Prevent data leaks on non-managed devices using Microsoft Intune

If you allow access to company data hosted by Microsoft 365, you can control how users share and save data without risking intentional or accidental data leaks. Microsoft Intune provides app protection policies that you set to secure your company data on user-owned devices. The devices don't need to be enrolled in the Intune service.

App protection policies set up with Intune also work on devices managed with a non-Microsoft device management solution. The personal data on the devices isn't touched; only company data is managed by the IT department.

You can set app protection policies for Office mobile apps on devices running Windows, iOS/iPadOS, or Android to protect company data. These policies let you enforce settings such as an app-based PIN or company data encryption, or more advanced settings that restrict how users can use the cut, copy, paste, and save-as features between managed and unmanaged apps. You can also remotely wipe company data without requiring users to enroll their devices.

Intune app protection policies are independent of device management. App protection policies let you manage Office mobile apps on unmanaged devices, Intune-managed devices, and devices managed by non-Microsoft MDM solutions.

Before you begin

Use the following action plan when you meet these requirements:

  • Your company is ready to transition securely to the cloud.
  • Your company uses Microsoft 365 Exchange Online, SharePoint Online, OneDrive for Business, or Viva Engage.
  • Your company has licenses for Microsoft 365, Enterprise Mobility + Security (EMS), or Azure Information Protection.
  • Your company allows users to access company data from company-owned or personally-owned Windows, iOS/iPadOS, or Android devices.
  • Your company doesn't want to require enrollment of personally-owned devices in a device management service.

Action plan

For iOS/iPadOS and Android devices:

  1. Learn how app protection policies work.
  2. Learn how to create and deploy app protection policies for Office mobile apps.
  3. Monitor the app protection policies that you create and deploy.

For Windows 10/11 devices:

  1. Learn how Windows Information Protection (WIP) works.
  2. Get ready to configure app protection policies for Windows 10/11.
  3. Create and deploy WIP app protection policies with Intune.

What to tell employees and students

As appropriate, share the following links to provide additional information:

Next steps

Want help enabling this or other EMS or Microsoft 365 scenarios? If you have at least 150 licenses for Microsoft 365, Enterprise Mobility + Security, or Microsoft Entra ID P1 or P2, use your FastTrack benefits.