In this latest addition to the Keep it Simple with Intune series, I’m introducing how to enable app protection for your work data.

With the raise of modern ways of working users can work on a plethora of devices such as their own BYOD enrolled Windows 10 machines. With app protection, the business is able to protect corporate data by enabling rules which are enforced if a user attempts to move or access the data.

The standards for implementing should now be becoming familiar. A profile or policy is created and then assigned out to our devices or users.

So here we go.

In the MEM Admin Center

Fire up https://devicemanagement.portal.azure.com.

Go to Apps\App protection policies

AppProtect-001.JPGClick Create policy. You’ll be presented with a choice of device types, select Windows 10.

AppProtect-002.JPG

Give the policy a Name and optional Description. You have a choice for Enrollment state. In this instance we’ll be selecting With enrollment, for our enrolled devices. Click Next.

AppProtect-003.JPG

The next step in the policy wizard is to selected the Targeted Apps for the app protection policy. In the Protected apps section click Add. I have selected Office 365 for this blog post. Click OK.

AppProtect-004.JPG

Note that you have the option to exempt apps. Click Next.

AppProtect-005.JPG

In the Required settings section, choose the Windows Information Policy mode section I have selected Block but you have the option for Allow Overrides and Silent or even turn Off. For the Corporate Identity section I have left the default. Click Next.

AppProtect-006.JPG

In the Advanced settings you have the option to add in where protected apps can be accessed on the network. I have left this as is as I just want to protect the data wherever the device is. Click Next.

AppProtect-007.JPG

Now we assign out to our intended devices or user by selecting Included groups. In the Selected groups section click Select groups to include. Then choose your group/s and click Select. Then click Next.

AppProtect-008.JPGFinally review your settings and when happy click Create.

AppProtect-009.JPG

The newly created policy will show up in our list of policies.

AppProtect-010.JPG

On the endpoints

After our device has synced in and picked up the assigned policy we can see the App Protection policy in action.

I’ve opened up Microsoft Word and created a simple document.

AppProtect-011.JPG

When I save the document note the padlock in the File name field, I have the choice to mark as a Work or Personal. When saved as Work, our WIP policy kicks in.

AppProtect-012.JPG

Once protected, the next time I want to save the device I only have the choice to save as the protected document as this is a corporate document.

AppProtect-013.JPG

If I try to copy and paste out data I’m informed that I can’t.

AppProtect-014.JPG

This is a very basic example of app protection and I recommend that you read up on the Microsoft documentation in App protection policies overview here. For a full list of the Intune protected apps go here.

Be sure to take a look at the other blog posts in the series: