Wednesday 12 September 2018

Creating App Protection policies in Microsoft Intune

Microsoft Intune provides a great service in managing devices, whether they are iOS, Android, MacOS or Windows (and yes, including Windows Mobile to an extent for the time being..), but what happens if you want a lighter way or providing security governance to corporate data without having to manage the whole device? Well.. that would be Microsoft Intune App Protection.

You can have app protection policies in-place even if you have fully managed devices by Intune - however the service supports an unmanaged device having managed apps with protection wrapped around the apps to provide corporate governance - so how exactly do we set this up?

Let's take a look.

In the Azure Portal, open Microsoft Intune. From here, let's drill down into 'Client Apps'

From here we have a variety of options from app configuration policies to pushing apps out to devices. What we are looking for in this instance however is 'App protection policies'

Select this and then select 'Add Policy'

We now need to name our policy, select what OS it is for (this example is for Android), provide a description if necessary (always a good idea!) and select the required Apps. In this instance I am creating a policy for Outlook, but in this example I have shown you can multi-select Apps into a single protection policy if you so wish. Be warned they'll all share the same protection policy configuration. If you need Apps with different configurations, create seperate policies.

There are a variety of options available to configure. In this example I am specifying that a device backup cannot back up any of the App data. I also have options to disable data transfer to other apps, as well as specifying user data transfer - I am specifying here 'Policy managed apps with paste in' here. The options available and what they mean are detailed below

Blocked: Do not allow cut, copy, and paste operations between this app and other apps.

Policy managed apps: Only allow cut, copy, and paste operations between this app and other restricted apps.

Policy managed apps with paste in: Allow data cut or copied from this app only to be pasted into other restricted apps. Allow data cut or copied from any app to be pasted into this app.

Any app: No restrictions to cut, copy, and paste operations to or from this app.

In 'Access Actions' I specify whether access requires a password or pin, you can see I can protect the app with a variety of security options, even enforcing full credential requirements if warranted. There is however a level or security versus productiy, so in this example I am specifying a 4 digit pin.

We can also set sign-in security requirements, we have the option at leaving them at the defaults or changing their values and actions. Actions are defined, and we select them from pre-defined capabilities. We can also delete each one if we believe they are not a requirement for our protection policy.

 Once you have saved the policy you'll see the policy under 'Client Apps | App protection policies

I will now assign this to a select Azure AD group I have created. I drill into the policy and select 'Assignments'

I specify my Azure AD Group and save it.

So my App protection policy is all set! Assuming my user has an Intune license assigned how does an App within the protection policy behave? Let's take a look.

I'm using Outlook as the example. I'll download it from the store and open it.

 Once I sign-in with my Office 365 credentials I am prompted I need to activate a device administrator

I select 'Activate' to continue the process

It will give me information on what device adminstrator will do - a collection of policies from my App protection policy.

It will then take me through setting up the requirements for access to the App.

For both Android and iOS there is a requirement to have the Company Portal app installed. The app doesn't have to be signed into or the device to become managed, but at this time it's needed. Select 'Keep Account' and we'll then download the App.

So that's it. So what happens when I open Outlook? The answer is I am asked to enter a 4 digit pin - just what I configured in the policy. On top of this my data transfer settings and app paste in options are also configured and honoured.

That's it - take care :)

Have fun!

No comments: