App Protection: Attack of the third-party apps


In one of my last blogs, I showed how you can set up multiple app protection profiles to make sure your managed and unmanaged iOS devices receive the correct app protection policy.

In my opinion, you need to lower the security bar in the app protection policies for managed devices. You really don't want well-behaved employees who enrolled their own devices to become annoyed by the security barriers and find another way to share the data.

Here is a very good example of what happens when you do not lower the bar:

One of the employees enrolled their iOS mobile device into Intune and after some time received the app protection policies. A few days later, he received an email asking him to make a simple payment. He opened the link in Edge to start the payment. Normally the user could click on "Pay" to open the Rabobank app, which was already installed on the device.

But now, after the device was enrolled and received the app protection policy, the pay button no longer opened the Rabobank app.

This is all because you configured the policy so that data can only be sent to policy managed apps and not to any other app.

When you configure this option, data can only be sent to apps that are protected by an app protection policy. This means the public app must be targeted by your app protection policy. As you can probably guess, the Rabobank app cannot be targeted.

So what options do we have? Are we going to exempt apps?

Maybe change the setting to all apps? Changing it to all apps is not secure at all!

Or should we choose a happy medium? With this option, we make sure MDM enrolled devices can transfer data to both Intune managed apps and policy protected apps.

Policy Managed Apps with OS Sharing

Policy Managed Apps with OS Sharing is designed for managed/enrolled devices. It lets you send corporate data to protected apps and also allows file transfers to apps that are managed by Intune. When you add the iOS app in Intune and assign it as required or available, the app becomes managed by Intune.

Please beware:

After some tests, we noticed that when the app was already installed on the device, the end user sometimes needed to open the Company Portal and click "Install" (we also configured the app as available); otherwise the app would not show up in the management profile and app protection would still block it.

You can check which apps are managed by Intune on a device by going to Settings > General > Device Management > select the Management Profile > Apps.

As shown above, we installed the Rabobank app from the Company Portal, and after a while it showed up in the management profile and we could finally pay the bill.
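To make the three outcomes described above easy to compare, here is an added example (not from the original post and not Microsoft's own code or API) that models the "Send Org data to other apps" setting as a small decision function. It covers the three choices the post names (Policy managed apps, Policy managed apps with OS sharing, All apps), the enrolled/unenrolled state of the device, and the Company Portal caveat: a public app like Rabobank only counts as Intune managed once it appears under the management profile. All class, function and scenario names are assumptions made for this illustration.

```python
"""Decision model for Intune's 'Send Org data to other apps' setting.

Added example (not from the original post or from Microsoft). It encodes the
behaviour the post describes so you can see which setting blocks the Rabobank
hand-off and which one unblocks it. All names below are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class TransferSetting(Enum):
    """Values of 'Send Org data to other apps' as named in the Intune portal."""
    POLICY_MANAGED_APPS = "Policy managed apps"
    POLICY_MANAGED_APPS_WITH_OS_SHARING = "Policy managed apps with OS sharing"
    ALL_APPS = "All apps"


@dataclass(frozen=True)
class Device:
    enrolled: bool          # MDM enrolled in Intune (has a management profile)


@dataclass(frozen=True)
class TargetApp:
    name: str
    policy_managed: bool    # targeted by an app protection policy (MAM)
    intune_managed: bool    # listed under the device's management profile > Apps


def transfer_allowed(setting: TransferSetting, device: Device, app: TargetApp) -> bool:
    """Return True if org data may be handed from a protected app to `app`."""
    if setting is TransferSetting.ALL_APPS:
        return True                      # no filtering at all: anything goes
    if app.policy_managed:
        return True                      # both remaining settings allow policy managed apps
    if setting is TransferSetting.POLICY_MANAGED_APPS_WITH_OS_SHARING:
        # OS sharing additionally allows Intune (MDM) managed apps, but only on enrolled devices
        return device.enrolled and app.intune_managed
    return False                         # plain 'Policy managed apps': everything else is blocked


# Constructed scenarios mirroring the post: Outlook is policy managed, the banking
# app is public (cannot be targeted by MAM) and is Intune managed only when it was
# installed through the Company Portal and shows up in the management profile.
RABOBANK_APPSTORE = TargetApp("Rabobank (installed from App Store)", policy_managed=False, intune_managed=False)
RABOBANK_PORTAL = TargetApp("Rabobank (installed via Company Portal)", policy_managed=False, intune_managed=True)
OUTLOOK = TargetApp("Outlook", policy_managed=True, intune_managed=True)

ENROLLED = Device(enrolled=True)
UNENROLLED = Device(enrolled=False)


def evaluate_scenarios() -> dict:
    """Evaluate every (setting, device, app) combination; key is a readable label."""
    results = {}
    for setting in TransferSetting:
        for device_label, device in (("enrolled", ENROLLED), ("unenrolled", UNENROLLED)):
            for app in (RABOBANK_APPSTORE, RABOBANK_PORTAL, OUTLOOK):
                key = f"{setting.value} | {device_label} | {app.name}"
                results[key] = transfer_allowed(setting, device, app)
    return results


if __name__ == "__main__":
    for key, allowed in evaluate_scenarios().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {key}")
```

Running it prints one line per scenario. The two rows worth reading side by side are "Policy managed apps | enrolled | Rabobank (installed via Company Portal)", which is blocked, and "Policy managed apps with OS sharing | enrolled | Rabobank (installed via Company Portal)", which is allowed; the App Store copy of the same app stays blocked under both settings, which is exactly the Company Portal caveat from the post.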



Lowering the security bar for your enrolled devices creates a better user experience, keeps your users happy and prevents shadow IT.
