Application Protection Policy (APP) for Windows Fully Explained!

Intune’s APP (Application Protection Policy) for Windows enables IT administrators to enforce security controls directly on the apps used for work. This includes policies that control how data is accessed, used, and shared within these applications. By isolating corporate data from personal data, APPs help prevent data leaks and keep devices in line with corporate security standards.

The benefits of implementing Intune’s APP on Windows devices are manifold: from enhancing security and reducing risks of data breaches to improving overall compliance with regulatory requirements. Moreover, these policies offer flexibility, allowing organizations to tailor the security measures according to their specific needs and industry standards.

What’s APP (Application Protection Policy) for Windows

As we’ve explained before, Microsoft Intune provides a way to manage data loss prevention (DLP) via Application Protection Policies (APP). App Protection Policies cover not only Android and iOS but also Windows. You can think of it as the successor to Windows Information Protection (WIP). It is currently supported only for the Edge app, but expectations are high that more apps (Microsoft and non-Microsoft) will be added.

Requirement for Windows APP (Application Protection Policy)

1- Supported OS: Windows 10, build 19045.3636 (KB5031445) or later, and Windows 11 22H2 or later, build 10.0.22621.2506 (KB5031455)

2- For Microsoft Defender Threat level: The Mobile Threat Defense (MTD) Connector for the Windows Security Center (WSC) component is only supported on Windows 11 version 22631 (23H2) or later.

3- Intune License for targeted users.
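The build requirements above, turned into a quick device-side check. This is an added example (not part of the original post or of Intune itself); it reads the standard CurrentBuildNumber and UBR registry values and compares them with the minimum builds listed in the requirements.

```powershell
# Added example: check a Windows device against the Windows APP prerequisites above.
# Assumes a local PowerShell session on the device being checked (no elevation needed).
function Test-WindowsAppPrerequisites {
    $nt    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$nt.CurrentBuildNumber   # e.g. 19045 (Win10 22H2), 22621 (Win11 22H2), 22631 (Win11 23H2)
    $ubr   = [int]$nt.UBR                  # update build revision, e.g. 3636 after KB5031445

    # Minimum builds from the requirements list:
    #   Windows 10 22H2 : 19045.3636 (KB5031445)
    #   Windows 11 22H2 : 22621.2506 (KB5031455); any newer Windows 11 build qualifies
    $appSupported = switch ($build) {
        19045   { $ubr -ge 3636 }
        22621   { $ubr -ge 2506 }
        default { $build -gt 22621 }
    }

    # The MTD connector for Windows Security Center needs Windows 11 23H2 (22631) or later,
    # so the "Defender threat level" condition in Conditional Launch only works from there.
    $mtdSupported = $build -ge 22631

    $note = if (-not $appSupported) {
        'Update Windows before targeting this device with a Windows APP'
    } elseif (-not $mtdSupported) {
        'APP is supported; do not rely on the Defender threat level condition on this build'
    } else {
        'All prerequisites met'
    }

    [pscustomobject]@{
        OSBuild          = "$build.$ubr"
        AppSupported     = [bool]$appSupported
        MtdThreatLevelOk = $mtdSupported
        Note             = $note
    }
}

Test-WindowsAppPrerequisites
```

The Intune license requirement (item 3) is a tenant-side check and is not covered by this script.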

How to Configure APP (Application Protection Policy) for Windows

1- From Intune Portal > Apps > App protection policies > create policy and select Windows

For Apps, only Microsoft Edge is available.


2- Data Protection: a small but powerful set of controls:

“Receive Data from”

  • All sources: Corporate Users can open data from any account, document, location, or application into the Organization Context.
  • No sources: Corporate Users can’t open data from external accounts, documents, locations, or applications into the Organization Context.

“Send org data to”

  • All destinations: Corporate Users can send organization data to any account, document, location, or application.
  • No destinations: Corporate Users can’t send organization data to external accounts, documents, locations, or applications from the Organization Context.

“Allow cut, copy, and paste for”

  • Can be restricted (no source or destination) or allowed everywhere.

“Print org data”

  • Printing to physical or virtual printers can be blocked or allowed.

3- Health Checks (Conditional Launch) are split into two parts:

  • App Conditions >> Edge app version, SDK version, offline grace period, etc.
  • Device Conditions >> minimum/maximum OS version and the required protection level from Microsoft Defender.

4- Assignment: restricted to USER GROUPS whose members hold an active Intune license.

What’s the End-User Experience?!!

1- The user opens Edge and clicks the profile icon to add a new work or school profile.


2- After successful authentication, the user must un-select “Allow my organization to manage my device” and click OK (this keeps the device on the MAM channel only, with no MDM enrollment).


3- The device is registered in Azure AD for corporate resource access and Conditional Access evaluation (if used).


4- A confirmation message shows that the profile has been added.


5- In Windows Settings > Accounts > Access work or school, the new Microsoft account appears without an “Info” button, because only the MAM channel exists, not MDM.


6- The same account appears in the Edge profiles list.


7- If you are also targeting the user with a Managed App (App Configuration) profile for Edge, you can confirm that the app configuration was delivered to the profile via “edge://policy”.


8- Test the configured behaviour; for example, if you block copy, try to copy data out of the corporate profile and confirm it is blocked.


9- If you have multiple MAM policies, you can confirm which one was applied to the end user from the device itself via “edge://edge-dlp-internals/”.


What’s Multi-identity Application in Application Protection Policy World?

Edge is a multi-identity app, which means it can have multiple profiles; only corporate (work or school) profiles are controlled by Application Configuration (APC) and Application Protection (APP) policies, while personal profiles remain untouched.


APP (Application Protection Policy) Monitoring?

Via Intune Portal > Apps > Monitor > App protection status.


Can I ENFORCE Conditional Access 🛡️?

1- Open Azure Portal > Identity > Protection > Conditional Access, under “Assignments > Cloud apps or actions”, select “Office 365”.


2- For “Device platforms”, select “Windows” (and only Windows).


3- Under Conditions, Client apps MUST be set to “Browser” only.


4- For Access controls > Select Grant, check “Require app protection policy”.


5- Finally click on Enable policy > select “On” and “Create”
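The same five portal steps as a Microsoft Graph PowerShell script, added here as an example (it is not code from the original post). It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and that the display name and break-glass account ID are placeholders.

```powershell
# Added example: create the Conditional Access policy from steps 1-5 via Microsoft Graph.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$policy = @{
    displayName = 'Windows - Require app protection policy for Edge'   # placeholder name
    # Step 5: "On". Use 'enabledForReportingButNotEnforced' first to pilot in report-only mode.
    state       = 'enabled'
    conditions  = @{
        # Step 1: cloud app "Office 365"
        applications = @{ includeApplications = @('Office365') }
        # Scope: all users, minus an emergency-access account so it can never be locked out
        users = @{
            includeUsers = @('All')
            excludeUsers = @('<break-glass-account-object-id>')   # placeholder
        }
        # Step 2: device platform Windows, and only Windows
        platforms = @{
            includePlatforms = @('windows')
            excludePlatforms = @()
        }
        # Step 3: client apps = Browser only
        clientAppTypes = @('browser')
    }
    # Step 4: Grant > "Require app protection policy" (Graph name: compliantApplication)
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantApplication')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Users who sign in to Edge with a profile that has not received the Windows APP are blocked by this policy, so assign the APP to the same group before enabling it.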

Windows APP (Application Protection Policy) Logs?

MAM Logs: “C:\Users\<your user name>\AppData\Local\Microsoft\Edge\User Data\MamLog.txt”. The log records the enrollment sequence in this order:


1- The APP service checks whether the user is assigned to the MAM service or a MAM policy.

2- The user is confirmed to have a MAM policy assigned, and the policy is allocated.

3- APP service enrollment completes successfully.

4- First check-in for the APP policy.

5- The device threat level is requested (only if configured in Conditional Launch).

6- The MAM policy is downloaded and enforced on the Edge work profile.

Conclusion

In summary, Microsoft Intune’s Application Protection Policies for Windows provide a comprehensive solution for safeguarding corporate data at the application level, balancing security with user productivity. Whether you’re managing corporate-owned devices or supporting a BYOD environment, Intune APPs are crucial in maintaining a secure and compliant digital workspace.
