Restricting and managing apps on user devices
Now that we have devices enrolled in Intune and secured, how do we deploy, manage, and secure the apps on them? Let's start by deploying an app to an Android device.
How to deploy an app to an Android device
1. Go to Microsoft Endpoint Manager admin center > Apps > Android > Add. Set App type to Managed Google Play app. Click Select.
2. Search for the app you want to deploy, for example, Outlook. Click on the app icon.
3. Click Approve > Approve > Done > Sync.
4. Wait about 15 minutes, then go to Apps > Android. (If the app still isn't listed, click Add, set App type to Managed Google Play app, click Select, then search for and click the app.)
5. Under Required, click Add all users (or click Add group and select the group you want to deploy the app to). Click Review + save.
6. Click Save.
Now when a user's Android device checks in, it will receive the new app.
Did you notice that you could add your groups to three different sections under Assignments: Required, Available for enrolled devices, and Available with or without enrollment? Let's discuss those three sections.
Required
Required automatically downloads and installs the app on the users' devices at their next check-in. The user doesn't need to download, install, or do anything.
Available for enrolled devices
Available for enrolled devices makes the app available in the managed Google Play store on enrolled devices. In short, the user can go and install the app on their device themselves, but nothing happens automatically.
Available with or without enrollment
Available with or without enrollment makes the app available even if the user never completes device enrollment. In short, a user can install the Intune Company Portal app on their device, sign in with their credentials, skip the enrollment process, and the app is still offered to them. This is the assignment to use when you intend to rely on app protection policies rather than device management for that device.
Configuring apps with the App configuration policies
Some apps can also be configured through Intune. For example, in the last section we installed Outlook on every user's device. The user would now need to set up their mailbox in Outlook manually, or we can create an app configuration policy to do it for them.
1. Go to Microsoft Endpoint Manager admin center > Apps > App configuration policies > Add > Managed devices.
2. Set the name to Setup Outlook. Set Platform to Android Enterprise. Profile Type: All Profile Types. Click Select app. Click Microsoft Outlook. Click OK > Next.
3. Set the following options, then click Next.
Configuration settings format: Use configuration designer
Configure email account settings: Yes
Authentication type: Modern Authentication
Username attribute from AAD: User Principal Name
Email address attribute from AAD: Primary SMTP Address
4. Click Add all users, or select the same group you used in the How to deploy an app to an Android device section. Click Next.
5. Click Create.
Now when an Android device syncs with Intune, the user automatically receives Outlook with their mailbox already configured.
How to protect apps and isolate data
Now that Outlook is installed and configured on your users' devices, how do we isolate and protect the company data that Outlook caches on the device and makes accessible there? With app protection policies, of course!
1. Go to Microsoft Endpoint Manager admin center > Apps > App protection policy > Create policy > Android.
2. Name the policy: "Protect Microsoft Apps". Click Next.
3. Set the Target policy to dropdown to All Microsoft Apps. Click Next.
4. Set the following options, then click Next.
Backup org data to Android backup services: Block
Send org data to other apps: Policy managed apps
Select apps to exempt: click Select and add any app that should still be allowed to receive org data (the result described below assumes Webex was added here). Keep this list as short as you can; every exempt app is a path for data to leave the managed apps.
5. On the Access requirements page, keep the defaults (PIN for access: Require) and click Next.
6. On the Conditional launch page, click Next.
7. On the Assignments page, select your group. (You can't select All users on app protection policies; you can, however, create a dynamic group that contains all users.) Click Next > Create.
NOTE: You can't apply app protection policies to devices. They must be assigned to users.
Now your users won't be able to send org data to any app that isn't managed by the policy, apart from the exempted app (Webex). They will also be required to enter a PIN to open their Microsoft apps.
One final note: app protection policies that apply to Microsoft 365 apps, Power BI for example, protect the app's data even when the user is on an unmanaged device, because the policy is enforced by the app itself rather than by device management.
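Clicking through the portal tells you what you set, not whether every policy in the tenant still matches it. The following PowerShell is an added example, not part of the original post, that checks Android app protection policies against the three settings configured above (backup blocked, outbound data only to policy-managed apps, PIN required) and lists the exempt apps for review. The two policy objects are constructed sample data shaped like the Graph androidManagedAppProtection resource, so the script runs offline; the optional live query at the end assumes the Microsoft.Graph.Authentication module, an existing Connect-MgGraph session with DeviceManagementApps.Read.All, and the beta endpoint, which is where exemptedAppPackages is exposed.

```powershell
# Added example: audit Android app protection policies against the baseline set above.
# Sample policies are constructed; the Graph call at the bottom is optional.

function Test-AndroidAppProtectionBaseline {
    param([Parameter(Mandatory)] $Policy)   # hashtable or object with Graph property names

    $findings = @()
    if ($Policy.dataBackupBlocked -ne $true) {
        $findings += 'Backup org data to Android backup services is not blocked'
    }
    if ($Policy.allowedOutboundDataTransferDestinations -ne 'managedApps') {
        $findings += "Send org data to other apps is '$($Policy.allowedOutboundDataTransferDestinations)', expected 'managedApps'"
    }
    if ($Policy.pinRequired -ne $true) {
        $findings += 'PIN for access is not required'
    }
    # Exempt apps are allowed to receive org data; list them so each one is a deliberate decision.
    $exempt = @($Policy.exemptedAppPackages | ForEach-Object { "$($_.name) ($($_.value))" })

    [pscustomobject]@{
        Policy     = $Policy.displayName
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
        ExemptApps = $exempt
    }
}

# Constructed sample policies (not real tenant data). The first matches the post's settings;
# the second is the kind of stale BYOD policy an audit should surface.
$samplePolicies = @(
    @{
        displayName                             = 'Protect Microsoft Apps'
        dataBackupBlocked                       = $true
        allowedOutboundDataTransferDestinations = 'managedApps'
        pinRequired                             = $true
        exemptedAppPackages                     = @(@{ name = 'Webex'; value = 'com.cisco.webex.meetings' })
    },
    @{
        displayName                             = 'Legacy BYOD'
        dataBackupBlocked                       = $false
        allowedOutboundDataTransferDestinations = 'allApps'
        pinRequired                             = $false
        exemptedAppPackages                     = @()
    }
)

$samplePolicies | ForEach-Object { Test-AndroidAppProtectionBaseline $_ } |
    Format-List Policy, Compliant, Findings, ExemptApps

# Optional: run the same check against the tenant when a Graph session exists.
if ((Get-Command Get-MgContext -ErrorAction SilentlyContinue) -and (Get-MgContext)) {
    $uri = 'https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections'
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        ForEach-Object { Test-AndroidAppProtectionBaseline $_ } |
        Format-List Policy, Compliant, Findings, ExemptApps
}
```

Run as-is to see the sample output ('Protect Microsoft Apps' compliant with Webex listed as exempt, 'Legacy BYOD' with three findings). Invoke-MgGraphRequest returns hashtables by default, which is why the function reads the camelCase Graph property names rather than the PascalCase properties the Get-Mg* cmdlets would expose.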
Limit access to unmanaged devices
Now, let's say not everyone in your organization will have Intune-managed devices, but you don't want those devices doing everything in Exchange Online. Maybe you want users to read email on these devices but not download attachments or enable offline mode. Let's set that up.
1. Create a conditional access policy with the following settings:
Name: Unmanaged Devices
Users or workload identities: the group that will use unmanaged devices.
Cloud apps: Office 365 Exchange Online
Session: Use app enforced restrictions
Note that as written this policy is scoped only by group: every browser session from that group gets the read-only experience, managed devices included. To limit it to unmanaged devices, add a device condition (for example, a filter for devices that excludes compliant devices). App enforced restrictions only affect Outlook on the web, so you can also narrow Client apps to Browser.
2. Run the following in Exchange Online PowerShell (Connect-ExchangeOnline first). The first command creates the policy; the second makes it read-only, which lets users view attachments in the browser but not download them or use offline mode:
New-OwaMailboxPolicy -Name LimitUnmanagedDevices
Set-OwaMailboxPolicy -Identity LimitUnmanagedDevices -ConditionalAccessPolicy ReadOnly
3. Assign the OWA mailbox policy to the mailboxes of the group members.
Go to Exchange admin center > Classic Exchange admin center > recipients > mailboxes. Select the mailbox > mailbox features > View details (under Outlook on the web). Click Browse, select LimitUnmanagedDevices, then click OK > Save. The read-only behaviour is only triggered when the conditional access policy above applies to the session; a mailbox with this OWA policy but no matching conditional access policy keeps the normal experience.
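Assigning the policy mailbox by mailbox in the admin center doesn't scale and leaves no record of who was missed. The script below is an added example, not from the original post, that creates the policy if needed, sets it to read-only, assigns it to every member of the group used in the conditional access policy, and then reports any member whose mailbox still has a different OWA policy. It assumes the ExchangeOnlineManagement module, that the group is mail-enabled (so Get-DistributionGroupMember can enumerate it), and the group name 'Unmanaged Devices Users', which is a placeholder.

```powershell
# Added example: apply LimitUnmanagedDevices to all members of the unmanaged-devices group and verify.
$PolicyName = 'LimitUnmanagedDevices'
$GroupName  = 'Unmanaged Devices Users'   # assumed name of the mail-enabled security group

Connect-ExchangeOnline

# 1. Create the policy once, then set the app-enforced restriction level.
#    ReadOnly lets attachments be viewed in the browser but not downloaded;
#    ReadOnlyPlusAttachmentsBlocked is the stricter option that hides attachments entirely.
if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}
Set-OwaMailboxPolicy -Identity $PolicyName -ConditionalAccessPolicy ReadOnly

# 2. Assign the policy to each member's mailbox (replaces the per-mailbox clicks in the EAC).
$members = Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited
foreach ($member in $members) {
    Set-CASMailbox -Identity $member.PrimarySmtpAddress -OwaMailboxPolicy $PolicyName
}

# 3. Verify. A member left on another OWA policy gets the full experience even though
#    the conditional access policy sends the app-enforced-restrictions signal.
$gaps = foreach ($member in $members) {
    Get-CASMailbox -Identity $member.PrimarySmtpAddress |
        Where-Object { $_.OwaMailboxPolicy -ne $PolicyName } |
        Select-Object PrimarySmtpAddress, OwaMailboxPolicy
}
if ($gaps) {
    Write-Warning "Members without $PolicyName assigned:"
    $gaps | Format-Table -AutoSize
} else {
    Write-Host "All $($members.Count) members of '$GroupName' have $PolicyName assigned."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run the script whenever group membership changes; steps 1 and 3 are idempotent, and step 2 simply reasserts the policy on mailboxes that already have it. If the group is a security group without a mailbox, enumerate it with Get-MgGroupMember from Microsoft Graph instead of Get-DistributionGroupMember.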
Windows information protection
Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), helps protect against data leakage without interfering with the employee's work. In short, it stops data leaving the apps a WIP policy protects on Windows 10 devices, much like the Android app protection policy we created above. There are four modes:
- Block: completely blocks data from leaving the protected apps.
- Allow Overrides: the user receives a prompt when moving data from a protected app to a non-protected app. If the user chooses to move the data regardless of the prompt, the action is logged.
- Silent: the user is allowed to move data out of the protected apps, but the action is logged.
- Off: the user is allowed to move data out of the protected apps and nothing is logged.
Just like app protection policies on Android, on Windows you need to select which apps are protected, and you can also exempt apps. For example, you can create a policy that protects Microsoft Teams and exempts Office ProPlus; with that configuration, users can't move data out of Microsoft Teams except into the Office suite. Note that Microsoft has since announced the retirement of WIP, so check current guidance before building a new deployment on it.