The sum of all App protection policies

Obviously, there is a need to use mobile devices to access company data. These devices and apps need to be secured. Many articles have been written about when to use MDM, when to use MAM, and when to combine them. This blog is about troubleshooting App protection policies.

This week we were enrolling new Surfaces and mobile devices into Microsoft 365. It can be a struggle when you don’t have a greenfield tenant and need to make sure the existing tenant gets a structured design. Migrating large organizations can take some time. You really don’t want to transform an organization to Microsoft 365 overnight.

We made sure group licensing is applied. When a user is a member of this license group, they can enroll their devices into Microsoft 365, App protection is applied, and Conditional Access is applied to the same group. With a Conditional Access rule, you can require approved apps and require app protection policies.

This week we began to enroll the first batch of employees with their Surfaces and mobile devices. To make sure they could still access their Teams desktop app and their email on their iPhone before their devices were enrolled, we created some Conditional Access exclusion groups. After their devices were successfully enrolled, we could remove the users from the exclusion groups.

So we did. The first batch of devices was enrolled and we removed the users from the exclusion groups. No problems at all, all devices were compliant! Or so we thought.

In the evening we received a new ticket with a screenshot (sorry, it’s in Dutch: Access denied, the app needs to be protected). One of the users could not access OneDrive on their mobile device.

So let’s start troubleshooting. These are the steps we took to troubleshoot this problem:

Step 1: Compliance state: Of course, the first thing we did was check whether the mobile device is compliant and which iOS version is installed. As shown below, the device is compliant and up to date.

Step 2: Now that we know the device is compliant, we need to check the Azure AD sign-in log for problems. Again… no failures.

Step 3: So, the device is compliant and there are no CA failures. The next thing to check is the App protection policy: make sure nothing is wrong with the policy, confirm that OneDrive is targeted, and confirm that the policy is assigned to the proper group.

Step 4: Now it’s time to check the app protection logs, as the error really looks like a problem with app protection. We downloaded the App protection report: iOS, Android.

When we reviewed the report, the problem user was not in it. That makes sense, as the OneDrive app is not protected with an app protection policy. What to check next?

Step 5: In the same app protection status monitor, we selected the user status for the iOS report. Hopefully, it tells us a little bit more. And yes, it does:

Not checked in. On next sync, this app will receive one or more policies… That’s a little bit weird, because the iPhone was enrolled in the afternoon and the Company Portal app was showing no errors.

Step 6: We also asked whether the Company Portal app was installed and whether it was showing errors. No errors were shown. Of course, on iOS devices the Company Portal app is not required to implement App protection policies, in contrast to Android. We made certain the device was rebooted, but that did not resolve the problem.

Now that we know what the problem is, how are we going to solve it?

Step 1: Let’s start by initiating a sync from the Intune portal; hopefully it works.

But unfortunately that didn’t do anything.

Step 2: Even checking the status within the Company Portal app on the device didn’t change anything.

Step 3: Let’s check what Microsoft tells us about how long App protection takes to apply:

Typically 30 minutes. I guess the word “typically” says it all: you will need to have patience… a lot of patience. But that doesn’t help much when you have the customer on the other end of the phone.

As mentioned at the beginning of this blog, you will need to have a structured design. We have created a group for each CA rule, with the same name. Security is key, but for now, we will add the user to the CA exclusion group so App protection is no longer required. The customer is satisfied and can resume his work.

Be aware that you will need to check the next day whether the App protection policy has been applied, so you can remove the user from the exclusion group.
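
One way to do that next-day check, as an added example that is not part of the original post or any Microsoft tooling: it reconciles the members of a CA exclusion group against per-app app protection status rows and reports who can be removed and what still blocks the others. The users, field names, status strings and the one-day freshness limit are constructed assumptions; in practice the rows would come from the exported user status report.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names and status strings are assumptions.
NOW = datetime(2024, 5, 3, 8, 0, tzinfo=timezone.utc)
EXCLUSION_GROUP = {"alice@contoso.example", "bob@contoso.example",
                   "carol@contoso.example", "dave@contoso.example"}
STATUS_ROWS = [
    {"user": "alice@contoso.example", "app": "OneDrive",
     "status": "Checked in", "last_sync": "2024-05-02T19:30:00+00:00"},
    {"user": "alice@contoso.example", "app": "Outlook",
     "status": "Checked in", "last_sync": "2024-05-02T19:31:00+00:00"},
    {"user": "bob@contoso.example", "app": "Outlook",
     "status": "Checked in", "last_sync": "2024-05-02T15:00:00+00:00"},
    {"user": "bob@contoso.example", "app": "OneDrive",
     "status": "Not checked in", "last_sync": ""},
    {"user": "dave@contoso.example", "app": "Teams",
     "status": "Checked in", "last_sync": "2024-04-20T09:00:00+00:00"},
]


def review_exclusions(members, rows, now, max_age=timedelta(days=1)):
    """Map each excluded user to the reasons that still block removal."""
    by_user = {}
    for row in rows:
        by_user.setdefault(row["user"].lower(), []).append(row)
    result = {}
    for user in sorted(m.lower() for m in members):
        apps = by_user.get(user, [])
        # A user missing from the report has no policy applied at all.
        reasons = [] if apps else ["no app protection status reported"]
        for row in apps:
            if row["status"] != "Checked in":
                # An app without a policy is blocked once the exclusion ends.
                reasons.append(f"{row['app']}: {row['status']}")
                continue
            age = now - datetime.fromisoformat(row["last_sync"])
            if age > max_age:
                reasons.append(f"{row['app']}: last sync {age.days}d ago")
        result[user] = reasons
    return result


def removable(result):
    """Users with no blocking reason can leave the exclusion group."""
    return [user for user, reasons in result.items() if not reasons]


if __name__ == "__main__":
    for user, reasons in review_exclusions(EXCLUSION_GROUP, STATUS_ROWS, NOW).items():
        print(user, "-> remove from exclusion" if not reasons else f"-> keep: {reasons}")
```

The check is per app rather than per user or device, which matches the case above: the device was compliant and other apps worked, while OneDrive was still not checked in.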


This is the way. App protection is really great for making sure the data within apps is protected on managed and unmanaged devices, but sometimes it can take a really long time before app protection policies are applied. In the meantime, you can exclude the users from the Conditional Access rule.
