Overview
This knowledge base article describes what to expect when your Android is managed by app protection policy settings.
Requirements
- Microsoft Intune tenant with MDM Authority set to Intune
- Minimum Android 9.0 and later
- Unmanaged Microsoft Company Portal (broker app)
- Conditional Access Policy
- Microsoft Entra ID P1 (part of E3/E5 bundle)
Configuration
Devicie offers the following App Protection policies:
| Policy Name | Description |
| Devicie - Android Enterprise Basic Data Protection | This app protection policy ensures that apps with work or school account data are protected with a PIN, encrypted, validates Android device attestation, and enables selective wipe operations. |
| Devicie - Android Enterprise Enhanced Data Protection | This app protection policy introduces data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data. |
| Devicie - Android Enterprise High Data Protection | This app protection policy is for devices used by specific users or groups who are uniquely high risk (for example, users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). |
Apps
For each Devicie App Protection Policy, the Apps customised settings show the following:
- Target to apps on all device types: Yes
- Device types: 0 selected
- Target policy to: Core Microsoft Apps
Conditional Access policy
This conditional access policy requires the mobile devices is registered in Entra ID via a broker app. The broker app uses the Microsoft Company Portal for Android, if the broker app is not available on a device, the user will be asked to download it during the sign-in process into one of the protected apps).
Create conditional access policy under Remote work: Require approved client apps and app protection
Target resources: All cloud apps
Device platforms: Android and iOS
Grant access controls: Require approved client app or Require app protection policy
For multiple controls: Require one of the selected controls
User Experience - Microsoft Outlook
Users downloads Microsoft Outlook on an unmanaged Android device then signs in with corporate credentials.
When setting up Outlook, the user will be get redirected to the Google store to install Microsoft Company Portal (broker app) when trying to authenticate for the first time.
Note: You do not need to sign into the Company Portal.
The broker app starts the Entra registration process which creates a device record in Entra ID (not Intune MDM), that record is necessary for the Conditional Access policies.
It will then apply the "App protection policy" as defined from Microsoft Intune onto the app. Select Continue.
As per policy requirements, a user will need to setup a PIN for the app access on the Android that is shared between other apps.
User will be prompted to re-enter the PIN
As an example, if the user has not accessed the Outlook App on the mobile phone for more than 30 minutes, the user will be prompted to enter the 4 digit PIN.
User Experience - Microsoft Teams
The same process applies with Microsoft Teams.
After logging into Microsoft Teams, it will use the Android Microsoft Company to authenticate which will apply the "App Protection policy" that is applied. Select Continue.
The user will be prompted to setup a 4 digit PIN.
You will then be prompted to reconfirm your PIN. This will then load into Microsoft teams.
Alternatively depending on the specifications of your mobile device, you will get prompted to use face recognition.
App Protection Policies - Differences
For Devicie - Android Enterprise Basic Data Protection and Devicie - Android Enterprise Enhanced Data Protection
- Simple PIN is set to Allow
- Select minimum PIN length is set to 4
- PIN reset after number of days is set to No
- Number of days is 0 (Not configured)
For Devicie - Android Enterprise High Data Protection
- Simple PIN is set to Block
- Select minimum PIN length is set to 6
- PIN reset after number of days is set to Yes
- Number of days is 365
