Android app protection policy settings in Microsoft Intune

This article describes the app protection policy settings for Android devices. The policy settings that are described can be configured for an app protection policy on the Settings pane in the portal. There are three categories of policy settings: data protection settings, access requirements, and conditional launch. In this article, the term policy-managed apps refers to apps that are configured with app protection policies.

Important

The Intune Company Portal is required on the device to receive App Protection Policies for Android devices.

The Intune Managed Browser has been retired. Use Microsoft Edge for your protected Intune browser experience.

Data protection

Data Transfer

Setting How to use Default value
Backup org data to Android backup services Select Block to prevent this app from backing up work or school data to the Android Backup Service.

Select Allow to allow this app to back up work or school data.
Allow
Send org data to other apps Specify what apps can receive data from this app:
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app.
  • None: Don't allow data transfer to any app, including other policy-managed apps.

There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn't support Intune APP. For more information, see Data transfer exemptions.

This policy may also apply to Android App Links. General web links are managed by the Open app links in Intune Managed Browser policy setting.

Note

Intune doesn't currently support the Android Instant Apps feature. Intune will block any data connection to or from the app. For more information, see Android Instant Apps in the Android Developer documentation.

If Send org data to other apps is configured to All apps, text data may still be transferred via OS sharing to the clipboard.

All apps
    Select apps to exempt
This option is available when you select Policy managed apps for the previous option.
    Save copies of org data
Choose Block to disable the use of the Save As option in this app. Choose Allow if you want to allow the use of Save As. When set to Block, you can configure the setting Allow user to save copies to selected services.

Note:
  • This setting is supported for Microsoft Excel, OneNote, PowerPoint, Word, and Edge. It may also be supported by third-party and LOB apps.
  • This setting is only configurable when the setting Send org data to other apps is set to Policy managed apps.
  • This setting will be "Allow" when the setting Send org data to other apps is set to All apps.
  • This setting will be "Block" with no allowed service locations when the setting Send org data to other apps is set to None.
  • This setting will save files as encrypted if Encrypt org data is set to Require.
Allow
      Allow user to save copies to selected services
Users can save to the selected services (OneDrive for Business, SharePoint, Photo Library, Box, and Local Storage). All other services will be blocked. 0 selected
    Transfer telecommunications data to
Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app:
  • None, do not transfer this data between apps: Don't transfer communication data when a phone number is detected.
  • A specific dialer app: Allow a specific dialer app to initiate contact when a phone number is detected.
  • Any policy-managed dialer app: Allow any policy managed dialer app to initiate contact when a phone number is detected.
  • Any dialer app: Allow any dialer app to be used to initiate contact when a phone number is detected.
Any dialer app
      Dialer App Package ID
When a specific dialer app has been selected, you must provide the app package ID. Blank
      Dialer App Name
When a specific dialer app has been selected, you must provide the name of the dialer app. Blank
    Transfer messaging data to
Typically, when a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app:
  • None, do not transfer this data between apps: Don't transfer communication data when a phone number is detected.
  • A specific messaging app: Allow a specific messaging app to be used to initiate contact when a phone number is detected.
  • Any policy-managed messaging app: Allow any policy-managed messaging app to be used to initiate contact when a phone number is detected.
  • Any messaging app: Allow any messaging app to be used to initiate contact when a phone number is detected.
Any messaging app
      Messaging App Package ID
When a specific messaging app has been selected, you must provide the app package ID. Blank
      Messaging App Name
When a specific messaging app has been selected, you must provide the name of the messaging app. Blank
Receive data from other apps Specify what apps can transfer data to this app:
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps: Allow data transfer from any app.
  • None: Don't allow data transfer from any app, including other policy-managed apps.

There are some exempt apps and services from which Intune may allow data transfer. See Data transfer exemptions for a full list of apps and services.

All apps
    Open data into Org documents
Select Block to disable the use of the Open option or other options to share data between accounts in this app. Select Allow if you want to allow the use of Open.

When set to Block, you can configure the Allow user to open data from selected services setting to specify which services are allowed for Org data locations.

Note:
  • This setting is only configurable when the setting Receive data from other apps is set to Policy managed apps.
  • This setting will be "Allow" when the setting Receive data from other apps is set to All apps.
  • This setting will be "Block" with no allowed service locations when the setting Receive data from other apps is set to None.
  • The following apps support this setting:
    • OneDrive 6.14.1 or later.
    • Outlook for Android 4.2039.2 or later.
    • Teams for Android 1416/1.0.0.2021173701 or later.


Allow
      Allow users to open data from selected services
Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.

Supported services:
  • OneDrive for Business
  • SharePoint Online
  • Camera
  • Photo Library
Note: Camera doesn't include Photos or Photo Gallery access. Selecting Photo Library (which includes Android's Photo picker tool) in the Allow users to open data from selected services setting lets managed accounts bring images and video from the device's local storage into their managed apps.
All selected
Restrict cut, copy and paste between other apps Specify when cut, copy, and paste actions can be used with this app. Choose from:
  • Blocked: Don't allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Any app
    Cut and copy character limit for any app
Specify the number of characters that may be cut or copied from org data and accounts. This will allow sharing of the specified number of characters when it would be otherwise blocked by the "Restrict cut, copy, and paste with other apps" setting.

Default Value = 0

Note: Requires Intune Company Portal version 5.0.4364.0 or later.

0
Screen capture and Google Assistant Select Block to block screen capture, block Circle to Search, and block Google Assistant accessing org data on the device when using this app. Choosing Block will also blur the App-switcher preview image when using this app with a work or school account.

Note: Google Assistant may be accessible to users for scenarios that don't access org data.

Block
Approved keyboards Select Require and then specify a list of approved keyboards for this policy.

Users who aren't using an approved keyboard receive a prompt to download and install an approved keyboard before they can use the protected app. This setting requires the app to have the Intune SDK for Android version 6.2.0 or later.

Not required
    Select keyboards to approve
This option is available when you select Require for the previous option. Choose Select to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. Over time, Microsoft may add additional keyboards to the list for new App Protection Policies, which will require administrators to review and update existing policies as needed.

To add a keyboard, specify:

  • Name: A friendly name that identifies the keyboard, and is visible to the user.
  • Package ID: The Package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/details?id=com.contosokeyboard.android.prod, then the Package ID is com.contosokeyboard.android.prod. This package ID is presented to the user as a simple link to download the keyboard from Google Play.

Note: A user assigned multiple App Protection Policies will be allowed to use only the approved keyboards common to all policies.

Encryption

Setting How to use Default value
Encrypt org data Choose Require to enable encryption of work or school data in this app. Intune uses a wolfSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted and can only be opened by apps that support Intune's app protection policies and have policy assigned. New files will be encrypted with 256-bit keys. Existing 128-bit encrypted files will undergo a migration attempt to 256-bit keys, but the process is not guaranteed. Files encrypted with 128-bit keys will remain readable.

The encryption method is FIPS 140-2 validated; for more information, see wolfCrypt FIPS 140-2 and FIPS 140-3.
Require
    Encrypt org data on enrolled devices
Select Require to enforce encrypting org data with Intune app layer encryption on all devices. Select Not required to not enforce encrypting org data with Intune app layer encryption on enrolled devices. Require

Functionality

Setting How to use Default value
Sync policy managed app data with native apps or add-ins Choose Block to prevent policy managed apps from saving data to the device's native apps (Contacts, Calendar and widgets) and to prevent the use of add-ins within the policy managed apps. If not supported by the application, saving data to native apps and using add-ins will be allowed.

If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.

Applications may provide additional controls to customize the data sync behavior to specific native apps or not honor this control.

Note: When you perform a selective wipe to remove work, or school data from the app, data synced directly from the policy managed app to the native app is removed. Any data synced from the native app to another external source won't be wiped.

Note: The following apps support this feature:
Allow
Printing Org data Choose Block to prevent the app from printing work or school data. If you leave this setting to Allow, the default value, users will be able to export and print all Org data. Allow
Restrict web content transfer with other apps Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
  • Any app: Allow web links in any app.
  • Intune Managed Browser: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.
  • Microsoft Edge: Allow web content to open only in Microsoft Edge. This browser is a policy-managed browser.
  • Unmanaged browser: Allow web content to open only in the unmanaged browser defined by Unmanaged browser protocol setting. The web content will be unmanaged in the target browser.
    Note: Requires Intune Company Portal version 5.0.4415.0 or later.


  • Policy-managed browsers
    On Android, your end users can choose from other policy-managed apps that support http/https links if neither Intune Managed Browser nor Microsoft Edge is installed.

    If a policy-managed browser is required but not installed, your end users will be prompted to install Microsoft Edge.

    If a policy-managed browser is required, Android App Links are managed by the Allow app to transfer data to other apps policy setting.

    Intune device enrollment
    If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.

    Policy-managed Microsoft Edge
    The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Microsoft Entra accounts in the Microsoft Edge browser application will be protected by Intune. The Microsoft Edge browser integrates the APP SDK and supports all of its data protection policies, with the exception of preventing:

    • Save-as: The Microsoft Edge browser doesn't allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).
    • Contact sync: The Microsoft Edge browser doesn't save to native contact lists.
    Note: The APP SDK cannot determine if a target app is a browser. On Android devices, other managed browser apps that support the http/https intent are allowed.
Not configured
    Unmanaged Browser ID
Enter the application ID for a single browser. Web content (http/https links) from policy managed applications will open in the specified browser. The web content will be unmanaged in the target browser. Blank
    Unmanaged Browser Name
Enter the application name for the browser associated with the Unmanaged Browser ID. This name will be displayed to users if the specified browser is not installed. Blank
Org data notifications Specify how much org data is shared via OS notifications for org accounts. This policy setting will impact the local device and any connected devices such as wearables and smart speakers. Apps may provide additional controls to customize notification behavior or may choose to not honor all values. Select from:
  • Block: Don't share notifications.
    • If not supported by the application, notifications will be allowed.
  • Block org data: Don't share org data in notifications. For example, "You have new mail"; "You have a meeting".
    • If not supported by the application, notifications will be blocked.
  • Allow: Shares org data in the notifications.

Note: This setting requires app support:

  • Outlook for Android 4.0.95 or later
  • Teams for Android 1416/1.0.0.2020092202 or later.
Allow

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policies allow data transfer to and from. For example, all Intune-managed apps on Android must be able to transfer data to and from the Google Text-to-speech, so that text from your mobile device screen can be read aloud. This list is subject to change and reflects the services and apps considered useful for secure productivity.

Full exemptions

These apps and services are fully allowed for data transfer to and from Intune-managed apps.

| App/service name | Description |
| --- | --- |
| com.android.phone | Native phone app |
| com.android.vending | Google Play Store |
| com.google.android.webview | WebView, which is necessary for many apps including Outlook. |
| com.android.webview | WebView, which is necessary for many apps including Outlook. |
| com.google.android.tts | Google Text-to-speech |
| com.android.providers.settings | Android system settings |
| com.android.settings | Android system settings |
| com.azure.authenticator | Azure Authenticator app, which is required for successful authentication in many scenarios. |
| com.microsoft.windowsintune.companyportal | Intune Company Portal |
| com.android.providers.contacts | Native contacts app |

Conditional exemptions

These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions.

| App/service name | Description | Exemption condition |
| --- | --- | --- |
| com.android.chrome | Google Chrome Browser | Chrome is used for some WebView components on Android 7.0+ and is never hidden from view. Data flow to and from the app, however, is always restricted. |
| com.skype.raider | Skype | The Skype app is allowed only for certain actions that result in a phone call. |
| com.android.providers.media | Android media content provider | The media content provider is allowed only for the ringtone selection action. |
| com.google.android.gms; com.google.android.gsf | Google Play Services packages | These packages are allowed for Google Cloud Messaging actions, such as push notifications. |
| com.google.android.apps.maps | Google Maps | Addresses are allowed for navigation. |
| com.android.documentsui | Android Document Picker | Allowed when opening or creating a file. |
| com.google.android.documentsui | Android Document Picker (Android 10+) | Allowed when opening or creating a file. |

For more information, see Data transfer policy exceptions for apps.

Access requirements

Setting How to use
PIN for access Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context.

Default value = Require

You can configure the PIN strength using the settings available under the PIN for access section.

Note: End-users that are allowed to access the app can reset the app PIN. This setting may not be visible in some cases on Android devices. Android devices have a maximum limitation of four available shortcuts. When the maximum has been reached, the end user must remove any personalized shortcuts (or access the shortcut from a different managed app view) to view the reset APP PIN shortcut. Alternatively, the end user could pin the shortcut to their homepage.

    PIN type
Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.

Default value = Numeric

Note: Special characters allowed include the special characters and symbols on the Android English language keyboard.
    Simple PIN
Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in 3-character sliding windows. If Block is configured, 1235 or 1112 wouldn't be accepted as a PIN set by the end user, but 1122 would be allowed.

Default value = Allow

Note: If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter or at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number and one letter and at least one special character in their PIN.
    Select minimum PIN length
Specify the minimum number of digits in a PIN sequence.

Default value = 4
    Biometrics instead of PIN for access
Select Allow to allow the user to use biometrics to authenticate users on Android devices. If allowed, biometrics is used to access the app on Android 10 or higher devices.
    Override biometric with PIN after timeout
To use this setting, select Require and then configure an inactivity timeout.

Default value = Require
      Timeout (minutes of inactivity)
Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a biometric. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.

Default value = 30
    Class 3 biometrics (Android 9.0+)
Select Require to require the user to sign in with class 3 biometrics. For more information on class 3 biometrics, see Biometrics in Google's documentation.
    Override biometrics with PIN after biometric updates
Select Require to override the use of biometrics with PIN when a change in biometrics is detected.

NOTE:
This setting only takes effect once a biometric has been used to access the app. Depending on the Android device manufacturer, not all forms of biometrics may be supported for cryptographic operations. Currently, cryptographic operations are supported for any biometric (e.g., fingerprint, iris, or face) on the device that meets or exceeds the requirements for Class 3 biometrics, as defined in the Android documentation. See the BIOMETRIC_STRONG constant of the BiometricManager.Authenticators interface and the authenticate method of the BiometricPrompt class. You may need to contact your device manufacturer to understand the device-specific limitations.

    PIN reset after number of days
Select Yes to require users to change their app PIN after a set period of time, in days.

When set to Yes, you then configure the number of days before the PIN reset is required.

Default value = No
      Number of days
Configure the number of days before the PIN reset is required.

Default value = 90
    Select number of previous PIN values to maintain
This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining.

Default value = 0
    App PIN when device PIN is set
Select Not required to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.

Default value = Require.
Work or school account credentials for access Choose Require to require the user to sign in with their work or school account instead of entering a PIN for app access. When set to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.

Default value = Not required
Recheck the access requirements after (minutes of inactivity) Configure the following setting:
  • Timeout: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN and Blocks rooted devices in the policy, a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user won't have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value.

    This policy setting format supports a positive whole number.

    Default value = 30 minutes

    Note: On Android, the PIN is shared with all Intune-managed apps. The PIN timer is reset once the app leaves the foreground on the device. The user won't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting.

Note

To learn more about how multiple Intune app protection settings configured in the Access section to the same set of apps and users work on Android, see Intune MAM frequently asked questions and Selectively wipe data using app protection policy access actions in Intune.
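The PIN type, Simple PIN, minimum length and PIN history rules from the table above, modelled as an added example that is not Intune's own code. The function names and result codes are hypothetical; it assumes only repeated and ascending 3-character windows count as simple (the page gives no descending example) and treats `string.punctuation` as the special-character set.

```python
import string


def simple_windows(pin: str) -> list[str]:
    """Return every 3-character window that is a repeat (111, aaa) or an
    ascending run of digits or letters (123, abc)."""
    hits = []
    for i in range(len(pin) - 2):
        window = pin[i:i + 3]
        run = window.lower()
        repeated = len(set(run)) == 1
        # Assumption: only ascending runs within one character class are
        # "simple"; descending runs such as 321 are not described on the page.
        ascending = (
            window.isascii()
            and (window.isdigit() or window.isalpha())
            and ord(run[1]) - ord(run[0]) == 1
            and ord(run[2]) - ord(run[1]) == 1
        )
        if repeated or ascending:
            hits.append(window)
    return hits


def validate_pin(pin, pin_type="numeric", simple_pin="allow",
                 min_length=4, previous_pins=()):
    """Return a list of rule violations; an empty list means the PIN is accepted.

    Defaults mirror the documented defaults: Numeric, Simple PIN = Allow,
    minimum length 4, no PIN history.
    """
    problems = []
    if len(pin) < min_length:
        problems.append("too_short")

    has_digit = any(c in string.digits for c in pin)
    has_letter = any(c in string.ascii_letters for c in pin)
    # Assumption: ASCII punctuation stands in for "special characters and
    # symbols on the Android English language keyboard".
    has_special = any(c in string.punctuation for c in pin)

    if pin_type == "numeric":
        if not pin or any(c not in string.digits for c in pin):
            problems.append("not_numeric")
    elif pin_type == "passcode":
        if simple_pin == "block":
            # Passcode + Block: a number, a letter and a special character.
            if not (has_digit and has_letter and has_special):
                problems.append("needs_digit_letter_special")
        elif not (has_letter or has_special):
            # Passcode + Allow: at least one letter or one special character.
            problems.append("needs_letter_or_special")
    else:
        raise ValueError(f"unknown PIN type: {pin_type!r}")

    if simple_pin == "block":
        problems += [f"simple_sequence:{w}" for w in simple_windows(pin)]

    # PIN history is compared in plaintext here to keep the model short.
    if pin in previous_pins:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # The page's own examples with Simple PIN set to Block.
    for candidate in ("1235", "1112", "1122"):
        print(candidate, validate_pin(candidate, simple_pin="block"))
```
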

Conditional launch

Configure conditional launch settings to set sign-in security requirements for your app protection policy.

By default, several settings are provided with pre-configured values and actions. You can delete some settings, like the Min OS version. You can also select additional settings from the Select one dropdown.

App conditions

Setting How to use
Max PIN attempts Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their PIN after successfully logging into their account and completing a Multi-Factor Authentication (MFA) challenge if required. This policy setting format supports a positive whole number.

Actions include:

  • Reset PIN - The user must reset their PIN.
  • Wipe data - The user account that is associated with the application is wiped from the device.
Default value = 5
Offline grace period The number of minutes that managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked.

Actions include:

  • Block access (minutes) - The number of minutes that managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After this period expires, the app requires user authentication to Microsoft Entra ID so that the app can continue to run.

    This policy setting format supports a positive whole number.

    Default value = 1440 minutes (24 hours)

    Note: Configuring the Offline grace period timer for blocking access to be less than the default value may result in more frequent user interruptions as policy is refreshed. Choosing a value of less than 30 mins is not recommended as it may result in user interruptions at each application launch or resume.
  • Wipe data (days) - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. For more information, see How to wipe only corporate data from Intune-managed apps. This policy setting format supports a positive whole number.

    Default value = 90 days
This entry can appear multiple times, with each instance supporting a different action.
Min app version Specify a value for the minimum application version value.

Actions include:

  • Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user is blocked from access if the app version on the device doesn't meet the requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, Outlook version policy).

This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports either major.minor, major.minor.build, major.minor.build.revision.

Additionally, you can configure where your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the min app version conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On Android, this feature uses the Company Portal. To configure where an end user should update a LOB app, the app needs a managed app configuration policy sent to it with the key, com.microsoft.intune.myappstore. The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.
Disabled account There is no value to set for this setting.

Actions include:

  • Block access - The user is blocked from access because their account has been disabled.
  • Wipe data - The user account that is associated with the application is wiped from the device.
Non-working time There is no value to set for this setting.

Actions include:

  • Block access - The user is blocked from access because the user account that is associated with the application is in non-working time.
  • Warn - The user sees a notification if the user account that is associated with the application is in non-working time. The notification can be dismissed.
Note: This setting must only be configured if the tenant has been integrated with the Working Time API. For more information about integrating this setting with the Working Time API, see Limit access to Microsoft Teams when frontline workers are off shift. Configuring this setting without integrating with the Working Time API could result in accounts getting blocked due to missing working time status for the managed account associated with the application.

The following apps support this feature with Company Portal v5.0.5849.0 or later:

  • Teams for Android v1416/1.0.0.2023226005 (2023226050) or later
  • Edge for Android v125.0.2535.96 or later

Device conditions

Setting How to use
Jailbroken/rooted devices Specify whether to block access to the device or wipe the device data for jailbroken/rooted devices. Actions include:
  • Block access - Prevent this app from running on jailbroken or rooted devices. The user continues to be able to use this app for personal tasks, but will have to use a different device to access work or school data in this app.
  • Wipe data - The user account that is associated with the application is wiped from the device.
Min OS version Specify a minimum Android operating system that is required to use this app. OS versions below the specified Min OS version will trigger the actions. Actions include:
  • Warn - The user will see a notification if the Android version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user will be blocked from access if the Android version on the device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
This policy setting format supports either major.minor, major.minor.build, major.minor.build.revision.
Max OS version Specify a maximum Android operating system that is required to use this app. OS versions below the specified Max OS version will trigger the actions. Actions include:
  • Warn - The user will see a notification if the Android version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user will be blocked from access if the Android version on the device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
This policy setting format supports either major.minor, major.minor.build, major.minor.build.revision.
Min patch version Require devices have a minimum Android security patch released by Google.
  • Warn - The user will see a notification if the Android version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user will be blocked from access if the Android version on the device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
This policy setting supports the date format of YYYY-MM-DD.
Device manufacturer(s) Specify a semicolon separated list of manufacturer(s). These values are not case sensitive. Actions include:
  • Allow specified (Block non-specified) - Only devices that match the specified manufacturer can use the app. All other devices are blocked.
  • Allow specified (Wipe non-specified) - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Conditional Launch actions.
Play integrity verdict App protection policies support some of Google Play Integrity APIs. This setting in particular configures Google's Play Integrity check on end user devices to validate the integrity of those devices. Specify either Basic integrity or Basic integrity and device integrity.

Basic integrity tells you about the general integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity & certified devices tells you about the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.

If you select Play integrity verdict as required for conditional launch, you can specify that a strong integrity check is used as the evaluation type. The presence of a strong integrity check as the evaluation type will indicate greater integrity of a device. Devices that do not support strong integrity checks will be blocked by the MAM policy if they are targeted with this setting. The strong integrity check provides a more robust root detection in response to newer types of rooting tools and methods that cannot always be reliably detected by a software-only solution.

Within APP, hardware attestation will be enabled by setting Play integrity verdict evaluation type to Check strong integrity once Play integrity verdict is configured, and Required SafetyNet evaluation type to strong integrity check once Device integrity check is configured. Hardware-backed attestation leverages a hardware-based component which shipped with devices installed with Android 8.1 and later. Devices that were upgraded from an older version of Android to Android 8.1 are unlikely to have the hardware-based components necessary for hardware-backed attestation. While this setting should be widely supported starting with devices that shipped with Android 8.1, Microsoft strongly recommends testing devices individually before enabling this policy setting broadly.

Important: Devices that do not support this evaluation type will be blocked or wiped based on the Device integrity check action. Organizations that would like to use this functionality will need to ensure users have supported devices. For more information on Google’s recommended devices, see Android Enterprise Recommended requirements.

Actions include:

  • Warn - The user sees a notification if the device does not meet Google's device integrity check based on the value configured. This notification can be dismissed.
  • Block access - The user is blocked from access if the device does not meet Google's device integrity check based on the value configured.
  • Wipe data - The user account that is associated with the application is wiped from the device.
For commonly asked questions related to this setting, see Frequently asked questions about MAM and app protection.
Require threat scan on apps App protection policies support some of Google Play Protect's APIs. This setting in particular ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end user will be blocked from access until they turn on Google's app scanning on their Android device. Actions include:
  • Warn - The user sees a notification if Google's Verify Apps scan on the device is not turned on. This notification can be dismissed.
  • Block access - The user is blocked from access if Google's Verify Apps scan on the device is not turned on.
Results from Google's Verify Apps scan are surfaced in the Potentially Harmful Apps report in the console.
Required SafetyNet evaluation type Hardware-backed attestation enhances the existing SafetyNet attestation service check. You can set the value to Hardware-backed key after setting SafetyNet device attestation.
Require device lock This setting determines whether the Android device has a device PIN that meets the minimum password requirement. The App protection policy can take action if the device lock doesn’t meet the minimum password requirement.

Values include:

  • Low Complexity
  • Medium Complexity
  • High Complexity

This complexity value is targeted to Android 12+. For devices operating on Android 11 and earlier, setting a complexity value of low, medium, or high will default to the expected behavior for Low Complexity. For more information, see Google's developer documentation getPasswordComplexity, PASSWORD_COMPLEXITY_LOW, PASSWORD_COMPLEXITY_MEDIUM, and PASSWORD_COMPLEXITY_HIGH.

Actions include:

  • Warn - The user sees a notification if the device lock doesn’t meet the minimum password requirement. The notification can be dismissed.
  • Block access - The user will be blocked from access if the device lock doesn’t meet the minimum password requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device if the device lock doesn’t meet the minimum password requirement.
Min Company Portal version By using the Min Company Portal version, you can specify a specific minimum defined version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to set values to Block access, Wipe data, and Warn as possible actions when each value is not met. The possible formats for this value follow the pattern [Major].[Minor], [Major].[Minor].[Build], or [Major].[Minor].[Build].[Revision]. Given that some end users may not prefer a forced update of apps on the spot, the 'warn' option may be ideal when configuring this setting. The Google Play Store does a good job of only sending the delta bytes for app updates, but this can still be a large amount of data that the user may not want to utilize if they are on data at the time of the update. Forcing an update and thereby downloading an updated app could result in unexpected data charges at the time of the update. For more information, see Android policy settings.
Max Company Portal version age (days) You can set a maximum number of days as the age of the Company Portal (CP) version for Android devices. This setting ensures that end users are within a certain range of CP releases (in days). The value must be between 0 and 365 days. When the setting for the devices is not met, the action for this setting is triggered. Actions include Block access, Wipe data, or Warn. For related information, see Android policy settings. Note: The age of the Company Portal build is determined by Google Play on the end user device.
Samsung Knox device attestation Specify if the Samsung Knox device attestation check is required. Only unmodified devices that have been verified by Samsung can pass this check. For the list of supported devices, see samsungknox.com.

By using this setting, Microsoft Intune will also verify communication from the Company Portal to the Intune Service was sent from a healthy device.

Actions include:
  • Warn - The user sees a notification if the device doesn't meet Samsung Knox device attestation check. This notification can be dismissed.
  • Block access - The user account is blocked from access if the device doesn't meet Samsung's Knox device attestation check.
  • Wipe data - The user account that is associated with the application is wiped from the device.

Note: The user must accept the Samsung Knox terms before the device attestation check can be performed. If the user doesn't accept the Samsung Knox terms, the specified action will occur.

Note: This setting will apply to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters. For more information on assignment filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune.

Max allowed device threat level App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection.

Actions include:

  • Block access - The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Enable the Mobile Threat Defense connector in Intune for unenrolled devices.
Primary MTD service If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.

Values include:

  • Microsoft Defender for Endpoint - if the MTD connector is configured, specify that Microsoft Defender for Endpoint will provide the device threat level information.
  • Mobile Threat Defense (Non-Microsoft) - if the MTD connector is configured, specify that the non-Microsoft MTD will provide the device threat level information.

You must configure the setting “Max allowed device threat level” to use this setting.

There are no Actions for this setting.
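
The following sketch is an added example, not Intune's implementation. It models how a device posture could be checked against the Min OS version, Min patch version, Device manufacturer(s), and Play integrity verdict settings described above, so you can preview which action a test device would trigger before assigning a policy broadly. The dictionary keys, the mapping of setting values to Google Play Integrity `deviceRecognitionVerdict` labels, and the rule that the most severe action wins are assumptions made for illustration.

```python
from datetime import date

SEVERITY = {"warn": 1, "block": 2, "wipe": 3}  # assumed: most severe action wins
# Play Integrity deviceRecognitionVerdict labels assumed to be required per value.
INTEGRITY = {"basic": {"MEETS_BASIC_INTEGRITY"},
             "basic_and_device": {"MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"}}

def parse_version(text, min_parts=1):
    """Parse up to major.minor.build.revision, padded with zeros to four parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not min_parts <= len(parts) <= 4:
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def failed_conditions(policy, device):
    """Return a (setting, action) pair for every condition the device fails."""
    failed = []
    rule = policy.get("min_os_version")  # policy value needs at least major.minor
    if rule and parse_version(device["os_version"]) < parse_version(rule["value"], 2):
        failed.append(("Min OS version", rule["action"]))
    rule = policy.get("min_patch_version")  # YYYY-MM-DD on both sides
    if rule and date.fromisoformat(device["patch"]) < date.fromisoformat(rule["value"]):
        failed.append(("Min patch version", rule["action"]))
    rule = policy.get("manufacturers")  # semicolon separated, case-insensitive
    if rule:
        allowed = {m.strip().casefold() for m in rule["value"].split(";") if m.strip()}
        if device["manufacturer"].strip().casefold() not in allowed:
            failed.append(("Device manufacturer(s)", rule["action"]))
    rule = policy.get("play_integrity")
    if rule:
        required = set(INTEGRITY[rule["value"]])
        if rule.get("strong"):  # "Check strong integrity" evaluation type
            required.add("MEETS_STRONG_INTEGRITY")
        if not required <= set(device["integrity_labels"]):
            failed.append(("Play integrity verdict", rule["action"]))
    return failed

def launch_decision(policy, device):
    """Return the most severe triggered action, or 'allow' if nothing failed."""
    actions = [action for _, action in failed_conditions(policy, device)]
    return max(actions, key=SEVERITY.get, default="allow")

# Constructed sample policy and device posture (not real data).
POLICY = {"min_os_version": {"value": "12.0", "action": "block"},
          "min_patch_version": {"value": "2024-01-01", "action": "warn"},
          "manufacturers": {"value": "Samsung; Google", "action": "wipe"},
          "play_integrity": {"value": "basic_and_device", "strong": True, "action": "block"}}
DEVICE = {"os_version": "13", "patch": "2023-11-05", "manufacturer": "samsung",
          "integrity_labels": ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]}
```

The sample device passes the OS version and manufacturer checks but fails the patch date and the strong integrity requirement, so the modeled outcome is Block access.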