Review client app protection logs

Learn about the settings you can review in the app protection logs. Access logs by enabling Intune Diagnostics on a mobile client.

The process to enable and collect logs varies by platform:

The following table lists the name and an explanation of the settings recorded in the log.

App protection policy settings

Name Possible Value(s)​ Setting in Azure Intune Mobile Application Management portal​
AccessRecheckOfflineTimeout​ x minutes [Access] Recheck access requirements - Offline Grace Period
Note: This is the time period before access requirements for the app are rechecked if the device is offline.
AccessRecheckOnlineTimeout​ x minutes [Access] Recheck access requirements - Timeout.
Note: This is the time period before access requirements for the app are rechecked after the app is launched if the device is online.
AllowedOutboundClipboardSharingExceptionLength x characters [Access] Specify the number of characters that may be cut or copied from a managed app. This setting overrides the AllowedOutboundClipboardSharingLevel restriction. Default value of '0' means no exception is allowed.
AppPinDisabled​ 0 = No​
1 = Yes
[Access] Disable app PIN when device PIN is managed​.
AppSharingFromLevel​ 0 = No apps​
1 = Managed apps
2 = Any app.
[Data Relocation] Allow this app to receive data from other apps.​
AppSharingToLevel​ 0 = No apps​
1 = Managed apps
2 = Any app.
[Data Relocation] Allow this app to transfer data to other apps​..
AuthenticationEnabled​ 0 = No​
1 = Yes
[Access] Require corporate credentials for access instead of a PIN​.
ClipboardSharingLevel​ 0 = Blocked​
1 = Managed apps.
2 = Managed apps with paste in.
3 = Any app
[Data Relocation] Restrict cut, copy, and paste with other apps​.
ContactSyncDisabled​ 0 = No​
1 = Yes
[Data Relocation] Disable contacts sync​.
DataBackupDisabled​ 0 = No​
1 = Yes​
[Data Relocation] Prevent iTunes and iCloud backups.​
DeviceComplianceEnabled​ 0 = No​
1 = Yes​
[Access] Block managed apps from running on jailbroken or rooted devices.​
DisableShareSense​ ​N/A N/A: not actively used by Intune service.​
FileEncryptionLevel​ 0 = When device is locked​
1 = When device is locked and there are open files​
2 = After device restart​
3 = Use device settings​.
[Data Relocation] Encrypt app data​.
FileSharingSaveAsDisabled​ 0 = No​
1 = Yes​
[Data Relocation] Prevent “Save As” ​
IntuneIdentityUPN​ UPN of the Intune MAM user. N/A​
ManagedBrowserRequired​ 0 = No​
1 = Yes​
[Data Relocation] Restrict web content to display in the Intune Managed Browser app​.
ManagedLocations​ A value that represents the number of managed storage locations to which the app can save data.​
1 = OneDrive
2 = SharePoint
3 = OneDrive and SharePoint
32 = Local Storage
33 = Local Storage & OneDrive
34 = Local Storage & SharePoint
35 = Local Storage, OneDrive, and SharePoint
[Data Relocation] Select which storage services corporate data can be saved to​.
MinAppVersion​ ”0.0” = no minimum app version​
anything else = minimum app version
[Access] Require minimum app version.
MinAppVersionWarning​ ”0.0” = no minimum app version​.
anything else = minimum app version​.
[Access] Require minimum app version (warning only)​
MinOsVersion​ ”0.0” = no minimum OS version​
anything else = minimum OS version​
[Access] Require minimum iOS operating system​.
MinOsVersionWarning​ ”0.0” = no minimum OS version​
anything else = minimum OS version​
[Access] Require minimum iOS operating system (warning only).​
MinSDKVersion​ ”0.0” = no minimum SDK version​
anything else = minimum OS version.​
[Access] Require minimum Intune app protection policy SDK version​.
PINCharacterType​ ​N/A N/A
PINEnabled​ 0 = No​
1 = Yes​
[Access] Require PIN for access​
PINMinLength​ x characters [Access] PIN length​
PINNumRetry​ x attempts [Access] Number of attempts before PIN reset​
PrintingBlocked​ 0 = No​
1 = Yes​
[Data Relocation] Disable printing​
SimplePINAllowed​ 0 = No
1 = Yes​​
[Access] Allow Simple PIN​
TouchIDEnabled​ 0 = No​
1 = Yes​
[Access] Allow fingerprint instead of PIN (iOS 8+)​.

Next steps