Enforce compliance requirements for applications


Enforcing compliance for applications means applying policies that control how corporate data is accessed, used, and shared inside the apps your organization supports. In Microsoft Intune, this is usually done by combining app protection policies, Conditional Access, and, when needed, device compliance policies. Together, these controls help ensure that users can access work or school data only under the conditions your organization requires.

How app protection policies enforce requirements

App protection policies are Intune’s main tool for enforcing requirements inside apps. They protect organizational data at the app layer and can apply on both enrolled and unenrolled devices, which makes them especially useful for bring-your-own-device scenarios. Intune app protection policies work with supported apps that use the Intune App SDK or Intune App Wrapping Tool, and they help keep company data contained in those apps.

On iOS/iPadOS and Android, Intune organizes app protection settings into three main areas: data protection, access requirements, and conditional launch. These settings let administrators restrict data movement, require PIN or credential-based access, and take actions such as warning, blocking access, or wiping corporate data if the device no longer meets the required conditions.

Use of Conditional Access

App protection policies define the rules, but Conditional Access makes those rules enforceable at sign-in. Intune supports app-based Conditional Access, which uses the Microsoft Entra Conditional Access grant control "Require app protection policy": a user in scope can obtain a token for the selected cloud apps only from a client app that has an Intune app protection policy applied. An app can therefore be installed on a device and still be refused access to company data until the required protection is in place and the user and device meet the other conditions in the policy.

A common enforcement flow is:

  1. The user signs in to an app that accesses corporate data.
  2. Conditional Access checks, at token issuance, whether the client reports an applied app protection policy; if not, the sign-in is blocked.
  3. Once signed in, the app applies the policy's access requirements (PIN or biometric) and data protection settings.
  4. If a conditional launch check fails (for example, too many PIN attempts, the offline grace period expires, or the device is rooted or jailbroken), the app warns, blocks access, or wipes org data according to the action you configured.

The gate is on access to organizational data, not on installation: the app stays on the device, but it cannot obtain or keep access to company data until the required policy is applied.
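The following is an added example, not code from this page or from Microsoft. It writes the Conditional Access policy described above in the shape Microsoft Graph uses for `conditionalAccessPolicy` (the `compliantApplication` built-in control is Graph's name for "Require app protection policy"), then runs a deliberately simplified model of the grant decision over a few constructed sign-ins. The group ID is a placeholder, and `evaluate()` is this example's own approximation of how the policy is applied, not Entra's evaluation engine.

```python
"""Simplified model of the sign-in gate added by 'Require app protection policy'.

Added example; not Microsoft code. The policy body follows the Graph
conditionalAccessPolicy shape. The group ID is a placeholder and evaluate()
is an approximation used for illustration only.
"""
from dataclasses import dataclass

SALES_GROUP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder, not a real group

# Constructed body in the shape used by POST /identity/conditionalAccess/policies.
CA_POLICY = {
    "displayName": "Mobile: require app protection policy for Office 365",
    "state": "enabled",
    "conditions": {
        "users": {"includeGroups": [SALES_GROUP_ID]},
        "applications": {"includeApplications": ["Office365"]},
        "platforms": {"includePlatforms": ["android", "iOS"], "excludePlatforms": []},
        # Only native mobile/desktop clients are in scope here; browser is not.
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
    },
    # "compliantApplication" is the Graph value for "Require app protection policy".
    "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]},
}


@dataclass
class SignIn:
    """One sign-in attempt as the policy sees it (constructed test input)."""
    user_groups: set
    application: str
    platform: str
    client_app_type: str
    app_protected: bool        # client reports an applied Intune app protection policy
    device_compliant: bool = False


def in_scope(policy: dict, s: SignIn) -> bool:
    """Does this sign-in match every condition of the policy?"""
    c = policy["conditions"]
    return (
        bool(s.user_groups & set(c["users"]["includeGroups"]))
        and s.application in c["applications"]["includeApplications"]
        and s.platform in c["platforms"]["includePlatforms"]
        and s.platform not in c["platforms"].get("excludePlatforms", [])
        and s.client_app_type in c["clientAppTypes"]
    )


def control_satisfied(control: str, s: SignIn) -> bool:
    """Map a built-in grant control to the claim that satisfies it."""
    if control == "compliantApplication":
        return s.app_protected
    if control == "compliantDevice":
        return s.device_compliant
    raise ValueError(f"control not modelled here: {control}")


def evaluate(policy: dict, s: SignIn) -> str:
    """Return 'grant', 'block', or 'not in scope' (the policy says nothing)."""
    if policy.get("state") != "enabled" or not in_scope(policy, s):
        return "not in scope"
    g = policy["grantControls"]
    results = [control_satisfied(c, s) for c in g["builtInControls"]]
    ok = any(results) if g["operator"] == "OR" else all(results)
    return "grant" if ok else "block"


if __name__ == "__main__":
    outlook_protected = SignIn({SALES_GROUP_ID}, "Office365", "android",
                               "mobileAppsAndDesktopClients", app_protected=True)
    outlook_bare = SignIn({SALES_GROUP_ID}, "Office365", "android",
                          "mobileAppsAndDesktopClients", app_protected=False)
    chrome = SignIn({SALES_GROUP_ID}, "Office365", "android", "browser", app_protected=False)
    for name, s in [("protected Outlook", outlook_protected),
                    ("unprotected Outlook", outlook_bare), ("browser", chrome)]:
        print(f"{name:20s} -> {evaluate(CA_POLICY, s)}")
```

The third case is the check a practitioner wants: with `clientAppTypes` limited to native clients, a browser sign-in on the same phone falls outside the policy entirely, so the gate only holds if another policy covers browser access (or `browser` is added to `clientAppTypes`).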

Key compliance controls for managed apps

Intune app protection policies include several enforcement controls:

  • Access requirements: require a PIN, biometric, or corporate credentials before org data is shown, and recheck after a period of inactivity.
  • Conditional launch: warn, block access, or wipe org data when an app or device condition fails, for example too many PIN attempts, an expired offline grace period, a jailbroken or rooted device, an out-of-date OS, or an unacceptable device threat level.
  • Data protection: restrict cut, copy, and paste, block saving copies of org data to personal locations, block backup to personal backup services, block screen capture (on Android), and require org data to be encrypted.

Use these controls together to create compliance rules that match your organization’s risk posture.

Create an app protection policy

A good example is Microsoft Outlook for iOS and Android. Outlook supports Intune app protection policies, and it is a common app to protect because it gives access to corporate email and attachments.

To create an app protection policy for Outlook:

  1. In the Microsoft Intune admin center, in the navigation pane, select Apps.

  2. Under Manage apps, select Protection.

  3. Select + Create and select Android.

  4. In the Basics pane, enter a name and add an optional description.

  5. In the Apps pane, select + Select public apps, then search for and select Microsoft Outlook and then select Select. Then select Next.

  6. In the Data protection pane, configure the following settings:

    • Backup org data to Android backup services: Block
    • Send org data to other apps: Policy managed apps.
    • Restrict cut, copy, and paste between other apps: Policy managed apps with paste in
    • Screen capture and Google Assistant: Block
    • Encrypt org data: Require
    • Encrypt org data on enrolled devices: Require
    • Sync policy managed app data with native apps or add-ins: Block
  7. Select Next.

  8. In the Access requirements pane, configure the following settings:

    • PIN for access: Require
    • PIN type: Numeric
    • Simple PIN: Allow
    • Select minimum PIN length: 4
    • Biometrics instead of PIN for access: Allow
    • Override biometrics with PIN after timeout: Not required
    • App PIN when device PIN is set: Not required
    • Recheck the access requirements after (minutes of inactivity): 120

    These are the walkthrough's values. For production use, set Simple PIN to Block and a minimum PIN length of at least 6: with Simple PIN allowed and four digits, sequences such as 1234 and 1111 are accepted.
  9. Select Next.

  10. In the Conditional launch pane, configure the following settings under App conditions:

    • Max PIN attempts: value 5, action Reset PIN
    • Offline grace period: value 1440 (minutes), action Block access
    • Offline grace period: value 90 (days), action Wipe data
  11. Configure the following settings under Device conditions:

    • Jailbroken/rooted devices: action Block access
    • Samsung Knox device attestation: action Block access (applies only on supported Samsung devices)
  12. Select Next.

  13. Finish the configuration and if needed assign a scope tag and assign the policy to a group.
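As an added example (not code from this page or from Microsoft), the script below expresses the policy built in the steps above as a Microsoft Graph `androidManagedAppProtection` body and audits it against a hardening baseline. Property names are those of the Graph resource; the baseline thresholds, the `harden()` helper and the policy name are this example's own assumptions, not an Intune recommendation. Settings from the walkthrough whose Graph property mapping is not certain (the Knox attestation and native-app sync settings) are left out rather than guessed.

```python
"""Audit an Intune Android app protection policy (Graph shape) against a baseline.

Added example; not Microsoft code. POLICY mirrors the walkthrough's values using
Graph androidManagedAppProtection property names. BASELINE is this example's own
hardening floor, not a Microsoft-published standard.
"""
import re
from copy import deepcopy

# Constructed body: the walkthrough policy as it would be sent to
# POST /deviceAppManagement/androidManagedAppProtections (assumed name).
POLICY = {
    "@odata.type": "#microsoft.graph.androidManagedAppProtection",
    "displayName": "Outlook - Android app protection",
    # Data protection (step 6)
    "dataBackupBlocked": True,                                   # backup to Android services: Block
    "allowedOutboundDataTransferDestinations": "managedApps",   # send org data: policy managed apps
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "screenCaptureBlocked": True,
    "encryptAppData": True,
    "disableAppEncryptionIfDeviceEncryptionIsEnabled": False,   # encrypt on enrolled devices too
    # Access requirements (step 8)
    "pinRequired": True,
    "pinCharacterSet": "numeric",
    "simplePinBlocked": False,                                  # Simple PIN: Allow
    "minimumPinLength": 4,
    "fingerprintBlocked": False,                                # biometrics instead of PIN: Allow
    "periodOnlineBeforeAccessCheck": "PT120M",                  # recheck after 120 min inactivity
    # Conditional launch (steps 10-11); Graph stores periods as ISO 8601 durations
    "maximumPinRetries": 5,
    "periodOfflineBeforeAccessCheck": "PT1440M",                # 1440 min offline -> block
    "periodOfflineBeforeWipeIsEnforced": "P90D",                # 90 days offline -> wipe
    "deviceComplianceRequired": True,                           # rooted device -> block
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_minutes(value: str) -> int:
    """Convert a Graph duration (P90D, PT12H, PT1440M, P1DT12H) to whole minutes."""
    m = _DURATION.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds // 60


# (property, predicate on its value, finding text). Thresholds are assumptions.
BASELINE = [
    ("pinRequired", lambda v: v is True, "a PIN must be required"),
    ("simplePinBlocked", lambda v: v is True, "simple PINs such as 1234 must be blocked"),
    ("minimumPinLength", lambda v: isinstance(v, int) and v >= 6, "minimum PIN length must be >= 6"),
    ("maximumPinRetries", lambda v: isinstance(v, int) and 1 <= v <= 5, "PIN retries must be 1-5"),
    ("periodOfflineBeforeAccessCheck", lambda v: iso_duration_minutes(v) <= 12 * 60,
     "offline grace period before block must be <= 12 hours"),
    ("periodOfflineBeforeWipeIsEnforced", lambda v: iso_duration_minutes(v) <= 90 * 1440,
     "offline period before wipe must be <= 90 days"),
    ("dataBackupBlocked", lambda v: v is True, "backup of org data must be blocked"),
    ("allowedOutboundDataTransferDestinations", lambda v: v in ("managedApps", "none"),
     "org data may only go to policy managed apps"),
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v in ("managedAppsWithPasteIn", "managedApps", "blocked"),
     "clipboard sharing to unmanaged apps must be restricted"),
    ("screenCaptureBlocked", lambda v: v is True, "screen capture must be blocked"),
    ("encryptAppData", lambda v: v is True, "org data must be encrypted"),
    ("deviceComplianceRequired", lambda v: v is True, "rooted/jailbroken devices must be blocked"),
]


def audit(policy: dict) -> list:
    """Return one finding per baseline check the policy fails or leaves unset."""
    findings = []
    for prop, ok, text in BASELINE:
        if prop not in policy:
            findings.append(f"{prop}: not set ({text})")
        elif not ok(policy[prop]):
            findings.append(f"{prop}={policy[prop]!r}: {text}")
    return findings


def harden(policy: dict) -> dict:
    """Return a copy with the walkthrough's permissive values raised to the baseline."""
    fixed = deepcopy(policy)
    fixed.update({"simplePinBlocked": True, "minimumPinLength": 6,
                  "periodOfflineBeforeAccessCheck": "PT12H"})
    return fixed


if __name__ == "__main__":
    for finding in audit(POLICY):
        print("FINDING:", finding)
    print("findings after harden():", audit(harden(POLICY)))
```

Run against the walkthrough values, the audit flags the allowed simple PIN, the four-digit minimum, and the 24-hour offline grace period; the same function returns no findings for the hardened copy. The same check can be run over a tenant export (GET on the collection above) to find policies that drifted from the baseline.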

A common scenario is to create separate app protection policies for enrolled and unenrolled devices, assign them to user groups, and use managed-app filters to target the correct policy to each device state.

Example scenario: secure mobile productivity apps

Imagine a sales team that uses Outlook, OneDrive, and Teams on personal phones. You can enforce compliance by creating an app protection policy that:

  • requires a PIN to access corporate content
  • blocks saving company files to personal cloud storage
  • prevents copy and paste to unmanaged apps
  • blocks access on rooted or jailbroken devices

Then use Conditional Access to ensure these apps can only access email and files when the policy is applied. If a phone fails a conditional launch check, the app can still be used with personal accounts, but access to the org account is blocked (or its data wiped, depending on the action you chose), so corporate data remains protected.

This approach balances user productivity with the compliance requirements your organization needs to protect sensitive data.