Data protection framework using app protection policies
As more organizations implement mobile device strategies for accessing work or school data, protecting against data leakage becomes paramount. Intune's mobile application management solution for protecting against data leakage is App Protection Policies (APP). APP are rules that ensure an organization's data remains safe or contained in a managed app, regardless of whether the device is enrolled. For more information, see App protection policies overview.
When configuring App Protection Policies, the number of various settings and options enable organizations to tailor the protection to their specific needs. Due to this flexibility, it may not be obvious which permutation of policy settings are required to implement a complete scenario. To help organizations prioritize client endpoint hardening endeavors, Microsoft has introduced a new taxonomy for security configurations in Windows 10, and Intune is leveraging a similar taxonomy for its APP data protection framework for mobile app management.
The APP data protection configuration framework is organized into three distinct configuration scenarios:
Level 1 enterprise basic data protection – Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device.
Level 2 enterprise enhanced data protection – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration is applicable to most mobile users accessing work or school data. Some of the controls may impact user experience.
Level 3 enterprise high data protection – Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration.
APP Data Protection Framework deployment methodology
As with any deployment of new software, features or settings, Microsoft recommends investing in a ring methodology for testing validation prior to deploying the APP data protection framework. Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct.
Microsoft recommends the following deployment ring approach for the APP data protection framework:
Deployment ring | Tenant | Assessment teams | Output | Timeline |
---|---|---|---|---|
Quality Assurance | Preproduction tenant | Mobile capability owners, Security, Risk Assessment, Privacy, UX | Functional scenario validation, draft documentation | 0-30 days |
Preview | Production tenant | Mobile capability owners, UX | End-user scenario validation, user facing documentation | 7-14 days, post Quality Assurance |
Production | Production tenant | Mobile capability owners, IT help desk | N/A | 7 days to several weeks, post Preview |
As the above table indicates, all changes to the App Protection Policies should be first performed in a preproduction environment to understand the policy setting implications. Once testing is complete, the changes can be moved into production and applied to a subset of production users, generally, the IT department and other applicable groups. And finally, the rollout can be completed to the rest of the mobile user community. Roll out to production may take a longer amount of time depending on the scale of impact regarding the change. If there's no user impact, the change should roll out quickly, whereas, if the change results in user impact, rollout may need to go slower due to the need to communicate changes to the user population.
When testing changes to an APP, be aware of the delivery timing. The status of APP delivery for a given user can be monitored. For more information, see How to monitor app protection policies.
Individual APP settings for each app can be validated on devices using Microsoft Edge and the URL about:Intunehelp. For more information, see Review client app protection logs and Use Microsoft Edge for iOS and Android to access managed app logs.
APP Data Protection Framework settings
The following App Protection Policy settings should be enabled for the applicable apps and assigned to all mobile users. For more information on each policy setting, see iOS app protection policy settings and Android app protection policy settings.
Microsoft recommends reviewing and categorizing usage scenarios, and then configuring users using the prescriptive guidance for that level. As with any framework, settings within a corresponding level may need to be adjusted based on the needs of the organization as data protection must evaluate the threat environment, risk appetite, and impact to usability.
Administrators can incorporate the below configuration levels within their ring deployment methodology for testing and production use by importing the sample Intune App Protection Policy Configuration Framework JSON templates with Intune's PowerShell scripts.
Note
When using MAM for Windows, see App protection policy settings for Windows.
Conditional Access Policies
To ensure that only apps supporting App Protection Poliies access work or school account data, Microsoft Entra Conditional Access policies are required. These policies are described in Conditional Access: Require approved client apps or app protection policy.
See Require approved client apps or app protection policy with mobile devices in Conditional Access: Require approved client apps or app protection policy for steps to implement the specific policies. Finally, implement the steps in Block legacy authentication to block legacy authentication capable iOS and Android apps.
Note
These policies leverage the grant controls Require approved client app and Require app protection policy.
Apps to include in the App Protection Policies
For each App Protection Policy, the Core Microsoft Apps group is targeted, which includes the following apps:
- Microsoft Edge
- Excel
- Office
- OneDrive
- OneNote
- Outlook
- PowerPoint
- SharePoint
- Teams
- To Do
- Word
The policies should include other Microsoft apps based on business need, additional third-party public apps that have integrated the Intune SDK used within the organization, as well as line-of-business apps that have integrated the Intune SDK (or have been wrapped).
Level 1 enterprise basic data protection
Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios.
