How-To protect your company data with Intune App Protection
Updated: Jul 25, 2018
Protecting data assets is a business priority. Nowadays, a huge volume of information transits through email (personal data, company data and documents, legal and financial information ...).
With Intune App Protection policies, personal data and professional data can be containerized separately on the same device.
This way, a user can keep a personal phone and still access company data without the risk of business information leaking, whether intentionally or not.
In the age of BYOD, data protection is a major challenge and has to be well planned. Before you start, think about the following parameters:
Do I want to protect only company data or the whole device? - MAM, MDM or MAM+MDM.
What user experience do I want? - MDM enrollment requires actions from the user. With MAM only, little or no user interaction is required.
What are my security requirements? - blocking device capabilities such as screen capture, refusing rooted/jailbroken devices, enforcing encryption ...
With this in mind, you can begin to design the security strategy you are going to implement.
With Intune App Protection, you can protect your corporate data within the business app(s) your users work in, regardless of device ownership (personal or corporate).
In this how-to guide, we are going to protect emails and data within Outlook for iOS.
Create App Protection Policy
To begin, within the Intune App Protection service (1), open App protection policies (2). The App protection policies blade lets you create a new policy by clicking +Add a policy (3).
The New app protection policy blade appears and lets you set the following parameters.
1. Choose a name for your policy.
Note: keep names simple but consistent across your policies. The nomenclature I recommend is DeviceOS-DeviceStateScope-PolicyType (for example iOS-MAMOnly-Outlook).
2. Select the Platform, in our case: iOS.
3. Target to all app types - Yes.
Note: if you set this option to No instead, you can choose which device state the policy applies to:
Apps on non Intune managed devices.
Apps on Intune managed devices.
The next step is to select which application(s) you would like to target by clicking the Apps menu (here, Outlook).
Then set up the security settings by clicking Settings.
Based on the business security requirements I've implemented most often, I suggest the following. These settings can be fine-tuned to fit your own requirements.
Data relocation security features
1. Prevent iTunes and iCloud backups - Yes
Business data won't be backed up; only personal data will.
2. Allow app to transfer data to other apps - Policy managed apps.
Business data can only move between policy managed apps (i.e. the apps you've selected).
3. Filter Open-In/Share Dialog to only policy managed apps - Yes
Apple's Open-In/Share dialog only lists managed apps.
4. Allow app to receive data from other apps - All apps
Managed apps can receive data from any app (managed or not).
5. Prevent "Save As" - Yes
"Save As" is grayed out within managed apps.
6. Select which storage services corporate data can be saved to - 2 selected (OneDrive & SharePoint)
Only the storage service(s) you've selected are offered as save locations within managed apps.
7. Restrict cut, copy and paste with other apps - Policy managed apps with paste in
Cut, copy and paste are restricted to managed apps, but managed apps can still accept pasted content from any app (managed or not).
8. Restrict web content to display in the Managed Browser - No
With No, links open in the device's default browser. With Yes, links to online documents (e.g. documents stored on OneDrive/SharePoint) and to websites are forced to open in the Intune Managed Browser.
9. Encrypt app data - Yes
Data held by managed apps is encrypted; with this setting, encryption applies when the device is locked. This relies on iOS data protection, so the device needs a passcode set.
10. Disable contacts sync - No
Set to Yes, this disables the Outlook feature that syncs Exchange contacts into the native iOS address book.
Note: for user experience, this restriction is left off here. If it were turned on, users would have to recreate all their Exchange business contacts in the native address book by hand. Be aware that contacts synced to the native address book live outside the managed container, so the restrictions above do not cover them.
11. Disable printing - Yes
Printing is disabled in managed apps.
The second part of the app protection policy focuses on access control. The following are also recommendations based on business requirements and proven experience.
1. Require PIN for access - Yes
A PIN is required to access managed apps.
2. Select Type - Numeric
PIN type: numeric contains digits only; passcode can also contain letters and special characters.
3. Allow Simple PIN - No
PINs such as 1111 or 1234 are not allowed.
4. PIN Length - 6
This sits between the two other available values (4 and 8). 4 is too weak and 8 is too long; in terms of user experience, that can be upsetting.
5. Allow fingerprint instead of PIN (iOS 8+) - Yes
Touch ID can be used to unlock managed apps. It's less painful for the user and resists shoulder surfing better than a typed PIN; the PIN remains as the fallback.
6. Allow facial recognition instead of PIN (iOS 11+) - Yes
Face ID can also be used, with the same benefits.
7. Disable app PIN when device PIN is managed - No
Even if the device is enrolled in Intune and its device PIN is managed by it, the app PIN is still required to access the business apps.
8. Require corporate credentials for access - No
The user doesn't have to enter both the PIN and the business account password to access managed apps. In terms of user experience, that is hard to justify, except for high-risk/high-value accounts.
9. Recheck the access requirements after (minutes) - 30
The PIN is requested again after 30 minutes of inactivity in managed apps. This is an average timeframe: not too often and not too long.
Sign-in security requirements
1. Max PIN attempts - Value: 5/Action: Reset PIN
The app PIN is reset after 5 unsuccessful attempts: the user is redirected to the Office 365 sign-in page, has to enter the account password, and can then set a new PIN.
2. Offline grace period - Value: 720/Action: Block access (minutes)
This setting controls how long the managed application can run offline before it must re-check the user's access requirements. After 720 minutes (12 hours) offline, access is blocked until the device reconnects.
3. Offline grace period - Value: 90/Action: Wipe data (days)
Although it looks like the previous setting, this one wipes company data from managed apps after 90 days offline without a successful sign-in to the Office 365 account.
4. Jailbroken/rooted devices - Action: Block access
For security and integrity reasons, jailbroken devices are blocked from accessing managed applications. Keep in mind that jailbreak detection runs inside the app (through the Intune App SDK) and is best effort; a determined user can hide a jailbreak from it.
5. Min OS version - Value: 8.0/Action: Block access
iOS devices below version 8.0 are blocked from accessing managed apps. Biometric support arrives with iOS 8.0, which is why it is the floor chosen here; in practice, raise the floor to the oldest iOS version still receiving security updates from Apple.
After setting up the security features that protect company data within managed apps, you can save and finish the app protection policy creation.
The next step is to assign the protection policy to a targeted group of users.
User group assignment
After the creation of the app protection policy you'll have to assign it to a group of users (it's not possible to assign it to users directly). Users must also be licensed for Intune for the policy to apply to them.
1. On the policy you've just created, click on Assignments.
2. Then click on Select groups to include.
Note: no validation step is required; the policy starts applying automatically after the selection.
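To make the whole procedure reproducible (and auditable afterwards), here is an added example in Python that I wrote for this page; it is not the article's code nor Microsoft's. It builds the settings from the previous section as the Microsoft Graph request body of an iosManagedAppProtection policy, audits a policy body against the baseline recommended above, and builds the group assignment body for the step just described. The property names, enum values and the shape of the assign action are the Graph ones as I recall them and must be checked against the Graph reference before use; the policy name and the group id are placeholders; the script never contacts Graph.

```python
"""Build and audit an Intune iOS app protection (MAM) policy as Microsoft Graph JSON.
Added example, not the article's code. Property names and enum values follow the Graph
iosManagedAppProtection resource as I recall them; verify them against the Graph
reference before sending. Nothing here calls Graph, so the script runs offline."""
import re

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def duration_minutes(value):
    """Convert an ISO 8601 duration ('PT30M', 'PT12H', 'P90D') to minutes.
    The portal shows minutes and days, but Graph stores these fields as ISO 8601."""
    m = _DURATION.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes


def recommended_policy(name="iOS-MAMOnly-Outlook"):
    """Request body mirroring the settings recommended in the article (name is a placeholder)."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        # Data relocation
        "dataBackupBlocked": True,                                 # no iTunes/iCloud backup
        "allowedOutboundDataTransferDestinations": "managedApps",  # send to managed apps only
        "filterOpenInToOnlyManagedApps": True,
        "allowedInboundDataTransferSources": "allApps",            # receive from any app
        "saveAsBlocked": True,
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "managedBrowserToOpenLinksRequired": False,
        "appDataEncryptionType": "whenDeviceLocked",
        "contactSyncBlocked": False,
        "printBlocked": True,
        # Access requirements
        "pinRequired": True,
        "pinCharacterSet": "numeric",
        "simplePinBlocked": True,
        "minimumPinLength": 6,
        "fingerprintBlocked": False,
        "faceIdBlocked": False,
        "disableAppPinIfDevicePinIsSet": False,
        "organizationalCredentialsRequired": False,
        "periodOnlineBeforeAccessCheck": "PT30M",                  # recheck after 30 min
        # Sign-in security
        "maximumPinRetries": 5,
        "periodOfflineBeforeAccessCheck": "PT12H",                 # 720 min offline, then block
        "periodOfflineBeforeWipeIsEnforced": "P90D",               # 90 days offline, then wipe
        "deviceComplianceRequired": True,                          # block jailbroken/rooted
        "minimumRequiredOsVersion": "8.0",
    }


# Baseline checks: (property, predicate on its value, finding reported when the predicate fails).
CHECKS = (
    ("pinRequired", lambda v: v is True, "app PIN not required"),
    ("simplePinBlocked", lambda v: v is True, "simple PINs (1111, 1234) allowed"),
    ("minimumPinLength", lambda v: isinstance(v, int) and v >= 6, "PIN shorter than 6 digits"),
    ("deviceComplianceRequired", lambda v: v is True, "jailbroken/rooted devices not blocked"),
    ("allowedOutboundDataTransferDestinations", lambda v: v in ("managedApps", "none"), "data can go to unmanaged apps"),
    ("allowedOutboundClipboardSharingLevel", lambda v: v in ("managedApps", "managedAppsWithPasteIn", "blocked"), "clipboard open to unmanaged apps"),
    ("dataBackupBlocked", lambda v: v is True, "data lands in iTunes/iCloud backups"),
    ("allowedDataStorageLocations", lambda v: bool(v) and "localStorage" not in v, "local storage allowed"),
    ("periodOfflineBeforeAccessCheck", lambda v: duration_minutes(v) <= 1440, "offline grace period over one day"),
)


def audit(policy):
    """Return one finding per baseline check the policy fails (empty list means compliant)."""
    findings = []
    for prop, ok, message in CHECKS:
        value = policy.get(prop)
        try:
            passed = ok(value)
        except (TypeError, ValueError):   # missing or malformed value counts as a failure
            passed = False
        if not passed:
            findings.append(f"{prop}={value!r}: {message}")
    return findings


def weak_policy():
    """The same policy with shortcuts a rushed admin takes; audit() should flag each one."""
    policy = recommended_policy("iOS-MAMOnly-Outlook-Weak")
    policy.update({"simplePinBlocked": False, "minimumPinLength": 4,
                   "allowedOutboundClipboardSharingLevel": "allApps",
                   "deviceComplianceRequired": False, "periodOfflineBeforeAccessCheck": "P7D"})
    return policy


def assignment_body(group_object_id):
    """Body for POST <policy url>/assign (shape as I recall it from Graph: an assumption).
    MAM policies target Azure AD groups, never single users, and by object id, not by name."""
    if not re.fullmatch(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", group_object_id, re.I):
        raise ValueError("pass the group's object id (a GUID), not its display name")
    return {"assignments": [{
        "@odata.type": "#microsoft.graph.targetedManagedAppPolicyAssignment",
        "target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                   "groupId": group_object_id}}]}


if __name__ == "__main__":
    print(*audit(weak_policy()), sep="\n")
```

In a real deployment you would POST recommended_policy() to /deviceAppManagement/iosManagedAppProtections with a token holding DeviceManagementApps.ReadWrite.All, target the apps, then POST assignment_body(<group object id>) to the new policy's assign action. The part worth keeping around is audit(): run it over what GET returns for each policy to catch drift from the baseline, such as someone re-enabling simple PINs or setting the clipboard level back to allApps.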
After a while, your app protection policy will be deployed to user devices. It's important to be aware of the changes and the process users go through.
With Intune App Protection only (MAM only), the user experience is easier: users need to do very little, and the security controls are applied quickly through the business apps you want to manage and protect.
Below, in relation to the security settings we configured, are some examples of the user experience.
Accessing Managed Application
On the first launch of a managed app, a message informs the user that data in the app is now protected by the company. The app must be restarted.
And that's it! The data is protected.
Copy and paste restriction to non-managed app(s)
In this example, if the user copies text from the Outlook app and pastes it into Google Docs, the pasted text is replaced by an informative message about the data protection in place.
Restrict document storage to business storage only
As configured, corporate documents can only be saved to business storage space.
For the user, local storage is grayed out. Only OneDrive/SharePoint are available.
If the user taps More (under Other Locations), a restriction message appears as below.
If another cloud location is added (with +Add a place), the restriction also applies when the user tries to save to another cloud storage service (Dropbox, for example).
Another security feature we configured: the print restriction applies when a company document is opened within a managed application.
From the user's perspective, the Print button is grayed out.
Intune App Protection Policies offer a fast and easy way to secure your data within the business applications most used by companies (Word, Excel, PowerPoint, Outlook ...).
In addition, they preserve a good user experience and make change management smooth.