As more organizations implement mobile device policies for accessing work or school data, protecting against data breaches has become a priority. Intune's mobile application management solution for data loss prevention is App Protection Policies (APP). APP are rules that ensure an organization's data remains safe or contained in a managed app, regardless of whether the device is enrolled. For more information, see Overview of App Protection Policies.
When configuring an app protection policy, the many settings and options let organizations tailor protection to their specific needs. Because of that flexibility, the combination of policy settings needed to implement a complete scenario may not be obvious. To help organizations prioritize client endpoint hardening, Microsoft introduced a new taxonomy for security configurations in Windows 10, and Intune uses a similar taxonomy for its APP data protection framework for managing mobile apps.
The APP data protection configuration framework is organized into three distinct configuration levels, each building on the previous one:
Level 1 enterprise basic data protection: Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device.
Level 2 enterprise enhanced data protection: Microsoft recommends this configuration as the standard for devices whose users access sensitive or confidential information. It applies to most mobile users accessing work or school data. Some of the controls may affect user experience.
Level 3 enterprise high data protection: Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (users who handle highly sensitive data whose unauthorized disclosure would cause considerable material loss to the organization). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.
App data protection framework deployment methodology
As with any new software, feature, or setting deployment, Microsoft recommends investing in a ring methodology for test validation before deploying the app data protection framework. Defining deployment rings is generally a one-time (or at least infrequent) event, but IT should revisit these groups to ensure the sequencing is still correct.
Microsoft recommends the following ring deployment methodology for the APP data protection framework:
Ring | Tenant | Assessment teams | Outputs | Timeline |
---|---|---|---|---|
Quality Assurance | Pre-production tenant | Mobile capability owners, Security, Risk Assessment, Privacy, UX | Functional scenario validation, documentation | 0-30 days |
Preview | Production tenant | Mobile capability owners, UX | End-user scenario validation, user-facing documentation | 7-14 days post Quality Assurance |
Production | Production tenant | Mobile capability owners, IT help desk | N/A | 7 days to several weeks post Preview |
As the table above shows, every change to an app protection policy should be made first in a pre-production environment to understand the effect of the policy settings. After testing is complete, the changes can be moved to production and applied to a subset of production users, usually the IT department and other applicable groups. Finally, the rollout can be completed for the rest of the mobile user community. The production rollout may take longer depending on the scale of impact of the change: a change with no user impact should roll out quickly, whereas a change that affects users may need to roll out more slowly because it has to be communicated to the user community.
When testing app protection policy changes, keep in mind the delivery timing. You can monitor the app protection status for a specific user. For more information, see How to monitor app protection policies.
Individual app settings for each app can be validated on the device using Edge and the URL about:intunehelp. For more information, see Review client app protection logs and Access managed app logs using Edge for iOS and Android.
Configure the app data protection framework
The following app protection policy settings should be enabled for the applicable apps and assigned to all mobile users. For more information about each policy setting, see iOS app protection policy settings and Android app protection policy settings.
Microsoft recommends reviewing and categorizing usage scenarios, then configuring users with the prescriptive guidance for that level. As with any framework, settings within a corresponding level may need to be adjusted based on the needs of the organization, because data protection must evaluate the threat environment, risk appetite, and impact to usability.
Admins can incorporate the configuration levels below into their ring deployment methodology for testing and production use by importing the sample Intune App Protection Policy Configuration Framework JSON templates with Intune's PowerShell scripts.
Conditional Access policies
Azure Active Directory Conditional Access policies are required to ensure that only apps that comply with the app protection policy can access work or school account data. These policies are described in Conditional Access: Require approved client apps or app protection policy.
Follow the steps in Require approved client apps or app protection policy with mobile devices in Conditional Access: Require approved client apps or app protection policy to implement the specific policies. Finally, implement the steps in Block legacy authentication to block iOS and Android apps that use legacy authentication.
Note
These policies use the grant controls Require approved client app and Require app protection policy.
Apps to include in the app protection policies
For each app protection policy, target the Core Microsoft Apps group, which includes these apps:
- Edge
- Excel
- Office
- OneDrive
- OneNote
- Outlook
- PowerPoint
- SharePoint
- Teams
- To Do
- Word
The policies should include other Microsoft apps based on business need, other third-party public apps that have integrated the Intune SDK and are used within the organization, and line-of-business apps that have integrated the Intune SDK (or have been wrapped).
Level 1 enterprise basic data protection
Level 1 is the minimum data protection configuration for an enterprise mobile device. It replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting work or school account data, and providing the capability to selectively wipe school or work data. Unlike Exchange Online device access policies, however, the app protection policy settings below apply to all apps selected in the policy, so data access is protected beyond mobile messaging scenarios.
The policies in Level 1 enforce a reasonable level of data access while minimizing impact to users, and mirror the default data protection and access requirement settings when creating an app protection policy in Microsoft Endpoint Manager.
Data protection
Setting | Setting description | Value | Platform |
---|---|---|---|
Data transfer | Back up org data to... | Allow | iOS/iPadOS, Android |
Data transfer | Send org data to other apps | All apps | iOS/iPadOS, Android |
Data transfer | Receive data from other apps | All apps | iOS/iPadOS, Android |
Data transfer | Restrict cut, copy, and paste between other apps | Any app | iOS/iPadOS, Android |
Data transfer | Third-party keyboards | Allow | iOS/iPadOS |
Data transfer | Approved keyboards | Not required | Android |
Data transfer | Screen capture and Google Assistant | Allow | Android |
Encryption | Encrypt org data | Require | iOS/iPadOS, Android |
Encryption | Encrypt org data on enrolled devices | Require | Android |
Functionality | Sync app with native contacts app | Allow | iOS/iPadOS, Android |
Functionality | Print org data | Allow | iOS/iPadOS, Android |
Functionality | Restrict web content transfer with other apps | Any app | iOS/iPadOS, Android |
Functionality | Org data notifications | Allow | iOS/iPadOS, Android |
Access requirements
Setting | Value | Platform | Notes |
---|---|---|---|
PIN for access | Require | iOS/iPadOS, Android | |
PIN type | Numeric | iOS/iPadOS, Android | |
Simple PIN | Allow | iOS/iPadOS, Android | |
Select minimum PIN length | 4 | iOS/iPadOS, Android | |
Touch ID instead of PIN for access (iOS 8+/iPadOS) | Allow | iOS/iPadOS | |
Override biometrics with PIN after timeout | Require | iOS/iPadOS, Android | |
Timeout (minutes of inactivity) | 720 | iOS/iPadOS, Android | |
Face ID instead of PIN for access (iOS 11+/iPadOS) | Allow | iOS/iPadOS | |
Biometrics instead of PIN for access | Allow | iOS/iPadOS, Android | |
PIN reset after number of days | No | iOS/iPadOS, Android | |
Select number of previous PIN values to maintain | 0 | Android | |
App PIN when device PIN is set | Require | iOS/iPadOS, Android | If the device is enrolled in Intune, administrators can consider setting this to "Not required" if they are already enforcing a strong device PIN through a device compliance policy. |
Work or school account credentials for access | Not required | iOS/iPadOS, Android | |
Recheck the access requirements after (minutes of inactivity) | 30 | iOS/iPadOS, Android | |
Conditional launch
Setting | Setting description | Value / Action | Platform | Notes |
---|---|---|---|---|
App conditions | Max PIN attempts | 5 / Reset PIN | iOS/iPadOS, Android | |
App conditions | Offline grace period | 720 / Block access (minutes) | iOS/iPadOS, Android | |
App conditions | Offline grace period | 90 / Wipe data (days) | iOS/iPadOS, Android | |
Device conditions | Jailbroken/rooted devices | N/A / Block access | iOS/iPadOS, Android | |
Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | This setting configures Google's SafetyNet Attestation on end-user devices. Basic integrity validates the integrity of the device: rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services; only unmodified devices that have been certified by Google can pass this check. |
Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end-user devices. If configured, the end user is blocked from access until they turn on Google's app scanning on their Android device. |
Device conditions | Require device lock | Low / Warn | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
Level 2 enterprise enhanced data protection
Level 2 is the recommended standard data protection configuration for devices whose users access more sensitive information. These devices are a natural target in enterprises today. These recommendations do not assume a large staff of highly skilled security practitioners, so they should be accessible to most enterprise organizations. This configuration expands on Level 1 by restricting data transfer scenarios and requiring a minimum OS version.
The policy settings enforced in Level 2 include all the settings recommended for Level 1; only the settings below, which were added or changed to allow more controls and a more sophisticated configuration than Level 1, are listed. While these settings may have a slightly higher impact on users or applications, they enforce a level of data protection more commensurate with the risks facing users who access sensitive information on mobile devices.
Data protection
Setting | Setting description | Value | Platform | Notes |
---|---|---|---|---|
Data transfer | Back up org data to... | Block | iOS/iPadOS, Android | |
Data transfer | Send org data to other apps | Policy managed apps | iOS/iPadOS, Android | For iOS/iPadOS, administrators can configure this value to "Policy managed apps", "Policy managed apps with OS sharing", or "Policy managed apps with Open-In/Share filtering". Policy managed apps with OS sharing is available when the device is also enrolled in Intune; it allows data transfer to other policy managed apps, as well as file transfers to other apps managed by Intune. Policy managed apps with Open-In/Share filtering filters the OS Open-in/Share dialogs to display only policy managed apps. For more information, see iOS app protection policy settings. |
Data transfer | Select apps to exempt | Default / skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services | iOS/iPadOS | |
Data transfer | Save copies of org data | Block | iOS/iPadOS, Android | |
Data transfer | Allow user to save copies to selected services | OneDrive for Business, SharePoint Online, Photo Library | iOS/iPadOS, Android | |
Data transfer | Transfer telecommunication data to | Any dialer app | iOS/iPadOS, Android | |
Data transfer | Restrict cut, copy, and paste between other apps | Policy managed apps with paste in | iOS/iPadOS, Android | |
Data transfer | Screen capture and Google Assistant | Block | Android | |
Functionality | Restrict web content transfer with other apps | Microsoft Edge | iOS/iPadOS, Android | |
Functionality | Org data notifications | Block org data | iOS/iPadOS, Android | For a list of apps that support this setting, see iOS app protection policy settings and Android app protection policy settings. |
Conditional launch
Setting | Setting description | Value / Action | Platform | Notes |
---|---|---|---|---|
App conditions | Disabled account | N/A / Block access | iOS/iPadOS, Android | |
Device conditions | Min OS version | Format: Major.Minor.Build Example: 14.8 / Block access | iOS/iPadOS | Microsoft recommends configuring the minimum iOS major version to match the supported iOS versions for Microsoft apps. Microsoft apps support an N-1 approach, where N is the current iOS major version. For the minor and build values, Microsoft recommends ensuring devices are up to date with the respective security updates. See Apple security updates for Apple's latest recommendations. |
Device conditions | Min OS version | Format: Major.Minor Example: 9.0 / Block access | Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release plus one letter upgrade. Currently, Android recommends Android 9.0 and later for knowledge workers. See Android Enterprise Recommended requirements for Android's latest recommendations. |
Device conditions | Min patch version | Format: YYYY-MM-DD Example: 2020-01-01 / Block access | Android | Android devices can receive monthly security patches, but the release depends on OEMs and/or carriers. Organizations should ensure that deployed Android devices receive security updates before implementing this setting. See Android Security Bulletins for the latest patch releases. |
Device conditions | Required SafetyNet evaluation type | Hardware-backed key | Android | Hardware-backed attestation enhances the existing SafetyNet attestation service check and provides more robust root detection in response to newer rooting tools and methods that cannot always be reliably detected by a software-only solution. As the name implies, hardware-backed attestation uses a hardware-based component that shipped with devices installed with Android 8.1 and later. Devices upgraded from an older Android version to 8.1 are unlikely to have the hardware-based components necessary for hardware-backed attestation. While this setting should be widely supported starting with devices that shipped with Android 8.1, Microsoft recommends testing devices individually before enabling this policy setting broadly. |
Device conditions | Require device lock | Medium / Block access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
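The conditional launch rows above are evaluated per device at app launch, and the version and patch-level comparisons are where home-grown tooling usually goes wrong (a string compare puts iOS "14.10" before "14.8"). The following Python is an added example, not code from the page or from Microsoft; it models the Level 2 device conditions (with the Level 1 conditions carried forward) against a device inventory record. The `Device` fields, the `evaluate_level2` function, and the sample devices are my own assumptions, and the thresholds are the example values from the table.

```python
"""Evaluate a device record against the Level 2 conditional launch device conditions.
Added example; Device fields and function names are assumptions, not Intune APIs."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Example thresholds taken from the Level 2 table; tune these to your fleet.
MIN_OS = {"ios": "14.8", "android": "9.0"}
MIN_ANDROID_PATCH = date(2020, 1, 1)
LOCK_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'Major.Minor.Build' into a comparable tuple. '14.10' must sort after
    '14.8', which a plain string comparison gets wrong; absent parts count as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass
class Device:
    platform: str                          # "ios" or "android"
    os_version: str                        # "14.8", "9.0", "11", ...
    jailbroken_or_rooted: bool = False
    patch_level: Optional[date] = None     # Android security patch level
    safetynet_attestation: str = "none"    # "basicIntegrity" / "basicIntegrityAndDeviceCertification"
    safetynet_evaluation: str = "basic"    # "basic" / "hardwareBacked"
    app_threat_scan_enabled: bool = False  # Google's Verify Apps scan
    device_lock: str = "none"              # "none" / "low" / "medium" / "high"


def evaluate_level2(d: Device) -> List[Tuple[str, str]]:
    """Return (setting, action) pairs that fire; an empty list means the app launches."""
    hits: List[Tuple[str, str]] = []
    if d.jailbroken_or_rooted:                       # Level 1 condition, carried forward
        hits.append(("Jailbroken/rooted devices", "Block access"))
    if parse_version(d.os_version) < parse_version(MIN_OS[d.platform]):
        hits.append(("Min OS version", "Block access"))
    if d.platform == "android":
        if d.patch_level is None or d.patch_level < MIN_ANDROID_PATCH:
            hits.append(("Min patch version", "Block access"))
        if d.safetynet_attestation != "basicIntegrityAndDeviceCertification":
            hits.append(("SafetyNet device attestation", "Block access"))
        if d.safetynet_evaluation != "hardwareBacked":   # the Level 2 addition
            hits.append(("Required SafetyNet evaluation type", "Block access"))
        if not d.app_threat_scan_enabled:
            hits.append(("Require threat scan on apps", "Block access"))
        if LOCK_RANK[d.device_lock] < LOCK_RANK["medium"]:
            hits.append(("Require device lock", "Block access"))
    return hits


# Constructed sample fleet (not real inventory data).
SAMPLE_FLEET = {
    "ipad-current": Device("ios", "15.1"),
    "iphone-old": Device("ios", "14.7.1"),
    "pixel-ok": Device("android", "11", patch_level=date(2021, 6, 5),
                       safetynet_attestation="basicIntegrityAndDeviceCertification",
                       safetynet_evaluation="hardwareBacked",
                       app_threat_scan_enabled=True, device_lock="medium"),
    # Upgraded to 8.1 in place: no hardware-backed attestation component.
    "upgraded-8.1": Device("android", "8.1", patch_level=date(2021, 6, 5),
                           safetynet_attestation="basicIntegrityAndDeviceCertification",
                           safetynet_evaluation="basic",
                           app_threat_scan_enabled=True, device_lock="medium"),
}

if __name__ == "__main__":
    for name, dev in SAMPLE_FLEET.items():
        hits = evaluate_level2(dev)
        print(name, "->", "launch" if not hits else ", ".join(s for s, _ in hits))
```

Every Android condition is checked independently so the report shows all the reasons a device would be blocked, which is what the help desk needs when a user reports "the app will not open" after a Level 2 rollout.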
Level 3 enterprise high data protection
Level 3 is the recommended standard data protection configuration for organizations with large and sophisticated security organizations, or for specific users and groups who are uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described here. This configuration expands on Level 2 by restricting additional data transfer scenarios, increasing the complexity of the PIN configuration, and adding mobile threat detection.
The policy settings enforced in Level 3 include all the settings recommended for Level 2; only the settings below, which were added or changed to allow more controls and a more sophisticated configuration than Level 2, are listed. These policy settings can have a potentially significant impact on users or applications, enforcing a level of security commensurate with the risks facing targeted organizations.
Data protection
Setting | Setting description | Value | Platform | Notes |
---|---|---|---|---|
Data transfer | Transfer telecommunication data to | Any policy managed dialer app | Android | Administrators can also configure this setting to use a dialer app that does not support app protection policies by selecting "A specific dialer app" and providing the Dialer App Package ID and Dialer app name values. |
Data transfer | Transfer telecommunication data to | A specific dialer app | iOS/iPadOS | |
Data transfer | Dialer App URL Scheme | replace_with_dialer_app_url_scheme | iOS/iPadOS | On iOS/iPadOS, this value must be replaced with the URL scheme of the custom dialer app being used. If the URL scheme is not known, contact the app developer for more information. For more information on URL schemes, see Defining a Custom URL Scheme for Your App. |
Data transfer | Receive data from other apps | Policy managed apps | iOS/iPadOS, Android | |
Data transfer | Open data into Org documents | Block | iOS/iPadOS, Android | |
Data transfer | Allow users to open data from selected services | OneDrive for Business, SharePoint, Camera, Photo Library | iOS/iPadOS, Android | For related information, see Android app protection policy settings and iOS app protection policy settings. |
Data transfer | Third-party keyboards | Block | iOS/iPadOS | On iOS/iPadOS, this blocks all third-party keyboards from functioning within the app. |
Data transfer | Approved keyboards | Require | Android | |
Data transfer | Select keyboards to approve | add/remove keyboards | Android | With Android, select the keyboards to approve based on the Android devices being deployed. |
Functionality | Print org data | Block | iOS/iPadOS, Android | |
Access requirements
Setting | Value | Platform |
---|---|---|
Simple PIN | Block | iOS/iPadOS, Android |
Select minimum PIN length | 6 | iOS/iPadOS, Android |
PIN reset after number of days | Yes | iOS/iPadOS, Android |
Number of days | 365 | iOS/iPadOS, Android |
Class 3 Biometrics (Android 9.0+) | Require | Android |
Override Biometrics with PIN after biometric updates | Require | Android |
Conditional launch
Setting | Setting description | Value / Action | Platform | Notes |
---|---|---|---|---|
Device conditions | Require device lock | High / Block access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
Device conditions | Jailbroken/rooted devices | N/A / Wipe data | iOS/iPadOS, Android | |
Device conditions | Max allowed device threat level | Secured / Block access | iOS/iPadOS, Android | Unenrolled devices can be inspected for threats using Mobile Threat Defense. For more information, see Mobile Threat Defense for unenrolled devices. If the device is enrolled, this setting can be skipped in favor of deploying Mobile Threat Defense for enrolled devices. For more information, see Mobile Threat Defense for enrolled devices. |
Device conditions | Max OS version | Format: Major.Minor Example: 11.0 / Block access | Android | Microsoft recommends configuring the maximum Android major version to ensure that beta or unsupported versions of the operating system are not used. See Android Enterprise Recommended requirements for Android's latest recommendations. |
Device conditions | Max OS version | Format: Major.Minor.Build Example: 15.0 / Block access | iOS/iPadOS | Microsoft recommends configuring the maximum iOS/iPadOS major version to ensure that beta or unsupported versions of the operating system are not used. See Apple security updates for Apple's latest recommendations. |
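Because each level only lists what it adds or changes, the full Level 2 or Level 3 baseline is the union of the tables above it, and that is easy to get wrong when auditing a policy by hand. The following Python is an added example, not code from the page or from Microsoft: it encodes the three levels as cumulative dictionaries keyed by the setting names used in this page's tables (not Microsoft Graph property names), and checks a policy against a chosen level. `SAMPLE_EXPORT` is a constructed policy, not a real tenant export, and the function names are my own.

```python
"""Cumulative Level 1/2/3 baselines from the tables above, plus a checker that
reports where a policy is weaker than, or missing, a level's settings.
Added example; keys are this page's setting names, not Graph API properties."""
from typing import Dict, List

# Level 1: the values in the Level 1 tables (settings the tables do not set are omitted).
LEVEL1: Dict[str, object] = {
    "Back up org data": "Allow",
    "Send org data to other apps": "All apps",
    "Receive data from other apps": "All apps",
    "Restrict cut, copy, and paste between other apps": "Any app",
    "Third-party keyboards (iOS/iPadOS)": "Allow",
    "Approved keyboards (Android)": "Not required",
    "Screen capture and Google Assistant (Android)": "Allow",
    "Encrypt org data": "Require",
    "Print org data": "Allow",
    "Org data notifications": "Allow",
    "Select minimum PIN length": 4,
    "Simple PIN": "Allow",
    "Timeout (minutes of inactivity)": 720,
    "PIN reset after number of days": "No",
    "Max PIN attempts": 5,
    "Offline grace period (minutes before block)": 720,
    "Offline grace period (days before wipe)": 90,
    "Jailbroken/rooted devices": "Block access",
    "SafetyNet device attestation (Android)": "Basic integrity and certified devices",
    "Require device lock (Android)": "Low",
}

# Level 2 carries Level 1 forward and overrides only what its tables add or change.
LEVEL2: Dict[str, object] = {
    **LEVEL1,
    "Back up org data": "Block",
    "Send org data to other apps": "Policy managed apps",
    "Restrict cut, copy, and paste between other apps": "Policy managed apps with paste in",
    "Screen capture and Google Assistant (Android)": "Block",
    "Org data notifications": "Block org data",
    "Required SafetyNet evaluation type (Android)": "Hardware-backed key",
    "Require device lock (Android)": "Medium",
}

# Level 3 builds on Level 2 the same way.
LEVEL3: Dict[str, object] = {
    **LEVEL2,
    "Receive data from other apps": "Policy managed apps",
    "Third-party keyboards (iOS/iPadOS)": "Block",
    "Approved keyboards (Android)": "Require",
    "Print org data": "Block",
    "Select minimum PIN length": 6,
    "Simple PIN": "Block",
    "PIN reset after number of days": "Yes",
    "Number of days": 365,
    "Jailbroken/rooted devices": "Wipe data",
    "Require device lock (Android)": "High",
}

LEVELS = {1: LEVEL1, 2: LEVEL2, 3: LEVEL3}

# A policy may legitimately be stricter than the baseline. Numeric settings are
# treated as a floor (>=) or ceiling (<=), device lock complexity as an ordered
# scale; every other (enumerated) setting must match the level exactly.
FLOOR = {"Select minimum PIN length"}
CEILING = {"Timeout (minutes of inactivity)", "Max PIN attempts", "Number of days",
           "Offline grace period (minutes before block)",
           "Offline grace period (days before wipe)"}
LOCK_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3}


def meets(setting: str, actual, required) -> bool:
    """True if `actual` is at least as strict as `required` for this setting."""
    if setting in FLOOR:
        return actual >= required
    if setting in CEILING:
        return actual <= required
    if setting == "Require device lock (Android)":
        return LOCK_RANK[actual] >= LOCK_RANK[required]
    return actual == required


def check_policy(policy: Dict[str, object], level: int) -> List[str]:
    """One line per setting where `policy` is weaker than, or missing, the level's baseline."""
    findings = []
    for setting, required in LEVELS[level].items():
        if setting not in policy:
            findings.append(f"{setting}: not configured (Level {level} expects {required!r})")
        elif not meets(setting, policy[setting], required):
            findings.append(f"{setting}: {policy[setting]!r} (Level {level} expects {required!r})")
    return findings


# Constructed sample: a Level 1 style policy whose admin already tightened two settings.
SAMPLE_EXPORT: Dict[str, object] = {
    **LEVEL1,
    "Timeout (minutes of inactivity)": 600,
    "Require device lock (Android)": "Medium",
}

if __name__ == "__main__":
    for lvl in (1, 2, 3):
        gaps = check_policy(SAMPLE_EXPORT, lvl)
        print(f"Level {lvl}: {len(gaps)} gap(s)")
        for gap in gaps:
            print("  -", gap)
```

Running it shows the sample policy meets Level 1 with no gaps, misses six settings at Level 2, and sixteen at Level 3, including two settings (SafetyNet evaluation type and the PIN reset period) that are simply not configured rather than set too loosely. Note that the exact-match rule for enumerated settings flags a value that is stricter than the baseline as well; when you promote a policy between levels, review those findings by hand rather than treating every line as a regression.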
Next steps
Admins can incorporate the configuration levels above into their ring deployment methodology for testing and production use by importing the sample Intune App Protection Policy Configuration Framework JSON templates with Intune's PowerShell scripts.
See also
- How to create and deploy app protection policies with Microsoft Intune
- Android app protection policy settings in Microsoft Intune
- iOS/iPadOS app protection policy settings in Microsoft Intune