How long will my device be blocked with this Intune App Protection setting?

EE-9037 526 Reputation points
2021-12-06T19:57:02.233+00:00

Hi,

This is how I have it set. This is a policy for iOS on an unmanaged device. Let's use Outlook as an example here.

With this setting, does it mean that every 30 minutes, Intune will check device activity, and it will allow up to 720 minutes (12 hours time-out) of inactivity? If there is no activity on the device after 12 hours, it will ask me to authenticate. If I don't respond to the authentication, my access to Outlook will be blocked for 12 hours (Offline grace period)? If I don't use Outlook on my phone for 365 days, it will delete the data in Outlook on my phone where my corporate email is associated?

Could someone please confirm that I understand my setting correctly? If this is correct, what happens to the users' access after a weekend? Will they not be able to access Outlook on Monday and have to wait until the 12-hour block is over before the next authentication or PIN request? Does inactivity mean the user opening or using Outlook? What if a user does not open Outlook for 12 hours but is actively receiving emails and calendar alerts on the phone? Do they count as activity? Thank you.

[Attached screenshot of the App Protection Policy settings: 155403-image.png]

Microsoft Intune Application management

Accepted answer
  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-12-09T19:29:00.437+00:00

    will it wipe ALL the data due to the company policy

    Technically, that's up to how the app is designed, however, the intent is to only wipe the work data associated with the app. In the case of Outlook on iOS, which supports multiple profiles, only the work profile will be deleted and any user/personal profiles will be left untouched as they are not managed by Intune.

    For resetting a PIN, I believe the Reset Passcode functionality will reset the passcode for APP managed apps as well: https://learn.microsoft.com/en-us/mem/intune/user-help/reset-your-passcode-cpwebsite

    1 person found this answer helpful.

2 additional answers

  1. EE-9037 526 Reputation points
    2021-12-06T22:49:21.76+00:00

    For the record, I was able to test it, and this is the result for those who may have the same question.

    Inactivity and Offline are not the same. Inactivity is when the device is idle: no email is received or the user does not open the app. Offline is when the device is in airplane mode or has no Wi-Fi connection at all. In this case, if my device is idle for 720 minutes or 12 hours, I will be asked for a PIN or biometrics. If the device is in offline mode for 12 hours, I will get a message asking whether I want to remove the account from the device or turn Wi-Fi back on and "Go Back" to access it. If the device is in offline mode for 365 days, it will wipe the data.

    1 person found this answer helpful.

  2. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-12-07T15:55:45.247+00:00

    Some additional info.

    First, these settings are all documented at https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios.

    Next, some answers to the direct questions posed:

    does it mean that every 30 minutes, intune will check device activity

    No. Activity/inactivity is app specific, not device specific. It's actually a bit more nuanced than that though, as the activity timer can be shared by multiple managed apps that share the same APP. The following note from the official docs (linked previously) sums this up fairly well:

    "Note: On iOS/iPadOS, the PIN is shared amongst all Intune-managed apps of the same publisher. The PIN timer for a specific PIN is reset once the app leaves the foreground on the device. The user wouldn't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting. This policy setting format supports a positive whole number."

    If there is no activity on the device after 12 hours, it will ask me to authenticate.

    No, as noted, this is app specific as these are "app" protection policies. Apps have no way of detecting activity at a device level.

    If I don't respond to the authentication, my access to Outlook will be blocked for 12 hours (Offline grace period)?

    No, that's not what the offline grace period signifies. As @EE-9037 calls out, the offline grace period is the amount of time the app is allowed to run in the foreground while it is not connected (for whatever reason) to Intune (since all apps that are APP aware communicate with Intune directly to download APP policies). Thus, this says that an app where this policy is applied is allowed to work without connectivity for 12 hours and then will be locked from further use.

    If I don't use Outlook on my phone for 365 days, it will delete the data on my Outlook on my phone where my corporate email is associated?

    Correct.

    If this is correct, what happens to the users' access after a weekend?

    Nothing specifically. There's nothing special about a weekend. For anything to happen, the user would have to be actively using the app while not connected for 12+ hours. Then, as soon as the connection is re-established, the app would be unlocked and functionality would be returned. The question here is why they wouldn't have connectivity over the weekend.

    Will they not be able to access Outlook on Monday and have to wait after the 12-hour block is done before the next authentication or PIN request?

    No, as noted, that's not what the grace period is. Unblocking has nothing to do with the grace period, unblocking is based on connectivity. If the app never loses connectivity, the grace period is irrelevant. Even if they do lose connectivity (once again for whatever reason), they would have to be actively using the app for a total of 12 hours for it to block and 365 days for it to wipe.

    Does inactivity mean user opening or using Outlook?

    As noted, it means the apps targeted by the policy being in the background and not having focus on the device.

    What if user does not open Outlook for 12 hours but is actively receiving emails and calendar alerts on the phone?

    Nothing. As noted, the 12 hours is only significant if the app isn't connected and the user uses the app for 12+ hours.

    Do they count as an activity?

    Receiving e-mail and calendar alerts does not constitute activity. This is app specific.

    2 people found this answer helpful.
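The three timers discussed in this thread (online recheck interval, offline grace period, offline wipe interval) are exposed by Microsoft Graph on the `iosManagedAppProtection` resource as ISO 8601 durations (`periodOnlineBeforeAccessCheck`, `periodOfflineBeforeAccessCheck`, `periodOfflineBeforeWipeIsEnforced`, e.g. `PT30M`, `PT12H`, `P365D`), which is how you would audit them across a tenant rather than reading screenshots. The following is an added example, not code from the thread or from Microsoft: it parses a constructed sample of that Graph JSON (the `id` and `displayName` are made up), converts the durations to minutes, and flags any policy whose timers are looser than a hypothetical internal baseline (the baseline values are an assumption for illustration, not a Microsoft recommendation).

```python
import json
import re
from dataclasses import dataclass

# Constructed sample of the JSON Microsoft Graph returns for one entry of
# /deviceAppManagement/iosManagedAppProtections. Only the fields relevant to
# this thread are included; id and displayName are invented.
SAMPLE_POLICY_JSON = """
{
  "@odata.type": "#microsoft.graph.iosManagedAppProtection",
  "id": "00000000-0000-0000-0000-000000000000",
  "displayName": "iOS APP - unmanaged devices (constructed sample)",
  "periodOnlineBeforeAccessCheck": "PT30M",
  "periodOfflineBeforeAccessCheck": "PT12H",
  "periodOfflineBeforeWipeIsEnforced": "P365D",
  "pinRequired": true
}
"""

# Graph expresses these timers as ISO 8601 durations using days and time
# components only (no years/months/weeks), which is all this parser accepts.
_DURATION_RE = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def iso_duration_to_minutes(value: str) -> int:
    """Convert a Graph duration such as 'PT12H' or 'P365D' to whole minutes."""
    m = _DURATION_RE.match(value)
    parts = {k: int(v) for k, v in (m.groupdict().items() if m else ()) if v is not None}
    if not m or not parts:
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    return (
        parts.get("days", 0) * 24 * 60
        + parts.get("hours", 0) * 60
        + parts.get("minutes", 0)
        + parts.get("seconds", 0) // 60
    )


@dataclass(frozen=True)
class AppProtectionTimers:
    online_recheck_minutes: int   # how often the app re-checks policy while online
    offline_grace_minutes: int    # how long the app may run without reaching Intune
    offline_wipe_minutes: int     # offline time after which work data is wiped


def load_timers(policy: dict) -> AppProtectionTimers:
    """Pull the three timers discussed in the thread out of a Graph policy object."""
    return AppProtectionTimers(
        online_recheck_minutes=iso_duration_to_minutes(policy["periodOnlineBeforeAccessCheck"]),
        offline_grace_minutes=iso_duration_to_minutes(policy["periodOfflineBeforeAccessCheck"]),
        offline_wipe_minutes=iso_duration_to_minutes(policy["periodOfflineBeforeWipeIsEnforced"]),
    )


# Hypothetical baseline (assumption for this example, not Microsoft guidance):
# recheck at most every 30 minutes, block after 12 hours offline, wipe after 90 days.
BASELINE = AppProtectionTimers(
    online_recheck_minutes=30,
    offline_grace_minutes=12 * 60,
    offline_wipe_minutes=90 * 24 * 60,
)


def audit_policy(policy: dict, baseline: AppProtectionTimers = BASELINE) -> list[str]:
    """Return one finding per timer that is looser than the baseline, plus PIN state."""
    timers = load_timers(policy)
    findings = []
    checks = [
        ("periodOnlineBeforeAccessCheck", timers.online_recheck_minutes, baseline.online_recheck_minutes),
        ("periodOfflineBeforeAccessCheck", timers.offline_grace_minutes, baseline.offline_grace_minutes),
        ("periodOfflineBeforeWipeIsEnforced", timers.offline_wipe_minutes, baseline.offline_wipe_minutes),
    ]
    for name, actual, allowed in checks:
        if actual > allowed:
            findings.append(f"{name}: {actual} min exceeds baseline of {allowed} min")
    if not policy.get("pinRequired", False):
        findings.append("pinRequired is false: no PIN/biometric gate on the app")
    return findings


if __name__ == "__main__":
    policy = json.loads(SAMPLE_POLICY_JSON)
    print(policy["displayName"], load_timers(policy))
    for finding in audit_policy(policy):
        print("FINDING:", finding)
```

With the sample above the only finding is the 365-day offline wipe interval, which exceeds the hypothetical 90-day baseline; the 30-minute recheck and 12-hour offline grace match it exactly. To run this against a real tenant, replace `SAMPLE_POLICY_JSON` with the `value` array returned by a GET on `/deviceAppManagement/iosManagedAppProtections` and call `audit_policy` on each element.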