The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune.
Data protection
Setting | Setting description | Value | Platform |
---|---|---|---|
Data Transfer | Back up org data to… | Allow | iOS/iPadOS, Android |
Data Transfer | Send org data to other apps | All apps | iOS/iPadOS, Android |
Data Transfer | Send org data to | All destinations | Windows |
Data Transfer | Receive data from other apps | All apps | iOS/iPadOS, Android |
Data Transfer | Receive data from | All sources | Windows |
Data Transfer | Restrict cut, copy, and paste between apps | Any app | iOS/iPadOS, Android |
Data Transfer | Allow cut, copy, and paste for | Any destination and any source | Windows |
Data Transfer | Third-party keyboards | Allow | iOS/iPadOS |
Data Transfer | Approved keyboards | Not required | Android |
Data Transfer | Screen capture and Google Assistant | Allow | Android |
Encryption | Encrypt org data | Require | iOS/iPadOS, Android |
Encryption | Encrypt org data on enrolled devices | Require | Android |
Functionality | Sync app with native contacts app | Allow | iOS/iPadOS, Android |
Functionality | Printing org data | Allow | iOS/iPadOS, Android, Windows |
Functionality | Restrict web content transfer with other apps | Any app | iOS/iPadOS, Android |
Functionality | Org data notifications | Allow | iOS/iPadOS, Android |
Access requirements
Setting | Value | Platform | Notes |
---|---|---|---|
PIN for access | Require | iOS/iPadOS, Android | |
PIN type | Numeric | iOS/iPadOS, Android | |
Simple PIN | Allow | iOS/iPadOS, Android | |
Select Minimum PIN length | 4 | iOS/iPadOS, Android | |
Touch ID instead of PIN for access (iOS 8+/iPadOS) | Allow | iOS/iPadOS | |
Override biometrics with PIN after timeout | Require | iOS/iPadOS, Android | |
Timeout (minutes of activity) | 1440 | iOS/iPadOS, Android | |
Face ID instead of PIN for access (iOS 11+/iPadOS) | Allow | iOS/iPadOS | |
Biometric instead of PIN for access | Allow | iOS/iPadOS, Android | |
PIN reset after number of days | No | iOS/iPadOS, Android | |
Select number of previous PIN values to maintain | 0 | Android | |
App PIN when device PIN is set | Require | iOS/iPadOS, Android | If the device is enrolled in Intune, administrators can consider setting this to "Not required" if they're enforcing a strong device PIN via a device compliance policy. |
Work or school account credentials for access | Not required | iOS/iPadOS, Android | |
Recheck the access requirements after (minutes of inactivity) | 30 | iOS/iPadOS, Android |
Conditional launch
Setting | Setting description | Value / Action | Platform | Notes |
---|---|---|---|---|
App conditions | Max PIN attempts | 5 / Reset PIN | iOS/iPadOS, Android | |
App conditions | Offline grace period | 10080 / Block access (minutes) | iOS/iPadOS, Android, Windows | |
App conditions | Offline grace period | 90 / Wipe data (days) | iOS/iPadOS, Android, Windows | |
Device conditions | Jailbroken/rooted devices | N/A / Block access | iOS/iPadOS, Android | |
Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | This setting configures Google Play’s device integrity check on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. |
Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end-user will be blocked from access until they turn on Google's app scanning on their Android device. |
Device conditions | Max allowed device threat level | Low / Block access | Windows | |
Device conditions | Require device lock | Low/Warn | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
Note
Windows conditional launch settings are labeled as Health Checks.
Level 2 enterprise enhanced data protection
Level 2 is the data protection configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. These recommendations don't assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. This configuration expands upon the configuration in Level 1 by restricting data transfer scenarios and requiring a minimum operating system version.
Important
The policy settings enforced in level 2 include all the policy settings recommended for level 1. However, Level 2 only lists those settings that have been added or changed to implement more controls and a more sophisticated configuration than level 1. While these settings may have a slightly higher impact to users or to applications, they enforce a level of data protection more commensurate with the risks facing users with access to sensitive information on mobile devices.
