Application Protection Policies (APPs) are essential security frameworks designed to safeguard sensitive data and ensure compliance within enterprise environments on iOS devices. These policies enforce specific controls on mobile applications (including Screen Capture), protecting organizational data from unauthorized access, leakage, or misuse, while maintaining a seamless user experience.
Screen Capture Control prevents users from taking screenshots or screen recordings of sensitive organizational data within protected applications, such as Microsoft Outlook or Teams. By enforcing this policy, businesses can reduce the risk of data leakage, ensuring sensitive information remains secure.
Screen capture control has always been available for Android devices at the application level (Managed Application Management), but not on iOS.
Heads-up in April 2024
Microsoft announced an upcoming change in April 2024 (What’s new in Intune): a plan to release the “iOS Screen Capture Control” capability over the MAM (Managed Application Management) channel.
The capability will be in place for any application integrated with the new SDK or wrapping tool.
Intune Announcement
The change was also recently published in the Intune Message Center. You can check it in the Intune Portal > Tenant Administration > Service Health and Message Center by searching for Message ID MC947829.
The change is also published in the Microsoft Application Protection Policy documentation for iOS devices.
Effect on the User Side
If an end user opens an application protected with Application Protection (v19.7.5+ for Xcode 15 and v20.2.0+ for Xcode 16) and tries to take a screenshot or record the screen, the screenshot or recorded video will not contain any data and will be black.
Mitigation
If the Application Protection Policy setting “Send Org Data” is set to “All Apps”, screen capture is allowed. If it is set to “None” or any type of “Policy Managed Apps”, screen capture is blocked.
So, if you would like to disable the built-in Screen Capture Control, you need to send a Managed Application App Config Profile that overrides this key.
Open Intune Portal > Apps > Application Configuration > Select Create Managed Apps.
Under “Target policy to”, select All Apps, Microsoft Apps, or Core Microsoft Apps, or manually select all the applications needed, then click Next.
Under General Configuration Settings, type in the name “com.microsoft.intune.mam.screencapturecontrol” and set the value to “Disabled”.
Then assign the policy to the targeted user group ONLY. You still have the option to filter targeted users with a Managed Application Filter.
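The following audit is an added example, not code from this article or from Microsoft. It applies the rules above to a constructed export and reports, per policy and user group, whether screen capture ends up blocked or allowed. The field names allowedOutboundDataTransfer and customSettings follow Microsoft Graph's iosManagedAppProtection and targetedManagedAppConfiguration objects; the flat "groups" list and all policy and group names are simplifying assumptions.

```python
import json

SCREEN_CAPTURE_KEY = "com.microsoft.intune.mam.screencapturecontrol"

# Constructed sample (not real tenant data). Field names mirror Graph exports;
# the flat "groups" list stands in for Graph's assignment objects (assumption).
SAMPLE = json.loads("""
{"protection_policies": [
   {"displayName": "iOS-APP-Strict", "allowedOutboundDataTransfer": "managedApps",
    "groups": ["grp-finance", "grp-sales"]},
   {"displayName": "iOS-APP-Open", "allowedOutboundDataTransfer": "allApps",
    "groups": ["grp-contractors"]}],
 "app_configs": [
   {"displayName": "Allow-ScreenCapture", "groups": ["grp-sales"],
    "customSettings": [{"name": "com.microsoft.intune.mam.screencapturecontrol",
                        "value": "Disabled"}]}]}
""")


def override_groups(app_configs):
    """Map each group to the app config that sets the key to Disabled for it."""
    found = {}
    for cfg in app_configs:
        for setting in cfg.get("customSettings", []):
            # Exact match on the key and value as given in the article.
            if setting.get("name") == SCREEN_CAPTURE_KEY and setting.get("value") == "Disabled":
                for group in cfg.get("groups", []):
                    found.setdefault(group, cfg["displayName"])
    return found


def audit(export):
    """Return (policy, group, state, reason) rows for every policy assignment."""
    overrides = override_groups(export["app_configs"])
    rows = []
    for pol in export["protection_policies"]:
        for group in pol.get("groups", []):
            if pol["allowedOutboundDataTransfer"] == "allApps":
                rows.append((pol["displayName"], group, "allowed", "Send Org Data = All Apps"))
            elif group in overrides:
                rows.append((pol["displayName"], group, "allowed", "override: " + overrides[group]))
            else:
                rows.append((pol["displayName"], group, "blocked", "built-in control active"))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:16} {:16} {:8} {}".format(*row))
```

Rows marked "allowed" by an override show where the built-in block has been switched off, so they can be compared against the groups that were meant to receive the exception.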
Conclusion
Controlling screen capture for iOS devices within Microsoft Intune’s Application Protection Policy (APP) is crucial for safeguarding sensitive corporate data. By restricting screen capture capabilities, organizations can prevent unauthorized dissemination of confidential information, thus ensuring data integrity and compliance with security standards. This measure not only protects intellectual property and sensitive data but also enhances overall data security by mitigating the risks associated with inadvertent or malicious data exposure. Implementing such controls fosters a secure work environment where corporate data is consistently protected, reinforcing the trust and reliability essential for any organization’s digital operations.