Conditional access – Require app protection policy

Microsoft recently added “Require app protection policy (Preview)” to conditional access. App Protection Policies in Intune are a great way to secure the apps on either a managed device or an unmanaged device.

Suggested Reading – https://docs.microsoft.com/en-us/intune/app-protection-policy

This blog post shows how to create an example Conditional Access policy that uses the “Require an app protection policy (Preview)” control and targets Exchange Online, and what the user experience looks like on a device that does not have any App Protection Policies assigned.

In devicemanagement.microsoft.com, go to Conditional Access and create a new policy.

Give the policy a name. I am only testing this policy, so I have targeted just one user.

I will be testing this policy only for Exchange Online.

I will only be using iOS and Android for this policy.

I have configured the conditions for all apps.

I have selected the control to require app protection policy.

The policy has now been created and enabled.
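The policy built in the portal above can also be reviewed as data. The following is an added example, not code from the original post: it expresses the same settings in the shape of the Microsoft Graph `conditionalAccessPolicy` resource (where “Require app protection policy” is the built-in control `compliantApplication`) and checks an exported policy for gaps. The function names, the display name and the user ID are hypothetical placeholders.

```python
"""Added example: audit a Conditional Access policy in Microsoft Graph JSON shape."""

EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online app ID
APP_PROTECTION = "compliantApplication"  # Graph name of "Require app protection policy"
MOBILE = {"iOS", "android"}

def build_policy(user_id):
    """Policy body mirroring the portal steps in the post; user_id is a placeholder."""
    return {
        "displayName": "Require app protection policy - Exchange Online (pilot)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [user_id]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE]},
            "platforms": {"includePlatforms": ["iOS", "android"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": [APP_PROTECTION]},
    }

def review_policy(policy):
    """Return findings; an empty list means app protection is enforced as intended."""
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: not enforced")
    if APP_PROTECTION not in controls:
        findings.append("app protection policy is not required")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        # With OR, satisfying any one control is enough to get access.
        others = sorted(set(controls) - {APP_PROTECTION})
        findings.append(f"OR operator: {', '.join(others)} alone also grants access")
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    if not apps & {EXCHANGE_ONLINE, "All", "Office365"}:
        findings.append("Exchange Online is not in scope")
    platforms = set((cond.get("platforms") or {}).get("includePlatforms") or [])
    missing = MOBILE - platforms
    # An unset platform condition applies to every platform, so only flag explicit lists.
    if platforms and "all" not in platforms and missing:
        findings.append(f"platforms not covered: {', '.join(sorted(missing))}")
    users = cond.get("users") or {}
    included = users.get("includeUsers") or []
    if "All" not in included and not users.get("includeGroups"):
        findings.append(f"pilot scope: only {len(included)} user(s) targeted")
    return findings
```

Run against the policy from this post, the only finding is the single-user pilot scope, which is the reminder to widen the assignment once testing is done.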

Below is the user experience when trying to add an email account targeted by the CA policy to the native mail app on an iOS device. You can see that it is blocked (similar to what happens if you require an approved client app in the CA policy).

Now if I try to set up the account in Outlook, I get the error saying that no application protection policies have been assigned.
