What to expect when your iOS app is managed by app protection policies
This topic describes the user experience when using apps with app protection policies applied to. App protection policies are applied only when apps are used in the work context; for example, when the user is accessing apps with a work account or accessing files that are stored in a company OneDrive for business location.
If the device is not enrolled in Intune, the user is asked to restart the app when they first use it. A restart is required so that app protection polices can be applied to the app.
For devices that are enrolled for management in Intune, the user sees a message that their app is now managed.
Use apps with multi-identity support
Apps that support multi-identity let you use different accounts (work and personal) to access the same apps, while app protection policies are applied only when the apps are used in the work context.
For example, the user gets a PIN prompt when accessing work data. For the Outlook app, the user is prompted for a PIN when they launch the app. For the OneDrive app, the user is prompted for a pin when they type in the work account. For Microsoft Word, PowerPoint, and Excel, the user is prompted for a pin when they access documents that are stored in the company OneDrive for Business location.
- Learn more about the apps that support app protection and multi-identity with Intune.
App protection polices are only applied in the work context. Therefore, the app might behave differently depending on whether the context is work or personal.
Manage user accounts on the device
Multi-identity applications allow users to add multiple accounts. Intune APP supports only one managed account. Intune APP does not limit the number of unmanaged accounts.
When there is a managed account in an application:
- If a user attempts to add a second managed account, the user is asked to select which managed account to use. The other account is removed.
- If the IT admin adds policy to a second existing account, the user is asked to select which managed account to use. The other account is removed.
Read the following example scenario to get a deeper understanding of how multiple user accounts are treated.
User A works for two companies—Company X and Company Y. User A has a work account for each company, and both use Intune to deploy app protection policies. Company X deploys app protection policies before Company Y. The account that's associated with Company X gets the app protection policy first. If you want the user account that's associated with Company Y to be managed by the app protection policies, you must remove the user account that's associated with Company X and add the user account that's associated with Company Y.
Add a second account
If you are using an iOS device, when you try to add a second work account on that device, you might see a blocking message. The accounts are displayed, and then you can choose the account you want to remove.