Last Updated on February 15, 2022 by rudyooms

Obviously, there is a need to use mobile devices to access company data. These devices and apps need to be secured. There are many articles written about when to use MDM and when to use MAM or combine them. This blog will be about troubleshooting App protection policies.

This week we were enrolling new surfaces and mobile devices into Microsoft 365. It can be a struggle when you don’t have a greenfield tenant and you need to make sure the existing tenant gets a structured design. Migrating large organizations can take some time. you really don’t want to transform an organization to Microsoft 365 by night.

I will divide this blog into multiple parts

1. Conditional Access and an Approved App Policy
2. Enrolling the Devices
3. The issue after the enrollment
4. Troubleshooting App protection Policies in Intune
5. Troubleshooting App protection Policies on the Device
6. Solving the problem

1.Conditional Access and an Approved App policy

We made sure group licensing is being applied. When a user is a member of this license group, they can enroll their devices into Microsoft 365, App protection will be applied and Conditional Access is applied to the same group. With a conditional access rule, you can require approved apps and require app protection policies.  

2. Enrolling the devices

This week we began to enrol the first batch of employees with their surfaces and mobile devices. To make sure they could still access their Teams Desktop app and their email on their iPhone before their devices are enrolled, we have created some conditional access exclusions groups. So after their devices are successfully enrolled we could remove the users from the exclusion groups.

So we did.  The first batch of devices was enrolled and we removed them from the exclusion groups. No problems at all, all devices were compliant!… that’s what we thought.

3. The issue after the enrollment

In the evening we received a new ticket with a screenshot (Sorry.. it’s in Dutch: Access Denied, the app needs to be protected). One of the users could not access OneDrive on their mobile devices.

That’s odd? as they were all compliant? Let’s dig in

4. Troubleshooting App Protection Policies in Intune

So let’s start troubleshooting. These are the steps we took, to troubleshoot this problem:

Step 1: Compliance State: Of course, the first thing we did checking if the mobile device is compliant and which IOS version is installed. As shown below, the device is compliant and up to date.

Step 2: Now we know, the device is compliant we need to check the Azure Ad sign-in log to look for problems. Again… No failures.

Step 3: So, the device is compliant and has no CA failures. The next thing we need to check would be the App protection policy. Because we need to make sure nothing is wrong with the policy and we need to confirm if OneDrive is targeted and if it’s assigned to the proper group.

Step 4: Now it’s time to check the app protection logs as the error really looks like a problem with App Protection. We downloaded the App protection Report: IOS, Android.

After reviewing the report, the problem user was not in this report. That makes sense, as the app Onedrive is not protected with an app protection policy. What to check next?

Step 5: In the same app protection status monitor, we selected the user status for the IOS report. Hopefully, it tells us a little bit more. And yes it does

A nice error popped up: Not checked in. On the next sync, this app will receive one or more policies…  That’s a little bit weird because the iPhone was enrolled in the afternoon and the company portal app was showing no errors. 

Step 6: To be sure we asked if the company app was still installed and if it was showing errors. But no errors were shown. Of course, on IOS devices the company app is not required to implement App protection policies in contrast to Android.

We made certain the device was rebooted, but that did not resolve the problem. Now we know what the problem is, how are we going to solve it.?

5. Troubleshooting App Protection on the Device

Instead of using Intune you could also get your hands on a Device to start troubleshooting. When you are at the customer and you want to determine which App Protection policies were applied on the device itself, you could do so by opening edge and type: about:intunehelp. It will give you a brief summary of all the Protection Policies applied to a specific app!

6. Solving the problem

Step 1: Let’s start with initiating a device sync from the Intune portal, hopefully, it works?

But unfortunately, that didn’t do anything and the OneDrive app was still not working

Step 2: Even checking the status within the company app portal on the device didn’t change anything.

Step 3: let’s check what Microsoft tells us about App protection

Typically 30 minutes…. I guess the word: typically says it all, you will need to have patience…a lot of patience. But that’s not helping a lot when you have the customer on the other side of the phone.

As mentioned at the beginning of this blog, you will need to have a structured design. We have created a group for each CA rule, with the same name. Security is key, but for now, we will add the user into the CA exclusion group so App protection is no longer required.  The customer is satisfied and can resume his work.

Please beware that just excluding the user from the CA policy is not your final solution! you will need to monitor if the App protection policy has been applied the next day, you NEED to remove the user from the exclusion group.

As shown above, the Microsoft OneDrive app on his device has finally received the app protection policy! Now we can be sure we can remove the user from the exclusion group

Conclusion:

This is the way. App protection is really great to make sure the data within apps is protected on managed and unmanaged devices but sometimes it can take a really long time before app protection policies are applied. In the meantime, you can exclude the users from the conditional access rule.

But please don’t forget to remove the user when the issue is resolved! You really don’t want to be “bombed” by your employee when the user decided to just copy all of the company data to his personal files before joining the competition!