Data protection
Setting | Setting description | Value | Platform | Notes |
---|---|---|---|---|
Data Transfer | Back up org data to… | Block | iOS/iPadOS, Android | |
Data Transfer | Send org data to other apps | Policy managed apps | iOS/iPadOS, Android | With iOS/iPadOS, administrators can configure this value to be "Policy managed apps", "Policy managed apps with OS sharing", or "Policy managed apps with Open-In/Share filtering". Policy managed apps with OS sharing is available when the device is also enrolled with Intune. This setting allows data transfer to other policy managed apps, and file transfers to other apps that are managed by Intune. Policy managed apps with Open-In/Share filtering filters the OS Open-in/Share dialogs to only display policy managed apps. For more information, see iOS app protection policy settings. |
Data Transfer | Send or data to | No destinations | Windows | |
Data Transfer | Receive data from | No sources | Windows | |
Data Transfer | Select apps to exempt | Default / skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services; | iOS/iPadOS | |
Data Transfer | Save copies of org data | Block | iOS/iPadOS, Android | |
Data Transfer | Allow users to save copies to selected services | OneDrive for Business, SharePoint Online, Photo Library | iOS/iPadOS, Android | |
Data Transfer | Transfer telecommunication data to | Any dialer app | iOS/iPadOS, Android | |
Data Transfer | Restrict cut, copy, and paste between apps | Policy managed apps with paste in | iOS/iPadOS, Android | |
Data Transfer | Allow cut, copy, and paste for | No destination or source | Windows | |
Data Transfer | Screen capture and Google Assistant | Block | Android | |
Functionality | Restrict web content transfer with other apps | Microsoft Edge | iOS/iPadOS, Android | |
Functionality | Org data notifications | Block Org Data | iOS/iPadOS, Android | For a list of apps that support this setting, see iOS app protection policy settings and Android app protection policy settings. |
Conditional launch
Setting | Setting description | Value / Action | Platform | Notes |
---|---|---|---|---|
App conditions | Disabled account | N/A / Block access | iOS/iPadOS, Android, Windows | |
Device conditions | Min OS version | Format: Major.Minor.Build Example: 14.8 / Block access |
iOS/iPadOS | Microsoft recommends configuring the minimum iOS major version to match the supported iOS versions for Microsoft apps. Microsoft apps support an N-1 approach where N is the current iOS major release version. For minor and build version values, Microsoft recommends ensuring devices are up to date with the respective security updates. See Apple security updates for Apple's latest recommendations |
Device conditions | Min OS version | Format: Major.Minor Example: 9.0 / Block access |
Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 9.0 and later for knowledge workers. See Android Enterprise Recommended requirements for Android's latest recommendations |
Device conditions | Min OS version | Format: Build Example: 10.0.22621.2506 / Block access |
Windows | Microsoft recommends configuring the minimum Windows build to match the supported Windows versions for Microsoft apps. Currently, Microsoft recommends the following:
|
Device conditions | Min patch version | Format: YYYY-MM-DD Example: 2020-01-01 / Block access |
Android | Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. See Android Security Bulletins for the latest patch releases. |
Device conditions | Required SafetyNet evaluation type | Hardware-backed key | Android | Hardware backed attestation enhances the existing Google's Play Integrity service check by applying a new evaluation type called Hardware Backed, providing a more robust root detection in response to newer types of rooting tools and methods that can't always be reliably detected by a software only solution. As its name implies, hardware backed attestation uses a hardware-based component, which shipped with devices installed with Android 8.1 and later. Devices that were upgraded from an older version of Android to Android 8.1 are unlikely to have the hardware-based components necessary for hardware backed attestation. While this setting should be widely supported starting with devices that shipped with Android 8.1, Microsoft strongly recommends testing devices individually before enabling this policy setting broadly. |
Device conditions | Require device lock | Medium/Block Access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
Device conditions | Samsung Knox device attestation | Block Access | Android | Microsoft recommends configuring the Samsung Knox device attestation setting to Block access to ensure the user account is blocked from access if the device doesn't meet Samsung's Knox hardware-based verification of device health. This setting verifies all Intune MAM client responses to the Intune service were sent from a healthy device. This setting applies to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters. For more information on assignment filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune. |
App conditions | Offline grace period | 30 / Wipe data (days) | iOS/iPadOS, Android, Windows |
Note
Windows conditional launch settings are labeled as Health Checks.
Level 3 enterprise high data protection
Level 3 is the data protection configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described. This configuration expands upon the configuration in Level 2 by restricting additional data transfer scenarios, increasing the complexity of the PIN configuration, and adding mobile threat detection.
