What to expect when your Android app is managed by app protection policies
This article describes the user experience for apps with app protection policies. App protection policies are applied only when apps are used in a work context: for example, when the user is accessing apps with a work account or accessing files that are stored in a OneDrive for Business location.
The Company Portal app is required for all apps that are associated with app protection policies on Android devices.
For devices that are not enrolled in Intune, the Company Portal app must be installed on the device. However, the user does not have to launch or sign into the Company Portal app before they can use apps that are managed by app protection policies.
The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in Intune.
Use apps with multi-identity support
App protection polices are only applied in the work context. Therefore, the app might behave differently depending on whether the context is work or personal.
For example, the user gets a PIN prompt when accessing work data. For the Outlook app, the user is prompted for a PIN when they launch the app. For the OneDrive app, the user is prompted for the pin when they type in the work account. For Microsoft Word, PowerPoint, and Excel, the user is prompted for the pin when they access documents that are stored in the company OneDrive for Business location.
Manage user accounts on the device
Multi-identity applications allow users to add multiple accounts. Intune APP supports only one managed account. Intune APP does not limit the number of unmanaged accounts.
When there is a managed account in an application:
- If a user attempts to add a second managed account, the user is asked to select which managed account to use. The other account is removed.
- If the IT admin adds a policy to a second existing account, the user is asked to select which managed account to use. The other account is removed.
Read the following example scenario to get a deeper understanding of how multiple user accounts are treated.
User A works for two companies—Company X and Company Y. User A has a work account for each company, and both use Intune to deploy app protection policies. Company X deploys app protection policies before Company Y. The account that's associated with Company X gets the app protection policy, but not the account that's associated with Company Y. If you want the user account that's associated with Company Y to be managed by the app protection policies, you must remove the user account that's associated with Company X and add the account that is associated with Company Y.
Add a second account
If you are using an Android device, you might see a blocking message with instructions to remove the existing account and add a new one. To remove the existing account, go to Settings >General > Application Manager >Company Portal. Then choose Clear Data.
View media files with the Azure Information Protection app
To view company AV, PDF, and image files on Android devices, use the Azure Information Protection app (previously known as the Rights Management sharing app).
Download this app from the Google Play store.
The following file types are supported:
- Audio: AAC LC, HE-AACv1 (AAC+), HE-AACv2 (enhanced AAC+), AAC ELD (enhanced low delay AAC), AMR-NB, AMR-WB, FLAC, MP3, MIDI, Ogg Vorbis, PCM/WAVE
- Video: H.263, H.264 AVC, MPEG-4 SP, VP8
- Image: .jpg, .pjpg, .png, .ppng, .bmp, .pbmp, .gif, .pgif, .jpeg, .pjpeg
- Documents: PDF, PPDF
|Pfile is a generic “wrapper” format for protected files that encapsulates the encrypted content and the Azure Information Protection licenses. It can be used to protect any file type.|