Last Updated on November 16, 2022 by rudyooms
This blog will be about the Managed and Unmanaged App Protection Policies and how you could make sure it also works like it should on IOS devices.
I will divide this blog into multiple parts:
- Conditional Access
- App Protection Policies
- Android App Protection
- iOS App Protection
- iOS App Configurations
- Deploying them With PowerShell
When we want to protect the company data we have got multiple options to choose from.
Are you going to require compliant mobile iOS/Android devices, so each device needs to be enrolled (MDM)? Or do you have a lot of front-line workers and only want the apps themselves to be secured with an App Protection policy (MAM)? Or maybe a combination?
In this example, we did both. We wanted to make sure users with a Microsoft 365 Business Premium license had their mobile devices managed/enrolled, while all other users could access Office 365 without their devices being enrolled. Of course, we need to apply App Protection for each option.
You have to choose which of these options protects the company data best. Managed devices get the Managed devices App Protection policy, and unmanaged devices get their own Unmanaged devices App Protection Policy.
I have to add, we do loosen the screws a bit on the Managed App Protection policies because we do have more power over that device!
2. Conditional Access Rule
So let’s begin with locking down the environment with some Conditional Access rules. Assuming you have already blocked legacy authentication, we are going to create 2 additional Conditional Access rules.
- The first CA rule requires Microsoft 365 Business Premium licensed users to have compliant iOS/Android devices.
- The second CA rule makes sure approved client apps are required when accessing Office 365 data.
Please be aware that Teams and “Require app protection policy” may not go well together, so the safest option is to only require approved client apps (the Microsoft apps) to access Office 365 data.
UPDATE: Please read my blog about the require app protection misunderstanding:
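The two Conditional Access rules described above, scripted with the Microsoft Graph PowerShell SDK. This is an added example and not the blog's own script from the author's GitHub page; the group IDs are placeholders, and the policies are created in report-only mode so you can validate the sign-in impact before switching them to enabled.

```powershell
# Added example (not the blog's own script): creates the two mobile Conditional Access
# policies via Microsoft Graph. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$premiumGroupId    = "00000000-0000-0000-0000-000000000001"   # placeholder: Business Premium users
$mobileUsersGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder: all other mobile users
$breakGlassGroupId = "00000000-0000-0000-0000-000000000003"   # placeholder: emergency access accounts

function New-MobileCaPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$IncludeGroupId,
        [Parameter(Mandatory)][string[]]$BuiltInControls,   # e.g. compliantDevice, approvedApplication
        [string[]]$ExcludeGroupIds = @()
    )
    $body = @{
        displayName = $DisplayName
        # Report-only first: the sign-in logs show what would have been blocked, nothing is enforced yet.
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeGroups = @($IncludeGroupId); excludeGroups = @($ExcludeGroupIds) }
            applications   = @{ includeApplications = @("Office365") }   # the Office 365 cloud app group
            platforms      = @{ includePlatforms = @("iOS", "android") }
            # Browser is left out on purpose: a browser session cannot carry an app protection policy.
            clientAppTypes = @("mobileAppsAndDesktopClients")
        }
        grantControls = @{ operator = "OR"; builtInControls = @($BuiltInControls) }
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"
}

# CA rule 1: Business Premium users must sign in from a compliant (MDM enrolled) iOS/Android device
New-MobileCaPolicy -DisplayName "CA - Mobile - Require compliant device (Business Premium)" `
    -IncludeGroupId $premiumGroupId -ExcludeGroupIds @($breakGlassGroupId) `
    -BuiltInControls @("compliantDevice")

# CA rule 2: everyone else must use an approved client app (the Microsoft apps) for Office 365 data
New-MobileCaPolicy -DisplayName "CA - Mobile - Require approved client app" `
    -IncludeGroupId $mobileUsersGroupId -ExcludeGroupIds @($premiumGroupId, $breakGlassGroupId) `
    -BuiltInControls @("approvedApplication")
```

Once the report-only results look right, change `state` to `enabled`. The second rule excludes the Business Premium group so a licensed user never ends up under both rules with conflicting grant controls.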
3. App Protection Policies
After the CA rules were created, we need to create the App Protection policies. As shown below, we created multiple App Protection policies: one for managed devices and one for unmanaged devices.
In my opinion, devices that are managed don’t need an additional password to open the app, because you have probably already set up a compliance policy and a device configuration policy. As mentioned before, maybe you want to loosen the screws a bit on managed devices?
Another good example is allowing managed devices to “send org data to other apps” while blocking that action on an unmanaged/personal device. I have written a blog about which option you could choose and how it works in detail.
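The managed versus unmanaged split from the paragraphs above, as an added example (not the blog's own script): one function creates an iOS App Protection Policy through the Graph beta endpoint, with the "loosened" settings selected when the policy targets MDM enrolled devices. The group ID is a placeholder, and the bundle IDs of the Microsoft apps are assumed; verify them in your own tenant.

```powershell
# Added example (not the blog's own script): managed vs. unmanaged iOS App Protection Policies
# via Microsoft Graph (beta). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$appUri = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"

function New-IosAppProtectionPolicy {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet("mdm", "unmanaged")][string]$ManagementLevel,
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string[]]$BundleIds
    )
    $managed = ($ManagementLevel -eq "mdm")
    # "Loosen the screws" on managed devices: no extra app PIN, org data may be sent to other apps.
    $outbound  = "managedApps";            if ($managed) { $outbound  = "allApps" }
    $clipboard = "managedAppsWithPasteIn"; if ($managed) { $clipboard = "allApps" }

    $body = @{
        "@odata.type"                            = "#microsoft.graph.iosManagedAppProtection"
        displayName                              = $DisplayName
        targetedAppManagementLevels              = $ManagementLevel   # which device type the policy targets
        deviceComplianceRequired                 = $true
        dataBackupBlocked                        = $true
        saveAsBlocked                            = -not $managed
        printBlocked                             = -not $managed
        pinRequired                              = -not $managed
        allowedOutboundDataTransferDestinations  = $outbound
        allowedOutboundClipboardSharingLevel     = $clipboard
        allowedInboundDataTransferSources        = "managedApps"
        periodOfflineBeforeAccessCheck           = "PT12H"
        periodOfflineBeforeWipeIsEnforced        = "P90D"
    }
    $policy = Invoke-MgGraphRequest -Method POST -Uri $appUri -Body $body

    # Target the Microsoft apps by iOS bundle ID (targetApps action)
    $apps = foreach ($b in $BundleIds) {
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $b } }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$appUri/$($policy.id)/targetApps" -Body @{ apps = @($apps) }

    # Assign the policy to the user group
    Invoke-MgGraphRequest -Method POST -Uri "$appUri/$($policy.id)/assign" -Body @{
        assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } })
    }
    return $policy.id
}

# Assumed bundle IDs of the Microsoft apps; confirm them against the apps added in your tenant.
$msApps  = @("com.microsoft.Office.Outlook", "com.microsoft.skype.teams", "com.microsoft.skydrive")
$groupId = "00000000-0000-0000-0000-000000000001"   # placeholder: all mobile users

New-IosAppProtectionPolicy -DisplayName "APP - iOS - Managed devices"   -ManagementLevel mdm       -GroupId $groupId -BundleIds $msApps
New-IosAppProtectionPolicy -DisplayName "APP - iOS - Unmanaged devices" -ManagementLevel unmanaged -GroupId $groupId -BundleIds $msApps
```

Both policies can be assigned to the same group: `targetedAppManagementLevels` decides which one a given device picks up, which is exactly why the IntuneMAMUPN configuration in the next sections matters on managed iOS devices.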
4. Android Apps
When only working with Android devices, this setup is good enough. You only need to make sure your users have the Company Portal app installed. It only needs to be installed; no configuration is required, as it functions as the broker on Android devices.
But when you have users with iOS mobile devices (I bet you do), you will need some additional configuration.
5. iOS Apps
Just like on an Android phone, App Protection requires a broker app. On iOS devices, the Microsoft Authenticator app needs to be installed. After making sure all our iOS users have that app installed, we first need to make sure all the applications that need the Managed App Protection policies are added to Intune. As mentioned earlier, we need to define an App Configuration Policy for each app, and how could we do this without any apps?
If you read my blogs often, you will probably know the whole setup can be scripted. When you need to do this manually, it will take some time so why not deploy it with PowerShell:
6. App Configuration
Now that we have all the required apps installed on the devices, we still need to push an additional App Configuration to make sure the IntuneMAMUPN key is configured for each application. Please note: some apps do not support this configuration. Please visit this Microsoft Doc to check which applications do support it!
You need to configure IntuneMAMUPN for each app because this value is required on Intune-managed devices to identify the enrolled user account. This is very important, because you really want to make sure the protected app gets the correct App Protection policy applied!
Let’s create a new Managed Device App Configuration Policy and select the Outlook app. Again, you will need to create an App Configuration with the IntuneMAMUPN key for each app. To do so, select “Managed Devices” when adding a new App Configuration Policy.
After selecting the proper App Configuration type, select iOS/iPadOS and the “Targeted App”. In this example, I will select Microsoft Outlook.
The option to add the required “IntuneMAMUPN” key can be found under “Additional Configuration”. Please be aware that app configuration keys are case sensitive. Use the proper casing to ensure the configuration takes effect.
And a quick summary of how and where to configure the IntuneMAMUPN key:
Microsoft Intune > Client Apps > App Configuration
7. Deploying them With PowerShell
Of course, you can do this all manually for each iOS managed app, but why not automate the deployment of the app configuration policies? As always, you can automate it with PowerShell and Graph. Take a look at my GitHub page if you want to know how.
After a while, and I mean really a while (it could take up to 8 hours; read the blog below), it will start working. I have written a blog on how to troubleshoot App Protection policies. Please read it if you want to know more about troubleshooting those app protection policies.
In the link above, I also showed you how to monitor/troubleshoot the app protection policies. So let’s take a look at which apps understood the IntuneMAMUPN configuration.
When taking a look at the Microsoft Edge app configuration, you can check whether the configuration applied successfully.
As shown above, it is telling us it’s “Not Applicable”. I guess Edge does not respond to the configuration policy, but Teams, OneDrive and Outlook did.
Please note: if the app assignment was configured as available instead of required, you will need to reinstall the already installed app from the Company Portal.
When you are at the customer and want to determine which App Protection policies were applied, you can do so by opening Edge and typing about:intunehelp. It gives you a brief summary of all the Protection Policies applied to a specific app!
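The IntuneMAMUPN deployment from sections 6 and 7, plus the status check from the monitoring paragraphs above, as one added example (not the script from the author's GitHub page). It assumes the Microsoft.Graph PowerShell SDK, the Graph beta endpoint, a placeholder group ID, and the bundle IDs of Outlook, Teams and OneDrive, which you should verify against the apps added to your tenant. Because the key is case sensitive, the script refuses anything that is not exactly `IntuneMAMUPN`.

```powershell
# Added example (not the blog's own script): per-app "Managed devices" app configuration that sets
# IntuneMAMUPN, assigns it, and reads back the per-device status (e.g. "notApplicable" for an app
# that ignores the key, as seen with Edge above). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$graph = "https://graph.microsoft.com/beta/deviceAppManagement"
$targetGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: managed iOS users

# App configuration keys are case sensitive: -ceq rejects e.g. "intunemamupn" before anything is created.
function Test-IntuneMamUpnKey([string]$Key) { return ($Key -ceq "IntuneMAMUPN") }

function Get-IosAppIdByBundleId([string]$BundleId) {
    # Both App Store and VPP apps carry a bundleId; fetch the iOS app types and match client-side.
    $uri  = "$graph/mobileApps?`$filter=isof('microsoft.graph.iosStoreApp') or isof('microsoft.graph.iosVppApp')"
    $apps = (Invoke-MgGraphRequest -Method GET -Uri $uri).value   # first page only; add paging for large tenants
    $app  = $apps | Where-Object { $_.bundleId -eq $BundleId } | Select-Object -First 1
    if (-not $app) { throw "App $BundleId is not added to Intune yet; add it first (section 5)." }
    return $app.id
}

function New-IntuneMamUpnConfig([string]$BundleId, [string]$Key = "IntuneMAMUPN") {
    if (-not (Test-IntuneMamUpnKey $Key)) { throw "Key '$Key' has the wrong casing; it must be 'IntuneMAMUPN'." }
    $appId = Get-IosAppIdByBundleId $BundleId
    $body = @{
        "@odata.type"      = "#microsoft.graph.iosMobileAppConfiguration"   # the "Managed devices" policy type
        displayName        = "AppConfig - IntuneMAMUPN - $BundleId"
        targetedMobileApps = @($appId)
        settings           = @(@{
            appConfigKey      = $Key
            appConfigKeyType  = "stringType"
            appConfigKeyValue = "{{userprincipalname}}"   # token: resolved to the enrolled user's UPN
        })
    }
    $cfg = Invoke-MgGraphRequest -Method POST -Uri "$graph/mobileAppConfigurations" -Body $body
    Invoke-MgGraphRequest -Method POST -Uri "$graph/mobileAppConfigurations/$($cfg.id)/assign" -Body @{
        assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $targetGroupId } })
    }
    return $cfg.id
}

function Get-AppConfigStatusSummary([string]$ConfigId) {
    # Per-device result of the configuration (compliant, notApplicable, error, ...), counted per status
    $uri = "$graph/mobileAppConfigurations/$ConfigId/deviceStatuses"
    return (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Group-Object status | Select-Object Name, Count
}

# Assumed bundle IDs; confirm them in your tenant. Edge is left out because it reported "Not Applicable".
$bundleIds = @("com.microsoft.Office.Outlook", "com.microsoft.skype.teams", "com.microsoft.skydrive")
foreach ($b in $bundleIds) {
    $id = New-IntuneMamUpnConfig -BundleId $b
    Write-Host "Created app configuration $id for $b"
}

# Run this part again later (it can take hours before devices report back) to see who picked it up:
# Get-AppConfigStatusSummary -ConfigId "<id printed above>" | Format-Table
```

The status summary is the scripted equivalent of the portal view used above: a configuration that only ever shows `notApplicable` for an app tells you that app does not consume the key, not that the policy is broken.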
You will need to find the golden middle ground when securing your Office 365 data; otherwise, lines will be drawn in the sand. On your left, there is data to protect, and on your right, there are users who need to get their job done. You really need to make the end-users understand why it’s important.