iOS App Protection Policy Settings

This article describes the app protection policy settings for iOS/iPadOS devices. The policy settings that are described can be configured for an app protection policy on the Settings pane in the portal when you make a new policy.

There are three categories of policy settings: Data protection, Access requirements, and Conditional launch. In this article, the term policy-managed apps refers to apps that are configured with app protection policies.

Data protection

Data Transfer

Setting: Backup Org data to iTunes and iCloud backups
How to use: Select Block to prevent this app from backing up work or school data to iTunes and iCloud. Select Allow to allow this app to back up work or school data to iTunes and iCloud.
Default value: Allow
Setting: Send Org data to other apps
How to use: Specify what apps can receive data from this app:
  • All Apps: Allow transfer to any app. The receiving app has the ability to read and edit the data.
  • None: Don't allow data transfer to any app, including other policy-managed apps. If the user performs a managed open-in function and transfers a document, the data is encrypted and unreadable.
  • Policy managed apps: Allow transfer only to other policy-managed apps.

    Note: Users might be able to transfer content via Open-in or Share extensions to unmanaged apps on unenrolled devices, or on enrolled devices that allow sharing to unmanaged apps. Intune encrypts the transferred data, so unmanaged apps can't read it.

  • Policy managed apps with OS sharing: Only allow data transfer to other policy managed apps, and file transfers to other MDM-managed apps on enrolled devices.

    Note: The Policy managed apps with OS sharing value applies to MDM-enrolled devices only. If this setting is targeted to a user on an unenrolled device, the behavior of the Policy managed apps value applies. On unenrolled devices, when the Policy managed apps value is in effect, Open-in/Share filtering ensures that only other policy managed apps can accept data transfer. If a user attempts to transfer content to an unmanaged app (for example, via a custom share extension), the data is encrypted by Intune and unreadable unless the receiving app supports Intune's private data type. Users are able to transfer unencrypted content via Open-in or Share extensions to any application allowed by the iOS MDM allowOpenFromManagedToUnmanaged restriction, assuming the sending app has the IntuneMAMUPN and IntuneMAMOID app configuration values set; for more information, see How to manage data transfer between iOS apps in Microsoft Intune. See https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf for more information on this iOS/iPadOS MDM setting.

  • Policy managed apps with Open-In/Share filtering: Allow transfer only to other policy managed apps, and filter the OS Open-in/Share dialogs to display only policy managed apps. Filtering the Open-In/Share dialog requires both the app acting as the file/document source and the app that can open the file/document to have Intune SDK for iOS version 8.1.1 or above.

    Note: Users might be able to transfer content using Open-in or Share extensions to unmanaged apps if the app supports the Intune private data type. Intune encrypts the transferred data, so unmanaged apps can't read it.

Spotlight search (which enables searching data within apps) and Siri shortcuts are blocked unless this setting is All Apps.

This policy can also apply to iOS/iPadOS Universal Links.

There are some exempt apps and services to which Intune might allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn't support Intune APP. See Data transfer exemptions for more information.
Default value: All Apps
Setting: Select apps to exempt
How to use: This option is available when Send Org data to other apps is set to Policy managed apps.
Setting: Select universal links to exempt
How to use: Specify which iOS/iPadOS Universal Links should open in the specified unmanaged application instead of the protected browser specified by the Restrict web content transfer with other apps setting. You must contact the application developer to determine the correct universal link format for each application.
Setting: Select managed universal links
How to use: Specify which iOS/iPadOS Universal Links should open in the specified managed application instead of the protected browser specified by the Restrict web content transfer with other apps setting. You must contact the application developer to determine the correct universal link format for each application.
Setting: Save copies of org data
How to use: Choose Block to disable the use of the Save As option in this app. Choose Allow if you want to allow the use of Save As. When set to Block, you can configure the setting Allow user to save copies to selected services.

Note:
  • This setting is supported for Microsoft Excel, OneNote, Outlook, PowerPoint, Word, and Microsoft Edge. Non-Microsoft and line-of-business (LOB) apps can also support it.
  • This setting is only configurable when the setting Send org data to other apps is set to Policy managed apps, Policy managed apps with OS sharing, or Policy managed apps with Open-In/Share filtering.
  • This setting is "Allow" when the setting Send org data to other apps is set to All Apps.
  • This setting is "Block" with no allowed service locations when the setting Send org data to other apps is set to None.
Default value: Allow
Setting: Allow user to save copies to selected services
How to use: Users can save files only to the selected services: Microsoft OneDrive, SharePoint, Box, Photo Library, iManage, Egnyte, and local storage. All other services are blocked.
  • OneDrive for work or school: files can be saved to OneDrive for work or school and SharePoint.
  • SharePoint: files can be saved to on-premises SharePoint.
  • Photo Library: files can be saved to the local photo library.
  • Local Storage: managed apps can save copies of org data locally. This does NOT include saving files to unmanaged local locations such as the Files app on the device.
Default value: 0 selected
Setting: Transfer telecommunication data to
How to use: Typically, when a user selects a hyperlinked phone number in an app, a dialer app opens with the phone number prepopulated and ready to call. For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app:
  • None, do not transfer this data between apps: Don't transfer communication data when a phone number is detected.
  • A specific dialer app: Allow a specific managed dialer app to initiate contact when a phone number is detected.
  • Any dialer app: Allow any managed dialer app to be used to initiate contact when a phone number is detected.

Note: This setting requires Intune SDK 12.7.0 or later. If your apps rely on dialer functionality and aren't yet using that Intune SDK version, consider adding "tel;telprompt" as a data transfer exemption as a workaround. Once the apps are on the required Intune SDK version, the exemption can be removed.
Default value: Any dialer app
Setting: Dialer App URL Scheme
How to use: When a specific dialer app is selected, you must provide the dialer app URL scheme that is used to launch the dialer app on iOS devices. For more information, see Apple's documentation about Phone Links.
Default value: Blank
Setting: Transfer messaging data to
How to use: Typically, when a user selects a hyperlinked messaging link in an app, a messaging app opens with the phone number prepopulated and ready to send. For this setting, choose how to handle this type of content transfer when it's initiated from a policy-managed app. Extra steps might be necessary for this setting to take effect: first, verify that sms is removed from the Select apps to exempt list; then, ensure the application is using Intune SDK version 19.0.0 or later. Choose from:
  • None, do not transfer this data between apps: Don't transfer communication data when a phone number is detected.
  • A specific messaging app: Allow a specific managed messaging app to initiate contact when a phone number is detected.
  • Any messaging app: Allow any managed messaging app to be used to initiate contact when a phone number is detected.

Note: This setting requires Intune SDK 19.0.0 or later.
Default value: Any messaging app
Setting: Messaging App URL Scheme
How to use: When a specific messaging app has been selected, you must provide the messaging app URL scheme that is used to launch the messaging app on iOS devices. For more information, see Apple's documentation about Phone Links.
Default value: Blank
Setting: Receive data from other apps
How to use: Specify what apps can transfer data to this app:
  • All Apps: Allow data transfer from any app.
  • None: Don't allow data transfer from any app, including other policy-managed apps.
  • Policy managed apps: Allow transfer only from other policy-managed apps.
  • All apps with incoming Org data: Allow data transfer from any app. Treat all incoming data without a user identity as data from your organization. The data is marked with the MDM-enrolled user's identity as defined by the IntuneMAMUPN setting.

    Note: The All apps with incoming Org data value applies to MDM-enrolled devices only. If this setting is targeted to a user on an unenrolled device, the behavior of the All Apps value applies.

Multi-identity MAM-enabled applications attempt to switch to an unmanaged account when receiving unmanaged data if this setting is configured to None or Policy managed apps. If there's no unmanaged account signed into the app, or the app is unable to switch, the incoming data is blocked.
Default value: All Apps
Setting: Open data into Org documents
How to use: Select Block to disable the use of the Open option, or other options that share data between accounts, in this app. Select Allow if you want to allow the use of Open.

When set to Block, you can configure Allow users to open data from selected services to specify which services are allowed as Org data locations.

Note:
  • This setting is only configurable when the setting Receive data from other apps is set to Policy managed apps.
  • This setting is "Allow" when the setting Receive data from other apps is set to All Apps or All apps with incoming Org data.
  • This setting is "Block" with no allowed service locations when the setting Receive data from other apps is set to None.
  • The following apps support this setting:
    • OneDrive 11.45.3 or later.
    • Outlook for iOS 4.60.0 or later.
    • Teams for iOS 3.17.0 or later.
Default value: Allow
Setting: Allow users to open data from selected services
How to use: Select the application storage services that users can open data from. All other services are blocked. Selecting no services prevents users from opening data from external locations.
Note: This control is designed to work on data that is outside of the corporate container.

Supported services:
  • OneDrive
  • SharePoint
  • Camera
  • Photo Library
Note: Camera doesn't include Photos or Photo Gallery access. Selecting Photo Library in this setting allows managed accounts to bring data from the device's photo library into their managed apps.
Default value: All selected
Setting: Restrict cut, copy, and paste between other apps
How to use: Specify when cut, copy, and paste actions can be used with this app. Select from:
  • Blocked: Don't allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app.
Default value: Any app
Setting: Cut and copy character limit for any app
How to use: Specify the number of characters that might be cut or copied from Org data and accounts. This allows sharing of up to the specified number of characters to any application, including unmanaged apps, regardless of the Restrict cut, copy, and paste between other apps setting (with the default of 0, no characters are exempted from that setting).

Note: Requires the app to have Intune SDK version 9.0.14 or later.
Default value: 0
Setting: Third party keyboards
How to use: Choose Block to prevent the use of third-party keyboards in managed applications.

When set to Block, the user receives a one-time message stating that the use of third-party keyboards is blocked. This message appears the first time a user interacts with organizational data that requires the use of a keyboard. Only the standard iOS/iPadOS keyboard is available while using managed applications, and all other keyboard options are disabled. This setting affects both the organization and personal accounts of multi-identity applications. This setting doesn't affect the use of third-party keyboards in unmanaged applications.

Note: This feature requires the app to use Intune SDK version 12.0.16 or later. Apps with SDK versions from 8.0.14 up to and including 12.0.15 won't apply this feature correctly for multi-identity apps. For more information, see Known issue: Third party keyboards aren't blocked in iOS/iPadOS for personal accounts.
Default value: Allow

Note

For managed (enrolled) devices, the app protection policy must be paired with the IntuneMAMUPN app configuration setting. This applies to every setting on this page that requires enrolled devices.

Encryption

Setting: Encrypt Org data
How to use: Choose Require to enable encryption of work or school data in this app. Intune enforces iOS/iPadOS device-level encryption to protect app data while the device is locked. In addition, applications might optionally encrypt app data using Intune APP SDK encryption. The Intune APP SDK uses iOS/iPadOS cryptography methods to apply 256-bit AES encryption to app data.

When you enable this setting, the user could be required to set up and use a device PIN to access their device. If there's no device PIN and encryption is required, the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."

Go to the official Apple documentation to read more about Data Protection classes, as part of Apple Platform Security.
Default value: Require

Functionality

Setting: Sync policy managed app data with native apps or add-ins
How to use: Choose Block to prevent policy managed apps from saving data to the device's native apps (Contacts, Calendar, and widgets) and to prevent the use of add-ins within the policy managed apps. If not supported by the application, saving data to native apps and using add-ins will be allowed.

If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.

Applications might provide more controls to customize the data sync behavior for specific native apps, or might not honor this control.

Note: When you perform a selective wipe to remove work or school data from the app, data synced directly from the policy managed app to the native app is removed. Any data synced from the native app to another external source isn't wiped.

Note: The following apps support this feature:
Default value: Allow
Setting: Printing Org data
How to use: Select Block to prevent the app from printing work or school data. If you leave this setting at Allow, the default value, users are able to export and print all Org data.
Default value: Allow
Setting: Restrict web content transfer with other apps
How to use: Specify how web content (http/https links) is opened from policy-managed applications. Choose from:
  • Any app: Allow web links to open in any app.
  • Microsoft Edge: Allow web content to open only in Microsoft Edge. This browser is a policy-managed browser.
  • Unmanaged browser: Allow web content to open only in the unmanaged browser defined by the Unmanaged Browser Protocol setting. The web content is unmanaged in the target browser.
    Note: Requires the app to have Intune SDK version 11.0.9 or later.

If a policy-managed browser is required but isn't installed, a prompt appears for users to install Microsoft Edge.

If a policy-managed browser is required, iOS/iPadOS Universal Links are managed by the Send Org data to other apps policy setting.

Intune device enrollment
If you're using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune.

Policy-managed Microsoft Edge
The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Microsoft Entra accounts in the Microsoft Edge browser application are protected by Intune. The Microsoft Edge browser integrates the Intune SDK and supports all of its data protection policies, except for preventing:

  • Save-as: The Microsoft Edge browser doesn't allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).
  • Contact sync: The Microsoft Edge browser doesn't save to native contact lists.

Note: The Intune SDK can't determine if a target app is a browser. On iOS/iPadOS devices, no other managed browser apps are allowed.
Default value: Not configured
Setting: Unmanaged Browser Protocol
How to use: Enter the protocol for a single unmanaged browser. Web content (http/https links) from policy managed applications opens in any app that supports this protocol. The web content is unmanaged in the target browser.

Use this feature only when you need to share protected content with a specific browser that Intune app protection policies don't cover. You must contact your browser vendor to determine the protocol supported by your desired browser.

Note: Include only the protocol prefix. If your browser requires links of the form mybrowser://www.microsoft.com, enter mybrowser.
Links are translated as:
  • http://www.microsoft.com > mybrowser://www.microsoft.com
  • https://www.microsoft.com > mybrowsers://www.microsoft.com
Default value: Blank
Setting: Org data notifications
How to use: Specify how Org data is shared via OS notifications for Org accounts. This policy setting impacts the local device and any connected devices such as wearables and smart speakers. Apps might provide more controls to customize notification behavior or could choose to not honor all values. Select from:
  • Blocked: Don't share notifications. If not supported by the application, notifications are allowed.
  • Block org Data: Don't share Org data in notifications; only generic notifications such as "You have new mail" or "You have a meeting" are shown. If not supported by the application, notifications are allowed.
  • Allow: Shares Org data in the notifications.

Note:
This setting requires the following app support:

  • Outlook for iOS 4.34.0 or later
  • Teams for iOS 2.0.22 or later
  • Microsoft 365 (Office) for iOS 2.72 or later
Default value: Allow
Setting: Genmoji
How to use: Choose Block to prevent use of Genmoji for work or school data. If you leave this setting as Allow, the default value, users are able to share org data to the Genmoji generator.

Note: This setting requires Intune SDK v19.7.12 or later for Xcode 15 and v20.4.0 or later for Xcode 16.
Default value: Allow
Setting: Screen capture
How to use: Choose Block to prevent screen capture of work or school data. If you leave this setting as Allow, the default value, users are able to screen capture all org data and share it without restrictions. Screen capture block is applied for the following scenarios:
  • Screenshots
  • On-device screen recording
  • Screen sharing via on-device apps like Teams and Zoom mobile
  • Screen mirroring to another device via AirPlay
  • Screen mirroring or recording via QuickTime on a connected Mac

Note: This setting requires Intune SDK v19.7.12 or later for Xcode 15 and v20.4.0 or later for Xcode 16.
Default value: Allow
Setting: Writing Tools
How to use: Choose Block to prevent use of Writing Tools for work or school data. If you leave this setting as Allow, the default value, users are able to share org data to Writing Tools.

Note: This setting requires Intune SDK v19.7.12 or later for Xcode 15 and v20.4.0 or later for Xcode 16.
Default value: Allow

Note

None of the data protection settings control the Apple managed open-in feature on iOS/iPadOS devices. To manage Apple open-in, see Manage data transfer between iOS/iPadOS apps with Microsoft Intune.

Data transfer exemptions

There are some exempt apps and platform services that Intune app protection policy might allow data transfer to and from in certain scenarios. This list is subject to change and reflects the services and apps considered useful for secure productivity.

You can add non-Microsoft unmanaged apps to the exemptions list to allow data transfer exceptions. For more information, see How to create exceptions to the Intune App Protection Policy (APP) data transfer policy. The exempt unmanaged app must be invoked through its iOS URL scheme, and the exemption covers only that path. For example, when a data transfer exemption is added for an unmanaged app, cut, copy, and paste to that app are still prevented if restricted by policy, and the Open-in action within a managed app still can't be used to share or save data to the exempt app, because Open-in isn't based on an iOS URL scheme. For more information about Open-in, see Use app protection with iOS apps.

Default exemptions (URL scheme: app or service):
  • skype: Skype
  • app-settings: Device settings
  • itms; itmss; itms-apps; itms-appss; itms-services: App Store
  • calshow: Native Calendar

Important

App Protection policies created before June 15, 2020 include the tel and telprompt URL schemes as part of the default data transfer exemptions. These URL schemes allow managed apps to initiate the dialer. The App Protection policy setting Transfer telecommunication data to replaced this functionality. Administrators should remove tel;telprompt; from the data transfer exemptions and rely on the App Protection policy setting, provided the managed apps that initiate dialer functionality include Intune SDK 12.7.0 or later.

Important

In Intune SDK 14.5.0 or later, including the sms and mailto URL schemes in the data transfer exemptions allows sharing of Org data to the MFMessageCompose (for sms) and MFMailCompose (for mailto) view controllers within policy managed applications.

Universal links allow the user to directly launch the application associated with the link instead of the protected browser specified by the Restrict web content transfer with other apps setting. You must contact the application developer to determine the correct universal link format for each application.

The universal link policy also manages default App Clip links.

By adding Universal Links for unmanaged apps, you let the link launch the specified application. To add the app, you must add the link to the exemption list.

Caution

The target applications for these Universal Links are unmanaged, and adding an exemption could result in data security leaks.

The default Universal Link exemptions include the following apps:

  • http://maps.apple.com; https://maps.apple.com: Maps App
  • http://facetime.apple.com; https://facetime.apple.com: FaceTime App

If you don't want to allow the default Universal Link exemptions, you can delete them. You can also add Universal Links for non-Microsoft or line-of-business (LOB) apps. The exempted universal links allow wildcards, such as http://*.sharepoint-df.com/*.

By adding Universal Links for managed apps, you can launch the specified application securely. To add the app, you must add the app's universal link to the managed list. If the target application supports Intune App Protection policy, selecting the link attempts to launch the app. If the app isn't able to open, the link is opened in the protected browser. If the target application doesn't integrate the Intune SDK, selecting the link launches the protected browser.

The default managed Universal Links are the following:

  • http://*.onedrive.com/*; https://*.onedrive.com/*: OneDrive
  • http://*.appsplatform.us/*; http://*.powerapps.cn/*; http://*.powerapps.com/*; http://*.powerapps.us/*; https://*.appsplatform.us/*; https://*.powerapps.cn/*; https://*.powerapps.com/*; https://*.powerapps.us/*: PowerApps
  • http://*.powerbi.com/*; http://app.powerbi.cn/*; http://app.powerbigov.us/*; http://app.powerbi.de/*; https://*.powerbi.com/*; https://app.powerbi.cn/*; https://app.powerbigov.us/*; https://app.powerbi.de/*: Power BI
  • http://*.service-now.com/*; https://*.service-now.com/*: ServiceNow
  • http://*.sharepoint.com/*; http://*.sharepoint-df.com/*; https://*.sharepoint.com/*; https://*.sharepoint-df.com/*: SharePoint
  • http://web.microsoftstream.com/video/*; http://msit.microsoftstream.com/video/*; https://web.microsoftstream.com/video/*; https://msit.microsoftstream.com/video/*: Stream
  • http://*teams.microsoft.com/l/*; http://*devspaces.skype.com/l/*; http://*teams.live.com/l/*; http://*collab.apps.mil/l/*; http://*teams.microsoft.us/l/*; http://*teams-fl.microsoft.com/l/*; https://*teams.microsoft.com/l/*; https://*devspaces.skype.com/l/*; https://*teams.live.com/l/*; https://*collab.apps.mil/l/*; https://*teams.microsoft.us/l/*; https://*teams-fl.microsoft.com/l/*: Teams
  • http://tasks.office.com/*; https://tasks.office.com/*; http://to-do.microsoft.com/sharing*; https://to-do.microsoft.com/sharing*: ToDo
  • http://*.yammer.com/*; https://*.yammer.com/*: Viva Engage
  • http://*.zoom.us/*; https://*.zoom.us/*: Zoom

If you don't want to allow the default managed Universal Links, you can delete them. You can also add managed Universal Links for non-Microsoft or LOB apps.
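The three link-handling mechanisms above (URL-scheme data transfer exemptions, exempt and managed Universal Links with wildcards, and the http/https translation done by the Unmanaged Browser Protocol setting) combine into a single routing decision for every link a user taps in a policy-managed app. The following is an added example that sketches that decision; it is not Intune SDK code, and it assumes things the page does not state: that '*' in a Universal Link pattern matches any run of characters, that managed Universal Links are checked before exempt ones, and that the caller knows whether the target managed app integrates the SDK and can open the link. The sample policy at the bottom is constructed from the default lists on this page.

```python
# Added example (not Intune's code): routes a link tapped inside a
# policy-managed app according to the exemption, universal-link and
# web-content settings described on this page. Assumptions, not documented
# behaviour: '*' in a universal-link pattern matches any run of characters;
# managed universal links are checked before exempt ones; the caller tells us
# whether the target managed app integrates the SDK and can open the link.
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def parse_exemption_list(raw: str) -> set[str]:
    """'tel;telprompt' -> {'tel', 'telprompt'}: the portal's ';'-separated format."""
    return {s.strip().lower() for s in raw.split(";") if s.strip()}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a universal-link pattern into an anchored, case-insensitive regex:
    every character except '*' is matched literally, '*' matches anything."""
    literal = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + literal + "$", re.IGNORECASE)


@dataclass
class LinkPolicy:
    scheme_exemptions: set[str] = field(default_factory=set)         # data transfer exemptions
    exempt_universal_links: list[str] = field(default_factory=list)  # open in unmanaged app
    managed_universal_links: list[str] = field(default_factory=list)  # open in managed app
    web_content: str = "edge"              # Restrict web content transfer: any | edge | unmanaged
    unmanaged_browser_protocol: str = ""   # Unmanaged Browser Protocol (prefix only)


def translate_for_unmanaged_browser(url: str, protocol: str) -> str:
    """http -> <protocol>://, https -> <protocol>s://, as documented for the
    Unmanaged Browser Protocol setting. A '://' typed into the setting by
    mistake is stripped (assumption) so the result isn't 'mybrowser://://...'."""
    prefix = protocol.strip().rstrip(":/")
    scheme, rest = url.split("://", 1)
    if scheme.lower() == "http":
        return f"{prefix}://{rest}"
    if scheme.lower() == "https":
        return f"{prefix}s://{rest}"
    raise ValueError("only http/https links are translated")


def route_link(url: str, policy: LinkPolicy, *, target_supports_app: bool = True,
               target_can_open: bool = True) -> tuple[str, str]:
    """Return (destination, url as sent). Destinations: exempt-app, blocked,
    managed-app, protected-browser, unmanaged-app, unmanaged-browser, any-app."""
    scheme = urlsplit(url).scheme.lower()
    # 1. A custom URL scheme reaches an unmanaged app only if that scheme is exempted.
    if scheme not in ("http", "https"):
        return ("exempt-app" if scheme in policy.scheme_exemptions else "blocked", url)
    # 2. Managed universal link: launch the managed app; if it doesn't integrate
    #    the SDK or can't open the link, fall back to the protected browser.
    if any(pattern_to_regex(p).match(url) for p in policy.managed_universal_links):
        if target_supports_app and target_can_open:
            return ("managed-app", url)
        return ("protected-browser", url)
    # 3. Exempt universal link: the unmanaged app gets the link (data leaves the container).
    if any(pattern_to_regex(p).match(url) for p in policy.exempt_universal_links):
        return ("unmanaged-app", url)
    # 4. Everything else follows Restrict web content transfer with other apps.
    if policy.web_content == "edge":
        return ("protected-browser", url)
    if policy.web_content == "unmanaged":
        return ("unmanaged-browser",
                translate_for_unmanaged_browser(url, policy.unmanaged_browser_protocol))
    return ("any-app", url)


# Constructed sample policy; the patterns mirror the page's default lists.
SAMPLE_POLICY = LinkPolicy(
    scheme_exemptions=parse_exemption_list("skype;itms-apps;app-settings"),
    exempt_universal_links=["http://maps.apple.com/*", "https://maps.apple.com/*"],
    managed_universal_links=["https://*.sharepoint.com/*", "https://*teams.microsoft.com/l/*"],
    web_content="unmanaged",
    unmanaged_browser_protocol="mybrowser",
)
```

Running route_link over the links your users actually tap (a Teams meeting link, a SharePoint document, a maps link, a plain news URL) before you roll out a policy shows which ones leave the container; a link that resolves to unmanaged-app or unmanaged-browser is exactly the case the Caution above warns about.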

Access requirements

Setting: PIN for access
How to use: Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. The PIN is applied when working either online or offline.

You can configure the PIN strength using the settings available under the PIN for access section.

Note: End users that are allowed to access the app can reset the app PIN. This shortcut might not be visible in some cases on iOS devices: iOS allows at most four app shortcuts, so to reach the reset app PIN shortcut the end user might need to open it from a different managed app.
Default value: Require
Setting: PIN type
How to use: Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.

Note: Configuring the passcode type requires the app to have Intune SDK version 7.1.12 or above. The numeric type has no Intune SDK version restriction. Special characters allowed include the special characters and symbols on the iOS/iPadOS English language keyboard.
Default value: Numeric
Setting: Simple PIN
How to use: Select Allow to allow users to use simple PIN sequences like 1234, 1111, abcd, or aaaa. Select Block to prevent them from using simple sequences. Simple sequences are checked in three-character sliding windows: if Block is configured, 1235 or 1112 wouldn't be accepted as a PIN set by the end user (the window 123 is a sequence and 111 is a repeat), but 1122 would be allowed.

Note: If the passcode PIN type is configured and Simple PIN is set to Allow, the user needs at least 1 letter or at least 1 special character in their PIN. If the passcode PIN type is configured and Simple PIN is set to Block, the user needs at least 1 number, 1 letter, and at least 1 special character in their PIN.
Default value: Allow
Setting: Select minimum PIN length
How to use: Specify the minimum number of digits in a PIN sequence.
Default value: 4
Setting: Touch ID instead of PIN for access (iOS 8+)
How to use: Select Allow to allow the user to use Touch ID instead of a PIN for app access.
Default value: Allow
Setting: Override Touch ID with PIN after timeout
How to use: To use this setting, select Require and then configure an inactivity timeout.
Default value: Require
Setting: Timeout (minutes of inactivity)
How to use: Specify a time in minutes after which either a passcode or numeric (as configured) PIN overrides the use of a fingerprint or face as the method of access. This timeout value should be greater than the value specified under Recheck the access requirements after (minutes of inactivity).
Default value: 30
Setting: Face ID instead of PIN for access (iOS 11+)
How to use: Select Allow to allow the user to use facial recognition to authenticate on iOS/iPadOS devices. If allowed, Face ID must be used to access the app on a Face ID capable device.
Default value: Allow
Setting: PIN reset after number of days
How to use: Select Yes to require users to change their app PIN after a set period of time, in days. When set to Yes, you then configure the number of days before the PIN reset is required.
Default value: No
Setting: Number of days
How to use: Configure the number of days before the PIN reset is required.
Default value: 90
Setting: App PIN when device PIN is set
How to use: Select Disable to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.

Note: Requires the app to have Intune SDK version 7.0.1 or above. The IntuneMAMUPN setting must be configured for applications to detect the enrollment state.

On iOS/iPadOS devices, you can let the user prove their identity by using Touch ID or Face ID instead of a PIN. Intune uses the LocalAuthentication API to authenticate users with Touch ID and Face ID. To learn more about Touch ID and Face ID, see the iOS Security Guide.

When the user tries to use this app with their work or school account, they're prompted to provide their fingerprint or face instead of entering a PIN. When this setting is enabled, the App-switcher preview image is blurred while using a work or school account. If there's any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint or face for authentication. If the Intune user doesn't have a PIN set, they're led to set up an Intune PIN.
Default value: Enable
Setting: Work or school account credentials for access
How to use: Select Require to make the user sign in with their work or school account instead of using a PIN to access the app. If you set this to Require and PIN or biometric prompts are turned on, the user sees both the corporate credentials prompt and the PIN or biometric prompt.
Default value: Not required
Setting: Recheck the access requirements after (minutes of inactivity)
How to use: Configure the number of minutes of inactivity that must pass before the app requires the user to again satisfy the access requirements.

For example, an admin turns on PIN and blocks jailbroken (rooted) devices in the policy; a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-jailbroken device. When you use this setting, the user doesn't need to enter a PIN or complete another jailbreak-detection check on any Intune-managed app for the time period you configure.

Note: On iOS/iPadOS, the PIN is shared among all Intune-managed apps of the same publisher. The PIN timer for a specific PIN is reset once the app leaves the foreground on the device. The user wouldn't have to enter a PIN on any Intune-managed app that shares its PIN during the timeout defined in this setting. This policy setting format supports a positive whole number.
Default value: 30
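The PIN type, Simple PIN, and minimum length settings above define a small validation policy that is easy to get subtly wrong when you explain it to users or reproduce it in a help-desk tool. The following is an added example (not Intune SDK code) that implements those rules as this page states them: a three-character sliding window that rejects repeated characters (111) and consecutive sequences (123, abc), and the passcode-type composition rules from the Simple PIN note. Two points are assumptions rather than documented behaviour: descending runs such as 321 are treated as sequences too, and ASCII punctuation stands in for the iOS English keyboard's special characters.

```python
# Added example (not Intune's code): validates an app PIN against the PIN type,
# Simple PIN and minimum length settings described on this page.
# Assumptions: descending runs (321, cba) count as simple sequences; ASCII
# punctuation stands in for the iOS English-keyboard special characters.
import string
from dataclasses import dataclass

SPECIALS = set(string.punctuation)  # assumption: stand-in for iOS special characters


@dataclass(frozen=True)
class PinPolicy:
    pin_type: str = "numeric"   # "numeric" or "passcode" (the PIN type setting)
    allow_simple: bool = True   # the Simple PIN setting: True = Allow, False = Block
    min_length: int = 4         # Select minimum PIN length


def _is_run(window: str) -> bool:
    """Three identical characters, e.g. '111' or 'aaa'."""
    return window[0] == window[1] == window[2]


def _is_sequence(window: str) -> bool:
    """Three consecutive characters of one class: '123', 'abc', or (assumed) '321'.
    Mixed windows such as 'a1b' are never sequences."""
    if not (window.isdigit() or window.isalpha()):
        return False
    codes = [ord(c) for c in window.lower()]
    steps = (codes[1] - codes[0], codes[2] - codes[1])
    return steps in ((1, 1), (-1, -1))


def is_simple(pin: str) -> bool:
    """Sliding three-character window check from the Simple PIN setting: one bad
    window is enough, so 1235 (window 123) and 1112 (window 111) are simple,
    while 1122 (windows 112 and 122) is not."""
    return any(_is_run(pin[i:i + 3]) or _is_sequence(pin[i:i + 3])
               for i in range(len(pin) - 2))


def validate_pin(pin: str, policy: PinPolicy) -> list[str]:
    """Return the list of violated rules; an empty list means the PIN is accepted."""
    problems: list[str] = []
    if len(pin) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")

    has_digit = any(c.isdigit() for c in pin)
    has_letter = any(c.isalpha() for c in pin)
    has_special = any(c in SPECIALS for c in pin)

    if policy.pin_type == "numeric":
        if not pin.isdigit():
            problems.append("numeric PIN type allows digits only")
    elif policy.pin_type == "passcode":
        if policy.allow_simple:
            # Simple PIN = Allow: at least one letter or one special character.
            if not (has_letter or has_special):
                problems.append("passcode needs at least one letter or one special character")
        else:
            # Simple PIN = Block: a number, a letter and a special character are all required.
            if not (has_digit and has_letter and has_special):
                problems.append("passcode needs a digit, a letter and a special character")
    else:
        raise ValueError(f"unknown PIN type {policy.pin_type!r}")

    if not policy.allow_simple and is_simple(pin):
        problems.append("simple sequence (repeated or consecutive characters) is blocked")
    return problems
```

Note that with Simple PIN set to Block and the default numeric type, a four-digit PIN needs only one window to fail, so a user who tries 1235 gets rejected while 1122 goes through, exactly as the setting description says; the composition rules only come into play once the PIN type is passcode.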

Note

To learn more about how multiple Intune app protection settings configured in the Access requirements section for the same set of apps and users work together on iOS/iPadOS, see Intune MAM frequently asked questions and Selectively wipe data using app protection policy access actions in Intune.

Conditional launch

Configure conditional launch settings to set sign-in security requirements for your access protection policy.

By defaultseveral settings are provided with pre-configured values and actions. You can delete some of these valueslike the Min OS version. You can also select other settings from the Select one dropdown.

Setting How to use
Max OS version Specify the maximum iOS or iPadOS operating system version allowed to use this app.

Actions include:

  • Warn - The user sees a notification if the iOS/iPadOS version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user is blocked from access if the iOS/iPadOS version on the device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.

This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports either major.minor, major.minor.build, or major.minor.build.revision.

Note: Requires app to have Intune SDK version 14.4.0 or above.
Min OS version Specify a minimum iOS/iPadOS operating system to use this app.

Actions include:

  • Warn - The user sees a notification if the iOS/iPadOS version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user is blocked from access if the iOS/iPadOS version on the device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports either major.minor, major.minor.build, or major.minor.build.revision.

Note: Requires app to have Intune SDK version 7.0.1 or above.
Max PIN attempts Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their PIN after successfully logging into their account and completing a multifactor authentication (MFA) challenge if necessary. This policy setting format supports a positive whole number.

Actions include:

  • Reset PIN - The user must reset their PIN.
  • Wipe data - The user account that is associated with the application is wiped from the device.
Default value = 5
Offline grace period The number of minutes that policy-managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked.

Actions include:

  • Block access (minutes) - The number of minutes that policy-managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After the configured period expires, the app blocks access to work or school data until network access is available. The Offline grace period timer for blocking data access is calculated individually for each app based on last check-in with the Intune service. This policy-setting format supports a positive whole number.

    Default value = 1440 minutes (24 hours)

    Note: Configuring the Offline grace period timer for blocking access to be less than the default value could result in more frequent user interruptions as policy is refreshed. Choosing a value of less than 30 mins isn't recommended as it could result in user interruptions at each application launch or resume.

    Note: Stopping the Offline grace period policy refresh, including closing or suspending the application, will result in user interruption at the next app launch or resume.

  • Wipe data (days) - After this many days (defined by the admin) of running offline, the app will require the user to connect to the network and reauthenticate. If the user successfully authenticates, they can continue to access their data, and the offline interval will reset. If the user fails to authenticate, the app performs a selective wipe of the user's account and data. For more information on what data is removed with a selective wipe, see How to wipe only corporate data from Intune-managed apps. The Offline grace period timer for wiping data is calculated individually for each app based on last check-in with the Intune service. This policy setting format supports a positive whole number.

    Default value = 90 days
This entry can appear multiple times, with each instance supporting a different action.
Jailbroken/rooted devices There's no value to set for this setting.

Actions include:

  • Block access - Prevent this app from running on jailbroken or rooted devices. The user continues to be able to use this app for personal tasks, but must use a different device to access work or school data in this app.
  • Wipe data - The user account that is associated with the application is wiped from the device.
Disabled account There's no value to set for this setting.

Actions include:

  • Block access - When we have confirmed the user has been disabled in Microsoft Entra ID, the app blocks access to work or school data.
  • Wipe data - When we have confirmed the user has been disabled in Microsoft Entra ID, the app performs a selective wipe of the user's account and data.
Min app version Specify a value for the minimum application version value.

Actions include:

  • Warn - The user sees a notification if the app version on the device doesn't meet the requirement. This notification can be dismissed.
  • Block access - The user is blocked from access if the app version on the device doesn't meet the requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, Outlook version policy).

This entry can appear multiple times, with each instance supporting a different action.

This policy setting supports matching iOS app bundle version formats (major.minor or major.minor.patch).

Note: Requires app to have Intune SDK version 7.0.1 or above.

Additionally, you can configure where your end users can get an updated version of a line-of-business (LOB) app. End users see this in the min app version conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On iOS/iPadOS, this feature requires the app to be integrated (or wrapped using the wrapping tool) with the Intune SDK for iOS v. 10.0.7 or later. To configure where an end user should update a LOB app, the app needs a managed app configuration policy sent to it with the key com.microsoft.intune.myappstore. The value sent defines which store the end user downloads the app from. If the app is deployed via the Company Portal, the value must be CompanyPortal. For any other store, you must enter a complete URL.
Min SDK version Specify a minimum value for the Intune SDK version.

Actions include:

  • Block access - The user is blocked from access if the app's Intune app protection policy SDK version doesn't meet the requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
  • Warn - The user sees a notification if the iOS/iPadOS SDK version for the app doesn't meet the minimum SDK requirement. The user is instructed to upgrade to the latest version of the app. This notification can be dismissed.
To learn more about the Intune app protection policy SDK, see Intune App SDK overview. As apps often have distinct Intune SDK versions between them, create a policy with one minimum Intune SDK version targeting one app (for example, Intune SDK version policy for Outlook).

This entry can appear multiple times, with each instance supporting a different action.
Device model(s) Specify a semi-colon separated list of model identifiers. These values aren't case sensitive.

Actions include:

  • Allow specified (Block non-specified) - Only devices that match the specified device model can use the app. All other device models are blocked.
  • Allow specified (Wipe non-specified) - The user account that is associated with the application is wiped from the device.
For more information on using this setting, see Conditional Launch actions.
Max allowed device threat level App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. The Mobile Threat Defense (MTD) app you choose determines threats on the user's device. Specify either Secured, Low, Medium, or High. Secured requires no threats on the device and is the most restrictive configurable value, while High essentially requires an active Intune-to-MTD connection.

Actions include:

  • Block access - The user is blocked from access if the threat level determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device doesn't meet this requirement.
  • Wipe data - The user account that is associated with the application is wiped from the device.
Note: Requires app to have Intune SDK version 12.0.15 or above.

For more information on using this setting, see Enable MTD for unenrolled devices.
Primary MTD service If you configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.

Values include:

  • Microsoft Defender for Endpoint - if the MTD connector is configured, specify that Microsoft Defender for Endpoint provides the device threat level information.
  • Mobile Threat Defense (Non-Microsoft) - if the MTD connector is configured, specify that the non-Microsoft MTD provides the device threat level information.

You must configure the setting "Max allowed device threat level" to use this setting.

There are no Actions for this setting.

Non-working time There's no value to set for this setting.

Actions include:

  • Block access - The user is blocked from access because the user account that is associated with the application is in nonworking time.
  • Warn - The user sees a notification if the user account that is associated with the application is in nonworking time. The notification can be dismissed.
Note: This setting must only be configured if the tenant is integrated with the Working Time API. For more information about integrating this setting with the Working Time API, see Limit access to Microsoft Teams when frontline workers are off shift. If you configure this setting without integrating it with the Working Time API, the account linked to the app could be blocked because of a missing working time status.

The following apps support this feature:

  • Teams for iOS v6.9.2 or later
  • Microsoft Edge for iOS v126.2592.56 or later
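
The conditional launch settings above are easiest to reason about as one evaluation step that runs at app launch or resume. The following Python is an added model written for this page, not Intune SDK or Microsoft Graph code: it parses the version formats the table lists for the OS, app and SDK settings (major.minor up to major.minor.build.revision), applies min/max version rules, treats the Offline grace period as two per-app timers measured from the last check-in, matches device models case-insensitively against the semi-colon separated list, and ranks threat levels in the Secured, Low, Medium, High order. The rule that the most severe action wins when several instances of one setting fire (Warn < Block access < Wipe data) is an assumption, as are the setting names, the `Policy` and `DeviceState` fields, and all sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed severity order when several instances of one setting trigger at once.
SEVERITY = {"warn": 1, "block": 2, "wipe": 3}
# Threat levels from strictest to most permissive, as listed for "Max allowed device threat level".
THREAT_LEVELS = ("secured", "low", "medium", "high")


def parse_version(text: str) -> tuple:
    """Parse major.minor[.build[.revision]] into a zero-padded 4-tuple so tuples compare correctly."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


@dataclass
class VersionRule:
    setting: str   # one of: min_os, max_os, min_app, min_sdk (assumed names)
    value: str     # e.g. "16.0" or "14.4.0"
    action: str    # warn, block, or wipe


@dataclass
class Policy:
    version_rules: list = field(default_factory=list)
    offline_block_minutes: int = 1440    # Offline grace period, Block access (minutes)
    offline_wipe_days: int = 90          # Offline grace period, Wipe data (days)
    jailbroken_action: str = "block"
    allowed_models: str = ""             # semi-colon separated; "" means not configured
    model_action: str = "block"          # Allow specified (Block/Wipe non-specified)
    max_threat_level: str = ""           # "" means not configured
    threat_action: str = "block"


@dataclass
class DeviceState:
    os_version: str
    app_version: str
    sdk_version: str
    model: str
    threat_level: str        # as reported by the chosen MTD vendor app
    jailbroken: bool
    last_checkin: datetime   # this app's last check-in with the Intune service


def evaluate(policy: Policy, device: DeviceState, now: datetime) -> dict:
    """Return {setting: most severe triggered action}; an empty dict means launch is clean."""
    results: dict = {}

    def record(setting: str, action: str) -> None:
        if SEVERITY[action] > SEVERITY.get(results.get(setting), 0):
            results[setting] = action

    observed = {"min_os": device.os_version, "max_os": device.os_version,
                "min_app": device.app_version, "min_sdk": device.sdk_version}
    for rule in policy.version_rules:
        have, want = parse_version(observed[rule.setting]), parse_version(rule.value)
        violated = have > want if rule.setting == "max_os" else have < want
        if violated:
            record(rule.setting, rule.action)

    # Offline grace period: both timers are computed per app from its own last check-in.
    offline = now - device.last_checkin
    if offline >= timedelta(days=policy.offline_wipe_days):
        record("offline_grace", "wipe")   # outcome if the forced re-authentication fails
    elif offline >= timedelta(minutes=policy.offline_block_minutes):
        record("offline_grace", "block")

    if device.jailbroken:
        record("jailbroken", policy.jailbroken_action)

    if policy.allowed_models:  # model identifiers are not case sensitive
        allowed = {m.strip().lower() for m in policy.allowed_models.split(";") if m.strip()}
        if device.model.lower() not in allowed:
            record("device_model", policy.model_action)

    if policy.max_threat_level:
        seen = THREAT_LEVELS.index(device.threat_level.lower())
        limit = THREAT_LEVELS.index(policy.max_threat_level.lower())
        if seen > limit:
            record("threat_level", policy.threat_action)

    return results


def demo() -> dict:
    """Evaluate a constructed policy against a constructed device state."""
    policy = Policy(
        version_rules=[VersionRule("min_os", "16.0", "warn"),
                       VersionRule("min_os", "15.0", "block"),   # second instance, different action
                       VersionRule("max_os", "18.0", "block"),
                       VersionRule("min_app", "2.5", "block"),
                       VersionRule("min_sdk", "14.4.0", "warn")],
        allowed_models="iPhone14,2;iPad13,1",
        max_threat_level="Secured",
    )
    now = datetime(2024, 6, 1, 12, 0)  # constructed timestamp
    device = DeviceState(os_version="15.5.1", app_version="2.4.0", sdk_version="14.4.0",
                         model="iphone14,2", threat_level="Low", jailbroken=False,
                         last_checkin=now - timedelta(hours=48))
    return evaluate(policy, device, now)
```

In `demo()` the device is on iOS 15.5.1, so only the 16.0 Warn instance of Min OS version fires; the app is below the 2.5 minimum and is blocked; 48 hours offline exceeds the 1440-minute Block access timer but not the 90-day Wipe data timer; and a Low threat level exceeds the Secured maximum. The device model matches despite the different letter case, and the SDK version meets the minimum exactly, so neither of those settings triggers.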

Learn more