Intune App Policies can be used to protect company data whether the mobile device is enrolled in Intune, or another MDM solution, or not enrolled at all. As long as the users have an Intune license and the App Policy is deployed to the user, the App Policies will work for managed apps. If you have an Intune license, you can login to the Azure Portal (portal.azure.com), click More Services, and search for Intune App Protection to start deploying App Policies.
From my testing, if a user does not have an Intune license, or the App Policy is not deployed to them, they can still use the app as normal without any protection using their work account. You can use the new Azure AD group-based license in portal.azure.com to license users with Intune (group), and deploy the Intune App Policies to the same group. More can be read here.
At the moment you can create App Policies for iOS and Android devices. If you have an Android you will need to install the Company Portal App, but you do not need to be enrolled or configure it.
When creating an App Policy you are able to select the following apps to protect:
Some of the settings you can configure on the apps include, preventing save as, encrypting app data, requiring PIN for access, preventing copy and paste from non-managed apps and so on. A full list of settings can be seen when you create the policy. In order to create the App Policies see Create and deploy app protection policies with Microsoft Intune. Don’t forget to deploy the policy once you have created it.
End User Experience:
The following screenshots will show the end user experience on an Android Device (with Company Portal installed but not configured or enrolled). iOS is very similar as well:
The policy I set included the Microsoft Word app. When opening it, it says that the organization now protects it, and I must set a 4 digit PIN. One thing to note is that these policies are only enforced when using apps in a Work context, not in a personal context.
Another setting I chose was to not allow cut/copy/paste outside of a managed app. When I try and copy out of Word (managed app) into the Android memo app (non managed app) and paste, I get the following:
You can also view the built-in dashboards in the Intune App Protection section in the Azure portal to view more information about your users. For example the dashboard below shows that I have checked in on my iPhone for Word and OneDrive but not others.