What is the definition of each iOS App Protection policy setting

Overview

This knowledge base article describes the app protection policy settings for iOS/iPadOS devices.

This will be broken down into three categories:

  • iOS Data Protection
    • iOS Data Protection: Data Transfer
    • iOS Data Protection: Encryption
    • iOS Data Protection: Functionality
  • iOS Access requirements
  • iOS Conditional launch:
    • iOS Conditional Launch App conditions
    • iOS Conditional Launch Device condition

iOS Data Protection: Data Transfer

Setting: Backup org data to iTunes and iCloud backups
Description: Select "Block" to prevent this app from backing up work or school data to iTunes and iCloud. Select "Allow" to allow this app to back up work or school data to iTunes and iCloud.
Default value: Allow

Setting: Send Org data to other apps
Description:
  • All apps: Allow transfer to any app. The receiving app will have the ability to read and edit the data.
  • None: Don't allow data transfer to any app, including other policy-managed apps. If the user performs a managed open-in function and transfers a document, the data will be encrypted and unreadable.
  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • Policy managed apps with OS sharing: Only allow data transfer to other policy-managed apps, as well as file transfers to other MDM-managed apps on enrolled devices.
Default value: All apps

Setting: Select apps to exempt
Description: This option is available when you select Policy managed apps for the previous option.
Default value: N/A

Setting: Select universal links to exempt
Description: Specify which iOS/iPadOS Universal Links should open in the specified unmanaged application instead of the protected browser specified by the Restrict web content transfer with other apps setting.
Default value: N/A

Setting: Select managed universal links
Description: Specify which iOS/iPadOS Universal Links should open in the specified managed application instead of the protected browser specified by the Restrict web content transfer with other apps setting.
Default value: N/A

Setting: Save copies of org data
Description:
  • Choose "Block" to disable the use of the Save As option in this app.
  • Choose "Allow" if you want to allow the use of Save As.
When set to Block, you can configure the setting Allow user to save copies to selected services.
Default value: Allow

Setting: Allow user to save copies to selected services
Description: Users can save to the selected services:
  • OneDrive for Business: users can save files to OneDrive for Business and SharePoint Online.
  • SharePoint: users can save files to on-premises SharePoint.
  • Photo Library: users can save files to the local photo library.
  • Local Storage: managed apps can save copies of Org data locally.
Default value: 0 selected

Setting: Transfer telecommunication data to
Description: When a user selects a hyperlinked phone number in an app, a dialer app will open with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:
  • None: Don't transfer communication data between apps when a phone number is detected.
  • A specific dialer app: Allow a specific managed dialer app to initiate contact when a phone number is detected.
  • Any dialer app: Allow any managed dialer app to be used to initiate contact when a phone number is detected.
Default value: Any dialer app

Setting: Dialer App URL Scheme
Description: When a specific dialer app has been selected, you must provide the dialer app URL scheme that is used to launch the dialer app on iOS devices. For more information, see Apple's documentation about Phone Links.
Default value: Blank

Setting: Transfer messaging data to
Description: When a user selects a hyperlinked messaging link in an app, a messaging app will open with the phone number prepopulated and ready to send. For this setting, choose how to handle this type of content transfer when it is initiated from a policy-managed app:
  • None: Don't transfer communication data between apps when a phone number is detected.
  • A specific messaging app: Allow a specific managed messaging app to initiate contact when a phone number is detected.
  • Any messaging app: Allow any managed messaging app to be used to initiate contact when a phone number is detected.
Default value: Any messaging app

Setting: Messaging App URL Scheme
Description: When a specific messaging app has been selected, you must provide the messaging app URL scheme that is used to launch the messaging app on iOS devices.
Default value: Blank

Setting: Receive data from other apps
Description: Specify which apps can transfer data to this app:
  • All apps: Allow data transfer from any app.
  • None: Don't allow data transfer from any app, including other policy-managed apps.
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps with incoming Org data: Allow data transfer from any app. Treat all incoming data without a user identity as data from your organization. The data will be marked with the MDM-enrolled user's identity as defined by the IntuneMAMUPN setting.
Default value: All apps

Setting: Open data into Org documents
Description: Select "Block" to disable the use of the Open option or other options to share data between accounts in this app. Select "Allow" if you want to allow the use of Open.
When set to Block, you can configure Allow user to open data from selected services to specify which services are allowed for Org data locations.
  • This setting is only configurable when the setting Receive data from other apps is set to Policy managed apps.
  • This setting will be "Allow" when the setting Receive data from other apps is set to All apps or All apps with incoming Org data.
  • This setting will be "Block" with no allowed service locations when the setting Receive data from other apps is set to None.
  • The following apps support this setting:
    • OneDrive 11.45.3 or later
    • Outlook for iOS 4.60.0 or later
    • Teams for iOS 3.17.0 or later
Default value: Allow

Setting: Allow users to open data from selected services
Description: Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data from external locations.
The following services are supported:
  • OneDrive for Business
  • SharePoint Online
  • Camera
  • Photo Library
Default value: All selected

Setting: Restrict cut, copy and paste between other apps
Description: Select one of the following:
  • Blocked: Don't allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Default value: Any app

Setting: Cut and copy character limit for any app
Description: Enter the number of characters that may be cut or copied from Org data and accounts. This allows sharing of the specified number of characters to any application, regardless of the Restrict cut, copy, and paste with other apps setting.
Default value: 0

Setting: Third party keyboards
Description: Choose "Block" to prevent the use of third-party keyboards in managed applications.
When this setting is enabled, the user will receive a one-time message stating that the use of third-party keyboards is blocked. This message appears the first time a user interacts with organizational data that requires the use of a keyboard. Only the standard iOS/iPadOS keyboard is available while using managed applications, and all other keyboard options are disabled.
Default value: Allow

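A share between two apps has to pass the sender's "Send Org data to other apps" setting and the receiver's "Receive data from other apps" setting. The example below is written for this article (it is not Intune SDK code) and models that two-sided check, including the "Select apps to exempt" list, the OS-sharing variant for MDM-managed apps on enrolled devices, and the IntuneMAMUPN tagging of unidentified inbound data. The App and Policy field names, the sample app names and URL schemes, and the sample UPN are assumptions constructed for the example.

```python
"""Added example: evaluating one share action against the sender's outbound and
the receiver's inbound data-transfer settings. Illustrative code for this
article, not Intune SDK logic; field names and sample values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Option names as they appear in "Send Org data to other apps".
SEND_ALL = "All apps"
SEND_NONE = "None"
SEND_MANAGED = "Policy managed apps"
SEND_MANAGED_OS = "Policy managed apps with OS sharing"

# Option names as they appear in "Receive data from other apps".
RECV_ALL = "All apps"
RECV_NONE = "None"
RECV_MANAGED = "Policy managed apps"
RECV_ALL_ORG = "All apps with incoming Org data"


@dataclass
class App:
    name: str
    policy_managed: bool = False  # an app protection policy is applied to it
    mdm_managed: bool = False     # installed as a managed app by MDM on an enrolled device
    url_scheme: str = ""          # scheme matched against "Select apps to exempt"


@dataclass
class Policy:
    send_to: str = SEND_ALL
    receive_from: str = RECV_ALL
    exempt_schemes: set = field(default_factory=set)  # "Select apps to exempt"
    mam_upn: str = ""  # IntuneMAMUPN: identity stamped on untagged inbound data


def sender_allows(policy: Policy, dst: App, device_enrolled: bool) -> bool:
    """Does the sending app's policy let readable Org data reach dst?"""
    if policy.send_to == SEND_ALL:
        return True
    if policy.send_to == SEND_NONE:
        # A managed open-in still happens, but the payload stays encrypted
        # and unreadable, so treat it as not transferred.
        return False
    allowed = dst.policy_managed or dst.url_scheme in policy.exempt_schemes
    if policy.send_to == SEND_MANAGED_OS:
        allowed = allowed or (device_enrolled and dst.mdm_managed)
    return allowed


def receiver_accepts(policy: Policy, src: App,
                     data_identity: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Returns (accepted, identity the data carries once inside the receiver)."""
    if policy.receive_from == RECV_NONE:
        return False, None
    if policy.receive_from == RECV_MANAGED and not src.policy_managed:
        return False, None
    if policy.receive_from == RECV_ALL_ORG and data_identity is None:
        # Unidentified data is treated as Org data and tagged with the MAM UPN.
        return True, policy.mam_upn
    return True, data_identity


def evaluate_transfer(src: App, src_policy: Policy, dst: App, dst_policy: Policy,
                      data_identity: Optional[str] = None,
                      device_enrolled: bool = False) -> Tuple[bool, Optional[str]]:
    """Both sides must agree; returns (allowed, identity) for one share action."""
    if not sender_allows(src_policy, dst, device_enrolled):
        return False, None
    return receiver_accepts(dst_policy, src, data_identity)


# Constructed sample apps and policies (names, schemes and UPN are assumptions).
OUTLOOK = App("Outlook", policy_managed=True, url_scheme="ms-outlook")
TEAMS = App("Teams", policy_managed=True, url_scheme="msteams")
MDM_APP = App("LOB viewer", mdm_managed=True, url_scheme="lobviewer")
UNMANAGED = App("Notes", url_scheme="mobilenotes")
MANAGED_POLICY = Policy(send_to=SEND_MANAGED, receive_from=RECV_MANAGED,
                        mam_upn="user@contoso.example")
NO_POLICY = Policy()  # an unmanaged app has no policy: no restriction either way

if __name__ == "__main__":
    print(evaluate_transfer(OUTLOOK, MANAGED_POLICY, TEAMS, MANAGED_POLICY,
                            "user@contoso.example"))
    print(evaluate_transfer(OUTLOOK, MANAGED_POLICY, UNMANAGED, NO_POLICY,
                            "user@contoso.example"))
```

The receiver-side result carries the identity because the "All apps with incoming Org data" option changes what the data is, not just whether it arrives: data that comes in without a user identity leaves the check tagged with the enrolled user's UPN, which is what later selective wipes and transfer checks act on.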
iOS Data Protection: Encryption

Setting: Encrypt Org data
Description: Choose "Require" to enable encryption of work or school data in this app.
When you enable this setting, the user is required to set up and use a device PIN to access their device.
If there's no device PIN and encryption is required, the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."
Default value: Require

iOS Data Protection: Functionality

Setting: Sync policy managed app data with native apps or add-ins
Description: Select "Block" to prevent policy-managed apps from saving data to the device's native apps (Contacts, Calendar and widgets) and to prevent the use of add-ins within the policy-managed apps.
If you choose Allow, the policy-managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy-managed app.
Note: When you perform a selective wipe to remove work or school data from the app, data synced directly from the policy-managed app to the native app is removed. Any data synced from the native app to another external source won't be wiped.
Default value: Allow

Setting: Printing Org data
Description:
  • Select "Block" to prevent the app from printing work or school data.
  • Select "Allow" to let users export and print all Org data.
Default value: Allow

Setting: Restrict web content transfer with other apps
Description: Select how web content (http/https links) is opened from policy-managed applications.
  • Any app: Allow web links in any app.
  • Intune Managed Browser: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.
  • Microsoft Edge: Allow web content to open only in Microsoft Edge. This browser is a policy-managed browser.
  • Unmanaged browser: Allow web content to open only in the unmanaged browser defined by the Unmanaged browser protocol setting. The web content will be unmanaged in the target browser.
Default value: Not configured

Setting: Unmanaged Browser Protocol
Description: Enter the protocol for a single unmanaged browser. Web content (http/https links) from policy-managed applications will open in any app that supports this protocol. The web content will be unmanaged in the target browser.
Note: This feature should only be used if you want to share protected content with a specific browser that isn't enabled using Intune app protection policies.
Examples that include only the protocol prefix are:

Default value: Blank

Setting: Org data notifications
Description: Specify how Org data is shared via OS notifications for Org accounts. This policy setting will impact the local device and any connected devices such as wearables and smart speakers.
The following additional controls customise the behaviour:
  • Blocked: Don't share notifications. If not supported by the application, notifications will be allowed.
  • Block org Data: Don't share Org data in notifications, for example "You have new mail" or "You have a meeting". If not supported by the application, notifications will be allowed.
  • Allow: Shares Org data in the notifications.
Note: This setting requires the following app support:
  • Outlook for iOS 4.34.0 or later
  • Teams for iOS 2.0.22 or later
  • Microsoft 365 (Office) for iOS 2.72 or later
Default value: Allow

iOS Access Requirements

Setting: PIN for access
Description: Select "Require" to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. The PIN is applied when working either online or offline.
You can configure the PIN strength using the settings available under the PIN for access section.
Default value: Require

Setting: PIN type
Description: Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.
Default value: Numeric

Setting: Simple PIN
Description:
  • Select "Allow" to allow users to use simple PIN sequences like 1234, 1111, abcd or aaaa.
  • Select "Block" to prevent them from using simple sequences. Simple sequences are checked in 3-character sliding windows. For example, the PINs 1235 and 1112 wouldn't be accepted when set by the end user, but 1122 would be allowed.
Default value: Allow

Setting: Select minimum PIN length
Description: This setting specifies the minimum number of digits in a PIN sequence.
Default value: 4

Setting: Touch ID instead of PIN for access (iOS 8+)
Description: Select "Allow" to allow the user to use Touch ID instead of a PIN for app access.
Default value: Allow

Setting: Override Touch ID with PIN after timeout
Description: To use this setting, select "Require" and then configure an inactivity timeout.
Default value: Require

Setting: Timeout (minutes of inactivity)
Description: This setting specifies a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint or face as the method of access.
Note: The timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.
Default value: 30

Setting: Face ID instead of PIN for access (iOS 11+)
Description: Select "Allow" to allow the user to use facial recognition technology to authenticate on iOS/iPadOS devices. If allowed, Face ID must be used to access the app on a Face ID capable device.
Default value: Allow

Setting: PIN reset after number of days
Description: Select "Yes" to require users to change their app PIN after a set period of time, in days. If "Yes" is selected, then configure the number of days before the PIN reset is required.
Default value: No

Setting: Number of days
Description: This setting configures the number of days before the PIN reset is required.
Default value: 90

Setting: App PIN when device PIN is set
Description: Select "Disable" to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.
Note: Requires the app to have Intune SDK version 7.0.1 or above. The IntuneMAMUPN setting must be configured for applications to detect the enrollment state.
Default value: Enable

Setting: Work or school account credentials for access
Description: Select "Require" to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to Require, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.
Default value: Not required

Setting: Recheck the access requirements after (minutes of inactivity)
Description: Configure the number of minutes of inactivity that must pass before the app requires the user to again specify the access requirements.
Default value: 30

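The PIN type, minimum PIN length and Simple PIN settings above together decide whether a PIN the user proposes is accepted. The example below is written for this article (it is not the Intune SDK's PIN validator) and applies the three rules to a candidate PIN, including the 3-character sliding-window check for simple sequences. The page lists only repeated (1111, aaaa) and ascending (1234, abcd) sequences as simple, so this code treats a window as simple when its three characters are identical or ascend by one; treating descending runs as non-simple is an assumption, not something the page states.

```python
"""Added example: checking a candidate app PIN against the "PIN type",
"Select minimum PIN length" and "Simple PIN" settings. Illustrative code for
this article, not the Intune SDK's validator. Assumption: a 3-character window
is "simple" when its characters are identical or ascend by exactly one code
point; the page gives only those two kinds of example.
"""
import string


def is_simple_window(window: str) -> bool:
    """True for windows like 111, aaa (repeated) or 123, abc (ascending by one)."""
    a, b, c = (ord(ch) for ch in window)
    return a == b == c or (b - a == 1 and c - b == 1)


def has_simple_sequence(pin: str) -> bool:
    """Slide a 3-character window over the PIN, as the Simple PIN setting describes."""
    return any(is_simple_window(pin[i:i + 3]) for i in range(len(pin) - 2))


def validate_pin(pin: str, pin_type: str = "Numeric", min_length: int = 4,
                 allow_simple: bool = True) -> list:
    """Return the list of violated settings; an empty list means the PIN is acceptable.

    Defaults mirror the page: Numeric type, minimum length 4, simple PINs allowed.
    """
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than minimum PIN length {min_length}")
    if pin_type == "Numeric":
        if not pin.isdigit():
            problems.append("numeric PIN type allows digits only")
    elif pin_type == "Passcode":
        has_alpha = any(ch.isalpha() for ch in pin)
        has_special = any(ch in string.punctuation for ch in pin)
        if not (has_alpha or has_special):
            problems.append("passcode type needs at least 1 letter or 1 special character")
    else:
        raise ValueError(f"unknown PIN type: {pin_type}")
    if not allow_simple and has_simple_sequence(pin):
        problems.append("simple sequence blocked by Simple PIN setting")
    return problems


if __name__ == "__main__":
    # The three PINs the page uses to explain the sliding-window rule.
    for candidate in ("1235", "1112", "1122"):
        print(candidate, validate_pin(candidate, allow_simple=False))
```

Running the block reproduces the page's worked cases: 1235 fails on the window 123, 1112 fails on the window 111, and 1122 passes because neither 112 nor 122 is repeated or ascending.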
iOS Conditional launch: App conditions

Setting: Max PIN attempts
Description: This setting specifies the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to enter their PIN within the maximum number of attempts, the user must reset their PIN after successfully logging into their account and completing a multi-factor authentication (MFA) challenge if required.
The available actions are:
  • Reset PIN: The user must reset their PIN.
  • Wipe data: The user account that is associated with the application is wiped from the device.
Note: The default value is 5.

Setting: Offline grace period
Description: This setting specifies the time (in minutes) before the access requirements for the app are rechecked.
The available actions are:
  • Block access (minutes): The number of minutes that policy-managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. Note: The default value is 1440 minutes (24 hours).
  • Wipe data (days): The number of days of running offline after which the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. Note: The default value is 90 days.

Setting: Min app version
Description: This setting specifies the minimum application version.
The available actions are:
  • Warn: The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access: The user is blocked from access if the app version on the device doesn't meet the requirement.
  • Wipe data: The user account that is associated with the application is wiped from the device.

Setting: Min SDK version
Description: This setting specifies a minimum value for the Intune SDK version.
The available actions are:
  • Block access: The user is blocked from access if the app's Intune app protection policy SDK version doesn't meet the requirement.
  • Wipe data: The user account that is associated with the application is wiped from the device.
  • Warn: The user will see a notification if the iOS/iPadOS SDK version for the app doesn't meet the minimum SDK requirement. The user will be instructed to upgrade to the latest version of the app. This notification can be dismissed.

Setting: Disabled version
Description: There is no value to set for this setting.
The available actions are:
  • Block access: When the user has been confirmed as disabled in Microsoft Entra ID, the app blocks access to work or school data.
  • Wipe data: When the user has been confirmed as disabled in Microsoft Entra ID, the app performs a selective wipe of the user's account and data.

iOS Conditional launch: Device conditions

Setting: Min OS version
Description: This setting specifies the minimum iOS/iPadOS operating system version required to use this app.
Select one of the following actions:
  • Warn: The user will see a notification if the iOS/iPadOS version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access: The user will be blocked from access if the iOS/iPadOS version on the device doesn't meet this requirement.
  • Wipe data: The user account that is associated with the application is wiped from the device.

Setting: Max OS version
Description: This setting specifies the maximum iOS/iPadOS operating system version allowed to use this app.
Select one of the following actions:
  • Warn: The user will see a notification if the iOS/iPadOS version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access: The user will be blocked from access if the iOS/iPadOS version on the device doesn't meet this requirement.
  • Wipe data: The user account that is associated with the application is wiped from the device.

Setting: Device model(s)
Description: This setting specifies a semicolon-separated list of model identifier(s).
Select one of the following actions:
  • Allow specified (Block non-specified): Only devices that match the specified device model can use the app. All other device models are blocked.
  • Allow specified (Wipe non-specified): Only devices that match the specified device model can use the app. On all other device models, the user account that is associated with the application is wiped from the device.

Setting: Max allowed device threat level
Description: This setting specifies the maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device.
Select one of the following options: Secured, Low, Medium, or High.
Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires only an active Intune-to-MTD connection.
Actions include:
  • Block access: The user will be blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
  • Wipe data: The user account that is associated with the application is wiped from the device.

Setting: Primary MTD service
Description: If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.
The available values are:
  • Microsoft Defender for Endpoint: if the MTD connector is configured, Microsoft Defender for Endpoint provides the device threat level information.
  • Mobile Threat Defense (Non-Microsoft): if the MTD connector is configured, the non-Microsoft MTD provides the device threat level information.
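The App conditions and Device conditions above are each a value plus an action, evaluated against the state of the app and device at launch. The example below is written for this article (it is not Intune SDK logic) and walks one constructed policy and one constructed device snapshot through those checks, collecting the actions that would fire: max PIN attempts, the offline grace period's block and wipe thresholds, min app and SDK version, min and max OS version, the semicolon-separated device model list, and the ordered threat levels. The policy and state field names, the sample versions, model identifiers and timestamps are assumptions constructed for the example; the numeric defaults (5 attempts, 1440 minutes, 90 days) are the ones quoted in the tables. Version strings are compared numerically, which matters because a plain string comparison would rank "4.9.1" above "4.60.0".

```python
"""Added example: evaluating the conditional launch settings (App conditions and
Device conditions) against a snapshot of app and device state. Illustrative code
for this article, not Intune SDK logic; dictionary field names and sample values
are assumptions constructed here.
"""
from datetime import datetime, timedelta

# Threat levels from least to most severe, as listed in "Max allowed device threat level".
THREAT_ORDER = ["Secured", "Low", "Medium", "High"]


def version(s: str) -> tuple:
    """Split "4.60.0" into (4, 60, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in s.split("."))


def evaluate_conditional_launch(policy: dict, state: dict, now: datetime) -> list:
    """Return (setting, action) pairs for every condition the current state fails."""
    hits = []

    # --- App conditions ---
    if state["failed_pin_attempts"] >= policy["max_pin_attempts"]["value"]:
        hits.append(("Max PIN attempts", policy["max_pin_attempts"]["action"]))

    offline_for = now - state["last_online_check"]
    grace = policy["offline_grace_period"]
    if offline_for >= timedelta(days=grace["wipe_days"]):
        hits.append(("Offline grace period", "Wipe data"))
    elif offline_for >= timedelta(minutes=grace["block_minutes"]):
        hits.append(("Offline grace period", "Block access"))

    for key, label, actual in (("min_app_version", "Min app version", state["app_version"]),
                               ("min_sdk_version", "Min SDK version", state["sdk_version"])):
        for rule in policy.get(key, []):  # each rule: {"value": "x.y.z", "action": ...}
            if version(actual) < version(rule["value"]):
                hits.append((label, rule["action"]))

    # --- Device conditions ---
    os_ver = version(state["os_version"])
    for rule in policy.get("min_os_version", []):
        if os_ver < version(rule["value"]):
            hits.append(("Min OS version", rule["action"]))
    for rule in policy.get("max_os_version", []):
        if os_ver > version(rule["value"]):
            hits.append(("Max OS version", rule["action"]))

    models = policy.get("device_models")
    if models:
        allowed = {m.strip() for m in models["value"].split(";") if m.strip()}
        if state["device_model"] not in allowed:
            hits.append(("Device model(s)", models["action"]))

    threat = policy.get("max_device_threat_level")
    if threat and THREAT_ORDER.index(state["threat_level"]) > THREAT_ORDER.index(threat["value"]):
        hits.append(("Max allowed device threat level", threat["action"]))

    return hits


# Constructed sample policy; the numeric defaults are the ones quoted in the tables.
SAMPLE_NOW = datetime(2024, 6, 1, 9, 0)
SAMPLE_POLICY = {
    "max_pin_attempts": {"value": 5, "action": "Reset PIN"},
    "offline_grace_period": {"block_minutes": 1440, "wipe_days": 90},
    "min_app_version": [{"value": "4.60.0", "action": "Warn"},
                        {"value": "4.0.0", "action": "Block access"}],
    "min_sdk_version": [{"value": "14.0.0", "action": "Block access"}],
    "min_os_version": [{"value": "15.0", "action": "Block access"}],
    "max_os_version": [{"value": "17.0", "action": "Warn"}],
    "device_models": {"value": "iPhone14,2;iPad13,4", "action": "Block access"},
    "max_device_threat_level": {"value": "Low", "action": "Block access"},
}
# Constructed snapshot of one device/app: 25 hours offline, old app build,
# unlisted model, MTD reporting Medium.
SAMPLE_STATE = {
    "failed_pin_attempts": 2,
    "last_online_check": SAMPLE_NOW - timedelta(hours=25),
    "app_version": "4.9.1",
    "sdk_version": "17.0.0",
    "os_version": "16.4",
    "device_model": "iPhone12,1",
    "threat_level": "Medium",
}


def demo() -> list:
    return evaluate_conditional_launch(SAMPLE_POLICY, SAMPLE_STATE, SAMPLE_NOW)


if __name__ == "__main__":
    for setting, action in demo():
        print(f"{setting}: {action}")
```

For the sample snapshot the evaluator fires Block access on the offline grace period (25 hours exceeds 1440 minutes but not 90 days), Warn on min app version (4.9.1 is below 4.60.0 but above 4.0.0), Block access on the device model list and Block access on the threat level, while the PIN attempt count, SDK version and OS version range pass.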