Intune’s APP (Application Protection Policy) for Windows enables IT administrators to enforce security controls directly on the apps used for work, including policies that control how organization data is accessed, used and shared inside those apps. By separating corporate data from personal data at the app level, APPs help prevent data leaks and support compliance with corporate security standards.
The benefits of implementing Intune’s APP on Windows devices range from reducing the risk of data leaks to improving compliance with regulatory requirements. The policies are also flexible, so organizations can tailor the controls to their own needs and industry standards.
What’s APP (Application Protection Policy) for Windows
As explained in earlier posts, Microsoft Intune provides data loss prevention (DLP) at the app level through Application Protection Policies (APP). App Protection Policies are not limited to Android and iOS; they are also available for Windows, where they are effectively the successor to Windows Information Protection (WIP). Today only the Microsoft Edge app is supported, but the expectation is that more apps (Microsoft and non-Microsoft) will follow.
Requirements for Windows APP (Application Protection Policy)
1- Supported OS: Windows 10 22H2, build 19045.3636 (KB5031445) or later, or Windows 11 22H2, build 10.0.22621.2506 (KB5031455) or later.
2- For the Microsoft Defender device threat level condition: the Mobile Threat Defense (MTD) connector for the Windows Security Center (WSC) component is only supported on Windows 11 version 23H2 (build 22631) or later.
3- An Intune license for the targeted users.
How to Configure APP (Application Protection Policy) for Windows
1- In the Intune admin center go to Apps > App protection policies > Create policy and select Windows.
Under Apps, Microsoft Edge is currently the only app that can be targeted.
2- Data Protection: a short but powerful set of controls:
“Receive Data from”
- All sources: Corporate Users can open data from any account, document, location, or application into the Organization Context.
- No sources: Corporate Users can’t open data from external accounts, documents, locations, or applications into the Organization Context.
“Send org data to”
- All destinations: Corporate Users can send organization data to any account, document, location, or application.
- No destinations: Corporate Users can’t send organization data to external accounts, documents, locations, or applications from the Organization Context.
“Allow cut, copy, and paste for”
- Either “No destination or source” (protected) or “Any destination and any source” (allowed everywhere).
“Print org data”
- Printing of org data to physical or virtual printers is allowed or blocked.
3- Health Checks (Conditional Launch) are split into two parts:
- App conditions: minimum Edge app version, minimum SDK version, offline grace period, etc.
- Device conditions: minimum/maximum OS version and the maximum allowed device threat level reported by Microsoft Defender.
4- Assignment: only user groups can be targeted, and the users need an active Intune license.
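The same policy can be created as code instead of clicking through the portal, which makes it reviewable and repeatable across tenants. The following is an added example (not code from the original post) that creates the Windows APP described in the steps above through the Microsoft Graph beta endpoint using the Microsoft.Graph PowerShell SDK. It assumes the `windowsManagedAppProtection` resource and the property names shown follow the Graph beta schema as I understand it, that the `targetApps` and `assign` actions behave as for the other platforms’ managed app protections, and that the group id is a placeholder; verify the payload in Graph Explorer before running it against a production tenant.

```powershell
# Added example, not from the original post. Assumptions: property names follow the Graph
# beta schema for windowsManagedAppProtection; $groupId is a placeholder to replace.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$graph   = "https://graph.microsoft.com/beta/deviceAppManagement/windowsManagedAppProtections"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: Entra group of licensed users

# 1) Policy body: the Data Protection and Health Check settings from the steps above
$policy = @{
    "@odata.type" = "#microsoft.graph.windowsManagedAppProtection"
    displayName   = "Windows MAM - Edge - Block external data"
    description   = "Example: isolate org data in the Edge work profile"
    # Data protection
    allowedInboundDataTransferSources       = "none"   # "Receive data from": No sources ("allApps" = All sources)
    allowedOutboundDataTransferDestinations = "none"   # "Send org data to": No destinations ("allApps" = All destinations)
    allowedOutboundClipboardSharingLevel    = "none"   # cut/copy/paste: No destination or source ("anyDestinationAndSource" = allowed)
    printBlocked                            = $true    # "Print org data": Block
    # Health checks (Conditional Launch)
    minimumRequiredOsVersion                = "10.0.19045.3636"   # Win10 22H2 baseline from the requirements
    periodOfflineBeforeAccessCheck          = "PT12H"             # offline grace period (ISO 8601 duration)
    maximumAllowedDeviceThreatLevel         = "low"               # needs the Defender/WSC MTD connector (Win11 23H2+)
}
$created = Invoke-MgGraphRequest -Method POST -Uri $graph `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 2) Target the only Windows app available today: Microsoft Edge
$apps = @{
    apps = @(
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.windowsAppIdentifier"
                windowsAppId  = "com.microsoft.edge"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 3) Assignment: user groups only; device groups are not evaluated for MAM
$assignment = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# 4) Read back what the service actually stored and eyeball it against the intent
Invoke-MgGraphRequest -Method GET -Uri "$graph/$($created.id)?`$expand=apps,assignments" |
    Select-Object displayName, allowedInboundDataTransferSources, allowedOutboundDataTransferDestinations,
                  allowedOutboundClipboardSharingLevel, printBlocked, isAssigned
```

The read-back at the end is the part worth keeping in any automation: a silently ignored or misspelled property in the POST body does not fail the request, so compare the stored object with the intended values rather than trusting a 201 response.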
What’s the End-User Experience?
1- The user opens Edge, clicks the profile icon and adds a new work or school profile.
2- After successful authentication the user must clear “Allow my organization to manage my device” and click OK; if it stays selected, Windows may also try to enroll the device in MDM instead of keeping it MAM-only.
3- The device is registered (workplace joined) in Microsoft Entra ID (Azure AD) for corporate resource access and Conditional Access evaluation, if used.
4- A confirmation message shows that the profile has been added.
5- In Windows Settings > Accounts > Access work or school the new account appears without an Info button, because only the MAM channel exists, not MDM.
6- The same account appears under Edge profiles.
7- If the user is also targeted with a managed app configuration policy (App Config Profile) for Edge, you can confirm it was delivered to the work profile via “edge://policy”.
8- Test the configured behaviour, for example try to copy data out of the corporate profile if you block copy.
9- If multiple MAM policies are in play, you can see which one was applied on the device itself via “edge://edge-dlp-internals/”.
What’s Multi-identity Application in Application Protection Policy World?
Edge is a multi-identity app: it can host several profiles, and only the work profiles are governed by App Configuration (APC) and App Protection (APP) policies, while personal profiles remain untouched.
APP (Application Protection Policy) Monitoring
In the Intune admin center go to Apps > Monitor > App protection status.
Can I ENFORCE Conditional Access 🛡️?
1- Open the Azure Portal (Entra admin center) > Identity > Protection > Conditional Access. Under Assignments > Cloud apps or actions, select “Office 365”.
2- Under Device platforms, select “Windows” (and only Windows).
3- Under Conditions > Client apps, select “Browser” only.
4- Under Access controls > Grant, check “Require app protection policy”.
5- Finally set Enable policy to “On” (or “Report-only” first, to validate against the sign-in logs) and click “Create”.
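The same Conditional Access policy expressed through Microsoft Graph, as an added example (not from the original post) so the rule can be reviewed and versioned rather than rebuilt by hand. It assumes the group and break-glass account ids are placeholders; the policy is created in report-only mode on purpose, because on Windows “Require app protection policy” will block any browser session that is not the Edge work profile, so the sign-in logs should confirm the expected impact before the state is switched to enabled.

```powershell
# Added example, not from the original post. Placeholders: $groupId, $breakGlass.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$groupId   = "00000000-0000-0000-0000-000000000000"   # placeholder: same user group the APP is assigned to
$breakGlass = "11111111-1111-1111-1111-111111111111"  # placeholder: emergency-access account, always excluded

$caPolicy = @{
    displayName = "CA - Windows browser - Require app protection policy (Edge MAM)"
    state       = "enabledForReportingButNotEnforced"   # report-only first; "enabled" to enforce
    conditions  = @{
        users = @{
            includeGroups = @($groupId)
            excludeUsers  = @($breakGlass)
        }
        applications = @{
            includeApplications = @("Office365")      # the "Office 365" cloud app group
        }
        platforms = @{
            includePlatforms = @("windows")           # Windows, and only Windows
        }
        clientAppTypes = @("browser")                 # Browser only: the Edge work profile is the MAM client
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantApplication")   # = "Require app protection policy"
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Verify the stored policy: platform, client app type and grant control must all be present,
# otherwise the rule is either wider (blocks MDM-managed devices too) or toothless.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)" |
    Select-Object displayName, state,
        @{ n = 'platforms';  e = { $_.conditions.platforms.includePlatforms -join ',' } },
        @{ n = 'clientApps'; e = { $_.conditions.clientAppTypes -join ',' } },
        @{ n = 'grant';      e = { $_.grantControls.builtInControls -join ',' } }
```

Keep the break-glass exclusion even in report-only mode so the exclusion is already in place when the state flips to enabled; a policy that requires an app protection policy on every Windows browser session can lock administrators out of the portal if their own accounts are in the targeted group.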
Windows APP (Application Protection Policy) Logs
MAM log: C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\MamLog.txt
A successful enrollment shows the following sequence in that log:
1- The APP service checks whether the user is targeted by a MAM policy.
2- The user is confirmed to have a MAM policy assigned and the policy is allocated.
3- APP service enrollment completes successfully.
4- First check-in for the APP policy.
5- The device threat level is requested (if configured under Conditional Launch).
6- The MAM policy is downloaded and enforced on the Edge work profile.
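The end-user steps and the log section above describe two things worth checking from the device when a user reports that the work profile is not being protected: that the account is workplace joined over the MAM channel only (no MDM), and that the Edge work profile has actually talked to the APP service. The following is an added example (not from the original post) that reads both. It assumes the MamLog.txt path given above; the error keyword filter is a generic pattern of mine, not Microsoft’s documented log format, and dsregcmd must run in the affected user’s session (not elevated) for the User State section to be populated.

```powershell
# Added example, not from the original post. Run as the signed-in user, unelevated.

function Get-WorkplaceJoinState {
    # dsregcmd /status prints key : value lines. A MAM-only registration shows
    # WorkplaceJoined : YES (User State) with AzureAdJoined : NO and an empty MdmUrl.
    $status = dsregcmd /status
    $result = [ordered]@{ AzureAdJoined = $null; WorkplaceJoined = $null; MdmUrl = $null }
    foreach ($line in $status) {
        if ($line -match '^\s*(AzureAdJoined|WorkplaceJoined|MdmUrl)\s*:\s*(.*)$') {
            $result[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$result
}

function Get-MamLogSummary {
    param(
        # Path from the post: per-user Edge profile directory
        [string]$Path = (Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\MamLog.txt'),
        [int]$Tail = 30
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return "No MamLog.txt at $Path - the Edge work profile has not contacted the APP service yet."
    }
    $lines = Get-Content -LiteralPath $Path
    [pscustomobject]@{
        LastWrite  = (Get-Item -LiteralPath $Path).LastWriteTime
        TotalLines = $lines.Count
        # Assumption: a generic keyword filter; adjust once you know what a failure looks like in your tenant
        Suspicious = @($lines | Select-String -Pattern 'error|fail|denied' | Select-Object -Last 10 | ForEach-Object Line)
        Recent     = @($lines | Select-Object -Last $Tail)
    }
}

$join = Get-WorkplaceJoinState
$join
if ($join.WorkplaceJoined -ne 'YES') {
    Write-Warning "Account is not workplace joined; the work profile was probably not added, or the user cancelled sign-in."
}
if ($join.MdmUrl) {
    Write-Warning "MdmUrl is set: this device is MDM enrolled, so the 'Allow my organization to manage my device' box was left checked."
}
Get-MamLogSummary | Format-List
```

The two warnings map directly to the two common mistakes in the end-user flow: a missing work profile (no WorkplaceJoined) and an unintended MDM enrollment (MdmUrl populated). The log summary is only a starting point; the six stages listed above are what you then look for in the Recent lines.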
Conclusion
In summary, Microsoft Intune’s Application Protection Policies for Windows safeguard corporate data at the application level while keeping users productive. Whether you manage corporate-owned devices or support a BYOD environment, Intune APPs are a key part of a secure and compliant workspace.
Recommendations:
- Read Application Protection Policies for Android and for iOS
- Intune Bytes articles