Overview
This knowledge base article demonstrates how to manage App Protection policies using the Microsoft Intune Portal. App Protection data is retained for a minimum of 90 days.
Note: Any app instances that have checked in to the Intune service within the past 90 days are included in the app protection status report.
This article will cover:
- Steps - App Protection Status Report
- Steps - Wipe Corporate Data from Intune Managed Apps
- Steps - Wipe Corporate Data from Device based wipe request
- Steps - Wipe Corporate Data from User based wipe request
- Steps - Review client app protection logs
Steps - App Protection Status Report
In the Microsoft Intune Portal, select Apps, then under Policy select App protection policies.

Under App protection policies, you will see the list of policies deployed by Devicie.

By clicking on Devicie - iOS/iPadOS Enterprise Basic Data Protection, you can see that 1 user has checked in, with the policy applied to com.microsoft.office.outlook (Microsoft Outlook) and Microsoft Teams.

To monitor the progress of the Intune App Protection policies applied, you can select Monitor.

To validate that your app protection policy is correctly set up and working, under Monitor select App protection status. From here you can see that

The breakdown of the App protection status report:
User: The name of the user.
Email: The email of the user.
App: The name of the app that is being protected.
App version: The version of the app.
Device Name: Names of any devices that are associated with the user's account.
App Instance ID: The string that identifies a unique user + app + device combination that has checked in with the Intune service.
Device type: The type of device or operating system of the device.
Microsoft Entra Device ID: The Microsoft Entra device ID is displayed if the device is Microsoft Entra joined.
Management type: The type of management on the device. For example, unmanaged, MDM, or Android Enterprise.
Platform: The operating system of the device.
Policy name: The name of the app protection policy targeted to the app for the user.
Last sync: The timestamp of the last sync of the app with Microsoft Intune.
Device manufacturer: The manufacturer of the Android device.
Device model: The Android device model.
Android patch version: The date of the last Android Security Patch received by the device.
MDM device ID: The MDM device ID is displayed if the device is enrolled with Microsoft Intune MDM.
Platform version: The operating system version. When a Rapid Security Response version for iOS/iPadOS is applicable, a letter will appear after the software version number.
App Protection Status: The app is considered protected if it is targeted with a MAM policy.
iOS SDK version: The current iOS MAM SDK version of the iOS app.
Compliance State: The app meets compliance if it is targeted with a MAM policy.
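The report is most useful when it is reviewed regularly rather than only when something goes wrong. The following added example (not code from this article or from Devicie) parses a CSV export of the App protection status report, using the column names listed above, and flags three things a defender cares about: app instances whose App Protection Status is not "Protected", instances whose Compliance State is not "Compliant", and instances whose last sync is approaching or past the 90-day offline grace period that triggers a selective wipe. The sample rows, the ISO 8601 timestamp format, and the 14-day warning window are assumptions for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export of the App protection status report. The column
# names follow the fields described in the article; every value is made up.
SAMPLE_REPORT = """\
User,Email,App,App version,Device Name,App Instance ID,Device type,Platform,Policy name,Last sync,App Protection Status,Compliance State
Alice Example,alice@example.com,Microsoft Outlook,4.2401.0,Alice iPhone,inst-0001,iPhone,iOS/iPadOS,Devicie - iOS/iPadOS Enterprise Basic Data Protection,2024-05-01T08:15:00Z,Protected,Compliant
Alice Example,alice@example.com,Microsoft Teams,5.18.0,Alice iPhone,inst-0002,iPhone,iOS/iPadOS,Devicie - iOS/iPadOS Enterprise Basic Data Protection,2024-02-20T11:00:00Z,Protected,Compliant
Bob Example,bob@example.com,Microsoft Outlook,4.2350.0,Bob Android,inst-0003,Android,Android,Devicie - Android Enterprise Basic Data Protection,2024-04-28T17:45:00Z,Not protected,Not compliant
"""

OFFLINE_GRACE_PERIOD = timedelta(days=90)  # default "Offline grace period" wipe threshold
WARN_BEFORE = timedelta(days=14)           # assumption: flag instances within 14 days of the threshold


def parse_report(text):
    """Parse a CSV export of the report into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_utc(value):
    """Parse a timestamp (assumed ISO 8601 in UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_report(rows, now_utc):
    """Return one finding per problem found in the report rows.

    now_utc is the review time as an ISO 8601 UTC string, so results are
    reproducible against the constructed sample.
    """
    now = parse_utc(now_utc)
    findings = []
    for row in rows:
        offline = now - parse_utc(row["Last sync"])
        base = {
            "instance": row["App Instance ID"],
            "user": row["Email"],
            "app": row["App"],
            "days_offline": offline.days,
        }
        if row["App Protection Status"].strip().lower() != "protected":
            findings.append({**base, "issue": "not-protected"})
        if row["Compliance State"].strip().lower() != "compliant":
            findings.append({**base, "issue": "not-compliant"})
        if offline >= OFFLINE_GRACE_PERIOD:
            # Past the grace period: the next launch forces re-authentication and a
            # failed sign-in triggers the selective wipe described in the article.
            findings.append({**base, "issue": "grace-period-expired"})
        elif offline >= OFFLINE_GRACE_PERIOD - WARN_BEFORE:
            findings.append({**base, "issue": "grace-period-expiring"})
    return findings


def summarize(findings):
    """Count findings by issue type, e.g. for a daily operations summary."""
    counts = {}
    for finding in findings:
        counts[finding["issue"]] = counts.get(finding["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    report_rows = parse_report(SAMPLE_REPORT)
    # Fixed review time so the constructed sample produces a stable result.
    results = review_report(report_rows, "2024-05-10T00:00:00Z")
    for finding in results:
        print(f"{finding['instance']:10} {finding['user']:20} {finding['app']:18} "
              f"{finding['issue']:24} offline {finding['days_offline']}d")
    print(summarize(results))
```

Against the sample, the script reports one instance approaching the grace period (Microsoft Teams on Alice's iPhone, offline for 79 days) and an unprotected, non-compliant Outlook instance on Bob's Android device. Because instances that have not checked in for 90 days drop out of the report, the "expiring" warning is the actionable one: it gives the administrator time to contact the user or raise a wipe request before the app silently ages out of view.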
Steps - Wipe Corporate Data from Intune Managed Apps
When a device is lost or stolen, or an employee leaves the company, a selective wipe ensures company data is removed from the device while personal data on the device is left untouched.
There are two ways to initiate a selective wipe. It can be performed as part of Conditional launch in the App protection policy, or by manually initiating a wipe request (Device based wipe or User based wipe).
Note: A device-based wipe request is used when a user has lost a device and has a new device in use. A user-level wipe is used when a user leaves the company.
In each App Configuration policy there is a Conditional launch section where the default "Offline grace period" setting is 90 days. After 90 days offline, the user will need to reconnect to the network and successfully authenticate. If the user authenticates successfully nothing will happen, but if authentication fails, a selective wipe will be performed.

To selectively remove company app data, navigate to the Microsoft Intune Portal, select Apps, then under Other select App selective wipe.

Steps - Wipe Corporate Data from Device based wipe request
1. Navigate to App selective wipe in the portal, select Wipe requests, then select Create wipe request.

2. Click Select user; this populates the device types this user has logged in to.

3. The wipe request will be sent to the device to remove corporate data from applications protected with an app protection policy.

4. After successfully performing a wipe, the device will be removed from the device overview that was displayed in step 2.

Important: The user must open the app for the wipe to occur; the wipe may take up to 30 minutes after the request has been made.

Steps - Wipe Corporate Data from User based wipe request
1. Navigate to App selective wipe in the portal, then select User-Level requests.

2. Select Add and enter the username. Once the user has been added to the wipe requests, the request is sent to all of the user's devices. The user will continue to receive wipe commands at every check-in from all devices.

3. To monitor the wipe actions, go to Reports | User report, click Select user, then enter the username of the user.

Important: The user must open the app for the wipe to occur; the wipe may take up to 30 minutes after the request has been made.

Steps - Review client app protection logs
To review the managed app logs on a client device, use the following:
For Android - Use Microsoft Edge to collect logs, navigate to edge://intunehelp/
For iOS/iPadOS - Use Microsoft Edge to collect logs, navigate to edge://intunehelp/
