Based on the security level selected while creating the Intune App Protection Policy, the settings that are predefined by ZENworks can be viewed or edited by performing the steps described in this section. Because this policy does not support the creation of a Sandbox version, any edit to its settings must be published as a new version of the policy. For more information, see Publishing the App Protection Policy.
In ZENworks Control Center, navigate to the Policies section.
Click the App Protection Policy for which the content needs to be configured.
Click the Details tab and edit the settings.
NOTE: If you selected Define Additional Properties while creating this policy, you are taken directly to the Details tab after clicking the Finish button.
You can edit the list of apps that you had selected in the policy. You can also click Add to include custom apps to this list.
There are two categories of Intune App Protection Policy settings: Data Relocation settings and App Access settings.
Setting Name | Supported Platforms | Description |
---|---|---|
Prevent iTunes and iCloud backups | iOS | Prevents the backup of data to iCloud or iTunes. |
Prevent Android backups | Android | Restricts backup of the app information. |
Allow app to transfer data to other apps | iOS and Android | Enables the app to transfer the corporate data to selected apps. Following are the available options: Select exempted apps: Click Add/Edit to include apps that should be exempted from the data transfer. If you need to allow data to be transferred to specific apps that do not support Intune APP, you can add the apps to the exempted list. Exemptions allow applications managed by Intune to transfer data to unmanaged applications based on URL protocol (iOS) or package name (Android). By default, Intune adds vital native applications to this list of exceptions. |
Allow app to receive data from other apps | iOS and Android | Specifies the apps from which data can be received: |
Allow app to transfer data to other apps | iOS and Android | Specifies the apps to which data can be transferred. |
Prevent "Save As" | iOS and Android | Disables the Save As option on the app. |
Select the storage services to which the corporate data can be saved | iOS and Android | This field is enabled if the Prevent "Save As" option is enabled. It lets you select the specific storage services to which the app data can be saved, such as SharePoint, OneDrive or the local storage. Use CTRL + Click to select multiple values in the field. |
Restrict cut, copy, and paste with other apps: |  | Restricts the cut, copy, and paste operations for the selected apps: |
Restrict web content to display in the Managed Browser | iOS and Android | Restricts the opening of web links displayed in the app to the Managed Browser app. |
Block screen capture and Android Assistant | Android | Disables both screen capture and Android Assistant app scanning capabilities. |
Encrypt app data | iOS | Select if the app data should be encrypted. When a PIN is required, the data is encrypted according to the settings in this policy. If a device PIN is not set and these encryption settings are enabled, the user is prompted to set a PIN. |
Encrypt app data | Android | Specify whether the app data should be encrypted. |
Disable app encryption when device encryption is enabled | Android | If device encryption is enabled, this option automatically disables the app encryption. This field can be modified only if Encrypt app data is enabled. |
Disable contact sync | iOS and Android | Prevents the app from saving data to the native Contacts app on the device. |
Disable printing | iOS and Android | Prevents the app from printing protected data. |
Disable third-party Keyboards | iOS | Disables the use of third-party keyboards with the app. |

Setting Name | Supported Platforms | Description |
---|---|---|
Require PIN for access | iOS and Android | Enforces the creation of a PIN for this app. The user is prompted to set up a PIN the first time they run the app. The following fields will also be enabled: |
PIN Type | iOS and Android | Enforces the format of the PIN. For example: a numeric PIN or a passcode type PIN. |
Number of attempts before PIN reset | iOS and Android | Defines the number of times the users can attempt to enter the PIN before they must reset it. Only a positive whole number can be specified. |
Allow simple PIN | iOS and Android | Enables users to specify a simple PIN sequence such as 1111 and 1234. NOTE: If a Passcode type PIN is configured and Allow simple PIN is set to Yes, at least 1 letter or 1 special character must be specified. If a Passcode type PIN is configured and Allow simple PIN is set to No, at least 1 number, 1 letter and 1 special character must be specified. |
PIN length | iOS and Android | Defines the required number of digits in the PIN. Only a positive whole number can be specified. |
Allow fingerprint instead of PIN | iOS and Android | Enables the user to use fingerprint identification instead of a PIN to access the app. This is applicable only on iOS 8.0 and newer versions. |
Allow facial recognition instead of PIN | iOS | Enables the user to use facial recognition instead of a PIN to access the app. This is applicable only on iOS 11.0 and newer versions. |
Disable app PIN when device PIN is managed | iOS and Android | Disables the app PIN when a device lock is detected on an enrolled device. |
Require corporate credentials for access | iOS and Android | Requires users to use their corporate credentials instead of entering a PIN for app access. |
Block managed apps from running on jailbroken or rooted devices | iOS and Android | Prevents this app from running on jailbroken or rooted devices. |
Offline interval before app data is wiped (days) | iOS and Android | Defines the number of days after which the app that is running offline will require the user to connect to the network to re-authenticate. When the user successfully authenticates, the user will be able to continue to access data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data. |
Recheck the access requirements after timeout (minutes) | iOS and Android | Defines the time (in minutes) after which the access requirements are rechecked. |
Recheck the access requirements after offline grace period (minutes) | iOS and Android | Allows the app to run offline for the specified time, after which the access requirements are rechecked. |
Require minimum iOS operating system | iOS | Enforces the requirement for a minimum iOS operating system to use the app. The user’s access to the app will be blocked if the minimum OS requirement is not met. The value should be specified in the iOS operating system field. |
Require minimum iOS operating system (Warning only) | iOS | Sends a notification to the user if the specified minimum iOS operating system requirement needed to use the app is not met. The notification can be dismissed. The value should be specified in the iOS operating system field. |
Require minimum app version | iOS | Enforces the requirement for a minimum app version to use the app. The user’s access to the app will be blocked if the minimum app version requirement is not met. The value should be specified in the App version field. |
Require minimum app version (Warning only) | iOS | Sends a notification to the user if the specified minimum app version requirement is not met. The notification can be dismissed. The value should be specified in the App version field. |
Require minimum Intune app protection policy SDK version | iOS | Enforces the requirement for a minimum Intune app protection policy SDK version to access the app. The user is blocked from access if the SDK version does not meet the requirement. |
Require minimum Android version | Android | Restricts app access to the specified minimum Android version. The value should be specified in the Android version field. |
Require minimum Android version (Warning only) | Android | Sends a notification to the user if the specified minimum Android version needed to use the app is not met. The notification can be dismissed. The value should be specified in the Android version field. |
Require minimum app version | Android | Enforces the requirement for a minimum app version to use the app. The user’s access to the app will be blocked if the minimum app version requirement is not met. The value should be specified in the App version field. |
Require minimum app version (Warning only) | Android | Sends a notification to the user if the specified minimum app version requirement is not met. The notification can be dismissed. The value should be specified in the App version field. |
Require minimum Android patch version | Android | Enforces the requirement for a minimum Android security patch level to securely access the app. The value should be specified in the Patch version field. |
Require minimum Android patch version (Warning only) | Android | Sends a notification to the user if the specified minimum patch version requirement is not met. The notification can be dismissed. The value should be specified in the Patch version field. |
Click Publish to display the Publish Option page. On this page you can publish the modified policy as a new version of the same policy or as a new policy.
Unlike other policies in ZCC, you cannot create a Sandbox version of the Intune App Protection policy. When you edit the settings of the latest version of the policy, you can only publish the policy as a new version. To edit an older version of a policy:
Click Policies in the left-hand pane in ZCC.
Click an Intune App Protection Policy.
From the Displayed Version drop-down menu, select the version of the policy that you want to edit.
Click Publish and publish the policy to its latest version.
Edit the settings of the policy and click Publish to apply the latest changes.
Consider a scenario in which two versions of the policy are published (version 0 and version 1) and version 0 is selected. After selecting version 0, click Publish to publish the policy to its latest version, that is, Version 2. You can now edit the settings of the policy and publish the policy again as Version 3.
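
The following added example (not ZENworks or Intune code) shows how the PIN Type, Allow simple PIN and PIN length settings in the App Access table combine when a candidate PIN is evaluated. The function names, the "numeric"/"passcode" strings, the definition of a simple sequence and the treatment of PIN length as a minimum are assumptions made for illustration.

```python
import string

def is_simple_sequence(pin):
    # Assumed definition of "simple": one repeated character (1111) or a run
    # that steps by exactly +1 or -1 throughout (1234, 4321, abcd).
    if len(pin) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {-1})

def check_pin(pin, pin_type, allow_simple, pin_length):
    """Return a list of rule violations; an empty list means the PIN passes."""
    problems = []
    if len(pin) < pin_length:  # assumption: PIN length is treated as a minimum
        problems.append("too short")
    has_digit = any(c.isdigit() for c in pin)
    has_letter = any(c.isalpha() for c in pin)
    has_special = any(c in string.punctuation for c in pin)
    if pin_type == "numeric":
        if not (pin.isascii() and pin.isdigit()):
            problems.append("digits only")
        if not allow_simple and is_simple_sequence(pin):
            problems.append("simple sequence")
    elif pin_type == "passcode":
        # Composition rules from the NOTE under Allow simple PIN.
        if allow_simple and not (has_letter or has_special):
            problems.append("needs 1 letter or 1 special character")
        if not allow_simple and not (has_digit and has_letter and has_special):
            problems.append("needs 1 number, 1 letter and 1 special character")
    else:
        raise ValueError("pin_type must be 'numeric' or 'passcode'")
    return problems

# Constructed sample inputs: (PIN, PIN Type, Allow simple PIN, PIN length)
SAMPLES = [
    ("1234", "numeric", True, 4),
    ("1234", "numeric", False, 4),
    ("4821", "numeric", False, 4),
    ("123456", "passcode", True, 6),
    ("abc123", "passcode", False, 6),
    ("a1!xyz", "passcode", False, 6),
]

if __name__ == "__main__":
    for pin, kind, simple, length in SAMPLES:
        result = check_pin(pin, kind, simple, length)
        print(f"{pin!r:10} {kind:8} simple={simple!s:5} ->", result or "accepted")
```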