In this blog post I will go through the basics of App Protection Policies in Intune and the App Data Protection configuration framework, and guide you through importing the framework's data-protection templates for Intune App Protection into your Intune tenant.
App Protection Policies
Configuring App Protection Policies in Intune is important for protecting data and preventing data leakage within supported applications, on both corporate and BYOD devices. The settings fall into three categories: Data Protection (data transfer, restrictions, encryption), Access Requirements (PIN and authentication settings) and Conditional Launch (app and device conditions that must hold for the app to open).
One requirement for using these policies is that the applications are integrated with the Intune App SDK or wrapped with the Intune App Wrapping Tool. The current list of supported Intune-protected apps can be found here.
Require approved client app & require app protection policy
Grant access to the applications through a Conditional Access policy that requires an approved client app and an app protection policy as grant controls. Keep in mind that the app protection policy control only works for apps that support it, which is why the approved-app list above matters, and that Microsoft has since announced that the approved client app control is being retired in favour of requiring an app protection policy. You should also require multi-factor authentication if it is not already required by another Conditional Access policy, but I would recommend a separate policy for that. Roll the policy out in report-only mode first and exclude your emergency-access accounts, so you can see who would be blocked before anyone actually is.
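As an added example (not code from the original post), the following creates that Conditional Access policy with the Microsoft Graph PowerShell module, in report-only mode so the sign-in logs show the effect before it is enforced. The Microsoft.Graph module, the group object IDs and the policy name are assumptions; replace the placeholder IDs with a pilot group and your emergency-access group.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module is
# installed and the account has rights to manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$PilotGroupId      = "00000000-0000-0000-0000-000000000001"  # placeholder: pilot users
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: emergency-access accounts

$policy = @{
    displayName = "APP - Require app protection policy for Office 365 on mobile"
    # Report-only first; change to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeGroups = @($BreakGlassGroupId)   # never lock out break-glass accounts
        }
        applications = @{
            includeApplications = @("Office365")    # the built-in "Office 365" app group
        }
        platforms = @{
            includePlatforms = @("iOS", "android")  # the platforms App Protection covers
        }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # "approvedApplication" = Require approved client app
        # "compliantApplication" = Require app protection policy
        operator        = "OR"
        builtInControls = @("approvedApplication", "compliantApplication")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created Conditional Access policy $($created.id) in state '$($created.state)'"
```

MFA is deliberately not part of this policy; as the text says, keep that in its own policy so the two can be reviewed and switched independently.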
App Data Protection Configuration Framework
The App Data Protection configuration framework includes guidance on which Intune App Protection settings to configure for different security levels, as well as a methodology for implementing them. The framework is divided into three levels, each representing Microsoft's enterprise recommendations for protection at that level. It also comes with a methodology for testing new settings in pre-production, and for rolling the settings out to different rings in different phases (which to my mind is common sense when it comes to deployment). Each security level has its own set of recommended configuration. Remember that these are general guidelines which should be tested before implementation, and they can always be adjusted to your specific needs.
Level 1 – Minimum data protection configuration
Basic protection. Replaces the need for Exchange Online device access policies. I would recommend starting with Level 2, which also enforces a minimum major version of iOS and Android matching the versions Microsoft supports for its apps.
Level 2 – Enterprise enhanced data protection
Recommended where users access sensitive or confidential information.
Level 3 – Enterprise high data protection
Increased security; typically targeted at specific users or groups whose members are high-value targets.
Importing configurations into your tenant
Microsoft has provided JSON templates which you can use for an efficient import and configuration of the settings.
The imported policies are not assigned to anyone, and they can easily be adjusted after import.
To successfully import the templates you will need these prerequisites:
- An Intune tenant with a production or trial license, and an account that has permissions to administer the Intune service. The built-in role Intune Administrator will suffice.
- Windows PowerShell 5.0 on Windows 10 x64.
- The scripts configure the settings through the Microsoft Graph API, so the first run requires a Global Administrator to consent to the application's permissions in your tenant. Review the requested permissions before consenting; the consent is tenant-wide.
- The AzureAD or AzureADPreview module for PowerShell. Run the following in an elevated PowerShell prompt: Install-Module -Name AzureAD -Force. Note that Microsoft has since deprecated the AzureAD module in favour of the Microsoft Graph PowerShell SDK (Microsoft.Graph).
Run PowerShell as administrator and navigate to the folder where the scripts and templates reside.
Run the script .\ManagedAppPolicy_Import_FromJSON.ps1 and specify your UPN for authentication:
If the AzureAD module is not found, remember to install it: Install-Module -Name AzureAD -Force
Once authenticated (and once the consent for the application permissions has been given, on the first run), you are asked to specify the full path to the JSON template file you want to import. In my example I imported this one: "C:\IntuneAppProtectionFramework\level-2-enterprise-enhanced-data-protection-iOS.json". Press enter and you will see the policy version, name and description, and confirmation that it has been imported.
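For anyone who prefers to see what the import actually does on the wire, here is an added example (not the sample script from the post) that imports one framework template directly through Microsoft Graph with the Microsoft.Graph PowerShell module. The template path, the list of read-only properties stripped before the POST, and the use of the beta endpoint deviceAppManagement/managedAppPolicies for a body carrying its own @odata.type are all assumptions on my part.

```powershell
# Added example, not the post's ManagedAppPolicy_Import_FromJSON.ps1. Assumes the
# Microsoft.Graph module and that the template carries its own "@odata.type"
# (e.g. #microsoft.graph.iosManagedAppProtection), which the beta
# managedAppPolicies endpoint is assumed to accept on create.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$TemplatePath = "C:\IntuneAppProtectionFramework\level-2-enterprise-enhanced-data-protection-iOS.json"  # placeholder path

$template = Get-Content -Path $TemplatePath -Raw | ConvertFrom-Json

# Properties the service sets itself; they must not be sent back on a create.
$readOnly = @("id", "createdDateTime", "lastModifiedDateTime", "version",
              "@odata.context", "apps@odata.context", "deployedAppCount", "isAssigned")
$body = $template | Select-Object -Property * -ExcludeProperty $readOnly

# The targeted app list keeps only the app identifiers, not tenant-specific ids.
if ($body.apps) {
    $body.apps = @($body.apps | Select-Object -Property * -ExcludeProperty id, version)
}

# Imported policies are unassigned; a suffix makes the fresh import easy to spot.
$body.displayName = "$($body.displayName) (imported $(Get-Date -Format yyyy-MM-dd))"

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies" `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Imported '$($created.displayName)' ($($created.'@odata.type')) with id $($created.id)"
```

Keep the returned id; it is what you need to edit, target or assign the policy later without going through the portal.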
Navigate to App Protection Policies in Intune. There we can verify that the policy has successfully been created.
And if needed, it can also be modified:
The next step is to assign the policy to a user or a user group and test the settings. Remember that as imported the policy applies to both corporate and BYOD devices. If you want to split this, edit the policy so that it targets only unmanaged devices. One could also create a restrictive policy for the unmanaged devices and a lighter one for the managed devices (which we will presume are MDM-enrolled).
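As an added example (not from the original post), this does that split and assignment through Microsoft Graph for an imported iOS policy: restrict it to unmanaged devices, assign it to a pilot group, and read both settings back to confirm the change. The policy id, the group id and the assumption that the policy is an iosManagedAppProtection are placeholders; for an Android template use the androidManagedAppProtections path instead.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module,
# that $PolicyId is the id of an imported iosManagedAppProtection, and that
# $PilotGroupId is the object id of a test group.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$PolicyId     = "00000000-0000-0000-0000-000000000010"  # placeholder
$PilotGroupId = "00000000-0000-0000-0000-000000000001"  # placeholder
$base = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections/$PolicyId"

# "unmanaged" = apps on devices that are not MDM-enrolled. A lighter companion
# policy for enrolled devices would use "mdm" instead.
$patch = @{
    "@odata.type"               = "#microsoft.graph.iosManagedAppProtection"
    targetedAppManagementLevels = "unmanaged"
}
Invoke-MgGraphRequest -Method PATCH -Uri $base `
    -Body ($patch | ConvertTo-Json) -ContentType "application/json"

# Assignment is an action on the policy, not a property you PATCH.
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $PilotGroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read back and confirm both changes took effect.
$policy   = Invoke-MgGraphRequest -Method GET -Uri $base
$assigned = Invoke-MgGraphRequest -Method GET -Uri "$base/assignments"
$groups   = ($assigned.value | ForEach-Object { $_.target.groupId }) -join ", "
"Management levels: $($policy.targetedAppManagementLevels); assigned groups: $groups"
```

Assign to a small pilot group first and open the protected apps on an enrolled and an unenrolled device; only the unenrolled one should receive this policy, which is exactly the check that tells you the split works before you widen the assignment.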