Create androidManagedAppProtection

Namespace: microsoft.graph

Important: Microsoft Graph APIs under the /beta version are subject to change; production use is not supported.

Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.

Create a new androidManagedAppProtection object.

    ## Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from most to least privileged)
Delegated (work or school account)
    Mobile app management (MAM) DeviceManagementApps.ReadWrite.All
    Policy Set DeviceManagementApps.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application
    Mobile app management (MAM) DeviceManagementApps.ReadWrite.All
    Policy Set DeviceManagementApps.ReadWrite.All

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

HTTP Request

POST /deviceAppManagement/androidManagedAppProtections

Request headers

Header Value
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Accept application/json

Request body

In the request body, supply a JSON representation for the androidManagedAppProtection object.

The following table shows the properties that are required when you create the androidManagedAppProtection.

Property Type Description
displayName String Policy display name. Inherited from managedAppPolicy
description String The policy's description. Inherited from managedAppPolicy
createdDateTime DateTimeOffset The date and time the policy was created. Inherited from managedAppPolicy
lastModifiedDateTime DateTimeOffset Last time the policy was modified. Inherited from managedAppPolicy
roleScopeTagIds String collection List of Scope Tags for this Entity instance. Inherited from managedAppPolicy
id String Key of the entity. Inherited from managedAppPolicy
version String Version of the entity. Inherited from managedAppPolicy
periodOfflineBeforeAccessCheck Duration The period after which access is checked when the device is not connected to the internet. Inherited from managedAppProtection
periodOnlineBeforeAccessCheck Duration The period after which access is checked when the device is connected to the internet. Inherited from managedAppProtection
allowedInboundDataTransferSources managedAppDataTransferLevel Sources from which data is allowed to be transferred. Inherited from managedAppProtection. Possible values are: allApps, managedApps, none.
allowedOutboundDataTransferDestinations managedAppDataTransferLevel Destinations to which data is allowed to be transferred. Inherited from managedAppProtection. Possible values are: allApps, managedApps, none.
organizationalCredentialsRequired Boolean Indicates whether organizational credentials are required for app use. Inherited from managedAppProtection
allowedOutboundClipboardSharingLevel managedAppClipboardSharingLevel The level to which the clipboard may be shared between apps on the managed device. Inherited from managedAppProtection. Possible values are: allApps, managedAppsWithPasteIn, managedApps, blocked.
dataBackupBlocked Boolean Indicates whether the backup of a managed app's data is blocked. Inherited from managedAppProtection
deviceComplianceRequired Boolean Indicates whether device compliance is required. Inherited from managedAppProtection
managedBrowserToOpenLinksRequired Boolean Indicates whether internet links should be opened in the managed browser app. Inherited from managedAppProtection
saveAsBlocked Boolean Indicates whether users may use the "Save As" menu item to save a copy of protected files. Inherited from managedAppProtection
periodOfflineBeforeWipeIsEnforced Duration The amount of time an app is allowed to remain disconnected from the internet before all managed data it is wiped. Inherited from managedAppProtection
pinRequired Boolean Indicates whether an app-level pin is required. Inherited from managedAppProtection
maximumPinRetries Int32 Maximum number of incorrect pin retry attempts before the managed app is either blocked or wiped. Inherited from managedAppProtection
simplePinBlocked Boolean Indicates whether simplePin is blocked. Inherited from managedAppProtection
minimumPinLength Int32 Minimum pin length required for an app-level pin if PinRequired is set to True Inherited from managedAppProtection
pinCharacterSet managedAppPinCharacterSet Character set which may be used for an app-level pin if PinRequired is set to True. Inherited from managedAppProtection. Possible values are: numeric, alphanumericAndSymbol.
periodBeforePinReset Duration TimePeriod before the all-level pin must be reset if PinRequired is set to True. Inherited from managedAppProtection
allowedDataStorageLocations managedAppDataStorageLocation collection Data storage locations where a user may store managed data. Inherited from managedAppProtection. Possible values are: oneDriveForBusiness, sharePoint, localStorage.
contactSyncBlocked Boolean Indicates whether contacts can be synced to the user's device. Inherited from managedAppProtection
printBlocked Boolean Indicates whether printing is allowed from managed apps. Inherited from managedAppProtection
fingerprintBlocked Boolean Indicates whether use of the fingerprint reader is allowed in place of a pin if PinRequired is set to True. Inherited from managedAppProtection
