Override Biometric with PIN option in iOS app protection policy

Shekhar, Sumeet (Cognizant) 66 Reputation points
2022-12-09T06:26:32.923+00:00

Scenario: We have an app protection policy created for Outlook for all unmanaged devices (MAM without enrollment). Face ID is enabled in the Outlook app.
Policy pic is attached.

For the setting "Override biometric with PIN after timeout", whether we select "Require" or "Not required", it always prompts for Face ID and PIN after "Recheck the access requirements after (minutes of inactivity)" is reached. Is this the correct behaviour?

268789-outlook-biometric-2022-12-09-115107.jpg

Microsoft Security | Intune | Application management
Microsoft Security | Intune | Other

Accepted answer
  1. Lu Dai-MSFT 28,496 Reputation points
    2022-12-12T08:25:54.453+00:00

    @Shekhar, Sumeet (Cognizant)

    0-30 minutes: nothing will be asked.
    30-60 minutes: Face ID will be asked.
    After 60 minutes: only the PIN will be asked.

    If we enable the Face ID option in the app protection policy, it will not automatically enable the setting "Require Face ID" in the Outlook app. Honestly, there is no method to prevent the end user from changing this setting in the app, because Intune doesn't control it.

    Based on my understanding, if the end user manually enables "Require Face ID" in the Outlook app, Face ID is just asked for once more.
    0-30 minutes: Face ID will be asked once.
    30-60 minutes: Face ID will be asked twice.
    After 60 minutes: Face ID will be asked once first, and then the PIN.

    Hope it will clarify something.


2 additional answers

  1. Lu Dai-MSFT 28,496 Reputation points
    2022-12-09T08:51:30.767+00:00

    @Shekhar, Sumeet (Cognizant) Thanks for posting in our Q&A.

    If we set "Override biometric with PIN after timeout" to "Require", the value of "Timeout (minutes of inactivity)" should be greater than the value specified under "Recheck the access requirements after (minutes of inactivity)". If this timeout value is not met, the biometric prompt will continue to show.

    I have done the test in my lab. What I configured is the following:
    268911-image.png

    When I access Outlook after an inactivity time between 2 minutes and 5 minutes, I access it via Face ID. If we cancel Face ID manually or Face ID authentication fails, we can still use the PIN.
    When I access Outlook after 5 minutes, I can only access it via PIN. The Face ID prompt doesn't appear.

    Please try to set a greater timeout value, and check whether only the PIN prompt appears when the timeout is reached.

    Hope it will clarify something.


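The prompt timing described in the two answers above can be modelled to sanity-check a pair of timer values before assigning a policy. This is an added example, not part of the original thread and not Intune code; the class and field names are hypothetical, and treating the exact timeout minute as "timed out" is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessTimers:
    # Hypothetical field names mirroring the two portal settings in the thread.
    recheck_min: int   # "Recheck the access requirements after (minutes of inactivity)"
    override_min: int  # "Override biometric with PIN after timeout" -> timeout (minutes)

    def validate(self) -> None:
        if self.recheck_min < 0 or self.override_min < 0:
            raise ValueError("timers must be non-negative")
        # The answer states the override timeout should exceed the recheck interval.
        if self.override_min <= self.recheck_min:
            raise ValueError(
                f"override timeout ({self.override_min}) must be greater than "
                f"recheck interval ({self.recheck_min})")

def expected_prompt(t: AccessTimers, inactive_min: int) -> str:
    """Prompt expected when the app is opened after inactive_min minutes."""
    t.validate()
    if inactive_min < t.recheck_min:
        return "none"
    if inactive_min < t.override_min:
        return "biometric"  # Face ID, with PIN as fallback on cancel or failure
    return "pin"            # assumption: the boundary minute counts as timed out

def prompt_windows(t: AccessTimers, horizon_min: int) -> list[tuple[int, int, str]]:
    """Collapse per-minute results into (first_min, last_min, prompt) windows."""
    windows: list[tuple[int, int, str]] = []
    for minute in range(horizon_min + 1):
        prompt = expected_prompt(t, minute)
        if windows and windows[-1][2] == prompt:
            windows[-1] = (windows[-1][0], minute, prompt)
        else:
            windows.append((minute, minute, prompt))
    return windows

if __name__ == "__main__":
    for timers in (AccessTimers(30, 60), AccessTimers(2, 5)):  # values from the thread
        print(timers, prompt_windows(timers, timers.override_min + 10))
```

The model covers only the policy-driven prompts; the extra Face ID prompt from Outlook's own "Require Face ID" setting, which the accepted answer says Intune does not control, is outside it.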


  2. Shekhar, Sumeet (Cognizant) 66 Reputation points
    2022-12-12T07:53:37.443+00:00

    Disabled the "Require Face ID" option in the Outlook app.
    As the timeout is set to 60 mins for biometric and 30 mins for access: from 0-30 nothing will be asked, from 30-60 the PIN will be prompted, and after 60 mins Face ID should be prompted.
    Is the above statement correct?
    My confusion is: once we enable the Face ID option in the app protection policy, will it be automatically enabled on the phone, or what is the correct procedure?
