We often use this capability during support sessions to allow engineers to see the screen of the mobile device. We only deploy this capability when the iOS devices serve a specialized function, like confidential devices for government officials. This often generates complaints from end-users as many want to use screenshots for communications. IOS does support blocking print screen, but it requires MDM support, and it blocks this functionality across the entire device. The settings are usually configured to allow sharing data across all Managed Apps (apps with Intune MAM support), so users can still share data across apps (i.e., share a file from OneDrive to Outlook and send it out as an attachment).įigure 7: Block app screenshots with Intune app protection policy. These settings control the ability of applications to share data (e.g., share Outlook attachments to WhatsApp) or receive data from other apps (e.g., share files from Google Drive to Outlook). You can configure a policy to control if mobile apps can receive data or send it (Figure 2). The configured policy applies to all the supported apps or those you assign within the device policy. I will highlight key settings in the policy to help you prevent users from sharing corporate data from Outlook. Why two? The application protection policy is configured per device type and hence you would have at least one for iOS and one for Android. To accomplish the goal, you need to create at least two application policies. The key objective of using Intune MAM is to control access to corporate data on the device. Read the eBook Useful Intune App Protection Policies to Protect Corporate Data in Outlook Top 10 Security Events to Monitor in Azure Active Directory and Office 365ĭiscover how native auditing tools can help - and how to overcome their shortcomings. This triggers the mobile app to enrol into Intune MAM. To apply Intune MAM to apps, you need a Conditional Access policy with the “require app protection policy” setting enabled (Figure 1). Therefore, you can have two MAM containers running at the same time. Android Enterprise with Work Profile is an exception as it supports two user profiles running side by side. Note that each device can only have one Intune MAM container, meaning that someone cannot have two Microsoft 365 accounts on their device if both tenants require Intune MAM. The container is protected and invisible to users via the Files app, for example. Intune MAM creates a container to store corporate data shared across all Intune MAM-supported apps. This article will give an overview of Intune app protection policy within MAM with specific policies I found particularly useful for protecting corporate data. The uptake of BYOD has also been a driving factor for the adoption of MAM. Managing applications rather than devices helps to reduce the chances of the kind of accident mentioned earlier. Nowadays, many organizations prefer to use Intune Mobile Application Management (MAM) to control supported mobile apps (i.e., Microsoft’s mobile apps). I have seen clients learn some hard lessons from the complexity of MDM, usually when someone accidentally wipes a C-level executive’s phone and all their family photos are gone. MDM works but can be overly complicated for administrators and end-users since it was not designed to manage apps but instead manage devices. Some years back, organizations usually opted to use a Mobile Device Management (MDM) solution to control mobile devices. Almost every Microsoft 365 implementation or migration project I have been involved in over the last few years has to consider the best way to manage mobile devices. Mobile devices play an important role in all Microsoft 365 deployments nowadays. Why Apply an Intune App Protection Policy Intune App Protection Policy within MAM is a Good Companion to Microsoft 365 Administrators.Bonus Track: Using Application Configuration Policy to Control Outlook Settings.Useful Intune App Protection Policies to Protect Corporate Data in Outlook.Why Apply an Intune App Protection Policy.
0 Comments
Leave a Reply. |