Post on 30-Jan-2018
Protect company data on mobile devices through application management policies
Protecting your company's data is vitally important, and is an increasingly challenging task as more
employees are using their mobile devices to access company resources, including email and email
attachments. As an IT administrator, you want to make sure that company data is protected even when
those mobile devices are not within the company’s physical location.
This guide focuses on enabling managed applications in two Intune MDM deployments:
As a cloud management solution using Intune
As an integrated service with Configuration Manager
Both let you create and deploy apps with mobile app management (MAM) policies to best protect your company data.
This document focuses on creation of these MAM based policies when the end-user device is enrolled
in Intune for MDM. See Protect line of business apps and data on devices not enrolled in Microsoft
Intune for information about configuring these MAM policies when the device itself is not enrolled in
Intune for MDM.
Introduction
Managed apps are apps that have mobile app management (MAM) policies applied to them that make them compliant with your company’s security requirements. You have two options for managing mobile apps:
The default capability, such as Apple Managed Open In, which protects corporate data by
controlling the apps that are allowed to open certain documents and email attachments.
The Intune App SDK, which lets you limit the functionality and restrict sharing of data for any apps that have the Intune App SDK enabled. Among other features, the Intune App SDK allows you to:
o Manage the save-as function
o Prevent cut, copy, paste
o Require authentication when an app is accessed
o Wipe corporate data from an Intune-managed app
See Intune App SDK Overview for a description of all SDK features.
Before you begin
Learn about deploying apps using Microsoft Intune
Learn the basics about Intune app deployment.
Evaluate your desired implementation
With all of the different design and configuration options for managing mobile devices, it’s
difficult to determine which combination will best meet the needs of your company. The Mobile
Device Management Design Considerations Guide helps you understand mobile device
management design requirements and details a series of steps and tasks that you can follow to
design a solution that best fits the business and technology needs for your company.
Understand the high-level end-user experience
After the solution is implemented, you will be able to protect data on devices whether or not
your company manages them. By simply implementing app-level policies, you can restrict access
to company resources and keep data within the purview of your IT department.
Note
The end-user experience of this solution is described in more detail in the End-user Experience section, later in this topic.
Understand the app lifecycle
Just like with the management of your devices, apps have a lifecycle that takes you from
preparation, to deployment, monitoring, updating, and retiring. Intune can help you at all stages
of this lifecycle. For detailed information about the app lifecycle, see Overview of the app
lifecycle.
Learn about the Microsoft apps you can use with MAM policies
The Microsoft Intune application partner’s page contains the latest information about apps from
Microsoft and other companies that you can use with MAM policies.
You can use the Microsoft Intune App Wrapping Tool to modify the behavior of your in-house
apps to let you configure features of the app without modifying the code of the app itself. See
the following topics for more specific information:
Prepare iOS apps for mobile application management with the Microsoft Intune App
Wrapping Tool
Prepare Android apps for mobile application management with the Microsoft Intune App
Wrapping Tool
Understand how policy conflicts are resolved
When there is a MAM policy conflict on the first deployment to the user or device, the specific
setting value in conflict will be removed from the policy deployed to the app, and the app will
use a built-in conflict value (most restrictive is the default).
When there is a mobile app management policy conflict on later deployments to the app or
user, the specific setting value in conflict will not be updated on the mobile app management
policy deployed to the app, and the app will use the existing value for that setting.
In cases where the device or user receives two conflicting policies, the following behavior
applies:
If a policy has already been deployed to the device, the existing policy settings are not
overwritten.
If no policy has already been deployed to the device, and two conflicting settings are
deployed, the default setting built into the device is used.
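The two conflict cases above (first deployment versus later deployment) are easy to misread, so the following added example, which is not Intune code, models them in Python. The setting names, the restrictiveness ordering used to stand in for the app's built-in conflict value, and the two sample policies are all constructed for the illustration.

```python
"""Model of the MAM policy conflict-resolution rules stated above.

Added illustration, not Intune code. It encodes the two cases the text gives:
on the first deployment a setting whose values disagree is dropped from the
delivered policy and the app falls back to its built-in conflict value (the
most restrictive option); on a later deployment a setting in conflict is not
updated and the existing value stays. The setting names, the restrictiveness
ordering and the two sample policies are constructed for this example.
"""
from typing import Dict, List, Optional

# Constructed ordering per setting: index 0 is the most restrictive option,
# which stands in for the app's built-in conflict value.
RESTRICTIVENESS: Dict[str, List[object]] = {
    "transfer_data_to_other_apps": ["None", "Policy Managed Apps", "Any App"],
    "clipboard": ["Blocked", "Policy Managed Apps",
                  "Policy Managed Apps with Paste In", "Any App"],
    "require_pin": [True, False],
    "prevent_save_as": [True, False],
}


def built_in_conflict_value(setting: str) -> object:
    """The value an app uses for a setting that was removed due to conflict."""
    return RESTRICTIVENESS[setting][0]


def merge_conflicting(policies: List[Dict[str, object]],
                      existing: Optional[Dict[str, object]] = None) -> Dict[str, object]:
    """Return the effective settings for an app targeted by several policies.

    existing is None on the first deployment to the user or device; otherwise
    it holds the settings already delivered to the app.
    """
    effective: Dict[str, object] = dict(existing or {})
    for setting in sorted(set().union(*(p.keys() for p in policies))):
        values = {p[setting] for p in policies if setting in p}
        if len(values) == 1:
            # No conflict: the agreed value is delivered (and updates the old one).
            effective[setting] = values.pop()
        elif existing is None or setting not in existing:
            # Conflict with nothing deployed yet for this setting: it is omitted
            # from the delivered policy and the built-in conflict value applies
            # (assumption for the "later deployment, no existing value" corner).
            effective[setting] = built_in_conflict_value(setting)
        # else: conflict on a later deployment, the existing value is kept as-is.
    return effective


# Constructed sample policies that both target the same managed app.
HR_POLICY = {"transfer_data_to_other_apps": "Policy Managed Apps",
             "require_pin": True, "prevent_save_as": True}
FINANCE_POLICY = {"transfer_data_to_other_apps": "Any App",
                  "require_pin": True, "clipboard": "Blocked"}

if __name__ == "__main__":
    print(merge_conflicting([HR_POLICY, FINANCE_POLICY]))
    print(merge_conflicting([HR_POLICY, FINANCE_POLICY],
                            existing={"transfer_data_to_other_apps": "Any App",
                                      "require_pin": False}))
```

Run stand-alone it prints the effective settings for both cases: on first deployment the disputed transfer setting collapses to the most restrictive value, while on a later deployment the previously delivered "Any App" survives even though one policy now asks for "Policy Managed Apps". That is why the monitoring step at the end of this guide matters: a conflict that shows as Error can leave an app more permissive than any current policy intends.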
Now that you are familiar with the overall process for MAM, you are ready to use mobile app
management policies in Intune or use mobile app management policies in Configuration Manager.
Using Mobile App Management Policies in Intune
One of the primary reasons many companies use Microsoft Intune is to deploy apps that users need to get their work done. Before you deploy apps, you'll need to get your devices managed.
For example, if your company uses Microsoft Word, there are versions available for Windows, iOS,
Android and more. The challenge you, as an IT admin, face is to manage the multitude of apps available,
on many different device and computer platforms, with the aim of allowing users to do their work while
still ensuring the security of your company data.
If you are using Intune with Configuration Manager, see How to Control Apps Using Mobile
Application Management Policies in Configuration Manager.
MAM policies support:
Devices that run Android 4 and later.
Devices that run iOS 7 and later.
Note
MAM policies support devices that are enrolled with Intune.
If you are looking for information about how to create app management policies for devices that are not
managed by Intune, see Protect app data using mobile app management policies with Microsoft Intune.
Unlike other Intune policies, you do not deploy a MAM policy directly. Instead, you associate the policy
with the app that you want to restrict. When the app is deployed and installed on devices, the settings
you specify will take effect.
To apply restrictions to an app, the app must incorporate the Microsoft Intune App Software
Development Kit (SDK). There are two methods of obtaining this type of app:
Use a policy managed app – Has the App SDK built-in. To add this type of app, you specify a link
to the app from an app store such as the iTunes store or Google Play. No further processing is
required for this type of app. To see the full list of supported Microsoft apps, go to Microsoft
Intune mobile application gallery on the Microsoft Intune application partners page. Choose an
app to see the supported scenarios, platforms and whether or not the app supports multi-identity.
Use a ‘wrapped’ app - Apps that are repackaged to include the App SDK by using the Microsoft
Intune App Wrapping Tool. This tool is typically used to process company apps that were
created in-house. It cannot be used to process apps that were downloaded from the app store.
See:
o Prepare iOS apps for mobile application management with the Microsoft Intune App
Wrapping Tool
o Prepare Android apps for mobile application management with the Microsoft Intune
App Wrapping Tool
Some managed apps, like the Outlook app for iOS and Android, support multi-identity. This means that
Intune only applies management settings to corporate accounts or data in the app.
Tip
For example, using the Outlook app:
If the user configures a corporate, and a personal email account, Intune only applies
management settings to the corporate account and does not manage the personal account.
If the device is retired, or unenrolled, only the corporate Outlook data is removed from the
device.
The corporate account used must be the same account that was used to enroll the device with
Intune.
Word, Excel, and PowerPoint all support multi-identity as well, except the policy restrictions only apply
when managing and editing corporate-identifiable data from a service such as OneDrive or SharePoint.
Create and deploy an app with a mobile app management policy
Step 1: Get the link to a policy managed app, or create a wrapped app.
Step 2: Publish the app to your cloud storage space.
Step 3: Create a MAM policy.
Step 4: Deploy the app, selecting the option to associate the app with a MAM policy.
Step 5: Monitor the app deployment.
Step 1: Obtain the link to a policy managed app, or create a wrapped app
To obtain a link to a policy managed app - From the app store, find, and note the URL of the
policy managed app you want to deploy.
For example, the URL of the Microsoft Word for iPad app is
https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8
To create a wrapped app - Use the information in the topics Prepare iOS apps for mobile
application management with the Microsoft Intune App Wrapping Tool and Prepare Android
apps for mobile application management with the Microsoft Intune App Wrapping Tool to
create a wrapped app. The tool creates a processed app that you will use when you publish the
app to your cloud storage space.
Step 2: Upload the app to your cloud storage space
When you publish a managed app, the procedures differ depending on whether you are publishing a policy managed app, or an app that was processed using the Microsoft Intune App Wrapping Tool for iOS.
1. In the Microsoft Intune administrator console, choose Apps > Add Apps to start the Intune
software publisher.
You might need to enter your Intune username and password before the publisher starts.
2. On the Software setup page of the software publisher, configure the following:
Select how this software is made available to devices
To publish an app that was processed using the Microsoft Intune App Wrapping Tool, select Software installer, then specify:
Setting: Details
Select the software installer file type: This indicates the type of software you want to deploy. For example, if you want to install an iOS app, choose App Package for iOS (*.ipa file).
Specify the location of the software setup files: Enter the location of the installation files or choose Browse to select the location from a list.
Include additional files and subfolders from the same folder: For the Windows Installer file type only. Some software that uses Windows Installer requires supporting files which are typically found in the same folder as the installation files. Select this option if you also want to deploy these files.
Tip
This installation type uses some of your cloud storage space.
To publish a policy managed app for Android, select External link, then specify:
Setting: Details
Specify the URL: Enter the app store URL of the app you want to deploy. For example, if you want to deploy the Microsoft Remote Desktop app for Android, specify https://play.google.com/store/apps/details?id=com.microsoft.rdc.android.
Tip
To find the URL of the app, use a search engine to find the store page containing the app. For example, to find the Remote Desktop app, you could search Microsoft Remote Desktop Android.
This installation type does not use any of your cloud storage space.
To publish a policy managed app for iOS, select Managed iOS app from the app store, then specify:
Setting: Details
Specify the URL: Enter the app store URL of the app you want to deploy. For example, if you want to deploy the Microsoft Work Folders app for iOS, specify https://itunes.apple.com/us/app/work-folders/id950878067?mt=8.
This installation type does not use any of your cloud storage space.
3. On the Software description page, configure the following:
Depending on the installer type you are using, some of these values might have been automatically entered, or might not appear.
Setting: Details
Publisher: Enter the name of the publisher of the app.
Name: Enter the name of the app as it will be displayed in the company portal.
Tip
Make sure all app names you use are unique. If the same app name exists twice, only one of the apps will be displayed to users in the company portal.
Description: Enter a description for the app. This will be displayed to users in the company portal.
URL for software information: Available only if you selected Software installer. (optional) Enter a URL to a website that contains information about this app. The URL will be displayed to users in the company portal.
Privacy URL: Available only if you selected Software installer. (optional) Enter a URL to a website that contains privacy information for this app. The URL will be displayed to users in the company portal.
Category: (optional) Select one of the built-in app categories. This will make it easier for users to find the app when they browse the company portal.
Display this as a featured app and highlight it in the company portal: Display the app prominently on the main page of the company portal when users browse for apps.
Icon: (optional) Upload an icon that will be associated with the app. This is the icon that will be displayed with the app when users browse the company portal.
4. On the Requirements page, select the requirements that must be met before the app can start to install on a device. For example, for an app package for iOS, you can select the minimum version of iOS required, and the type of device it must be, like an iPhone, or an iPad.
Tip
The Requirements page is not displayed for all types of apps.
5. Further wizard pages are displayed if you choose the Windows Installer file type. This file type is
not used by mobile devices.
6. On the Summary page, review the information you specified. Once you are ready, choose
Upload.
7. Choose Close to finish.
The app is displayed on the Apps node of the Apps workspace.
Step 3: Create a MAM policy
This step describes the process of creating a MAM policy in the Intune admin console. You can also create a MAM policy by using the Azure portal.
1. In the Microsoft Intune administration console, choose Policy > Overview > Add Policy.
2. Choose Software to configure and deploy one of the following policies, depending on the device
type you want to configure apps for:
o Mobile Application Management Policy (Android 4 and later)
o Mobile Application Management Policy (iOS 7 and later)
You can use recommended settings or customize the settings. For details, see Manage settings
and features on your devices with Microsoft Intune policies.
3. Configure the following settings as required. The options might differ depending on the device
type for which you are configuring the policy.
Setting: Details
Name: Specify a name for this policy.
Description: Optionally, specify a description for this policy.
Restrict web content to display in a corporate managed browser: When this setting is enabled, any links in the app will be opened in the Managed Browser. You must have deployed this app to devices in order for this option to work.
Prevent Android backups or Prevent iTunes and iCloud backups: Disables the backup of any information from the app.
Allow app to transfer data to other apps: Specifies the apps that this app can send data to. You can choose to not allow data transfer to any app, only allow transfer to other managed apps, or to allow transfer to any app. This setting does not control use of the Open In feature on mobile devices.
For example, when you do not allow data transfer, you restrict data transfer to services like SMS messaging, assigning images to contacts, and posting to Facebook or Twitter.
For iOS devices, to prevent document transfer between managed and unmanaged apps, you must also configure and deploy a mobile device security policy that disables the setting Allow managed documents in other unmanaged apps. If you select to only allow transfer to other managed apps, the Intune PDF and image viewers (if deployed) will be used to open content of the respective types.
Additionally, if you set this option to Policy Managed Apps or None, the iOS 9 feature that allows Spotlight Search to search data within apps will be blocked.
Important
This setting does not control use of the Open In feature on mobile devices. To manage Open In, go here.
Allow app to receive data from other apps: Specifies the apps that this app can receive data from. You can choose to:
o not allow data transfer from any app
o only allow transfer from other managed apps
o allow transfer from any app
Note
For iOS apps that support multi-identity (where Intune only applies management settings to corporate accounts or data in the app), the following behavior applies: on an enrolled device with a MAM policy applied, when a user accesses data from an app that is not managed by a MAM policy, the data will be treated as corporate data and protected by the policy.
Prevent “Save As”: Disables use of the Save As option to save data to personal cloud storage locations (such as OneDrive Personal or Dropbox) in any app that uses this policy.
Restrict cut, copy and paste with other apps: Specifies how cut, copy, and paste operations can be used with the app. Choose from:
o Blocked: Do not allow cut, copy, and paste operations between this app and other apps.
o Policy Managed Apps: Only allow cut, copy, and paste operations between this app and other managed apps.
o Policy Managed Apps with Paste In: Allow data cut or copied from this app only to be pasted into other managed apps. Allow data cut or copied from any app to be pasted into this app.
o Any App: No restrictions on cut, copy, and paste operations to, or from, this app.
To copy and paste data between managed apps, both apps must have either the Policy Managed Apps or Policy Managed Apps with Paste In setting configured.
Require simple PIN for access: Requires the user to enter a PIN that they specify to use this app. The user will be asked to set this up the first time they run the app.
Number of attempts before PIN reset: Specify the number of PIN entry attempts which can be made before the user must reset the PIN.
Require corporate credentials for access: Requires that the user must enter their corporate logon information before they can access the app.
Require device compliance with corporate policy for access: Only allows the app to be used when the device is not jailbroken or rooted.
Recheck the access requirements after (minutes): In the Timeout field, specify the time period before the access requirements for the app are rechecked after the app is launched.
Offline grace period: If the device is offline, specify the time period before the access requirements for the app are rechecked.
Encrypt app data: Specifies that all data associated with this app will be encrypted, including data stored externally, such as SD cards.
Encryption for iOS: For apps that are associated with an Intune mobile app management policy, data is encrypted at rest using device level encryption provided by the OS. This is enabled through a device PIN policy that must be set by the IT admin. When a PIN is required, the data will be encrypted per the settings in the MAM policy. As stated in Apple documentation, the modules used by iOS 7 are FIPS 140-2 certified.
Encryption for Android: For apps that are associated with an Intune mobile app management policy, encryption is provided by Microsoft. Data is encrypted synchronously during file I/O operations according to the setting in the MAM policy. Managed apps on Android use AES-128 encryption in CBC mode utilizing the platform cryptography libraries. The encryption method is not FIPS 140-2 certified. Content on the device storage will always be encrypted.
Block screen capture (Android devices only): Specifies that the screen capture capabilities of the device are blocked when using this app.
4. When you are finished, choose Save Policy.
The new policy displays in the Configuration Policies node of the Policy workspace.
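The transfer and clipboard settings in the table above interact in ways that are easy to get wrong, in particular the one-way behaviour of Policy Managed Apps with Paste In and the requirement that both apps be configured for copy and paste between managed apps. The same rules reappear in the Configuration Manager policy table later in this document. The following added Python example, which is not Intune code, models those rules as decision functions; the App and MamPolicy types, the helper names and the sample apps are constructed for the illustration, Any App is treated as the least restrictive level, and Open In and the iOS device-level document setting are outside the model.

```python
"""Model of the data-transfer and clipboard rules in the settings table above.

Added example, not Intune code. It encodes what the table states for
"Allow app to transfer data to other apps", "Allow app to receive data from
other apps" and "Restrict cut, copy and paste with other apps", including the
one-way behaviour of Policy Managed Apps with Paste In and the requirement
that both apps be configured for copy and paste between managed apps. It
treats Any App as the least restrictive level and an app without a policy as
unmanaged; Open In and the iOS device-level document setting are outside
the model. The App and MamPolicy types and the sample apps are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Values for the two transfer settings.
NONE, MANAGED, ANY = "None", "Policy Managed Apps", "Any App"
# Values for the clipboard setting (MANAGED and ANY are shared with the above).
BLOCKED, PASTE_IN = "Blocked", "Policy Managed Apps with Paste In"


@dataclass(frozen=True)
class MamPolicy:
    transfer_to: str = NONE      # Allow app to transfer data to other apps
    receive_from: str = NONE     # Allow app to receive data from other apps
    clipboard: str = BLOCKED     # Restrict cut, copy and paste with other apps


@dataclass(frozen=True)
class App:
    name: str
    policy: Optional[MamPolicy] = None  # None: no MAM policy, i.e. unmanaged


def is_managed(app: App) -> bool:
    return app.policy is not None


def _level_allows(level: str, other: App) -> bool:
    """Whether a None / Policy Managed Apps / Any App level permits the other app."""
    if level == ANY:
        return True
    if level == MANAGED:
        return is_managed(other)
    return False  # None


def can_send(src: App, dst: App) -> bool:
    """Data transfer src -> dst: the sender's outbound level and the receiver's
    inbound level must both permit it. An unmanaged app imposes no rule of its own."""
    out_ok = _level_allows(src.policy.transfer_to, dst) if is_managed(src) else True
    in_ok = _level_allows(dst.policy.receive_from, src) if is_managed(dst) else True
    return out_ok and in_ok


def can_paste(src: App, dst: App) -> bool:
    """Clipboard: data cut or copied in src, pasted into dst."""
    if is_managed(src):
        out = src.policy.clipboard
        if out == BLOCKED:
            return False
        # Policy Managed Apps and ...with Paste In only let data out to managed apps.
        if out in (MANAGED, PASTE_IN) and not is_managed(dst):
            return False
    if is_managed(dst):
        inbound = dst.policy.clipboard
        if inbound == BLOCKED:
            return False
        # Policy Managed Apps accepts paste only from managed apps;
        # ...with Paste In and Any App accept paste from any app.
        if inbound == MANAGED and not is_managed(src):
            return False
    return True


# Constructed sample apps.
WORD = App("Word", MamPolicy(transfer_to=MANAGED, receive_from=MANAGED, clipboard=PASTE_IN))
OUTLOOK = App("Outlook", MamPolicy(transfer_to=MANAGED, receive_from=MANAGED, clipboard=MANAGED))
NOTES = App("Personal notes")  # no MAM policy

if __name__ == "__main__":
    for a, b in [(WORD, OUTLOOK), (WORD, NOTES), (NOTES, WORD), (NOTES, OUTLOOK)]:
        print(f"{a.name} -> {b.name}: send={can_send(a, b)} paste={can_paste(a, b)}")
```

The asymmetry worth noticing is NOTES -> WORD: a transfer of documents is refused because Word only receives from managed apps, yet a clipboard paste into Word succeeds because Paste In accepts clipboard data from any app. Whether that is acceptable for a given app is a design decision the policy author has to make explicitly; the table's defaults do not make it for you.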
Step 4: Associate the app with a MAM policy, then deploy the app
Deploy the app, ensuring that you select the MAM policy on the Mobile App Management page to associate the policy with the app. For details about some of the concepts you need to understand before you start deploying apps with Microsoft Intune, see Deploy apps in Microsoft Intune.
1. In the Microsoft Intune administrator console, choose Apps > Apps to view the list of apps you
manage.
2. Select the app you want to deploy, and then choose Manage Deployment.
3. In the <app name> dialog box on the Select Groups page, choose the user or device groups to which you want to deploy the app.
4. In the dialog box on the Mobile App Management page, select the App Management Policy you
want to associate with the app.
Other pages let you configure other deployment options. For details, go here.
For devices that run operating systems earlier than iOS 7.1, associated policies will not be removed
when the app is uninstalled.
If the device is unenrolled from Intune, policies are not removed from the apps; any apps that had policies applied will retain the policy settings even after the app is uninstalled and reinstalled.
What to do when an app is already deployed on devices
There might be situations where you deploy an app and one of the targeted users or devices already has
an unmanaged version of the app installed, for example, the user installed Microsoft Word from the app
store.
In this case, you must ask the user to manually uninstall the unmanaged version so that the managed
version you configured can be installed.
However, for devices that run iOS 9 and later, Intune will automatically ask the user for permission to
take over management of the existing app. If they agree, then the app will become managed by Intune
and any MAM policies you associated with the app will also be applied.
If the device is in supervised mode, Intune will take over management of the existing app without asking the user's permission.
Step 5: Monitor the app deployment with MAM policy
Once you have created and deployed an app associated with a MAM policy, use the following procedures to monitor the app and resolve any policy conflicts.
Note
For general information about monitoring app deployment, see Monitor app deployments in Microsoft
Intune.
To view the status of the deployment
1. In the Microsoft Intune administration console, choose Groups.
2. Perform one of the following steps:
o Choose All Users, then double-click on the user whose devices you want to examine. On
the User Properties page, choose Devices, then double-click the device you want to
examine.
o Choose All Devices > All Mobile Devices. On the Device Group Properties page, choose
Devices, then double-click the device you want to examine.
3. From the Mobile Device Properties page, choose Policy to see a list of the MAM policies that
have been deployed to the device.
4. Select the MAM policy whose status you want to view. You can view details of the policy in the
bottom pane and expand its node to display its settings.
5. Under the Status column of each of the MAM policies, Conforms, Conforms (Pending), or Error
will be displayed. If the selected policy has one or more settings in conflict, Error will be
displayed in this field.
6. Once you have identified a conflict, you can revise conflicting policy settings to use the same
setting, or deploy only one policy to the app and user.
Using Mobile App Management policies in Configuration Manager
Beginning with System Center 2012 Configuration Manager SP2, app management policies let you modify the functionality of apps that you deploy to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy and paste operations within a restricted app, or configure an app to open all web links inside a managed browser. App management policies support:
Devices that run Android 4 and later.
Devices that run iOS 7 and later.
In addition to managed devices, mobile app management policies can be used to protect apps
on devices that are not managed by Intune. Using this new capability, you can apply mobile app
management policies for apps connecting to Office 365 services. This is not supported for apps
connecting to on-premises Exchange or SharePoint.
To use this new capability, you must use the Azure preview portal. The following topics can help
you get started:
Get ready to configure mobile app management policies with Microsoft Intune
Monitor mobile app management policies with Microsoft Intune
Unlike configuration items and baselines in Configuration Manager, you do not deploy an application management policy directly. Instead, you associate the policy with the app deployment type (DT) that you want to restrict. When the app DT is deployed and installed on devices, the settings you specify will take effect.
To apply restrictions to an app, the app must incorporate the Microsoft Intune App Software
Development Kit (SDK). There are two methods of obtaining this type of app:
Use a policy managed app (Android and iOS): Has the App SDK built-in. To add this type of app,
you specify a link to the app from an app store such as the iTunes store or Google Play. No
further processing is required for this type of app. For a list of the policy managed apps that are
available for iOS and Android devices, see Microsoft Intune mobile application gallery.
Use a ‘wrapped’ app – (Android and iOS): Apps that are repackaged to include the App SDK by
using the Microsoft Intune App Wrapping Tool. This tool is typically used to process company
apps that were created in-house. It cannot be used to process apps that were downloaded from
the app store. See Prepare iOS apps for mobile application management with the Microsoft
Intune App Wrapping Tool and Prepare Android apps for mobile application management with
the Microsoft Intune App Wrapping Tool.
Create and deploy an app with a MAM policy
Step 1: Obtain the link to a policy managed app, or create a wrapped app
To obtain a link to a policy managed app (iOS and Android) - From the app store, find, and note the URL of the policy managed app you want to deploy.
For example, the URL of the Microsoft Word for iPad app is
https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8
To create a wrapped app (iOS and Android) - Use the information in the topics Prepare iOS apps
for mobile application management with the Microsoft Intune App Wrapping Tool and Prepare
Android apps for mobile application management with the Microsoft Intune App Wrapping Tool
to create a wrapped app. The tool creates a processed app and an associated manifest file. You
will use these files when you create a Configuration Manager application containing the app.
Step 2: Create a Configuration Manager application that contains an app
The procedure to create the Configuration Manager application differs depending on whether you are using a policy managed app (external link), or an app that was created by using the Microsoft Intune App Wrapping Tool for iOS (App package for iOS). Use one of the following procedures to create the Configuration Manager application.
To create an application for an App Wrapping Tool for iOS app
1. In the Configuration Manager console, choose Software Library.
2. In the Software Library workspace, expand Application Management, and then choose
Applications.
3. In the Home tab, in the Create group, choose Create Application to open the Create Application
Wizard. Or, you can go to Software Library > Overview > Application Management >
Applications and then choose Create Application.
4. On the General page, select Automatically detect information about this application from
installation files.
5. In the Type drop-down list, select App package for iOS (*.ipa file).
6. Choose Browse to select the app package you want to import, and then choose Next.
7. On the General Information page, enter the descriptive text and category information that you
want users to see in the company portal.
8. Complete the wizard.
The new application is displayed in the Applications node of the Software Library workspace.
To create an application containing a link to a policy managed app
1. In the Configuration Manager console, choose Software Library.
2. In the Software Library workspace, expand Application Management, and then choose
Applications.
3. In the Home tab, in the Create group, choose Create Application to open the Create Application
Wizard. Or, you can go to Software Library > Overview > Application Management >
Applications and then choose Create Application.
4. On the General page, select Automatically detect information about this application from
installation files.
5. In the Type drop-down, select one of the following:
o For iOS: App Package for iOS from App Store
o For Android: App Package for Android on Google Play
6. Enter the URL for the app (from step 1), and then choose Next.
7. On the General Information page, enter the descriptive text and category information that you
want users to see in the company portal.
8. Complete the wizard.
The new application is displayed in the Applications node of the Software Library workspace.
Step 3: Create a MAM policy
Next, you create an application management policy that you will associate with the application. You can create a general or managed browser policy.
1. In the Configuration Manager console, choose Software Library.
2. In the Software Library workspace, expand Application Management, and then choose
Application Management Policies.
3. In the Home tab, in the Create group, choose Create Application Management Policy.
4. On the General page, enter the name and description for the policy, and then choose Next.
5. On the Policy Type page, select the platform (iOS or Android) and the policy type for this policy, and then choose Next. The following policy types are available:
o General: The General policy type lets you modify the functionality of apps that you
deploy to help bring them into line with your company compliance and security policies.
For example, you can restrict cut, copy and paste operations within a restricted app.
o Managed Browser: Configure whether to allow or block the managed browser from
opening a list of URLs. The Managed Browser policy type lets you modify the
functionality of the Intune Managed Browser app. This is a web browser that lets you
manage the actions that users can perform, including the sites they can visit, and how
links to content within the browser are opened. For more information about the Intune
Managed Browser app, see here for iOS and here for Android.
6. If you selected General on the Policy Type page, then on the iOS Policy or Android Policy page,
configure the following values as required, and then choose Next. The options might differ
depending on the device type for which you are configuring the policy.
Value / More information
Restrict web content to display in a corporate managed browser: When this setting is enabled, any
links in the app are opened in the Managed Browser. You must have deployed the Managed Browser app
to devices for this option to work.
Prevent Android backups or Prevent iTunes and iCloud backups: Disables the backup of any
information from the app.
Allow app to transfer data to other apps: Specifies the apps that this app can send data to. You can
choose to not allow data transfer to any app, to allow transfer only to other restricted apps, or to
allow transfer to any app.
For iOS devices, to prevent document transfer between managed and unmanaged apps, you must also
configure and deploy a mobile device security policy that disables the setting Allow managed
documents in other unmanaged apps; the app policy alone does not cover this case.
Note: If you allow transfer only to other restricted apps, the Intune PDF and image viewers (if
deployed) are used to open content of the respective types.
Allow app to receive data from other apps: Specifies the apps that this app can receive data from.
You can choose to not allow data transfer from any app, to allow transfer only from other restricted
apps, or to allow transfer from any app.
Prevent "Save As": Disables the Save As option in any app that uses this policy.
Restrict cut, copy and paste with other apps: Specifies how cut, copy, and paste operations can be
used with the app. Choose from:
o Blocked: Do not allow cut, copy, and paste operations between this app and other apps.
o Policy Managed Apps: Only allow cut, copy, and paste operations between this app and
other restricted apps.
o Policy Managed Apps with Paste In: Allow data cut or copied from this app to be pasted
only into other restricted apps, but allow data cut or copied from any app to be pasted
into this app.
o Any App: No restrictions on cut, copy, and paste operations to or from this app.
Require simple PIN for access: Requires the user to enter a PIN, which they choose, to use this app.
The user is asked to set it up the first time they run the app.
Number of attempts before PIN reset: Specify the number of PIN entry attempts that can be made
before the user must reset the PIN.
Require corporate credentials for access: Requires the user to enter their corporate logon
information before they can access the app.
Require device compliance with corporate policy for access: Only allows the app to be used when the
device is not jailbroken or rooted.
Recheck the access requirements after (minutes): In the Timeout field, specify how long after the
app is launched the access requirements are rechecked. In the Offline grace period field, specify
how long the app can be used while the device is offline before the access requirements are
rechecked.
Encrypt app data: Specifies that all data associated with this app is encrypted, including data
stored externally, such as on SD cards.
Note
Encryption for iOS: For apps that are associated with a Configuration Manager mobile application
management policy, data is encrypted at rest using the device-level encryption provided by the OS.
This is enabled through a device PIN policy that must be set by the IT admin. When a PIN is
required, the data is encrypted per the settings in the MAM policy. As stated in Apple
documentation, the modules used by iOS 7 are FIPS 140-2 certified.
Encryption for Android: For apps that are associated with a Configuration Manager mobile
application management policy, encryption is provided by Microsoft. Data is encrypted synchronously
during file I/O operations according to the setting in the MAM policy. Managed apps on Android use
AES-128 encryption in CBC mode, using the platform cryptography libraries. This encryption method is
not FIPS 140-2 certified. Content on the device storage is always encrypted. Note that AES-CBC
provides confidentiality only; it does not by itself detect tampering with the stored data.
Block screen capture (Android devices only): Specifies that the screen capture capabilities of the
device are blocked when using this app.
7. If you selected Managed Browser on the Policy Type page, then on the Managed Browser page,
select whether the managed browser is allowed to open only the URLs in the list or is blocked
from opening the URLs in the list, manage the URLs in the list, and then choose Next.
For more information, see Manage Internet access using managed browser policies with
Configuration Manager.
8. Complete the wizard.
The new policy is displayed in the Application Management Policies node of the Software Library
workspace.
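The following script is an added example, not code from this guide, from Configuration Manager or from Intune. The class and field names are assumptions that mirror the General policy settings in step 6 and the prerequisites in the table, and both the policy and the deployment inputs are constructed. It reviews a proposed policy for the dependencies the table calls out (the Managed Browser must be deployed and paired with a Managed Browser policy, the iOS device setting Allow managed documents in other unmanaged apps, the Intune viewers, the device PIN policy behind iOS encryption) and for combinations that undermine the intended restriction, such as restricted data transfer with an unrestricted clipboard or Save As.

```python
"""Pre-deployment review of a General MAM policy.

Added example, not part of this guide or of Configuration Manager/Intune:
all class and field names are assumptions that mirror the wizard settings
in step 6; the policy and deployment inputs are constructed.
"""
from dataclasses import dataclass
from typing import List

# Values for the two data-transfer settings, named after the wizard choices.
TRANSFER = {"none", "restricted_apps", "any"}
# Values for "Restrict cut, copy and paste with other apps".
CLIPBOARD = {"blocked", "policy_managed", "policy_managed_paste_in", "any"}


@dataclass
class GeneralPolicy:
    platform: str                              # "ios" or "android"
    restrict_web_to_managed_browser: bool = False
    prevent_backups: bool = False
    transfer_out: str = "any"                  # Allow app to transfer data to other apps
    transfer_in: str = "any"                   # Allow app to receive data from other apps
    prevent_save_as: bool = False
    clipboard: str = "any"
    require_pin: bool = False
    pin_attempts_before_reset: int = 5
    require_corporate_credentials: bool = False
    require_device_compliance: bool = False
    recheck_after_minutes: int = 30            # Timeout
    offline_grace_minutes: int = 720           # Offline grace period
    encrypt_app_data: bool = False
    block_screen_capture: bool = False         # Android only


@dataclass
class Deployment:
    """What else is in place on the target devices (constructed input)."""
    managed_browser_deployed: bool = False
    managed_browser_policy_associated: bool = False
    ios_unmanaged_documents_blocked: bool = False  # device policy: Allow managed documents in other unmanaged apps = off
    ios_device_pin_required: bool = False          # device PIN policy that enables iOS at-rest encryption
    intune_viewers_deployed: bool = False          # Intune PDF and image viewers


def lint_policy(p: GeneralPolicy, d: Deployment) -> List[str]:
    """Return the findings a reviewer should resolve before deploying the policy."""
    findings: List[str] = []
    if p.transfer_out not in TRANSFER or p.transfer_in not in TRANSFER:
        findings.append("unknown data transfer value")
    if p.clipboard not in CLIPBOARD:
        findings.append("unknown clipboard value")

    # Managed Browser dependencies (first table row; Step 4).
    if p.restrict_web_to_managed_browser:
        if not d.managed_browser_deployed:
            findings.append("links are forced into the Managed Browser but it is not deployed")
        if not d.managed_browser_policy_associated:
            findings.append("Managed Browser needs both a General and a Managed Browser policy")

    # Outbound transfer restricted to managed apps.
    if p.transfer_out == "restricted_apps":
        if p.platform == "ios" and not d.ios_unmanaged_documents_blocked:
            findings.append("iOS: also disable 'Allow managed documents in other unmanaged apps' "
                            "in a mobile device security policy")
        if not d.intune_viewers_deployed:
            findings.append("restricted-app transfer relies on the Intune PDF and image viewers")

    # A restricted transfer setting is undermined by an open clipboard or Save As.
    if p.transfer_out != "any" and p.clipboard == "any":
        findings.append("data transfer is restricted but cut/copy/paste to any app is allowed")
    if p.transfer_out != "any" and not p.prevent_save_as:
        findings.append("data transfer is restricted but Save As is still allowed")

    # Access requirements.
    if not (p.require_pin or p.require_corporate_credentials):
        findings.append("no access requirement: neither a PIN nor corporate credentials")
    if p.require_pin and p.pin_attempts_before_reset > 10:   # reviewer threshold, an assumption
        findings.append("PIN reset threshold above 10 attempts")
    if p.offline_grace_minutes < p.recheck_after_minutes:
        findings.append("offline grace period is shorter than the online recheck timeout")

    # Platform caveats from the table's encryption note and the Android-only setting.
    if p.platform == "android" and p.encrypt_app_data:
        findings.append("Android: AES-128-CBC app-data encryption is not FIPS 140-2 certified")
    if p.platform == "ios" and p.encrypt_app_data and not d.ios_device_pin_required:
        findings.append("iOS: at-rest encryption depends on a device PIN policy that is not set")
    if p.platform == "ios" and p.block_screen_capture:
        findings.append("Block screen capture applies to Android devices only")
    return findings


def review_example() -> List[str]:
    """Constructed iOS policy: restrictive on paper, with several unmet dependencies."""
    policy = GeneralPolicy(platform="ios", restrict_web_to_managed_browser=True,
                           transfer_out="restricted_apps", transfer_in="restricted_apps",
                           prevent_save_as=True, clipboard="any",
                           require_pin=True, encrypt_app_data=True)
    deployed = Deployment(managed_browser_deployed=True)
    return lint_policy(policy, deployed)


if __name__ == "__main__":
    for finding in review_example():
        print("-", finding)
```

Run the script as-is to see the five findings for the constructed iOS policy; to review your own policy, fill in GeneralPolicy and Deployment with the values you selected in the wizard and what is actually deployed, and treat every finding as something to fix or to consciously accept before Step 4.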
Step 4: Associate the application management policy with a deployment type.
When a deployment type is created for an app that requires an application management policy,
Configuration Manager will recognize that an app management policy must be linked to this deployment
type when the associated app gets deployed and prompt you to associate an app management policy.
For the Managed Browser, you will be required to associate both a General and Managed Browser
policy. For more information, see How to Create and Deploy Applications for Mobile Devices in
Configuration Manager.
For devices that run operating systems earlier than iOS 7.1, associated policies will not be
removed when the app is uninstalled.
If the device is unenrolled from Configuration Manager, policies are not removed from the apps.
Apps that had policies applied will retain the policy settings even after the app is uninstalled and
reinstalled.
Step 5: Monitor the app deployment.
Once you have created and deployed an app associated with a MAM policy, you can monitor the app
and resolve any policy conflicts.
1. In the Configuration Manager console, choose Monitoring.
2. In the Monitoring workspace, expand Overview, and then choose Deployments.
3. Select the deployment and on the Home tab, choose Properties.
4. In the details pane for the deployment, choose Application Management Policies under Related
Objects.
For more information about monitoring applications, see How to Monitor Applications in Configuration
Manager.
End-user Experience
MAM policies are applied only when apps are used in the work context. Read the following scenarios to
help you educate your users so that they understand how managed apps work.
This section provides examples of the following end-user experiences:
Scenario: Accessing OneDrive on an iOS device
Scenario: Accessing OneDrive on an Android device
For information on other specific end-user experiences, see the following articles:
Using apps with multi-identity support
Managing user accounts
Viewing media files with the Rights Management sharing app
Scenario: Accessing OneDrive on an iOS device
1. The user launches the OneDrive app to open the sign in page.
Note
On a personal device, typically the end user would download the app. If the device is managed
by a MDM solution, you can deploy the app to the device.
2. The user types their work account user name and is redirected to the O365 authentication page
to enter work credentials.
After the credentials are successfully authenticated by Azure AD, the MAM policies are applied.
3. The user is prompted to set a PIN for the app (if you configured the policy for this).
4. Once the PIN is set and confirmed, the user can access the files on their OneDrive for Business.
Note
When you change a deployed policy, the changes will be applied next time the app is opened.
Scenario: Accessing OneDrive on an Android device
1. The user launches the OneDrive app to open the sign in page.
Note
On a personal device, typically the end-user would download the app. If the device is managed
by a MDM solution, you can deploy the app to the device.
2. The user types their work account user name and is redirected to the O365 authentication page
to enter work credentials.
After the credentials are successfully authenticated by Azure AD, the MAM policies are applied.
3. The OneDrive app launches automatically and the user is prompted to set a PIN, provided the
policy settings are set to require a PIN to access the OneDrive app.
4. Once the PIN is set and confirmed, the user can continue using OneDrive, which is now
managed by app policies.
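The two scenarios above, as an added example that is not part of this guide and is not code from Intune, the Intune App SDK or the OneDrive app: a small simulation of the checks a managed app performs across launches. The class, method and field names, the timings and the event sequence are all constructed. It follows the order the scenarios describe (Azure AD sign-in first, the MAM policy applying only after that, then the PIN prompt) and goes beyond them to exercise the step 6 settings the scenarios do not show: the online timeout and the offline grace period for rechecking access, the attempts-before-reset counter, and a changed policy taking effect at the next launch.

```python
"""Simulation of a managed app's access checks across launches.

Added example, not part of this guide or of the Intune App SDK: class, method
and field names are assumptions; times are minutes on a constructed clock.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AccessPolicy:
    require_pin: bool = True
    pin_attempts_before_reset: int = 3
    recheck_after_minutes: int = 30      # Timeout (online)
    offline_grace_minutes: int = 120     # Offline grace period


class ManagedAppSession:
    def __init__(self, policy: AccessPolicy) -> None:
        self.policy = policy
        self.pending_policy: Optional[AccessPolicy] = None
        self.authenticated = False           # Azure AD sign-in succeeded
        self.pin: Optional[str] = None       # chosen by the user on first run
        self.last_check: Optional[int] = None
        self.failed_attempts = 0

    def sign_in(self, now: int, azure_ad_ok: bool) -> str:
        """Scenario step 2: only after Azure AD authenticates the account does the policy apply."""
        if not azure_ad_ok:
            return "sign-in failed"
        self.authenticated = True
        self.last_check = now
        return "set PIN" if self.policy.require_pin and self.pin is None else "open"

    def set_pin(self, pin: str) -> str:
        """Scenario step 3: the user chooses a PIN the first time the app runs."""
        self.pin = pin
        self.failed_attempts = 0
        return "open"

    def update_policy(self, new_policy: AccessPolicy) -> None:
        """A changed policy is applied the next time the app is opened."""
        self.pending_policy = new_policy

    def launch(self, now: int, online: bool) -> str:
        """Recheck access after the timeout, or after the grace period when offline."""
        if self.pending_policy is not None:
            self.policy, self.pending_policy = self.pending_policy, None
        if not self.authenticated:
            return "sign-in required"
        if self.policy.require_pin and self.pin is None:
            return "set PIN"
        window = self.policy.recheck_after_minutes if online else self.policy.offline_grace_minutes
        if now - self.last_check >= window:
            return "enter PIN" if self.policy.require_pin else "recheck credentials"
        return "open"

    def enter_pin(self, now: int, attempt: str) -> str:
        if attempt == self.pin:
            self.failed_attempts = 0
            self.last_check = now
            return "open"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.pin_attempts_before_reset:
            self.pin = None                  # "Number of attempts before PIN reset" reached
            self.failed_attempts = 0
            return "reset PIN"
        return "wrong PIN"


def walkthrough() -> List[Tuple[str, str]]:
    """Constructed sequence of events and the app's response to each."""
    app = ManagedAppSession(AccessPolicy())
    log: List[Tuple[str, str]] = []
    log.append(("launch before sign-in", app.launch(0, online=True)))
    log.append(("sign in, Azure AD ok", app.sign_in(0, azure_ad_ok=True)))
    log.append(("set PIN", app.set_pin("2468")))
    log.append(("relaunch at 10 min, online", app.launch(10, online=True)))
    log.append(("relaunch at 45 min, online", app.launch(45, online=True)))
    log.append(("wrong PIN", app.enter_pin(45, "0000")))
    log.append(("wrong PIN", app.enter_pin(45, "1111")))
    log.append(("wrong PIN", app.enter_pin(45, "9999")))      # third failure resets the PIN
    log.append(("set new PIN", app.set_pin("1357")))
    app.update_policy(AccessPolicy(recheck_after_minutes=5, offline_grace_minutes=10))
    log.append(("relaunch at 100 min, offline", app.launch(100, online=False)))
    log.append(("correct PIN", app.enter_pin(100, "1357")))
    log.append(("relaunch at 104 min, offline", app.launch(104, online=False)))
    log.append(("relaunch at 108 min, online", app.launch(108, online=True)))
    return log


if __name__ == "__main__":
    for event, result in walkthrough():
        print(f"{event:32} -> {result}")
```

Two points the walkthrough makes visible: the offline grace period is a separate, normally longer window than the online timeout, so a device taken offline keeps the app usable until that window expires; and the tightened policy queued at the 45-minute mark does nothing until the next launch, which is why a relaunch at 108 minutes prompts for the PIN under the new 5-minute timeout although it would not have under the old one.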