What does App Protection (MAM): Devicie - Android Enterprise Basic Data Protection offer?

Overview

This knowledge base article explains what App Protection (MAM): Devicie - Android Enterprise Basic Data Protection offers and breaks down the recommended values.

This will be broken down into three categories:

  • Android Data Protection
    • Android Data Protection: Data Transfer
    • Android Data Protection: Encryption
    • Android Data Protection: Functionality
  • Android Access requirements
  • Android Conditional launch
    • Android Conditional Launch App conditions
    • Android Conditional Launch Device condition

Android Data Protection: Data Transfer

Setting Description Default value
Backup org data to Android backup services
  • Select "Block" to prevent this app from backing up work or school data to the Android Backup Service.
  • Select "Allow" to allow this app to back up work or school data.
Allow
Send Org data to other apps
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app.
  • None: Don't allow data transfer to any app, including other policy-managed apps.
All Apps
Select apps to exempt

This option is available when you select Policy managed apps for the previous option.

N/A
Save copies of org data
  • Choose "Block" to disable the use of the Save As option in this app. When set to Block, you can configure the setting Allow user to save copies to selected services.
  • Choose "Allow" if you want to allow the use of Save As.
Allow
Allow user to save copies to selected services

Users can save to the selected services:

  • OneDrive for Business
  • SharePoint
  • Photo Library
  • Box
  • Local Storage

All other services not listed will be blocked.

0 selected
Transfer telecommunication data to

When a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:

  • None, do not transfer this data between apps: Don't transfer communication data when a phone number is detected.
  • A specific dialer app: Allow a specific dialer app to initiate contact when a phone number is detected.
  • Any policy-managed dialer app: Allow any policy managed dialer app to initiate contact when a phone number is detected.
  • Any dialer app: Allow any dialer app to be used to initiate contact when a phone number is detected.
Any dialer app
Dialer App Package ID

When a specific dialer app has been selected, you must provide the app package ID.

Blank
Dialer App Name

When a specific dialer app has been selected, you must provide the name of the dialer app.

Blank
Transfer messaging data to

When a user selects a hyperlinked messaging link in an app, a messaging app will open with the phone number prepopulated and ready to send.

Select the following type of content transfer from a policy-managed app:

  • None, do not transfer this data between apps: Don't transfer communication data when a phone number is detected.
  • A specific messaging app: Allow a specific messaging app to be used to initiate contact when a phone number is detected.
  • Any policy-managed messaging app: Allow any policy-managed messaging app to be used to initiate contact when a phone number is detected.
  • Any messaging app: Allow any messaging app to be used to initiate contact when a phone number is detected.
Any messaging app
Messaging App Package ID

When a specific messaging app has been selected, you must provide the app package ID.

Blank
Messaging App Name

When a specific messaging app has been selected, you must provide the name of the messaging app.

Blank
Receive data from other apps

Specify what apps can transfer data to this app:

  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps: Allow data transfer from any app.
  • None: Don't allow data transfer from any app, including other policy-managed apps.

All apps
Open data into Org documents

Select "Block" to disable the use of the Open option or other options to share data between accounts in this app. Select "Allow" if you want to allow the use of Open.

When set to Block you can configure the Allow user to open data from selected services to specify which services are allowed for Org data locations.

  • This setting is only configurable when the setting Receive data from other apps is set to Policy managed apps.
  • This setting will be "Allow" when the setting Receive data from other apps is set to All apps.
  • This setting will be "Block" with no allowed service locations when the setting Receive data from other apps is set to None.
  • The following apps support this setting:
    • OneDrive 11.45.3 or later.
    • Outlook for iOS 4.60.0 or later.
    • Teams for iOS 3.17.0 or later.
Allow
Allow users to open data from selected services

Select the application storage services that users can open data from. All other services are blocked.

Selecting no services will prevent users from opening data from external locations.

  • The following services can be selected:
    • OneDrive for Business
    • SharePoint Online
    • Camera
    • Photo Library
All selected
Restrict cut, copy and paste between other apps

Select the following:

  • Blocked: Don't allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Any app
Cut and copy character limit for any app

Enter the number of characters that may be cut or copied from Org data and accounts. That many characters can be shared with any app regardless of the Restrict cut, copy and paste between other apps setting; 0 means no exception is made.

Note: Requires Intune Company Portal version 5.0.4364.0 or later

0
Screen capture and Google Assistant

Select "Block" to block screen capture and to block Google Assistant from accessing org data on the device when using this app. Selecting Block also blurs the App-switcher preview image when using this app with a work or school account.


Note: Google Assistant may be accessible to users for scenarios that don't access org data.

Allow
Approved keyboards

Select Require and then specify a list of approved keyboards for this policy.
Users who aren't using an approved keyboard receive a prompt to download and install an approved keyboard before they can use the protected app.

Note: This setting requires the app to have the Intune SDK for Android version 6.2.0 or later.

Not required
Select keyboards to approve

This option is available when you select Require for the previous option. Choose Select to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. Over time, Microsoft may add additional keyboards to the list for new App Protection Policies, which will require administrators to review and update existing policies as needed.


To add a keyboard, specify:

  • Name: A friendly name that identifies the keyboard, and is visible to the user.
  • Package ID: The Package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is https://play.google.com/store/apps/details?id=com.contosokeyboard.android.prod, then the Package ID is com.contosokeyboard.android.prod. This package ID is presented to the user as a simple link to download the keyboard from Google Play.
Not selected

Android Data Protection: Encryption

Setting Description Default value
Encrypt Org data

Select "Require" to enable encryption of work or school data in this app.

Note: Intune app-layer encryption uses 256-bit AES to encrypt app data. Data is encrypted synchronously during file I/O. Content on the device storage is always encrypted and can only be opened by apps that support Intune's app protection policies and have a policy assigned.

New files are encrypted with 256-bit keys. Existing files encrypted with 128-bit keys undergo a migration attempt to 256-bit keys, but the migration is not guaranteed; files that stay on 128-bit keys remain readable.

Require
Encrypt org data on enrolled devices
  • Select "Require" to enforce Intune app-layer encryption of org data on all devices.
  • Select "Not required" to skip Intune app-layer encryption on enrolled devices, where device-level encryption can be enforced through the enrollment (MDM) policy instead.
Require

Android Data Protection: Functionality

Setting Description Default value
Sync policy managed app data with native apps or add-ins

Select "Block" to prevent policy managed apps from saving data to the device's native apps (Contacts, Calendar and widgets) and to prevent the use of add-ins within the policy managed apps.

If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.

Note: When you perform a selective wipe to remove work or school data from the app, data synced directly from the policy managed app to the native app is removed. Any data synced from the native app to another external source won't be wiped.

Allow
Printing Org data
  • Select "Block" to prevent the app from printing work or school data.
  • Select "Allow" to let users export and print Org data.
Allow
Restrict web content transfer with other apps

Select how web content (http/https links) is opened from policy-managed applications.

  • Any app: Allow web links in any app.
  • Intune Managed Browser: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.
  • Microsoft Edge: Allow web content to open only in the Microsoft Edge. This browser is a policy-managed browser.
  • Unmanaged browser: Allow web content to open only in the unmanaged browser defined by Unmanaged browser protocol setting. The web content will be unmanaged in the target browser.

Note: Requires Intune Company Portal version 5.0.4415.0 or later.

For Policy-managed browsers:

On Android, your end users can choose from other policy-managed apps that support http/https links if neither Intune Managed Browser nor Microsoft Edge is installed.

  • If a policy-managed browser is required but not installed, your end users will be prompted to install Microsoft Edge.
  • If a policy-managed browser is required, Android App Links are governed by the Send Org data to other apps setting above.

For Policy-managed Microsoft Edge:

The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Microsoft Entra accounts in the Microsoft Edge browser application will be protected by Intune. The Microsoft Edge browser integrates the APP SDK and supports all of its data protection policies, with the exception of preventing:

  • Save-as: The Microsoft Edge browser doesn't allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).
  • Contact sync: The Microsoft Edge browser doesn't save to native contact lists.
Any app
Unmanaged Browser ID

Enter the application ID for a single browser. Web content (http/https links) from policy managed applications will open in the specified browser. The web content will be unmanaged in the target browser.

Blank
Unmanaged Browser Name

Enter the application name for the browser associated with the Unmanaged Browser ID. This name is displayed to users if the specified browser is not installed.

Blank
Org data notifications

Specify how Org data is shared via OS notifications for Org accounts. This policy setting affects the local device and any connected devices such as wearables and smart speakers.

The following options control the behaviour:

  • Blocked: Don't share notifications. If not supported by the application, notifications will be allowed.
  • Block org Data: Don't share Org data in notifications; only generic text such as "You have new mail" or "You have a meeting" is shown. If not supported by the application, notifications will be allowed.
  • Allow: Shares Org data in the notifications.

Note: This setting requires the following app support:

  • Outlook for Android 4.0.95 or later
  • Teams for Android 1416/1.0.0.2020092202 or later

Allow
Start Microsoft Tunnel connection on app-launch

Select "Yes" to start the Microsoft Tunnel VPN connection automatically when the app is launched.

No
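
The data protection values in the three tables above are easiest to verify against a live tenant by exporting the policy through Microsoft Graph and comparing it field by field. The following Python script is an added example, not Devicie's or Microsoft's code: it rates each exported value as matching, stricter than, or weaker than this page's Basic Data Protection value, rather than just "different". The Graph property names are from the beta androidManagedAppProtection resource as I recall them, and the mapping from the page's wording to Graph enum values is my assumption; check both against the Graph reference. The policy JSON inside it is constructed for the example, not a real export.

```python
"""Compare a tenant's Android app protection policy, as returned by Microsoft
Graph, against the Basic Data Protection values on this page.

Added example (not Devicie's or Microsoft's code).  ASSUMPTIONS: the Graph
property names are from the beta androidManagedAppProtection resource as I
remember them, and the page-wording -> Graph enum mapping is mine.
POLICY_JSON is a constructed sample, not a real tenant export.
"""
import json

# Each setting: (value recommended on this page, ordering from least to most
# restrictive).  Rank within the ordering lets the audit say "weaker" or
# "stricter" instead of merely "different".
SETTINGS = {
    "dataBackupBlocked": (False, [False, True]),                     # Backup: Allow
    "allowedOutboundDataTransferDestinations": ("allApps", ["allApps", "managedApps", "none"]),
    "allowedInboundDataTransferSources": ("allApps", ["allApps", "managedApps", "none"]),
    "saveAsBlocked": (False, [False, True]),                         # Save copies: Allow
    "allowedOutboundClipboardSharingLevel": ("allApps", ["allApps", "managedAppsWithPasteIn", "managedApps", "blocked"]),
    "screenCaptureBlocked": (False, [False, True]),
    "keyboardsRestricted": (False, [False, True]),                   # Approved keyboards: Not required
    "encryptAppData": (True, [False, True]),                         # Encrypt Org data: Require
    # True means "skip app-layer encryption on enrolled, device-encrypted
    # devices", so True is the weaker value for this property.
    "disableAppEncryptionIfDeviceEncryptionIsEnabled": (False, [True, False]),
    "contactSyncBlocked": (False, [False, True]),                    # Sync with native apps: Allow
    "printBlocked": (False, [False, True]),                          # Printing: Allow
    "notificationRestriction": ("allow", ["allow", "blockOrganizationalData", "block"]),
    "connectToVpnOnLaunch": (False, [False, True]),                  # Tunnel on launch: No
}

# Constructed sample export; deliberately deviates from the page in places.
POLICY_JSON = """{
  "@odata.type": "#microsoft.graph.androidManagedAppProtection",
  "displayName": "Devicie - Android Enterprise Basic Data Protection",
  "dataBackupBlocked": false,
  "allowedOutboundDataTransferDestinations": "managedApps",
  "allowedInboundDataTransferSources": "allApps",
  "saveAsBlocked": false,
  "allowedOutboundClipboardSharingLevel": "allApps",
  "screenCaptureBlocked": false,
  "keyboardsRestricted": false,
  "encryptAppData": false,
  "disableAppEncryptionIfDeviceEncryptionIsEnabled": true,
  "contactSyncBlocked": false,
  "printBlocked": false,
  "notificationRestriction": "allow"
}"""


def load_policy(text: str = POLICY_JSON) -> dict:
    return json.loads(text)


def audit(policy: dict) -> dict:
    """Return {setting: verdict} with verdict in {'ok', 'stricter', 'weaker',
    'missing'}.  An enum value we don't know raises instead of being rated,
    so a new Graph value gets noticed rather than silently scored."""
    report = {}
    for name, (recommended, order) in SETTINGS.items():
        if name not in policy:
            report[name] = "missing"
            continue
        actual = policy[name]
        if actual not in order:
            raise ValueError(f"{name}: unexpected value {actual!r}")
        delta = order.index(actual) - order.index(recommended)
        report[name] = "ok" if delta == 0 else ("stricter" if delta > 0 else "weaker")
    return report


def weaker_settings(policy: dict) -> list:
    """What a reviewer should look at first: anything weaker than, or absent
    from, this page's baseline (which is already the permissive 'basic' tier)."""
    return sorted(k for k, v in audit(policy).items() if v in ("weaker", "missing"))


if __name__ == "__main__":
    policy = load_policy()
    for setting, verdict in audit(policy).items():
        print(f"{verdict:8} {setting} = {policy.get(setting, '<missing>')}")
    print("review first:", weaker_settings(policy))
```

To run it against a real tenant, replace POLICY_JSON with the body of GET https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections/{id} (endpoint as I recall it; verify before use). The constructed sample has Encrypt Org data off and app-layer encryption skipped on enrolled devices, both of which the audit flags as weaker than this page's Require/Require, while its Send Org data to other apps value of policy-managed apps is rated stricter.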

Android Access Requirements

Setting Description Default value
PIN for access

Select "Require" to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. The PIN is applied when working either online or offline.

You can configure the PIN strength using the settings available under the PIN for access section.

Require
PIN type

Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric PINs contain only numbers, while a passcode must contain at least 1 letter or at least 1 special character.

Numeric
Simple PIN
  • Select "Allow" to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa.
  • Select "Block" to prevent them from using simple sequences. Simple sequences are checked in 3-character sliding windows. For example, PINs such as 1235 or 1112 wouldn't be accepted, but 1122 would be.
Allow
Select minimum PIN length

This setting specifies the minimum number of characters in a PIN.

4
Biometrics instead of PIN for access

Select "Allow" to let the user authenticate with biometrics instead of the PIN on Android devices.

If allowed, biometrics are used to access the app on Android 10 or higher devices.

Allow
Override biometric with PIN after timeout

Select "Require" and then configure an inactivity timeout.

Require
Timeout (minutes of inactivity)

Specify the minutes of inactivity after which the PIN or passcode (as configured) overrides fingerprint or face as the method of access. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.

720
Class 3 biometrics (Android 9.0+)

Select "Require" to accept only Class 3 ("strong") biometrics, the Android biometric class with the strictest spoof and imposter acceptance limits, in place of the PIN. On devices whose biometrics don't meet Class 3, the user must use the PIN instead.

Not required
Override biometrics with PIN after biometric updates

Select "Require" to override the use of biometrics with PIN when a change in biometrics is detected.

 
PIN reset after number of days

Select "Yes" to require users to change their app PIN after a set period of time, in days.

If "Yes" is selected, then configure the number of days before the PIN reset is required.

No
Number of days

Configure the number of days before the PIN reset is required.

30
Select number of previous PIN values to maintain

This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining.

0
App PIN when device PIN is set

Select "Not required" to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.

Require
Work or school account credentials for access

Select "Require" to require the user to sign in with their work or school account instead of entering a PIN for app access.

If you set this to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompt are shown.

Not required
Recheck the access requirements after (minutes of inactivity)

Configure the number of minutes of inactivity that must pass before the app requires the user to meet the access requirements again.

30
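
The Simple PIN rule above is easy to misread: it is not a ban on 1234 alone but a check over every 3-character window, which is why 1235 and 1112 are rejected while 1122 is accepted. The following Python model is an added example, not Intune's code, that applies the PIN type, minimum length, simple-sequence and PIN-history rules from the table above to a candidate PIN and reports what fails. Assumptions: a window is simple when its three characters are identical or ascend by one (111, 123, abc); treating descending runs such as 321 as simple is my optional addition, off by default. The sample PINs are constructed.

```python
"""Model of the PIN rules in the Android Access requirements table: PIN type,
minimum length, the Simple PIN sliding-window check and PIN history.
Added example, not Intune's code; the sample PINs are constructed."""
from dataclasses import dataclass, field


@dataclass
class PinPolicy:
    pin_type: str = "numeric"          # "numeric" or "passcode" (page default: Numeric)
    simple_pin_allowed: bool = True    # page default: Allow
    min_length: int = 4                # page default: 4
    history_size: int = 0              # previous PIN values to maintain (page default: 0)
    previous_pins: list = field(default_factory=list)
    reject_descending: bool = False    # ASSUMPTION: also treat 321 / cba as simple


def _window_is_simple(window: str, reject_descending: bool) -> bool:
    a, b, c = (ord(ch) for ch in window)
    if a == b == c:
        return True                        # 111, aaa
    if b - a == 1 and c - b == 1:
        return True                        # 123, abc
    if reject_descending and a - b == 1 and b - c == 1:
        return True                        # 321 (assumption, see lead-in)
    return False


def is_simple(pin: str, reject_descending: bool = False) -> bool:
    """Simple-sequence check over every 3-character sliding window, so 1235
    and 1112 are simple (windows 123 and 111) while 1122 is not."""
    return any(_window_is_simple(pin[i:i + 3], reject_descending)
               for i in range(len(pin) - 2))


def validate_pin(pin: str, policy: PinPolicy) -> list:
    """Return the rule violations for a candidate PIN; [] means acceptable."""
    problems = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.pin_type == "numeric":
        if not pin.isdigit():
            problems.append("numeric PIN must contain only digits")
    elif policy.pin_type == "passcode":
        # Passcode: at least one letter or one special (non-alphanumeric) character.
        if not any(ch.isalpha() or not ch.isalnum() for ch in pin):
            problems.append("passcode needs at least one letter or special character")
    else:
        raise ValueError(f"unknown PIN type {policy.pin_type!r}")
    if not policy.simple_pin_allowed and is_simple(pin, policy.reject_descending):
        problems.append("simple sequence")
    # History: only the most recent history_size PINs are kept, as the setting says.
    if policy.history_size and pin in policy.previous_pins[-policy.history_size:]:
        problems.append("reuses a previous PIN")
    return problems


if __name__ == "__main__":
    strict = PinPolicy(simple_pin_allowed=False)
    for candidate in ("1234", "1111", "1235", "1112", "1122"):
        print(candidate, validate_pin(candidate, strict) or "ok")
```

Note that with this page's default of Simple PIN = Allow and a 4-digit numeric PIN, 1234 passes; the sliding-window check only applies once Simple PIN is set to Block.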

Android Conditional launch: App conditions

Setting Description
Max PIN attempts

This setting specifies the number of attempts the user has to enter their PIN correctly before the configured action is taken.

The following actions include:

  • Reset PIN: The user must reset their PIN.
  • Wipe data: The user account that is associated with the application is wiped from the device.
  • Note: The default value is 5.
Offline grace period

This setting specifies the time (in minutes) before the access requirements for the app are rechecked.

The following actions include:

  • Block access (minutes): The number of minutes that policy-managed apps can run offline before the app blocks access until the user reconnects and the access requirements are rechecked.
    • Note: The default value is 720 minutes (12 hours)

  • Wipe data (days): After this many days of running offline, the app requires the user to connect to the network and reauthenticate. If the user authenticates successfully, they can continue to access their data and the offline interval resets. If the user fails to authenticate, the app performs a selective wipe of the user's account and data.
    • Note: The default value is 90 days
Min app version

This setting specifies the minimum version of the app that is allowed.

The following actions include:

  • Warn: The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access: The user is blocked from access if the app version on the device doesn't meet the requirement.
  • Wipe data: The user account that is associated with the application is wiped from the device.
Disabled version

There is no value to set for this setting.

The following actions include:

  • Block access: Once the user's account has been confirmed as disabled in Microsoft Entra ID, the app blocks access to work or school data.
  • Wipe data: Once the user's account has been confirmed as disabled in Microsoft Entra ID, the app performs a selective wipe of the user's account and data.

Android Conditional launch: Device conditions

Setting Description
Jailbroken/rooted devices

This setting specifies whether to block access to the app, or wipe the app's work or school data, on jailbroken/rooted devices.

The following actions include:

  • Block access: Prevent this app from running on jailbroken or rooted devices. The user continues to be able to use this app for personal tasks, but will have to use a different device to access work or school data in this app.
  • Wipe data: The user account that is associated with the application is wiped from the device.
  • Note: The default value is set to Block Access
Min OS version

This setting specifies the minimum Android operating system to use this app. OS versions below the minimum OS version will trigger the actions. 

Select the following actions:

  • Warn: The user will see a notification if the Android version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access: The user will be blocked from access if the Android version on the device doesn't meet this requirement.
  • Wipe data: The user account that is associated with the application is wiped from the device.
Max OS version

This setting specifies the maximum Android operating system version allowed to use this app. OS versions above the maximum OS version will trigger the actions.

Select the following actions:

  • Warn: The user will see a notification if the Android version on the device exceeds this maximum. This notification can be dismissed.
  • Block access: The user will be blocked from access if the Android version on the device exceeds this maximum.
  • Wipe data: The user account that is associated with the application is wiped from the device.
Min patch version

This setting requires the device to have at least the specified Android security patch level (a YYYY-MM-DD date, as published by Google).

Select the following actions:

  • Warn: The user will see a notification if the security patch level on the device is older than the required one. This notification can be dismissed.
  • Block access: The user will be blocked from access if the security patch level on the device is older than the required one.
  • Wipe data: The user account that is associated with the application is wiped from the device.
Device manufacturer(s)

This setting specifies a semicolon-separated list of allowed manufacturers.

The following actions include:

  • Allow specified (Block non-specified): Only devices from the specified manufacturers can use the app. All other devices are blocked.
  • Allow specified (Wipe non-specified): Only devices from the specified manufacturers can use the app. On all other devices, the user account that is associated with the application is wiped.
Play integrity verdict

This setting configures Google's Play Integrity check on end user devices to validate the integrity of those devices.

Select the required level of integrity:

  • Basic integrity: Informs about the general integrity of the device. Rooted devices, emulators, virtual devices and devices with signs of tampering fail basic integrity.
  • Basic integrity and device integrity: Informs about the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.

The following actions include:

  • Warn: The user sees a notification if the device does not meet Google's device integrity check based on the value configured. This notification can be dismissed.
  • Block access: The user is blocked from access if the device does not meet Google's device integrity check based on the value configured.
  • Wipe data: The user account that is associated with the application is wiped from the device.
  • Note: The default value is set to Block Access
Require threat scan on apps

This setting ensures that Google's Verify Apps scan (part of Google Play Protect) is turned on on end user devices. If configured, the end user will be blocked from access until they turn on Google's app scanning on their Android device.

The following actions include:

  • Warn: The user sees a notification if Google's Verify Apps scan on the device is not turned on. This notification can be dismissed.
  • Block access: The user is blocked from access if Google's Verify Apps scan on the device is not turned on.
  • Note: The default value is set to Block Access
Play Integrity verdict evaluation type

This setting chooses how the Play Integrity verdict is evaluated. Hardware-backed key evaluation adds a check of the device's hardware-backed key attestation on top of the basic evaluation, which makes the verdict harder for a compromised OS to fake; it supersedes the earlier SafetyNet attestation service check. Devices that can't produce hardware-backed key attestation won't pass this evaluation.

The value can be set to Hardware-backed key only after the Play integrity verdict setting above has been configured.

Require device lock

This setting determines whether the Android device has a device PIN that meets the minimum password requirement. The App protection policy can take action if the device lock doesn’t meet the minimum password requirement.

The following values include:

  • Low Complexity
  • Medium Complexity
  • High Complexity

Note: The Complexity value is targeted to Android 12+. For devices operating on Android 11 and earlier setting a complexity value of low, medium or high will default to the expected behaviour for Low Complexity.

The following actions include:

  • Warn: The user sees a notification if the device lock doesn’t meet the minimum password requirement. The notification can be dismissed.
  • Block access: The user will be blocked from access if the device lock doesn’t meet the minimum password requirement.
  • Wipe data: The user account that is associated with the application is wiped from the device if the device lock doesn’t meet the minimum password requirement.
Min Company Portal version

This setting specifies the minimum version of the Company Portal that is enforced on an end user device. This conditional launch setting allows you to set the actions Block access, Wipe data and Warn.

Max Company Portal version age (days)

This setting sets the maximum age, in days, of the Company Portal version installed on Android devices. The value must be between 0 and 365 days.

When a device doesn't meet this setting, one of the following actions is triggered:

  • Block access
  • Wipe data
  • Warn

Note: The age of the Company Portal build is determined by Google Play on the end user device.

Samsung Knox device attestation

This setting specifies that the Samsung Knox device attestation check is required. See Microsoft's list of supported Samsung devices.

The following actions include:

  • Warn: The user sees a notification if the device doesn't meet Samsung Knox device attestation check. This notification can be dismissed.
  • Block access: The user is blocked from access if the device doesn't meet Samsung's Knox device attestation check.
  • Wipe data: The user account that is associated with the application is wiped from the device.
Max allowed device threat level

This setting specifies a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device.

Select the following options: Secured, Low, Medium, or High.

Secured requires no threats on the device and is the most restrictive configurable value, while High, the least restrictive, essentially only requires an active Intune-to-MTD connection.

Actions include:

  • Block access: The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
  • Wipe data: The user account that is associated with the application is wiped from the device.
Primary MTD service

If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.

The following values include:

  • Microsoft Defender for Endpoint: if its MTD connector is configured, Microsoft Defender for Endpoint provides the device threat level information.
  • Mobile Threat Defense (Non-Microsoft): if its MTD connector is configured, the non-Microsoft MTD app provides the device threat level information.
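
The two conditional launch tables above (App conditions and Device conditions) describe each check in isolation; what an administrator usually wants to know is what a given device will experience when several checks fail at once. The following Python script is an added example, not Intune's implementation (the Intune App SDK evaluates these on the device and this page doesn't describe its internals): it walks a device's state through the conditions and reports the failures and the resulting action. Assumptions, all mine: Android versions compare as dotted numeric tuples, security patch levels as YYYY-MM-DD dates, Play Integrity verdicts use the MEETS_BASIC_INTEGRITY / MEETS_DEVICE_INTEGRITY labels of the Play Integrity API, and when failing conditions carry different actions the most severe one wins (wipe > block > reset PIN > warn). NOW, DEVICE and HEALTHY are constructed samples, and the version and manufacturer thresholds in POLICY are example values where the page gives no default.

```python
"""Walk a device's state through the conditional launch conditions above
and report which fail and which action results.
Added example, not Intune's implementation.  ASSUMPTIONS (mine): version,
patch-level and verdict comparisons, and the severity order of actions.
NOW, DEVICE and HEALTHY are constructed samples."""
from datetime import date, datetime, timedelta

SEVERITY = {"warn": 1, "reset_pin": 2, "block": 3, "wipe": 4}   # assumed order
THREAT_ORDER = ["secured", "low", "medium", "high"]             # least to most threat

# Conditional launch settings; page defaults where the page states them,
# example thresholds elsewhere.
POLICY = {
    "max_pin_attempts": (5, "reset_pin"),         # page default 5
    "offline_block_minutes": 720,                 # page default 720
    "offline_wipe_days": 90,                      # page default 90
    "min_os_version": ("11", "block"),            # example threshold
    "min_patch_version": ("2023-01-01", "warn"),  # example threshold
    "rooted": "block",                            # page default Block access
    "play_integrity": ("device", "block"),        # basic + device integrity
    "allowed_manufacturers": (["samsung", "google"], "block"),   # example
    "max_threat_level": ("low", "block"),         # example
}


def version_lt(a: str, b: str) -> bool:
    """True when dotted version a is older than b; missing parts count as 0."""
    ta = [int(p) for p in a.split(".")]
    tb = [int(p) for p in b.split(".")]
    n = max(len(ta), len(tb))
    return ta + [0] * (n - len(ta)) < tb + [0] * (n - len(tb))


def evaluate(policy: dict, device: dict, now: datetime) -> list:
    """Return [(condition, action), ...] for every failing condition."""
    failures = []
    # App conditions
    limit, action = policy["max_pin_attempts"]
    if device["failed_pin_attempts"] >= limit:
        failures.append(("max_pin_attempts", action))
    offline = now - device["last_online_check"]
    if offline >= timedelta(days=policy["offline_wipe_days"]):
        failures.append(("offline_grace_period", "wipe"))
    elif offline >= timedelta(minutes=policy["offline_block_minutes"]):
        failures.append(("offline_grace_period", "block"))
    # Device conditions
    if device["rooted"]:
        failures.append(("rooted", policy["rooted"]))
    minimum, action = policy["min_os_version"]
    if version_lt(device["os_version"], minimum):
        failures.append(("min_os_version", action))
    minimum, action = policy["min_patch_version"]
    if date.fromisoformat(device["patch_level"]) < date.fromisoformat(minimum):
        failures.append(("min_patch_version", action))
    level, action = policy["play_integrity"]
    required = {"MEETS_BASIC_INTEGRITY"}
    if level == "device":                       # basic + device integrity
        required.add("MEETS_DEVICE_INTEGRITY")
    if not required <= device["integrity_verdicts"]:
        failures.append(("play_integrity", action))
    allowed, action = policy["allowed_manufacturers"]
    if device["manufacturer"].lower() not in allowed:
        failures.append(("device_manufacturer", action))
    maximum, action = policy["max_threat_level"]
    if THREAT_ORDER.index(device["threat_level"]) > THREAT_ORDER.index(maximum):
        failures.append(("max_threat_level", action))
    return failures


def resulting_action(failures: list):
    """Most severe action among the failures; None means the app launches normally."""
    if not failures:
        return None
    return max((action for _, action in failures), key=SEVERITY.__getitem__)


NOW = datetime(2024, 3, 1, 12, 0)
DEVICE = {                                  # constructed: an out-of-date device
    "failed_pin_attempts": 2,
    "last_online_check": NOW - timedelta(hours=13),
    "os_version": "10",
    "patch_level": "2022-11-05",
    "rooted": False,
    "integrity_verdicts": {"MEETS_BASIC_INTEGRITY"},
    "manufacturer": "Samsung",
    "threat_level": "medium",
}
HEALTHY = {                                 # constructed: a compliant device
    "failed_pin_attempts": 0,
    "last_online_check": NOW - timedelta(minutes=30),
    "os_version": "14",
    "patch_level": "2024-02-05",
    "rooted": False,
    "integrity_verdicts": {"MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"},
    "manufacturer": "Google",
    "threat_level": "secured",
}

if __name__ == "__main__":
    for name, dev in (("DEVICE", DEVICE), ("HEALTHY", HEALTHY)):
        failures = evaluate(POLICY, dev, NOW)
        print(name, failures, "->", resulting_action(failures))
```

For the constructed DEVICE the patch-level check only warns, but the 13 hours offline (past the 720-minute default), the Android 10 OS, the missing device-integrity verdict and the medium threat level all block, so the user is blocked until the device is brought back into line; only the offline timer clears by itself once the device reconnects and the user re-authenticates.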