Define data protection, encryption, and app restriction settings


When deploying Microsoft Intune, installing an app or enrolling a device is only the first step. The true security value comes from how you define the rules governing the data within those apps and devices. To build a Zero Trust endpoint strategy, administrators must focus on three core pillars: Data protection, Encryption, and App restrictions.

Here we explain how to configure these settings effectively across your environment.

Data protection: prevent data leaks

Data protection settings—primarily driven by Mobile Application Management (MAM)—dictate how corporate data can move between apps, storage locations, and the clipboard. Your goal is to sandbox the data so it cannot be intentionally or accidentally leaked.

When configuring an App Protection Policy, focus on these critical data relocation settings:

  • Send org data to other apps:
    • Recommendation: Set to Policy managed apps. This setting ensures a user can't open a corporate Word document and share it to their personal WhatsApp or personal Google Drive.
  • Save copies of org data:
    • Recommendation: Set to Block, then use the companion setting Allow user to save copies to selected services to permit only approved corporate locations such as OneDrive for Business and SharePoint. Leaving Local Storage or Photo Library in that list reopens the leak path you just closed.
  • Restrict cut, copy, and paste between other apps:
    • Recommendation: Set to Policy managed apps with paste in. This option preserves user experience while keeping the boundary one-way: a user can copy text from their personal Safari browser and paste it into a work email, but can't copy confidential text out of that email and paste it into a personal text message.
  • Sync policy managed app data with native apps:
    • Recommendation: Set to Block. This setting (listed in the portal as Sync policy managed app data with native apps or add-ins) prevents corporate contacts and calendar data from syncing down to the native iOS/Android apps, keeping corporate directories out of personal address books and out of any personal app that reads them.

Encryption: secure data at rest

Encryption ensures that if a physical device is lost, stolen, or compromised, the data stored on the disk remains unreadable to unauthorized parties. You have to approach encryption from both the device level (MDM) and the application level (MAM, through App Protection Policies).

Device-level encryption (MDM)

For corporate-owned devices, you enforce full-disk encryption using Device Configuration and Compliance Policies.

  • Windows: Deploy an Endpoint Security profile to enforce BitLocker silently in the background and escrow the recovery keys to Microsoft Entra ID.
  • macOS: Deploy a configuration profile to enforce FileVault and escrow the personal recovery key to Intune.
  • iOS / Android: Use compliance policies to require a device passcode. Modern mobile operating systems encrypt storage by default, but the passcode is what protects the keys (iOS Data Protection classes, Android credential-encrypted storage), so without one the data is readable to anyone holding the unlocked device. On Android, also enable the compliance setting Require encryption of data storage on device so unencrypted devices are marked noncompliant.

App-level encryption (MAM)

For BYOD devices where you cannot enforce full-disk encryption, you rely on App Protection Policies.

  • Encrypt org data: Set this to Require. On iOS, the app's data is placed under iOS Data Protection; on Android, the Intune App SDK encrypts the app's local files itself rather than relying on the device being encrypted. Even if the user connects the phone to a computer and extracts the app's local files, the data remains encrypted and unreadable. On Android, the companion setting Encrypt org data on enrolled devices controls whether this app-level layer is still applied when the device itself is already encrypted; keep it set to Require unless you have a specific reason to trust device encryption alone.

App restriction settings: control the app ecosystem

App restriction settings dictate how the managed application interacts with the host operating system's features and hardware. These settings mitigate risks from keyloggers, screen scraping, and unmanaged browsers.

Configure these settings within your App Protection Policies to tighten the security boundary:

  • Restrict web content transfer with other apps:
    • Recommendation: Set to Microsoft Edge. If a user clicks a web link inside a corporate email in Outlook, this setting forces the link to open in the managed Microsoft Edge app rather than the personal Safari or Chrome browser, so your data protection rules follow the user to the web. If Edge isn't installed or signed in with the work account, the user is prompted to install it rather than being silently allowed to fall back to a personal browser.
  • Third party keyboards (iOS) / Approved keyboards (Android):
    • Recommendation: On iOS set Third party keyboards to Block; on Android set Approved keyboards to Require and list only the keyboards you trust. Third-party keyboards downloaded from app stores often request "full access" and can act as keyloggers, capturing sensitive corporate passwords or data. Blocking them forces the app to use the native OS keyboard (or an approved one on Android).
  • Screen capture and Google Assistant (Android):
    • Recommendation: Set to Block. This restriction prevents users from taking screenshots of highly confidential emails or documents on Android devices, and stops screen-recording apps and Google Assistant from capturing the screen while a managed app is open. (Note: iOS doesn't let an App Protection Policy block screenshots, but you can block screenshots and screen recording at the device level with a device restriction profile on supervised, fully managed iPhones.)
  • Require minimum OS and App versions:
    • Recommendation: Configure the conditional launch settings Min OS version and Min app version with the Block access action so that access is refused when the user's OS or app version falls behind your security baseline. Use the Warn action for a grace period ahead of a new floor, and keep a separate, lower Block threshold so that known vulnerabilities are patched before data is accessed.
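
The data relocation, app-level encryption, and app restriction recommendations above all map to properties on the App Protection Policy objects that Microsoft Graph returns. The following Python script is an added example, not Microsoft's code or tooling: it audits an exported set of policies against that baseline and reports every setting that falls short. It assumes the property names of the Graph managedAppProtection resources (iosManagedAppProtection and androidManagedAppProtection) as returned by the /beta/deviceAppManagement endpoints; the version floors in BASELINE and the two sample policies are constructed for illustration, so confirm each property name against the Graph reference before trusting a finding in production.

```python
"""Audit exported Intune App Protection Policies against the baseline in this unit.

Added example, not Microsoft code or tooling. It assumes the policy JSON uses the
property names of the Graph managedAppProtection resources (iosManagedAppProtection
and androidManagedAppProtection) as returned by /beta/deviceAppManagement; the version
floors in BASELINE and the two sample policies are constructed. Check each property
name against the Graph reference before trusting a finding in production.
"""
import json
import re
from typing import Any, Callable

BASELINE = {"ios": "17.0", "android": "13"}            # constructed version floors
APPROVED_SAVE_LOCATIONS = {"oneDriveForBusiness", "sharePoint"}


def version_tuple(v: str) -> tuple[int, ...]:
    """'17.2.1' -> (17, 2, 1); non-numeric fragments are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v or ""))


def at_least(floor: str) -> Callable[[Any], bool]:
    """Predicate: value is set and not older than the floor."""
    return lambda v: bool(v) and version_tuple(v) >= version_tuple(floor)


# (Graph property, predicate on its value, the portal setting it represents)
COMMON_RULES: list[tuple[str, Callable[[Any], bool], str]] = [
    ("allowedOutboundDataTransferDestinations", lambda v: v == "managedApps",
     "Send org data to other apps = Policy managed apps"),
    ("saveAsBlocked", lambda v: v is True, "Save copies of org data = Block"),
    ("allowedDataStorageLocations", lambda v: set(v or []) <= APPROVED_SAVE_LOCATIONS,
     "Allowed save locations = OneDrive for Business / SharePoint only"),
    ("allowedOutboundClipboardSharingLevel", lambda v: v == "managedAppsWithPasteIn",
     "Restrict cut, copy, and paste = Policy managed apps with paste in"),
    ("contactSyncBlocked", lambda v: v is True, "Sync with native apps = Block"),
    ("managedBrowserToOpenLinksRequired", lambda v: v is True, "Web content = Microsoft Edge"),
    ("managedBrowser", lambda v: v == "microsoftEdge", "Web content = Microsoft Edge"),
    ("minimumRequiredAppVersion", lambda v: bool(v), "Conditional launch: Min app version set"),
]
PLATFORM_RULES = {
    "#microsoft.graph.iosManagedAppProtection": [
        # Any value other than "use device settings" means app-level encryption is enforced.
        ("appDataEncryptionType", lambda v: v not in (None, "useDeviceSettings"), "Encrypt org data = Require"),
        ("thirdPartyKeyboardsBlocked", lambda v: v is True, "Third party keyboards = Block"),
        ("minimumRequiredOsVersion", at_least(BASELINE["ios"]), f"Min OS version >= {BASELINE['ios']}"),
    ],
    "#microsoft.graph.androidManagedAppProtection": [
        ("encryptAppData", lambda v: v is True, "Encrypt org data = Require"),
        ("screenCaptureBlocked", lambda v: v is True, "Screen capture and Google Assistant = Block"),
        ("keyboardsRestricted", lambda v: v is True, "Approved keyboards = Require"),
        ("minimumRequiredOsVersion", at_least(BASELINE["android"]), f"Min OS version >= {BASELINE['android']}"),
    ],
}


def audit(policy: dict) -> list[dict]:
    """One finding per failed rule; an empty list means the policy meets the baseline."""
    rules = COMMON_RULES + PLATFORM_RULES.get(policy.get("@odata.type"), [])
    return [{"policy": policy.get("displayName"), "property": prop,
             "actual": policy.get(prop), "expected": expected}
            for prop, ok, expected in rules if not ok(policy.get(prop))]


def audit_export(text: str) -> list[dict]:
    """Audit a Graph list response ({"value": [policy, ...]}) saved to a file."""
    return [f for policy in json.loads(text)["value"] for f in audit(policy)]


# Constructed samples: a permissive legacy iOS policy and a hardened Android one.
WEAK_IOS = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection", "displayName": "iOS legacy (sample)",
    "allowedOutboundDataTransferDestinations": "allApps", "saveAsBlocked": False,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "localStorage"],
    "allowedOutboundClipboardSharingLevel": "allApps", "contactSyncBlocked": False,
    "managedBrowserToOpenLinksRequired": False, "managedBrowser": "notConfigured",
    "minimumRequiredAppVersion": "", "appDataEncryptionType": "useDeviceSettings",
    "thirdPartyKeyboardsBlocked": False, "minimumRequiredOsVersion": "15.0",
}
HARDENED_ANDROID = {
    "@odata.type": "#microsoft.graph.androidManagedAppProtection", "displayName": "Android baseline (sample)",
    "allowedOutboundDataTransferDestinations": "managedApps", "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn", "contactSyncBlocked": True,
    "managedBrowserToOpenLinksRequired": True, "managedBrowser": "microsoftEdge",
    "minimumRequiredAppVersion": "4.2413.0", "encryptAppData": True,
    "screenCaptureBlocked": True, "keyboardsRestricted": True, "minimumRequiredOsVersion": "13",
}

if __name__ == "__main__":
    for f in audit_export(json.dumps({"value": [WEAK_IOS, HARDENED_ANDROID]})):
        print(f"{f['policy']}: {f['property']}={f['actual']!r}; expected {f['expected']}")
```

To run it against a real tenant, save the response of GET /beta/deviceAppManagement/iosManagedAppProtections (and the androidManagedAppProtections equivalent) to a file and pass its contents to audit_export. Each finding names the Graph property, the current value, and the portal setting it corresponds to, which makes it straightforward to fix the policy in the admin center or to fail a pipeline when a policy drifts from the baseline.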