Keep it Simple with Intune – #10 Applying App Protection


In this latest addition to the Keep it Simple with Intune series, I’m introducing how to enable app protection for your work data.

With the rise of modern ways of working, users can work on a plethora of devices, such as their own BYOD enrolled Windows 10 machines. With app protection, the business can protect corporate data by enabling rules that are enforced when a user attempts to move or access the data.

The implementation pattern should be familiar by now: a profile or policy is created and then assigned out to our devices or users.

So here we go.

In the MEM Admin Center

Fire up https://devicemanagement.portal.azure.com.

Go to Apps\App protection policies

Click Create policy. You’ll be presented with a choice of device types; select Windows 10.

Give the policy a Name and optional Description. You have a choice for Enrollment state. In this instance we’ll be selecting With enrollment, for our enrolled devices. Click Next.


The next step in the policy wizard is to select the Targeted apps for the app protection policy. In the Protected apps section click Add. I have selected Office 365 for this blog post. Click OK.

Note that you have the option to exempt apps. Click Next.


In the Required settings section, choose the Windows Information Protection mode. I have selected Block, but you also have the options Allow Overrides and Silent, or you can turn it Off. For the Corporate identity field I have left the default. Click Next.

In the Advanced settings you have the option to define where protected apps can access data on the network. I have left this unchanged, as I just want to protect the data wherever the device is. Click Next.

Now we assign the policy out to our intended devices or users by selecting Included groups. In the Selected groups section click Select groups to include. Then choose your group or groups and click Select. Then click Next.

Finally, review your settings and, when happy, click Create.

The newly created policy will show up in our list of policies.
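To check the same thing from the command line, here is an added example (not part of the original post) that reads the "With enrollment" policies back through Microsoft Graph and flags any that are not in Block mode, are unassigned, or carry exempt apps. It assumes the Microsoft.Graph.Authentication PowerShell module is installed and that your account can consent to the DeviceManagementApps.Read.All scope.

```powershell
# Added example, not from the original post.
# Assumes: Microsoft.Graph.Authentication module, read access to Intune app policies.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'

# Graph enforcementLevel values mapped to the mode names shown in the policy wizard.
$modeNames = @{
    noProtection          = 'Off'
    encryptAndAuditOnly   = 'Silent'
    encryptAuditAndPrompt = 'Allow Overrides'
    encryptAuditAndBlock  = 'Block'
}

# Policies created "With enrollment" are exposed under this collection.
$uri = 'https://graph.microsoft.com/v1.0/deviceAppManagement/mdmWindowsInformationProtectionPolicies'

$report = while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    foreach ($policy in $page.value) {
        $findings = @()

        # Anything other than Block lets data leave the protected boundary.
        if ($policy.enforcementLevel -ne 'encryptAuditAndBlock') {
            $findings += 'mode is not Block'
        }
        # A policy with no included groups protects nothing.
        if (-not $policy.isAssigned) {
            $findings += 'not assigned to any group'
        }
        # Exempt apps can read work data without the policy's restrictions.
        if ($policy.exemptApps.Count -gt 0) {
            $findings += "$($policy.exemptApps.Count) exempt app(s)"
        }

        [pscustomobject]@{
            Policy        = $policy.displayName
            Mode          = $modeNames[[string]$policy.enforcementLevel]
            ProtectedApps = $policy.protectedApps.Count
            Findings      = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }

    # Follow paging until Graph stops returning a next link.
    $uri = $page.'@odata.nextLink'
}

$report | Format-Table -AutoSize -Wrap
```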


On the endpoints

After our device has synced in and picked up the assigned policy we can see the App Protection policy in action.

I’ve opened up Microsoft Word and created a simple document.


When I save the document, note the padlock in the File name field: I have the choice to mark it as Work or Personal. When saved as Work, our WIP policy kicks in.

Once protected, the next time I want to save the document I only have the choice to save it as a protected document, as this is a corporate document.

If I try to copy and paste out data I’m informed that I can’t.


This is a very basic example of app protection and I recommend that you read up on the Microsoft documentation in App protection policies overview here. For a full list of the Intune protected apps go here.
