App protection policies

andreas bright 561 Reputation points
2021-01-16T19:21:01.653+00:00

Hi,

I am testing enrollment of iPhones to MS Endpoint Manager.
I have successfully enrolled one iPhone (downloaded the Company Portal and followed the steps).

Now I want to try two things:

  1. If I get an email in Outlook with attachments, I should not be allowed to save them to, for example, Dropbox.
  2. If I open a document in OneDrive and I copy some text, I should not be able to paste this information into a new mail in the Gmail app.

I have tried to configure App protection policies but everything I have tried does not seem to work. I don't know if I need to wait to see if the iPhone is in sync, or I have configured the settings wrong.

The iPhone has ownership=personal; is that a problem?
How can I change the ownership to corporate without re-enrollment?

Also, do I need to configure an App Configuration Policy? I am not sure what this actually does.

The image also shows that it has not checked in. I have tried the sync command and also Check status within Company Portal.
57372-capture.jpg
Thanks for answers.

/Andy


Accepted answer
  1. Crystal-MSFT 44,421 Reputation points Microsoft Vendor
    2021-01-18T03:14:53.493+00:00

    @andreas bright, from your description, it seems we want to forbid data sharing between some apps. If there's any misunderstanding, feel free to let us know.

    Your understanding is correct. App protection policy can help to protect data between apps. Here is the app protection policy I configured in my environment; you can use it for reference:

    57386-image.png
    57387-image.png
    https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios

    Meanwhile, for the other questions, here are my answers:
    Q1: I have tried to configure App protection policies but everything I have tried does not seem to work. I don't know if I need to wait to see if the iPhone is in sync, or I have configured the settings wrong.
    A1: The app protection policy will be synced when the device is checked in. Firstly, we can click to check the device's state in company policy, then check the "Recheck the access requirement after (minutes of inactivity)" setting; it is set to 30 minutes by default. That means we may need to wait 30 minutes before the app requires the user to specify the access requirement to do the sign-in. We can wait for that time to do the sign-in or change the value to a small number, and try to sign in again after the waiting time. If the app still does not check in, we suggest reinstalling the app and signing in again.
    57484-image.png

    Q2: The iPhone has ownership=personal; is that a problem? How can I change the ownership to corporate without re-enrollment?
    A2: I think this is not the cause of our issue. We can change it by changing the device ownership. We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/intune/enrollment/corporate-identifiers-add#change-device-ownership

    Q3: Also, do I need to configure an App Configuration Policy? I am not sure what this actually does.
    A3: No, there is no need to do this. Based on my understanding, an app configuration policy is a policy to assign configuration settings of the app to the user who runs the app. We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
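
An added example (not part of the answers above and not Microsoft's code): a Python check that takes an app protection policy in the shape of a Microsoft Graph `iosManagedAppProtection` resource and reports which settings would still allow the two scenarios from the question. The sample policy is constructed, and mapping the portal's "Recheck the access requirements after" setting to `periodOnlineBeforeAccessCheck` is an assumption.

```python
import re

# Constructed sample shaped like a Microsoft Graph iosManagedAppProtection
# resource; every value here is invented for this example.
SAMPLE_POLICY = {
    "displayName": "iOS APP - test",
    "isAssigned": True,
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": False,
    # Assumed to back the portal's "Recheck the access requirements after" value.
    "periodOnlineBeforeAccessCheck": "PT30M",
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_minutes(value):
    """Convert an ISO 8601 duration such as 'PT30M' to whole minutes."""
    match = _DURATION.match(value or "")
    if not match or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    return days * 1440 + hours * 60 + minutes + seconds // 60


def audit_policy(policy):
    """Return findings that would let either scenario from the question succeed."""
    findings = []
    if not policy.get("isAssigned"):
        findings.append("policy is not assigned to any group")
    # Scenario 1: Outlook attachment saved to an unmanaged service (Dropbox).
    if not policy.get("saveAsBlocked"):
        findings.append("saveAsBlocked is false: saving copies is allowed")
    # A missing value is treated as the permissive setting.
    if policy.get("allowedOutboundDataTransferDestinations", "allApps") == "allApps":
        findings.append("outbound transfer is allApps: unmanaged apps can receive data")
    # Scenario 2: text copied in OneDrive pasted into an unmanaged app (Gmail).
    if policy.get("allowedOutboundClipboardSharingLevel", "allApps") == "allApps":
        findings.append("clipboard level is allApps: paste into unmanaged apps works")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
    wait = duration_minutes(SAMPLE_POLICY["periodOnlineBeforeAccessCheck"])
    print(f"access requirements are rechecked after {wait} minutes of inactivity")
```

An empty result means the policy itself blocks both scenarios; it does not show that the policy has reached the device, which still depends on the app checking in.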

1 additional answer

  1. Rahul Jindal [MVP] 9,276 Reputation points MVP
    2021-01-18T22:28:17.75+00:00

    For iOS devices, MDM and APP are a little different compared to Android. In order to allow Intune to manage apps for APP, you will need to configure the config key IntuneMAMUPN; otherwise APP will not apply. You can read all about it in the official document below.

    data-transfer-between-apps-manage-ios

    Also, I have blogged about this very setup which may help you. Have a look.

    intune-application-protection-policies.html
