Set app protection settings for Android or iOS devices
Create an app management policy
Sign in to Microsoft 365 Business with global admin credentials.
In the admin center, on the Device policies card, choose Add policy.
On the Add policy pane, enter a unique name for this policy.
Under Policy type, choose Application Management for Android or Application Management for iOS depending on which set of policies you want to create.
Expand Protect work files when devices are lost or stolen and Manage how users access Office files on mobile devices, then configure the settings as you would like. The Manage how users access Office files on mobile devices setting is Off by default, but it is recommended that you turn it On and accept the default values. See Available settings for more information.
You can always use the Reset default settings link to return to the default setting.
Next, decide Who will get these settings? If you don't want to use the default All Users security group, choose Change, choose the security groups that will get these settings, and then choose Select.
Finally, choose Done to save the policy, and assign it to devices.
Edit an app management policy
On the Policies card, choose Edit policy.
On the Edit policy pane, choose the policy you want to change.
Choose Edit next to each setting to change the values in the policy. When you change a value, it is automatically saved into the policy.
When you are finished, close the Edit policy pane.
Delete an app management policy
On the Policies card, choose Delete policy.
On the Delete policy pane, choose the policies you want to delete, choose Select, and then choose Confirm to delete the policy or policies you chose.
The following tables give detailed information about the available settings to protect work files on devices and the settings that control how users access Office files from their mobile devices.
See How do protection features in Microsoft 365 Business map to Intune settings for more information.
Settings that protect work files
The following settings are available to protect work files if a user's device is lost or stolen:
| Setting | Description |
| --- | --- |
| Delete work files from an inactive device after this many days | If a device is not used for the number of days that you specify here, any work files stored on the device will automatically be deleted. |
| Force users to save all work files to OneDrive for Business | If this setting is On, the only available save location for work files will be OneDrive for Business. |
| Encrypt work files | Keep this setting On so that work files are protected by encryption. Even if the device is lost or stolen, no one will be able to read your company data. |
Settings that control how users access Office files on mobile devices
The following settings are available to manage how users access Office work files:
| Setting | Description |
| --- | --- |
| Require a PIN or fingerprint to access Office apps | If this setting is On, users have to provide another form of authentication, in addition to their username and password, before they can use Office apps on their mobile device. |
| Reset PIN when login fails this many times | To prevent an unauthorized user from randomly guessing a PIN, the PIN will reset after the number of wrong entries that you specify. |
| Require users to sign in again after Office apps have been idle for | This setting determines how long a user can be idle before they are prompted to sign in again. |
| Deny access to work files on jailbroken or rooted devices | Clever users may have a device that is jailbroken or rooted. This means that the user can modify the operating system, which can make the device more susceptible to malware. These devices are blocked when this setting is On. |
| Allow users to copy content from Office apps into personal apps | This is allowed by default. If the setting is On, the user can copy information in a work file to a personal file. If the setting is Off, the user will be unable to copy information from a work account into a personal app or personal account. |