Step 1. Apply enterprise basic data protection
Once you have followed the prerequisites, determined which platforms you must support at your organization, understood the different app data protection categories available for each support platform, and completed the steps needed before applying the app protection framework, you're ready to add app protection policies.
Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios.
The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune.
Recommended app protection settings
Use the following recommended app protection settings when creating and applying Intune app protection for Level 1 enterprise basic data protection.
Level 1 enterprise basic data protection
Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios.
The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune.
Data protection
| Setting | Setting description | Value | Platform |
|---|---|---|---|
| Data Transfer | Back up org data to… | Allow | iOS/iPadOS, Android |
| Data Transfer | Send org data to other apps | All apps | iOS/iPadOS, Android |
| Data Transfer | Send org data to | All destinations | Windows |
| Data Transfer | Receive data from other apps | All apps | iOS/iPadOS, Android |
| Data Transfer | Receive data from | All sources | Windows |
| Data Transfer | Restrict cut, copy, and paste between apps | Any app | iOS/iPadOS, Android |
| Data Transfer | Allow cut, copy, and paste for | Any destination and any source | Windows |
| Data Transfer | Third-party keyboards | Allow | iOS/iPadOS |
| Data Transfer | Approved keyboards | Not required | Android |
| Data Transfer | Screen capture and Google Assistant | Allow | Android |
| Encryption | Encrypt org data | Require | iOS/iPadOS, Android |
| Encryption | Encrypt org data on enrolled devices | Require | Android |
| Functionality | Sync app with native contacts app | Allow | iOS/iPadOS, Android |
| Functionality | Printing org data | Allow | iOS/iPadOS, Android, Windows |
| Functionality | Restrict web content transfer with other apps | Any app | iOS/iPadOS, Android |
| Functionality | Org data notifications | Allow | iOS/iPadOS, Android |
Access requirements
| Setting | Value | Platform | Notes |
|---|---|---|---|
| PIN for access | Require | iOS/iPadOS, Android | |
| PIN type | Numeric | iOS/iPadOS, Android | |
| Simple PIN | Allow | iOS/iPadOS, Android | |
| Select Minimum PIN length | 4 | iOS/iPadOS, Android | |
| Touch ID instead of PIN for access (iOS 8+/iPadOS) | Allow | iOS/iPadOS | |
| Override biometrics with PIN after timeout | Require | iOS/iPadOS, Android | |
| Timeout (minutes of activity) | 1440 | iOS/iPadOS, Android | |
| Face ID instead of PIN for access (iOS 11+/iPadOS) | Allow | iOS/iPadOS | |
| Biometric instead of PIN for access | Allow | iOS/iPadOS, Android | |
| PIN reset after number of days | No | iOS/iPadOS, Android | |
| Select number of previous PIN values to maintain | 0 | Android | |
| App PIN when device PIN is set | Require | iOS/iPadOS, Android | If the device is enrolled in Intune, administrators can consider setting this to "Not required" if they're enforcing a strong device PIN via a device compliance policy. |
| Work or school account credentials for access | Not required | iOS/iPadOS, Android | |
| Recheck the access requirements after (minutes of inactivity) | 30 | iOS/iPadOS, Android |
Conditional launch
| Setting | Setting description | Value / Action | Platform | Notes |
|---|---|---|---|---|
| App conditions | Max PIN attempts | 5 / Reset PIN | iOS/iPadOS, Android | |
| App conditions | Offline grace period | 1440 / Block access (minutes) | iOS/iPadOS, Android, Windows | |
| App conditions | Offline grace period | 90 / Wipe data (days) | iOS/iPadOS, Android, Windows | |
| Device conditions | Jailbroken/rooted devices | N/A / Block access | iOS/iPadOS, Android | |
| Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | This setting configures Google Play’s device integrity check on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. |
| Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end-user will be blocked from access until they turn on Google's app scanning on their Android device. |
| Device conditions | Max allowed device threat level | Low / Block access | Windows | |
| Device conditions | Require device lock | Low/Warn | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
Note
Windows conditional launch settings are labeled as Health Checks.
Next step
Continue with Step 2 to apply enhanced data protection in Microsoft Intune.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for