App Compliance for Mobile Devices in Configuration Manager
Updated: December 14, 2016
Applies To: System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager SP1
Use Configuration Manager app compliance policies to help you ensure that apps installed on Microsoft Intune managed mobile devices are compliant in your organization. These policies provide the following capabilities:
For Android and iOS – You can configure a list of compliant or noncompliant apps and then use reports that inform you about noncompliant apps and users in your organization.
For Windows Phone 8.1 – – You can configure a list of allowed or blocked apps. If you specify a blocked apps list, users cannot install these apps. If you specify an allowed list, users can install only those apps.
These policies are created as part of a Configuration Manager mobile device configuration item. After you create the configuration item, it must be added to a configuration baseline and then deployed to a collection of users. For more information, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.
Compliant and Noncompliant Apps (iOS)
Let’s you specify a list of iOS apps that are compliant, or not compliant in your company. You can then use reports to display devices that have noncompliant apps installed, and the associated user.
You cannot specify both compliant and noncompliant apps in the same configuration item.
To specify the compliant or noncompliant apps list
-
On the Compliant and Noncompliant Apps (iOS) page, specify the following information:
Setting
More information
Noncompliant apps list
Select this option if you want to specify a list of apps that will be reported as noncompliant if installed by users.
Compliant apps list
Select this option if you want to specify a list of apps that users are allowed to install. Any other installed apps will be reported as noncompliant.
Add
Adds an app to the selected list. Specify a name of your choice, optionally the app publisher, and the URL to the app in the app store.
To specify the URL, from the iTunes App Store, search for the app you want to use.
Open the app’s page, and copy the URL to the clipboard. You can now use this as the URL in either the compliant or noncompliant apps list.
Example: Search the store for the Microsoft Word for iPad app. The URL you use will be https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8.
Edit
Let’s you edit the name, publisher and URL of the selected app.
Remove
Deletes the selected app from the list.
Import
Imports a list of apps you have specified in a comma-separated values file. Use the format, application name, publisher, app URL in the file.
-
When you are finished, click Next.
Compliant and Noncompliant Apps (Android)
Let’s you specify a list of Android apps that are compliant, or not compliant in your company. You can then use reports to display devices that have noncompliant apps installed, and the associated user.
You cannot specify both compliant and noncompliant apps in the same configuration item.
To specify the compliant or noncompliant apps list
-
On the Compliant and Noncompliant Apps (Android) page, specify the following information:
Setting
More information
Noncompliant apps list
Select this option if you want to specify a list of apps that will be reported as noncompliant if installed by users.
Compliant apps list
Select this option if you want to specify a list of apps that users are allowed to install. Any other installed apps will be reported as noncompliant.
Add
Adds an app to the selected list. Specify a name of your choice, optionally the app publisher, and the URL to the app in the app store.
To specify the URL, from the apps section of Google Play, search for the app you want to use.
Open the app’s page, and copy the URL to the clipboard. You can now use this as the URL in either the compliant or noncompliant apps list.
Example: Search Google Play for Microsoft Office Mobile. The URL you use will be https://play.google.com/store/apps/details?id=com.microsoft.office.officehub.
Edit
Let’s you edit the name, publisher and URL of the selected app.
Remove
Deletes the selected app from the list.
Import
Imports a list of apps you have specified in a comma-separated values file. Use the format, application name, publisher, app URL in the file.
-
When you are finished, click Next.
Allowed and Blocked Apps list (Windows Phone 8.1)
Let’s you specify a list of Windows Phone apps that are compliant, or not compliant in your company. Apps that you specify as blocked cannot be installed by users. If you specify a list of allowed apps, users can only install apps in the list.
You cannot specify both allowed and blocked apps in the same configuration item.
Important
If you specify a list of allowed apps, you must ensure that the company portal app, and any apps you have deployed to Windows Phone 8.1 devices are in the Allowed apps list.
To specify an allowed or blocked apps list
-
On the Allowed and Blocked Apps list (Windows Phone 8.1) page, specify the following information:
Setting
More information
Blocked apps list
Select this option if you want to specify a list of apps that users will not be allowed to install.
Allowed apps list
Select this option if you want to specify a list of apps that users are allowed to install.
Add
Adds an app to the selected list. Specify a name of your choice, optionally the app publisher, and the URL to the app in the app store.
To specify the URL, from the Windows Phone Apps+Games page, search for the app you want to use.
Open the app’s page, and copy the URL to the clipboard. You can now use this as the URL in either the allowed or blocked apps list.
Example: Search the store for the Skype app. The URL you use will be https://www.windowsphone.com/en-us/store/app/skype/c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51.
Note
For the company portal app, or line of business apps, you do not have to specify a full URL, only the app GUID.
Edit
Let’s you edit the name, publisher and URL of the selected app.
Remove
Deletes the selected app from the list.
Import
Imports a list of apps you have specified in a comma-separated values file. Use the format, application name, publisher, app URL in the file.
-
When you are finished, click Next.
-
Complete the Create Configuration Item Wizard with any other settings you require.
Use Reports to Monitor App Compliance Policies
After you have deployed a configuration baseline containing an app compliance policy, you can use one of the following reports (for iOS and Android devices only) to monitor devices where noncompliant apps have been installed, and the users who installed them.
List of noncompliant Apps and Devices for a specified user - Displays information about users and devices that have apps installed that are not compliant with a policy you specified.
Summary of Users who have Noncompliant Apps - Displays information about users that have apps installed that are not compliant with a policy you specified.
For more information about how to use reports in Configuration Manager, see Reporting in Configuration Manager.
Next Steps
Once you are done, use the information in How to Create Configuration Baselines for Compliance Settings in Configuration Manager to add the configuration item to a configuration baseline.
Then, deploy the configuration baseline to the required devices. For details, see How to Deploy Configuration Baselines in Configuration Manager.
Finally, you can monitor the success of the configuration baseline by using the information in How to Monitor for Compliance Settings in Configuration Manager.