Important
The policy settings enforced in level 3 include all the policy settings recommended for level 2 but only lists those settings below that have been added or changed to implement more controls and a more sophisticated configuration than level 2. These policy settings can have a potentially significant impact to users or to applications, enforcing a level of security commensurate with the risks facing targeted organizations.
Data protection
Setting | Setting description | Value | Platform | Notes |
---|---|---|---|---|
Data Transfer | Transfer telecommunication data to | Any policy-managed dialer app | Android | Administrators can also configure this setting to use a dialer app that doesn't support App Protection Policies by selecting A specific dialer app and providing the Dialer App Package ID and Dialer App Name values. |
Data Transfer | Transfer telecommunication data to | A specific dialer app | iOS/iPadOS | |
Data Transfer | Dialer App URL Scheme | replace_with_dialer_app_url_scheme | iOS/iPadOS | On iOS/iPadOS, this value must be replaced with the URL scheme for the custom dialer app being used. If the URL scheme isn't known, contact the app developer for more information. For more information on URL schemes, see Defining a Custom URL Scheme for Your App. |
Data transfer | Receive data from other apps | Policy managed apps | iOS/iPadOS, Android | |
Data transfer | Open data into Org documents | Block | iOS/iPadOS, Android | |
Data transfer | Allow users to open data from selected services | OneDrive for Business, SharePoint, Camera, Photo Library | iOS/iPadOS, Android | For related information, see Android app protection policy settings and iOS app protection policy settings. |
Data transfer | Third-party keyboards | Block | iOS/iPadOS | On iOS/iPadOS, this blocks all third-party keyboards from functioning within the app. |
Data transfer | Approved keyboards | Require | Android | |
Data transfer | Select keyboards to approve | add/remove keyboards | Android | With Android, keyboards must be selected in order to be used based on your deployed Android devices. |
Functionality | Print org data | Block | iOS/iPadOS, Android, Windows |
Access requirements
Setting | Value | Platform |
---|---|---|
Simple PIN | Block | iOS/iPadOS, Android |
Select Minimum PIN length | 6 | iOS/iPadOS, Android |
PIN reset after number of days | Yes | iOS/iPadOS, Android |
Number of days | 365 | iOS/iPadOS, Android |
Class 3 Biometrics (Android 9.0+) | Require | Android |
Override Biometrics with PIN after biometric updates | Require | Android |
Conditional launch
Setting | Setting description | Value / Action | Platform | Notes |
---|---|---|---|---|
Device conditions | Require device lock | High/Block Access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
Device conditions | Max allowed device threat level | Secured / Block access | Windows | |
Device conditions | Jailbroken/rooted devices | N/A / Wipe data | iOS/iPadOS, Android | |
Device conditions | Max allowed threat level | Secured / Block access | iOS/iPadOS, Android | Unenrolled devices can be inspected for threats using Mobile Threat Defense. For more information, see Mobile Threat Defense for unenrolled devices. If the device is enrolled, this setting can be skipped in favor of deploying Mobile Threat Defense for enrolled devices. For more information, see Mobile Threat Defense for enrolled devices. |
Device conditions | Max OS version | Format: Major.Minor Example: 11.0 / Block access |
Android | Microsoft recommends configuring the maximum Android major version to ensure beta or unsupported versions of the operating system aren't used. See Android Enterprise Recommended requirements for Android's latest recommendations |
Device conditions | Max OS version | Format: Major.Minor.Build Example: 15.0 / Block access |
iOS/iPadOS | Microsoft recommends configuring the maximum iOS/iPadOS major version to ensure beta or unsupported versions of the operating system aren't used. See Apple security updates for Apple's latest recommendations |
Device conditions | Max OS version | Format: Major.Minor Example: 22631. / Block access |
Windows | Microsoft recommends configuring the maximum Windows major version to ensure beta or unsupported versions of the operating system aren't used. |
Device conditions | Samsung Knox device attestation | Wipe data | Android | Microsoft recommends configuring the Samsung Knox device attestation setting to Wipe data to ensure the org data is removed if the device doesn't meet Samsung's Knox hardware-based verification of device health. This setting verifies all Intune MAM client responses to the Intune service were sent from a healthy device. This setting will apply to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters. For more information on assignment filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune. |
App conditions | Offline grace period | 30 / Block access (days) | iOS/iPadOS, Android, Windows |
Next steps
Administrators can incorporate the above configuration levels within their ring deployment methodology for testing and production use by importing the sample Intune App Protection Policy Configuration Framework JSON templates with Intune's PowerShell scripts.