Review client app protection logs

Learn about the settings you can review in the app protection logs. Access logs by enabling Intune Diagnostics on a mobile client.

The process to enable and collect logs varies by platform:

The following tables list each app protection policy setting name and the supported values that are recorded in the log. Each entry also identifies the corresponding policy setting in the Microsoft Endpoint Manager portal. For detailed information on each setting, see iOS/iPadOS app protection policy settings and Android app protection policy settings in Microsoft Intune.

iOS/iPadOS App protection policy settings

| Name | Value details | Setting in Microsoft Endpoint Manager App Protection Policy |
|---|---|---|
| AccessRecheckOfflineTimeout | x minutes | Section: Conditional Launch<br>Setting: Offline grace period with action Block access (minutes) |
| AccessRecheckOnlineTimeout | x minutes | Section: Access requirements<br>Setting: Recheck the access requirements after (minutes of inactivity) |
| AllowedOutboundClipboardSharingExceptionLength | x characters | Section: Data protection<br>Setting: Cut and copy character limit for any app |
| AppPinDisabled | 0 = Require<br>1 = Not required | Section: Access requirements<br>Setting: App PIN when device PIN is set |
| AppSharingFromLevel | 0 = None<br>1 = Policy Managed apps<br>2 = All apps | Section: Data Protection<br>Setting: Receive data from other apps |
| AppSharingToLevel | 0 = None<br>1 = Policy managed apps<br>2 = All apps | Section: Data Protection<br>Setting: Send org data to other apps |
| ProtectManagedOpenInData | 0 = False<br>1 = True | Section: Data Protection<br>Setting: Send org data to other apps is set to Policy Managed apps with Open-In/Share filtering when true |
| AuthenticationEnabled | 0 = Not required<br>1 = Require | Section: Access requirements<br>Setting: Work or school account credentials for access |
| ClipboardSharingLevel | 0 = Blocked<br>1 = Policy managed apps<br>2 = Policy managed apps with paste in<br>3 = Any app | Section: Data Protection<br>Setting: Restrict cut, copy, and paste between other apps |
| ContactSyncDisabled | 0 = Allow<br>1 = Block | Section: Data Protection<br>Setting: Sync app with native contacts app |
| DataBackupDisabled | 0 = Allow<br>1 = Block | Section: Data Protection<br>Setting: Prevent backups |
| DeviceComplianceEnabled | 0 = False<br>1 = True | Section: Conditional Launch<br>Setting: Jailbroken/rooted devices |
| DeviceComplianceFailureAction | 0 = Block access<br>1 = Wipe data | Section: Conditional Launch<br>Setting: Jailbroken/rooted devices |
| DisableShareSense | N/A | N/A: Not actively used by Intune service. |
| FileEncryptionLevel | 0 = When device is locked<br>1 = When device is locked and there are open files<br>2 = After device restart<br>3 = Use device settings | Section: Data Protection<br>Setting: Encrypt org data |
| FileSharingSaveAsDisabled | 0 = Allow<br>1 = Block | Section: Data Protection<br>Setting: Save copies of org data |
| IntuneIdentityUPN | UPN of the Intune MAM user | N/A |
| ManagedBrowserRequired | 0 = False<br>1 = True | Section: Data Protection<br>Setting: Restrict web content transfer with other apps |
| ManagedLocations | A value that represents the number of managed storage locations to which the app can save data.<br>1 = OneDrive<br>2 = SharePoint<br>3 = OneDrive and SharePoint<br>32 = Local Storage<br>33 = Local Storage & OneDrive<br>34 = Local Storage & SharePoint<br>35 = Local Storage, OneDrive, and SharePoint | Section: Data Protection<br>Setting: Allow user to save copies to selected services |
| MinAppVersion | "0.0" = no minimum app version<br>anything else = minimum app version | Section: Conditional launch<br>Setting: Min app version with action Block access |
| MinAppVersionWarning | "0.0" = no minimum app version<br>anything else = minimum app version | Section: Conditional launch<br>Setting: Min app version with action Warn |
| MinAppVersionWipe | "0.0" = no minimum OS version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min app version with action Wipe data |
| MinOsVersion | "0.0" = no minimum OS version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min OS version with action Block access |
| MinOsVersionWarning | "0.0" = no minimum OS version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min OS version with action Warn |
| MinOsVersionWipe | "0.0" = no minimum OS version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min OS version with action Wipe data |
| MinSDKVersion | "0.0" = no minimum SDK version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min SDK version with action Block access |
| MinSDKVersionWipe | "0.0" = no minimum SDK version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min SDK version with action Block access |
| NotificationRestriction | 0 = Allow<br>1 = Block Org Data<br>2 = Block | Section: Data Protection<br>Setting: Org data notifications |
| PINCharacterType | 0 = Passcode<br>1 = Numeric | Section: Access requirements<br>Setting: Pin type |
| PINEnabled | 0 = Not required<br>1 = Require | Section: Access requirements<br>Setting: PIN for access |
| PINMinLength | x characters | Section: Access requirements<br>Setting: Select minimum PIN length |
| PINNumRetry | x attempts | Section: Conditional launch<br>Setting: Max PIN attempts |
| MaxPinRetryExceededAction | 0 = Reset PIN<br>1 = Wipe data | Section: Conditional launch<br>Setting: Max PIN attempts |
| PrintingBlocked | 0 = Allow<br>1 = Block | Section: Data Protection<br>Setting: Printing org data |
| SimplePINAllowed | 0 = Block<br>1 = Allow | Section: Access requirements<br>Setting: Simple PIN |
| TouchIDEnabled | 0 = Block<br>1 = Allow | Section: Access requirements<br>Setting: Touch ID instead of PIN for access (iOS 8+/iPadOS) |
| ThirdPartyKeyboardsBlocked | 0 = Allow<br>1 = Block | Section: Data Protection<br>Setting: Third party keyboards |
| FaceIDEnabled | 0 = Block<br>1 = Allow | Section: Access requirements<br>Setting: Face ID instead of PIN for access (iOS 11+/iPadOS) |
| PINExpiryDays | x characters | Section: Access requirements<br>Setting: PIN reset after number of days > Number of days |
| NonBioPassTimeOutRequired | 0 = Not required<br>1 = Require | Section: Access requirements<br>Setting: Override Touch ID with PIN after timeout |
| NonBioPassTimeOut | x minutes | Section: Access requirements<br>Setting: Override Touch ID with PIN after timeout > Timeout (minutes of inactivity) |
| DictationBlocked | 0 = Allow<br>1 = Block | No administration control for this setting. |
| OfflineWipeInterval | x days | Note: No admin control for this setting. |
| ProtocolExclusions | 0 = Allow<br>1 = Block | Section: Data Protection<br>Setting: Select apps to exempt |
| EnableOpenInFilter | 0 = Disabled<br>1 = Enabled | Section: Data Protection<br>Setting: Send Org data to other apps > Policy managed apps with Open-In/Share filtering |
| MinimumRequiredDeviceThreatProtectionLevel | 0 = Not configured<br>1 = Secured<br>2 = Low<br>3 = Medium<br>4 = High | Section: Conditional launch<br>Setting: Max allowed device threat level |
| MobileThreatDefenseRemediationAction | 0 = Block access<br>1 = Wipe data | Section: Access requirements<br>Setting: Max allowed device threat level action |
| AllowedIOSModelsElseBlock | x characters | Section: Conditional launch<br>Setting: Device model(s) with action Allow specified (Block non-specific) |
| AllowedIOSModelsElseWipe | x characters | Section: Conditional launch<br>Setting: Device model(s) with action Allow specified (Wipe non-specific) |
| ProtectAllIncomingUnknownSourceData | N/A | Note: Not actively used by Intune service. |
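The following added example (not part of the original page or of Intune) shows one way to turn logged iOS/iPadOS values back into the labels from the table above and mark the least restrictive data protection values for review. The name/value dictionary input, the `PERMISSIVE` review list, and reading `ManagedLocations` as bit flags are assumptions of the example; the page does not show the log file layout.

```python
# Value maps copied from the iOS/iPadOS table above (a subset of settings).
IOS_VALUES = {
    "ClipboardSharingLevel": {0: "Blocked", 1: "Policy managed apps",
                              2: "Policy managed apps with paste in", 3: "Any app"},
    "AppSharingToLevel": {0: "None", 1: "Policy managed apps", 2: "All apps"},
    "PINEnabled": {0: "Not required", 1: "Require"},
    "DataBackupDisabled": {0: "Allow", 1: "Block"},
    "FileSharingSaveAsDisabled": {0: "Allow", 1: "Block"},
    "PrintingBlocked": {0: "Allow", 1: "Block"},
}
# Values that leave org data least restricted. This review list is an
# assumption of the example, not an Intune recommendation.
PERMISSIVE = {"ClipboardSharingLevel": 3, "AppSharingToLevel": 2, "PINEnabled": 0,
              "DataBackupDisabled": 0, "FileSharingSaveAsDisabled": 0,
              "PrintingBlocked": 0}
# The listed ManagedLocations values (1, 2, 3, 32..35) combine like bit flags.
LOCATION_FLAGS = {1: "OneDrive", 2: "SharePoint", 32: "Local Storage"}


def decode_managed_locations(value):
    """Return the storage locations named by a ManagedLocations value."""
    value = int(value)
    if value & ~sum(LOCATION_FLAGS):
        raise ValueError(f"ManagedLocations has bits not in the table: {value}")
    return [name for bit, name in LOCATION_FLAGS.items() if value & bit]


def decode_ios_settings(logged):
    """Map logged name/value pairs to (label, needs_review) per setting."""
    report = {}
    for name, raw in logged.items():
        if name == "ManagedLocations":
            places = decode_managed_locations(raw)
            report[name] = (", ".join(places) or "no listed location", False)
        elif name in IOS_VALUES:
            label = IOS_VALUES[name].get(int(raw), f"unknown value {raw}")
            report[name] = (label, PERMISSIVE.get(name) == int(raw))
        else:
            report[name] = (str(raw), False)  # numeric or unmapped setting
    return report


# Constructed sample: setting names come from the table, values are made up.
SAMPLE = {"ClipboardSharingLevel": "3", "AppSharingToLevel": "1", "PINEnabled": "1",
          "DataBackupDisabled": "0", "ManagedLocations": "33", "PINMinLength": "6"}

if __name__ == "__main__":
    for name, (label, review) in decode_ios_settings(SAMPLE).items():
        print(f"{'REVIEW' if review else 'ok    '} {name} = {label}")
```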

Android App protection policy settings

| Name | Value details | Setting in Microsoft Endpoint Manager App Protection Policy |
|---|---|---|
| AccessRecheckOfflineTimeout | x minutes | Section: Conditional Launch<br>Setting: Offline grace period with action Block access (minutes) |
| AccessRecheckOnlineTimeout | x minutes | Section: Access requirements<br>Setting: Recheck the access requirements after (minutes of inactivity) |
| AppPinDisabled | true = Require<br>false = Not required | Section: Access requirements<br>Setting: App PIN when device PIN is set |
| AllowedAndroidManufacturersElseBlock | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch<br>Setting: Device manufacturers with action Allow specified (Block non-specified) |
| AllowedAndroidManufacturersElseWipe | Empty if not set, otherwise list of allowed manufacturers | Section: Conditional launch<br>Setting: Device manufacturers with action Allow specified (Wipe non-specified) |
| AllowedAndroidModelsElseBlock | Empty if not set, otherwise list of allowed models | No administration control for this setting. |
| AllowedAndroidModelsElseWipe | Empty if not set, otherwise list of allowed models | No administration control for this setting. |
| AndroidSafetyNetDeviceAttestationEnforcement | NOT_REQUIRED = not set<br>BASIC_INTEGRITY = Basic Integrity<br>BASIC_INTEGRITY_AND_DEVICE_CERTIFICATION = Basic Integrity and certified devices | Section: Conditional launch<br>Setting: SafetyNet device attestation |
| AndroidSafetyNetDeviceAttestationFailedAction | BLOCK = Block access<br>WARN = Warn<br>WIPE_DATA = Wipe Data | Section: Conditional launch<br>Setting: SafetyNet device attestation |
| AndroidSafetyNetVerifyAppsEnforcementType | NOT_REQUIRED = not set<br>REQUIRE_ENABLED = configured | Section: Conditional launch<br>Setting: Require threat scan on apps |
| AndroidSafetyNetVerifyAppsFailedAction | BLOCK = Block access<br>WARN = Warn | Section: Conditional launch<br>Setting: Require threat scan on apps |
| AppSharingFromLevel | BLOCKED = None<br>MANAGED = Policy Managed apps<br>UNRESTRICTED = All apps | Section: Data Protection<br>Setting: Receive data from other apps |
| AppSharingToLevel | BLOCKED = None<br>MANAGED = Policy Managed apps<br>UNRESTRICTED = All apps | Section: Data Protection<br>Setting: Send org data to other apps |
| AuthenticationEnabled | false = Not required<br>true = Require | Section: Access requirements<br>Setting: Work or school account credentials for access |
| BlockScreenCapture | false = Allow<br>true = Block | Section: Data Protection<br>Setting: Screen capture and Google Assistant |
| ClipboardCharacterExceptionLength | x characters | Section: Data protection<br>Setting: Cut and copy character limit for any app |
| ClipboardSharingLevel | BLOCKED = Blocked<br>MANAGED = Policy managed apps<br>MANAGED_PASTE_IN = Policy managed apps with paste in<br>UNMANAGED = Any app | Section: Data Protection<br>Setting: Restrict cut, copy, and paste between other apps |
| ConditionalEncryptionEnabled | false = Require<br>true = Not required | Section: Data Protection<br>Setting: Encrypt org data on enrolled devices |
| ContactSyncDisabled | false = Allow<br>true = Block | Section: Data Protection<br>Setting: Sync app with native contacts app |
| DataBackupDisabled | false = Allow<br>true = Block | Section: Data Protection<br>Setting: Prevent backups |
| DeviceComplianceEnabled | false = False<br>true = True | Section: Conditional Launch<br>Setting: Jailbroken/rooted devices |
| DeviceComplianceFailureAction | BLOCK = Block access<br>WIPE_DATA = Wipe data | Section: Conditional Launch<br>Setting: Jailbroken/rooted devices |
| DialerRestrictionLevel | 0 = None, do not transfer this data between apps<br>1 = A specific dialer app<br>2 = Any policy-managed dialer app<br>3 = Any dialer app | Section: Data Protection<br>Setting: Transfer telecommunication data to |
| DictationBlocked | false = Allow<br>true = Block | No administration control for this setting. |
| FileEncryptionKeyLength | 128<br>256 | No administration control for this setting. |
| FileSharingSaveAsDisabled | false = Allow<br>true = Block | Section: Data Protection<br>Setting: Save copies of org data |
| IntuneMAMPolicyVersion | version number | N/A |
| isManaged | true<br>false | N/A |
| KeyboardsRestricted | true = Required<br>false = Not required | Section: Data Protection<br>Setting: Approved keyboards |
| ManagedBrowserRequired | true = Microsoft Edge or Unmanaged browser<br>false = Any app | Section: Data Protection<br>Setting: Restrict web content transfer to other apps |
| ManagedLocations | A value that represents the number of managed storage locations to which the app can save data, separated by a semi-colon.<br>ONEDRIVE_FOR_BUSINESS<br>SHAREPOINT<br>LOCAL | Section: Data Protection<br>Setting: Allow user to save copies to selected services |
| MaxPinRetryExceededAction | RESET_PIN = Reset PIN<br>WIPE_DATA = Wipe data | Section: Conditional launch<br>Setting: Max PIN attempts |
| MinAppVersion | "0.0" = no minimum app version<br>anything else = minimum app version | Section: Conditional launch<br>Setting: Min app version with action Block access |
| MinAppVersionWarning | "0.0" = no minimum app version<br>anything else = minimum app version | Section: Conditional launch<br>Setting: Min app version with action Warn |
| MinAppVersionWipe | "0.0" = no minimum OS version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min app version with action Wipe data |
| MinOsVersion | "0.0" = no minimum OS version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min OS version with action Block access |
| MinOsVersionWarning | "0.0" = no minimum OS version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min OS version with action Warn |
| MinOsVersionWipe | "0.0" = no minimum OS version<br>anything else = minimum OS version | Section: Conditional launch<br>Setting: Min OS version with action Wipe data |
| MinPatchVersion | "0000-00-00" = no minimum Patch version<br>anything else = minimum Patch version | Section: Conditional launch<br>Setting: Min Patch version with action Block access |
| MinPatchVersionWarning | "0000-00-00" = no minimum Patch version<br>anything else = minimum Patch version | Section: Conditional launch<br>Setting: Min Patch version with action Warn |
| MinPatchVersionWipe | "0000-00-00" = no minimum Patch version<br>anything else = minimum Patch version | Section: Conditional launch<br>Setting: Min Patch version with action Wipe data |
| MinimumRequiredCompanyPortalVersion | "0.0" = no minimum Company Portal version<br>anything else = minimum Company Portal version | Section: Conditional launch<br>Setting: Min Company Portal version with action Block access |
| MinimumRequiredDeviceThreatProtectionLevel | NOT_SET = not defined in the policy<br>SECURED = Secured<br>LOW = Low<br>MEDIUM = Medium<br>HIGH = High | Section: Conditional launch<br>Setting: Max allowed device threat level |
| MinimumWarningCompanyPortalVersion | "0.0" = no minimum Company Portal version<br>anything else = minimum Company Portal version | Section: Conditional launch<br>Setting: Min Company Portal version with action Warn |
| MinimumWipeCompanyPortalVersion | "0.0" = no minimum Company Portal version<br>anything else = minimum Company Portal version | Section: Conditional launch<br>Setting: Min Company Portal version with action Wipe data |
| MobileThreatDefenseRemediationAction | BLOCK = Block Access<br>WIPE_DATA = Wipe data | Section: Conditional launch<br>Setting: Max allowed device threat level |
| NonBioPassTimeOut | x minutes | Section: Access requirements<br>Setting: Override fingerprint with PIN after timeout > Timeout (minutes of inactivity) |
| NonBioPassTimeOutRequired | false = Not required<br>true = Require | Section: Access requirements<br>Setting: Override fingerprint with PIN after timeout |
| NotificationRestriction | UNRESTRICTED = Allow<br>BLOCK_ORG_DATA = Block Org Data<br>BLOCK = Block | Section: Data Protection<br>Setting: Org data notifications |
| PINCharacterType | PASSCODE = Passcode<br>NUMERIC = Numeric | Section: Access requirements<br>Setting: Pin type |
| PINEnabled | false = Not required<br>true = Require | Section: Access requirements<br>Setting: PIN for access |
| PINMinLength | x characters | Section: Access requirements<br>Setting: Select minimum PIN length |
| PINNumRetry | x attempts | Section: Conditional launch<br>Setting: Max PIN attempts |
| PackageExclusions | Empty if no bundle IDs are configured, otherwise bundle IDs separated by a semi-colon | Section: Data protection<br>Setting: Select apps to exempt |
| PinHistoryLength | x PIN values to maintain | Section: Access requirements<br>Setting: Select number of previous PIN values to maintain |
| PolicyCount | number | N/A |
| PrintingBlocked | false = Allow<br>true = Block | Section: Data Protection<br>Setting: Printing org data |
| RequireFileEncryption | false = Not required<br>true = Require | Section: Data Protection<br>Setting: Encrypt org data |
| SimplePINAllowed | false = Block<br>true = Allow | Section: Access requirements<br>Setting: Simple PIN |
| SpecificDialerDisplayName | Dialer app name | Section: Data Protection<br>Setting: Dialer app name |
| SpecificDialerPackageID | Dialer app bundle ID | Section: Data Protection<br>Setting: Dialer App Package ID |
| TouchIDEnabled | false = Block<br>true = Allow | Section: Access requirements<br>Setting: Fingerprint instead of PIN for access (Android 6.0+) |
| ThirdPartyKeyboardsBlocked | 0 = Allow<br>1 = Block | Section: Data Protection<br>Setting: Third party keyboards |
| FaceIDEnabled | 0 = Block<br>1 = Allow | Section: Access requirements<br>Setting: Face ID instead of PIN for access (iOS 11+/iPadOS) |
| PINExpiryDays | x characters | Section: Access requirements<br>Setting: PIN reset after number of days > Number of days |
| UnmanagedBrowserDisplayName | Unmanaged web browser display name | Section: Data protection<br>Setting: Unmanaged Browser name |
| UnmanagedBrowserPackageID | Unmanaged web browser package ID | Section: Data protection<br>Setting: Unmanaged Browser ID |
