
App report: In addition to selecting the platform and app, this report provides two different app protection statuses that you can select before generating the report. The statuses can be Protected or Unprotected.
User status for managed MAM activity (Protected): This report outlines the activity of each managed MAM app, on a per-user basis. It shows all apps targeted by MAM policies for each user, and breaks down the status of each app as either checked in with MAM policies, or targeted with a MAM policy but never checked in.
User status for unmanaged MAM activity (Unprotected): This report outlines the activity of MAM-enabled apps that are currently unmanaged, on a per-user basis. This can happen for the following reasons:
- The user, or the app itself, is not currently targeted by a MAM policy.
- The apps have checked in, but no MAM policy has been delivered to them.
User configuration report: Based on a selected user, this report provides details about any app configurations the user has received.
App configuration report: Based on the selected platform and app, this report provides details about which users have received configurations for the selected app.
App learning report for Windows Information Protection: This report shows which apps are attempting to cross policy boundaries.
Website learning for Windows Information Protection: This report shows which websites are attempting to cross policy boundaries.
Once the App protection user report data is displayed, you can aggregate data by the following:
- Validation result: The data shows up grouped by app protection status, which can be failure, warning or success.
- App name: The data shows up grouped by apps (the actual app name) with failure, warning, or success.
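The retention rule above (one app instance is a unique user + app + device, and only instances that checked in within the last 90 days count) and the two groupings of the user report (by result, by app) are easy to reproduce offline against the exportable .csv. The following script is an added example written for this article, not Microsoft's code or tooling. The column names in the header row and the sample rows are constructed assumptions; check them against a real export and adjust the field names in parse_report before use.

```python
"""Aggregate an exported App Protection Status report (.csv) offline.

Added example for this article, not Microsoft's code. Column names are
assumptions about the export format; adjust parse_report if yours differ.
"""
import csv
import io
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the retention filter is reproducible; use
# datetime.now(timezone.utc) against a real export.
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)
RETENTION_DAYS = 90  # retention period for app protection data
_EPOCH = datetime.min.replace(tzinfo=timezone.utc)  # sentinel for "never synced"

# Constructed sample export (not real data). Duplicate records for one app
# instance, a stale instance, and never-synced targeted apps are deliberate.
SAMPLE_CSV = """User,App Name,Device Name,Device Type,Policies,Status,Last Sync
alice@contoso.com,Outlook,alice-iphone,iOS,Corp MAM iOS,Checked in,2024-06-30T11:58:00+00:00
alice@contoso.com,Outlook,alice-iphone,iOS,Corp MAM iOS,Checked in,2024-06-29T09:00:00+00:00
alice@contoso.com,Teams,alice-iphone,iOS,Corp MAM iOS,Not checked in,
bob@contoso.com,Outlook,bob-pixel,Android,Corp MAM Android,Checked in,2024-06-28T17:30:00+00:00
bob@contoso.com,OneDrive,bob-pixel,Android,Corp MAM Android,Checked in,2024-03-01T10:00:00+00:00
carol@contoso.com,Outlook,carol-galaxy,Android,Corp MAM Android,Checked in,2024-06-30T11:59:30+00:00
carol@contoso.com,OneDrive,carol-galaxy,Android,Corp MAM Android,Not checked in,
"""


def parse_report(text):
    """Read the export; an empty Last Sync means the instance never checked in."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        last = raw["Last Sync"].strip()
        rows.append({
            "user": raw["User"], "app": raw["App Name"], "device": raw["Device Name"],
            "platform": raw["Device Type"], "policies": raw["Policies"],
            "status": raw["Status"],
            "last_sync": datetime.fromisoformat(last) if last else None,
        })
    return rows


def latest_per_instance(rows):
    """Collapse to one record per app instance (user + app + device), newest sync wins."""
    latest = {}
    for r in rows:
        key = (r["user"], r["app"], r["device"])
        cur = latest.get(key)
        if cur is None or (r["last_sync"] or _EPOCH) > (cur["last_sync"] or _EPOCH):
            latest[key] = r
    return list(latest.values())


def within_retention(instances, now=NOW, days=RETENTION_DAYS):
    """Keep instances seen in the retention window. Targeted-but-never-synced
    rows are kept too, so they still surface in the Not checked in list."""
    cutoff = now - timedelta(days=days)
    return [r for r in instances if r["last_sync"] is None or r["last_sync"] >= cutoff]


def stale_instances(rows, now=NOW, days=RETENTION_DAYS):
    """Instances whose last check-in is older than the retention window."""
    cutoff = now - timedelta(days=days)
    return sorted((r["user"], r["app"], r["device"]) for r in latest_per_instance(rows)
                  if r["last_sync"] is not None and r["last_sync"] < cutoff)


def by_status(instances):
    """Grouping by status, analogous to the report's 'Validation result' view."""
    return dict(Counter(r["status"] for r in instances))


def by_app(instances):
    """Grouping by app name, with a status breakdown per app."""
    out = defaultdict(Counter)
    for r in instances:
        out[r["app"]][r["status"]] += 1
    return {app: dict(c) for app, c in out.items()}


def not_checked_in(instances):
    """(user, app) pairs targeted by a policy whose app has not been used since."""
    return sorted((r["user"], r["app"]) for r in instances if r["status"] == "Not checked in")


def summarize(text=SAMPLE_CSV, now=NOW):
    inst = within_retention(latest_per_instance(parse_report(text)), now)
    return {"instances": len(inst), "by_status": by_status(inst),
            "by_app": by_app(inst), "not_checked_in": not_checked_in(inst),
            "stale": stale_instances(parse_report(text), now)}


if __name__ == "__main__":
    print(json.dumps(summarize(), indent=2, default=str))
```

Run against a real export by replacing SAMPLE_CSV with the file contents. The not_checked_in list is the set of users to follow up with (policy delivered, app never used in a work context), and stale_instances shows which rows the 90-day retention will drop from the next report.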
Export app protection activities to CSV
You can export all your app protection policy activities to a single .csv file. This can be helpful to analyze all the app protection statuses reported from the users.
Follow these steps to generate the App protection report:
- On the Intune mobile application management pane, choose App protection report.
- Choose Yes to save your report, then choose Save As and select the folder you want to save the report in.