Sign Up

Restricting and managing apps on user devices

Now that we have devices set up in Intune and secure how do we start deploying, managing, and securing apps? Let's start by deploying an app to an Android device.

How to deploy an app to an Android device

1. Go to Microsoft Endpoint Manager admin center > Apps > Android > Add. Set App type to Manage Google Play app. Click Select.

Add an Android app to Intune

2. Search for the app you want to deploy, for example, Outlook. Click on the app icon.

Select outlook in the app selection

3. Click Approve > Approve > Done > Sync.

Approve the app

4. Wait 15 minutes then go to Apps > Android. (If the app still isn't there click Add > Set App type to Manage Google Play app. Click Select. Search and click on the app 

Assign the app

5. Click Add all users (or click Add group and add the group you want to deploy the app to) located under Required. Click Review + save.

Assign to all users

6. Click Save.

Now when the users' Android device checks in they'll receive the new app.

Understanding assignments

Did you notice you could add your groups to three different sections under Assignments: Required, Available for enrolled devices, and Available with or without enrollment. Let's discuss those three sections


Required will automatically download the app to the users' devices. They won't need to download, install, or do anything. The app will automatically be downloaded and installed on the users' devices.

Available for enrolled devices

Available for enrolled devices will make the app available in the managed play store. In short, a user can go and download/install the app onto their device but it won't happen automatically.

Available with or without enrollment

Available with or without enrollment will make the app available even if the user doesn't complete the enrollment process. In short, a user can install the Intune app on their device, sign in with their credentials and then not complete the enrollment process but the app would still be available to the user.

Configuring apps with the App configuration policies

Some apps can even be configured through Intune. For example, in the last section, we installed Outlook on every user's device. Now that the app is installed the user would need to set up their mailbox in Outlook manually or we can create an app configuration policy to configure the app for us.

1. Go to Microsoft Endpoint Manager admin center > Apps > App configuration policy > Add > Managed devices.

Create an app configuration policy

2. Set the name to Setup Outlook. Set Platform to Android Enterprise. Profile Type: All Profile Types. Click Select app. Click Microsoft Outlook. Click OK > Next.

Set up App Configuration policy Basics

3. Set the following options then click next.

Configuration settings format: Use configuration designer

Configure email account settings: Yes

Authentication type: Modern Authentication

Username attribute from AAD: User Principal Name

Email address attribute from AAD: Primary SMTP Address

Create app configuration policy - Settings

4. Click Add all users or select the same group you set in the How to deploy an app to an Android device section. Click Next.

5. Click Create.

Now when an Android device syncs with Intune the user will automatically receive the Outlook app and the app will be configured for them.

How to protect apps and isolate data

Now that we have Outlook installed and configured on your user devices how do we isolate and protect the company data stored in Outlook that's cached and accessible on the user device? With app protection policies of course!

1. Go to Microsoft Endpoint Manager admin center > Apps > App protection policy > Create policy > Android.

Create an app protection policy

2. Name the policy: "Protect Microsoft Apps". Click Next.

3. Set the Target policy to dropdown to All Microsoft Apps. Click Next.

Create App protection policy - Apps

4. Set the following options then click Next.

Backup org data to Android backup services: Block

Send org data to other apps: Policy managed apps

Click Select (next to select apps to exempt).

Name: Webex


App protection policy - Data protection

5. On the Access requirements page click Next.

6. On the Conditional launch page click Next.

7. On the Assignments page select your group. (you can't select all users on app protection policies. You can, however, create a dynamic group with all users). Click Next > Create.

NOTE: You can't apply app protection policies to devices. They must be assigned to users.

Now your users won't be able to send data to any app that isn't managed by the policy or Webex. The users will also be required to enter a pin to access their Microsoft apps.

One final note, App protection policies that apply to Microsoft 365 apps, for example, Power BI, will protect apps even if the user is on an unmanaged device.

Limit access to unmanaged devices

Now, let's say not everyone in your organization will receive Intune. But you don't want those devices doing everything in Exchange Online. Maybe you want them to read email on these devices but you don't want them to download attachments or enable offline mode. Let's set that up.

1. create a conditional access policy with the following settings:

Name: Unmanaged Devices

Users or workload identities: Set to the group that will use unmanaged devices.

Cloud apps: Office 365 Exchange Online

Session: Use app-enforced restrictions

Conditional access policy

2. Run the following in PowerShell:

New-OwaMailboxPolicy LimitUnmanagedDevices
Set-OwaMailboxPolicy LimitUnmanagedDevices -ConditionalAccessPolicy ReadOnly

3. Set the OWA mailbox policy on the mailboxes.

Go to Exchange admin center > Classic Exchange admin center > recipients > mailboxes. Select the mailbox > mailbox features > View details (under Outlook on the web). Click browse > select LimitUnmanagedDevices > OK > Save.

Set OWA Mailbox policy

Windows information protection

Windows Information Protection (WIP), formally known as enterprise data protection (EDP), helps to protect against potential data leakage without interfering with the employee's work. In short, it prevents data from leaving apps protected by an app protection policy on Windows 10 devices. It works just like the App protection policy for Android we created above. It will prevent data from leaving the protected app. There are 4 settings:

  • Block: Will completely block data from leaving the protected apps
  • Allow Overrides: The user will receive a prompt will moving data from a protected to a non-protected app. If the user chooses to move the data regardless of the prompt the action will be logged.
  • Silent: The user will be allowed to move data from the protected apps but it will be logged.
  • Off: The user will be allowed to move data from the protected apps and the action will not be logged.

Just like app protection policies in Android in Windows you need to select which apps are protected. You can also exempt apps. For example, you can create a policy to protect Microsoft Teams, then you can exclude Office ProPlus. With this configuration, users won't be able to remove data from Microsoft Teams except to the Office suite.

Did you like the site?