Based on the security level selected while creating the Intune App Protection Policy, ZENworks predefines a set of policy settings, which you can view or edit by performing the steps in this section. Because this policy does not support the creation of a Sandbox version, whenever you edit any of its settings, the policy must be published as a new version. For more information, see Publishing the App Protection Policy.
1. In ZENworks Control Center, navigate to the Policies section.
2. Click the App Protection Policy for which the content needs to be configured.
3. Click the Details tab and edit the settings.
NOTE: If you selected Define Additional Properties while creating this policy, you are taken directly to the Details tab after clicking the Finish button.
You can edit the list of apps that you selected in the policy. You can also click Add to include custom apps in this list.
There are two categories of Intune App Protection Policy settings: Data Relocation settings (the first table below) and App Access settings (the second table).
Setting Name | Supported Platforms | Description |
---|---|---|
Prevent iTunes and iCloud backups | iOS | If you select Yes, app data will not be backed up to iCloud or iTunes. |
Prevent Android backups | Android | Restricts backup of the app information. |
Allow app to receive data from other apps | iOS and Android | Select one of the following options to specify from which apps data can be received: |
Allow app to transfer data to other apps | iOS and Android | Select one of the following options to specify to which apps data can be transferred: |
Prevent "Save As" | iOS and Android | If you select Yes, the Save As option on the app will be disabled. |
Select the storage services to which the corporate data can be saved | iOS and Android | This field will be enabled if the Prevent "Save As" option is enabled. You can select specific storage services to which the app data can be saved, such as SharePoint, OneDrive or the local storage. Use CTRL + Click to select multiple values in the field. |
Restrict cut, copy, and paste with other apps: | iOS and Android | Select one of the following options to restrict or allow cut, copy, or paste operations: |
Restrict web content to display in the Managed Browser | iOS and Android | Select Yes to restrict the opening of web links displayed in the app to the Managed Browser app. |
Encrypt app data | iOS | Select one of the following options to decide when the app data should be encrypted: When a PIN is required, the data is encrypted according to the settings in this policy. If a device PIN is not set and these encryption settings are enabled, the user will be prompted to set a PIN. |
Encrypt app data | Android | Specify whether the app data should be encrypted. |
Disable app encryption when device encryption is enabled | Android | If device encryption is enabled, this option automatically disables the app encryption. This field can be modified only if Encrypt app data is enabled. |
Disable contact sync | iOS and Android | Select Yes to prevent the app from saving data to the native Contacts app on the device. |
Disable printing | iOS and Android | Select Yes to prevent the app from printing protected data. |
Setting Name | Supported Platforms | Description |
---|---|---|
Require PIN for access | iOS and Android | Select Yes to create a PIN for this app. The user will be prompted to set up a PIN the first time they run the app. The following fields will also be enabled: |
PIN Type | iOS and Android | Select the type of PIN to be set, that is, a numeric PIN or a passcode type PIN. |
Number of attempts before PIN reset | iOS and Android | Specify the number of times the users can attempt to enter the PIN before they must reset it. You can specify only a positive whole number. |
Allow simple PIN | iOS and Android | Select Yes to allow users to specify a simple PIN sequence such as 1111 and 1234. NOTE: If a Passcode type PIN is configured and Allow simple PIN is set to Yes, you need to specify at least 1 letter or at least 1 special character. If a Passcode type PIN is configured and Allow simple PIN is set to No, you need to specify at least 1 number, 1 letter and 1 special character. |
PIN length | iOS and Android | Specify the number of digits in the PIN sequence. You can specify only a positive whole number. |
Allow fingerprint instead of PIN | iOS and Android | Select Yes to allow the user to use fingerprint identification instead of a PIN to access the app. This is applicable only on iOS 8.0 or newer versions. |
Allow facial recognition instead of PIN | iOS | Select Yes to allow the user to use facial recognition instead of a PIN to access the app. This is applicable only on iOS 11.0 or newer versions. |
Disable app PIN when device PIN is managed | iOS and Android | Select Yes to disable the app PIN when a device lock is detected on an enrolled device. |
Require corporate credentials for access | iOS and Android | Select Yes to require the user to use their corporate credentials instead of entering a PIN for app access. |
Block managed apps from running on jailbroken or rooted devices | iOS and Android | Select Yes to prevent this app from running on jailbroken or rooted devices. |
Offline interval before app data is wiped (days) | iOS and Android | If a device is running offline, specify the number of days after which the app will require the user to connect to the network and re-authenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. |
Recheck the access requirements after timeout (minutes) | iOS and Android | Specify the time (in minutes) after which the access requirements are rechecked. |
Recheck the access requirements after offline grace period (minutes) | iOS and Android | Specify the time (in minutes) that the app can run offline, after which the access requirements are rechecked. |
Require minimum iOS operating system | iOS | Select Yes if a minimum iOS operating system is required to use the app. The user's access to the app will be blocked if the minimum OS requirement is not met. You can specify the value in the iOS operating system field. |
Require minimum iOS operating system (Warning only) | iOS | Select Yes if a minimum iOS operating system is required to use the app. The user will receive a notification if the minimum OS requirement is not met, which can be dismissed. You can specify the value in the iOS operating system field. |
Require minimum app version | iOS | Select Yes if a minimum app version is required to use the app. The user's access to the app will be blocked if the minimum app version requirement is not met. You can specify the value in the App version field. |
Require minimum app version (Warning only) | iOS | Select Yes if a minimum app version is required to use the app. The user will receive a notification if the minimum app version requirement is not met, which can be dismissed. You can specify the value in the App version field. |
Require minimum Intune app protection policy SDK version | iOS | Select Yes if a minimum Intune app protection policy SDK version is required to access the app. The user is blocked from access if the app's Intune app protection policy SDK version does not meet the requirement. |
Require minimum Android version | Android | Restricts app access to the specified minimum Android version. The value should be specified in the Android version field. |
Require minimum Android version (Warning only) | Android | Sends a notification to the user if the specified minimum Android version needed to use the app is not met. The notification can be dismissed. The value should be specified in the Android version field. |
Require minimum app version | Android | Enforces the requirement for a minimum app version to use the app. The user's access to the app will be blocked if the minimum app version requirement is not met. The value should be specified in the App version field. |
Require minimum app version (Warning only) | Android | Sends a notification to the user if the specified minimum app version requirement is not met. The notification can be dismissed. The value should be specified in the App version field. |
Require minimum Android patch version | Android | Enforces the requirement for a minimum Android security patch level to securely access the app. The value should be specified in the Patch version field. |
Require minimum Android patch version (Warning only) | Android | Sends a notification to the user if the specified minimum patch version requirement is not met. The notification can be dismissed. The value should be specified in the Patch version field. |
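The PIN Type, Allow simple PIN and PIN length rules described above can be modelled to see which PINs a given combination of settings would accept. The following is an added example, not ZENworks or Intune code; the function names, the definition of a "simple" sequence (repeated or ascending-by-one characters), the treatment of PIN length as a minimum, and ASCII punctuation as "special characters" are assumptions.

```python
import string

def is_simple_sequence(pin):
    """Repeated (1111) or ascending-by-one (1234) characters.
    Assumption: these are the only two simple patterns the page names."""
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1})

def check_pin(pin, pin_type="numeric", allow_simple=False, pin_length=4):
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if len(pin) < pin_length:  # assumption: "PIN length" is a minimum
        problems.append(f"shorter than {pin_length} characters")
    if pin_type == "numeric":
        if not (pin.isascii() and pin.isdigit()):
            problems.append("numeric PIN must contain digits only")
        elif not allow_simple and is_simple_sequence(pin):
            problems.append("simple sequence not allowed")
    elif pin_type == "passcode":
        present = {
            "number": any(c.isdigit() for c in pin),
            "letter": any(c.isalpha() for c in pin),
            # assumption: "special" means ASCII punctuation
            "special character": any(c in string.punctuation for c in pin),
        }
        if allow_simple:
            # Allow simple PIN = Yes: at least 1 letter OR 1 special character
            if not (present["letter"] or present["special character"]):
                problems.append("needs at least 1 letter or 1 special character")
        else:
            # Allow simple PIN = No: 1 number AND 1 letter AND 1 special character
            missing = [kind for kind, ok in present.items() if not ok]
            if missing:
                problems.append("missing: " + ", ".join(missing))
    else:
        raise ValueError(f"unknown PIN type: {pin_type!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample PINs, evaluated under each policy combination
    for pin in ("1111", "1234", "4071", "abcdef", "abc123", "a1!xyz"):
        for pin_type in ("numeric", "passcode"):
            for allow_simple in (True, False):
                result = check_pin(pin, pin_type, allow_simple) or ["accepted"]
                print(f"{pin!r:9} {pin_type:8} simple={allow_simple!s:5} {result}")
```

Running the script prints a matrix showing how the same PIN is accepted or rejected as PIN Type and Allow simple PIN change, which helps when choosing values for a security level.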
Click Publish to display the Publish Option page. On this page, you can publish the modified policy as a new version of the same policy or as a new policy.
Unlike other policies in ZCC, you cannot create a Sandbox version of the iOS Intune App Protection policy. When you edit the settings of the latest version of the policy, you can only publish the policy as a new version. To edit an older version of a policy:
1. Click Policies in the left-hand pane in ZCC.
2. Click an Intune App Protection Policy.
3. From the Displayed Version drop-down menu, select the version of the policy that you want to edit.
4. Click Publish and publish the policy to its latest version.
5. Edit the settings of the policy and click Publish to apply the latest changes.

Consider a scenario where two versions of the policy have been published (version 0 and version 1) and version 0 is selected. After selecting version 0, click Publish to publish the policy to its latest version, that is, Version 2. You can now edit the settings of the policy and publish the policy again as Version 3.