disableAppPinIfDevicePinIsSet Boolean Indicates whether use of the app pin is required if the device pin is set. Inherited from managedAppProtection
minimumRequiredOsVersion String Versions less than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection
minimumWarningOsVersion String Versions less than the specified version will result in warning message on the managed app from accessing company data. Inherited from managedAppProtection
minimumRequiredAppVersion String Versions less than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection
minimumWarningAppVersion String Versions less than the specified version will result in warning message on the managed app. Inherited from managedAppProtection
minimumWipeOsVersion String Versions less than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection
minimumWipeAppVersion String Versions less than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection
appActionIfDeviceComplianceRequired managedAppRemediationAction Defines a managed app behavior, either block or wipe, when the device is either rooted or jailbroken, if DeviceComplianceRequired is set to true. Inherited from managedAppProtection. Possible values are: block, wipe, warn.
appActionIfMaximumPinRetriesExceeded managedAppRemediationAction Defines a managed app behavior, either block or wipe, based on maximum number of incorrect pin retry attempts. Inherited from managedAppProtection. Possible values are: block, wipe, warn.
pinRequiredInsteadOfBiometricTimeout Duration Timeout in minutes for an app pin instead of non biometrics passcode Inherited from managedAppProtection
allowedOutboundClipboardSharingExceptionLength Int32 Specify the number of characters that may be cut or copied from Org data and accounts to any application. This setting overrides the AllowedOutboundClipboardSharingLevel restriction. Default value of '0' means no exception is allowed. Inherited from managedAppProtection
notificationRestriction managedAppNotificationRestriction Specify app notification restriction Inherited from managedAppProtection. Possible values are: allow, blockOrganizationalData, block.
isAssigned Boolean Indicates if the policy is deployed to any inclusion groups or not. Inherited from targetedManagedAppProtection
targetedAppManagementLevels appManagementLevel The intended app management levels for this policy Inherited from targetedManagedAppProtection. Possible values are: unspecified, unmanaged, mdm, androidEnterprise.
screenCaptureBlocked Boolean Indicates whether a managed user can take screen captures of managed apps
disableAppEncryptionIfDeviceEncryptionIsEnabled Boolean When this setting is enabled, app level encryption is disabled if device level encryption is enabled
encryptAppData Boolean Indicates whether application data for managed apps should be encrypted
deployedAppCount Int32 Count of apps to which the current policy is deployed.
minimumRequiredPatchVersion String Define the oldest required Android security patch level a user can have to gain secure access to the app.
minimumWarningPatchVersion String Define the oldest recommended Android security patch level a user can have for secure access to the app.
exemptedAppPackages keyValuePair collection App packages in this list will be exempt from the policy and will be able to receive data from managed apps.
minimumWipePatchVersion String Android security patch level less than or equal to the specified value will wipe the managed app and the associated company data.
allowedAndroidDeviceManufacturers String Semicolon seperated list of device manufacturers allowed, as a string, for the managed app to work.
appActionIfAndroidDeviceManufacturerNotAllowed managedAppRemediationAction Defines a managed app behavior, either block or wipe, if the specified device manufacturer is not allowed. Possible values are: block, wipe, warn.
requiredAndroidSafetyNetDeviceAttestationType androidManagedAppSafetyNetDeviceAttestationType Defines the Android SafetyNet Device Attestation requirement for a managed app to work. Possible values are: none, basicIntegrity, basicIntegrityAndDeviceCertification.
appActionIfAndroidSafetyNetDeviceAttestationFailed managedAppRemediationAction Defines a managed app behavior, either warn or block, if the specified Android SafetyNet Attestation requirment fails. Possible values are: block, wipe, warn.
requiredAndroidSafetyNetAppsVerificationType androidManagedAppSafetyNetAppsVerificationType Defines the Android SafetyNet Apps Verification requirement for a managed app to work. Possible values are: none, enabled.
appActionIfAndroidSafetyNetAppsVerificationFailed managedAppRemediationAction Defines a managed app behavior, either warn or block, if the specified Android App Verification requirment fails. Possible values are: block, wipe, warn.
customBrowserPackageId String Unique identifier of a custom browser to open weblink on Android.
customBrowserDisplayName String Friendly name of the preferred custom browser to open weblink on Android.

