When you use App Protection Policies in Intune for Windows 10 devices you will want to ring fence your applications and to manage and protect your organization’s data within an application.
When creating the App Protection rule you’ll add in the apps you want to protect. I have a simple example as part of my Keep it Simple with Intune series here.
As you can see below, I have attempted to save my Word file to OneDrive storage. Since I have added OneDrive to my App Protection Policy as a Protected App, along with my Microsoft 365 apps, then the document can only be saved as a Work document.
Note also, that the File Ownership is set on all files and folders in OneDrive as company protected.
When atttempting to save the file I received the following error.
You can't save the work here. Please choose another location, or change the file to Personal.
If I try and save via the Save icon in Word I received a slightly different error.
The file can only be saved to a work location. Please save it in a location that your organization has approved for work files.
And, if I try to open a document I will get the error.
This file can only be openeded from a work location. Please move it to a location that your organization has approved for work files.
If you take a look in Task Manager, under the Details tab, you can turn on the column for Enterprise context. Here you can see that both Word and OneDrive are using the Enterprise context.
So what’s going on here. Well as part of the App Protection Policy configuration you need to set up your network boundary and define the cloud resources based on the applications being used. Microsoft has a list of the URLs which need to be defined here.
For OneDrive we need to tap into the Sharepoint Online URLs which are listed as follows:
Obviously we need to swap out contoso with our own domain details. These will be the domain you use in your onmicrosoft.com address.
As you can see from my App Protection Policy, I don’t have a network bounday configured. Network boundary – 0 configued, hence my problem.
So edit your Advanced settings and click the +Add link under Any network boundaries you add will show up here.
Chosse Cloud resources from the Boundary type and give the rule a Name.
Add in the URLs you need in the Value section, separated by a Pipe | and also add /*AppCompat*/ to the end of your rules.
So for example:
The rule will be validated so any syntax problems will be result in a warning message.
With the rule defined and devices synched to pick up the policies, you’ll be able to save your work documents in the OneDrive storage as you originally intended.