Response

If successful, this method returns a 201 Created response code and a androidManagedAppProtection object in the response body.

Example

Request

Here is an example of the request.

POST https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections
Content-type: application/json
Content-length: 2967

{
  "@odata.type": "#microsoft.graph.androidManagedAppProtection",
  "displayName": "Display Name value",
  "description": "Description value",
  "roleScopeTagIds": [
    "Role Scope Tag Ids value"
  ],
  "version": "Version value",
  "periodOfflineBeforeAccessCheck": "-PT17.1357909S",
  "periodOnlineBeforeAccessCheck": "PT35.0018757S",
  "allowedInboundDataTransferSources": "managedApps",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "organizationalCredentialsRequired": true,
  "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
  "dataBackupBlocked": true,
  "deviceComplianceRequired": true,
  "managedBrowserToOpenLinksRequired": true,
  "saveAsBlocked": true,
  "periodOfflineBeforeWipeIsEnforced": "-PT3M22.1587532S",
  "pinRequired": true,
  "maximumPinRetries": 1,
  "simplePinBlocked": true,
  "minimumPinLength": 0,
  "pinCharacterSet": "alphanumericAndSymbol",
  "periodBeforePinReset": "PT3M29.6631862S",
  "allowedDataStorageLocations": [
    "sharePoint"
  ],
  "contactSyncBlocked": true,
  "printBlocked": true,
  "fingerprintBlocked": true,
  "disableAppPinIfDevicePinIsSet": true,
  "minimumRequiredOsVersion": "Minimum Required Os Version value",
  "minimumWarningOsVersion": "Minimum Warning Os Version value",
  "minimumRequiredAppVersion": "Minimum Required App Version value",
  "minimumWarningAppVersion": "Minimum Warning App Version value",
  "minimumWipeOsVersion": "Minimum Wipe Os Version value",
  "minimumWipeAppVersion": "Minimum Wipe App Version value",
  "appActionIfDeviceComplianceRequired": "wipe",
  "appActionIfMaximumPinRetriesExceeded": "wipe",
  "pinRequiredInsteadOfBiometricTimeout": "-PT3M9.8396734S",
  "allowedOutboundClipboardSharingExceptionLength": 14,
  "notificationRestriction": "blockOrganizationalData",
  "isAssigned": true,
  "targetedAppManagementLevels": "unmanaged",
  "screenCaptureBlocked": true,
  "disableAppEncryptionIfDeviceEncryptionIsEnabled": true,
  "encryptAppData": true,
  "deployedAppCount": 0,
  "minimumRequiredPatchVersion": "Minimum Required Patch Version value",
  "minimumWarningPatchVersion": "Minimum Warning Patch Version value",
  "exemptedAppPackages": [
    {
      "@odata.type": "microsoft.graph.keyValuePair",
      "name": "Name value",
      "value": "Value value"
    }
  ],
  "minimumWipePatchVersion": "Minimum Wipe Patch Version value",
  "allowedAndroidDeviceManufacturers": "Allowed Android Device Manufacturers value",
  "appActionIfAndroidDeviceManufacturerNotAllowed": "wipe",
  "requiredAndroidSafetyNetDeviceAttestationType": "basicIntegrity",
  "appActionIfAndroidSafetyNetDeviceAttestationFailed": "wipe",
  "requiredAndroidSafetyNetAppsVerificationType": "enabled",
  "appActionIfAndroidSafetyNetAppsVerificationFailed": "wipe",
  "customBrowserPackageId": "Custom Browser Package Id value",
  "customBrowserDisplayName": "Custom Browser Display Name value"
}

Response

Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.

HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 3139

{
  "@odata.type": "#microsoft.graph.androidManagedAppProtection",
  "displayName": "Display Name value",
  "description": "Description value",
  "createdDateTime": "2017-01-01T00:02:43.5775965-08:00",
  "lastModifiedDateTime": "2017-01-01T00:00:35.1329464-08:00",
  "roleScopeTagIds": [
    "Role Scope Tag Ids value"
  ],
  "id": "cf517ced-7ced-cf51-ed7c-51cfed7c51cf",
  "version": "Version value",
  "periodOfflineBeforeAccessCheck": "-PT17.1357909S",
  "periodOnlineBeforeAccessCheck": "PT35.0018757S",
  "allowedInboundDataTransferSources": "managedApps",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "organizationalCredentialsRequired": true,
  "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
  "dataBackupBlocked": true,
  "deviceComplianceRequired": true,
  "managedBrowserToOpenLinksRequired": true,
  "saveAsBlocked": true,
  "periodOfflineBeforeWipeIsEnforced": "-PT3M22.1587532S",
  "pinRequired": true,
  "maximumPinRetries": 1,
  "simplePinBlocked": true,
  "minimumPinLength": 0,
  "pinCharacterSet": "alphanumericAndSymbol",
  "periodBeforePinReset": "PT3M29.6631862S",
  "allowedDataStorageLocations": [
    "sharePoint"
  ],
  "contactSyncBlocked": true,
  "printBlocked": true,
  "fingerprintBlocked": true,
  "disableAppPinIfDevicePinIsSet": true,
  "minimumRequiredOsVersion": "Minimum Required Os Version value",
  "minimumWarningOsVersion": "Minimum Warning Os Version value",
  "minimumRequiredAppVersion": "Minimum Required App Version value",
  "minimumWarningAppVersion": "Minimum Warning App Version value",
  "minimumWipeOsVersion": "Minimum Wipe Os Version value",
  "minimumWipeAppVersion": "Minimum Wipe App Version value",
  "appActionIfDeviceComplianceRequired": "wipe",
  "appActionIfMaximumPinRetriesExceeded": "wipe",
  "pinRequiredInsteadOfBiometricTimeout": "-PT3M9.8396734S",
  "allowedOutboundClipboardSharingExceptionLength": 14,
  "notificationRestriction": "blockOrganizationalData",
  "isAssigned": true,
  "targetedAppManagementLevels": "unmanaged",
  "screenCaptureBlocked": true,
  "disableAppEncryptionIfDeviceEncryptionIsEnabled": true,
  "encryptAppData": true,
  "deployedAppCount": 0,
  "minimumRequiredPatchVersion": "Minimum Required Patch Version value",
  "minimumWarningPatchVersion": "Minimum Warning Patch Version value",
  "exemptedAppPackages": [
    {
      "@odata.type": "microsoft.graph.keyValuePair",
      "name": "Name value",
      "value": "Value value"
    }
  ],
  "minimumWipePatchVersion": "Minimum Wipe Patch Version value",
  "allowedAndroidDeviceManufacturers": "Allowed Android Device Manufacturers value",
  "appActionIfAndroidDeviceManufacturerNotAllowed": "wipe",
  "requiredAndroidSafetyNetDeviceAttestationType": "basicIntegrity",
  "appActionIfAndroidSafetyNetDeviceAttestationFailed": "wipe",
  "requiredAndroidSafetyNetAppsVerificationType": "enabled",
  "appActionIfAndroidSafetyNetAppsVerificationFailed": "wipe",
  "customBrowserPackageId": "Custom Browser Package Id value",
  "customBrowserDisplayName": "Custom Browser Display Name value"
}