13.4 Editing the App Protection Policy Settings

Based on the security level selected while creating the iOS Intune App Protection Policy, the settings that are predefined by ZENworks can be viewed or edited by performing the steps described in this section. Because this policy does not support creation of a Sandbox version, when you edit any of the settings within this policy, the policy needs to be published as a new version. For more information, see Publishing the App Protection Policy.

13.4.1 Procedure

  1. In ZENworks Control Center, navigate to the Policies section.

  2. Click the iOS App Protection Policy for which the content needs to be configured.

  3. Click the Details tab and edit the settings.

    NOTE: If you had selected Define Additional Properties while creating this policy, after clicking the Finish button you will be directly navigated to the Details tab.

    Apps

    You can edit the list of apps that you had selected in the policy. You can also click Add to include custom apps to this list.

    Settings

    There are two categories of iOS Intune App Protection Policy settings: Data Relocation settings and App Access settings.

    Data Relocation

    Setting Name

    Description

    Prevent iTunes and iCloud backups

    If you select Yes, app data will not be backed up to iCloud or iTunes.

    Allow app to receive data from other apps

    Select one of the following options to specify the apps from which data can be received:

    • All apps: Allow data to be received from all apps.

    • Policy managed apps: Allow data to be received from other policy-managed apps.

    • None: Do not allow data to be received from any app.

    Allow app to transfer data to other apps

    Select one of the following options to specify the apps to which data can be transferred:

    • All apps: Allow data to be transferred to all apps.

    • Policy managed apps: Allow data to be transferred to other policy-managed apps.

    • None: Do not allow data to be transferred to any app.

    Prevent "Save As"

    If you select Yes, the Save As option on the app will be disabled.

    Select the storage services to which the corporate data can be saved

    This field will be enabled if the Prevent “Save As” option is enabled. You can select specific storage services to which the app data can be saved, such as SharePoint, OneDrive or the local storage. Use CTRL + Click to select multiple values in the field.

    Restrict cut, copy, and paste with other apps

    Select one of the following options to restrict or allow cut, copy, or paste operations:

    • Any app: Allow cut, copy, and paste actions between this app and any app.

    • Policy managed apps: Allow cut, copy, and paste actions between this app and any other policy-managed app.

    • Policy managed with paste in: Allow cut, copy, and paste actions between this app and any other policy-managed app. Allow data from any app to be pasted into this app.

    • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.

    Restrict web content to display in the Managed Browser

    Select Yes to restrict the opening of web links displayed in the app to the Managed Browser app.

    Encrypt app data

    Select one of the following options to decide when the app data should be encrypted:

    • Use device settings: App data is encrypted based on the default settings on the device.

    • After device restart: App data is encrypted when the device is restarted, until the device is unlocked for the first time.

    • When device is locked and there are open files: App data is encrypted while the device is locked, except for data in the files that are currently open in the app.

    • When device is locked: App data is encrypted when the device is locked.

    When a PIN is required, the data is encrypted according to the settings in this policy. If a device PIN is not set and if these encryption settings are enabled, then the user will be prompted to set a PIN.

    Disable contact sync

    Select Yes to prevent the app from saving data to the native Contacts app on the device.

    Disable printing

    Select Yes to prevent the app from printing protected data.

    App Access

    Setting Name

    Description

    Require PIN for access

    Select Yes to create a PIN for this app. The user will be prompted to set up a PIN the first time they run the app. The following fields will also be enabled:

    • PIN Type

    • Number of attempts before PIN reset

    • Allow simple PIN

    • PIN length

    • Allow fingerprint instead of PIN

    • Allow facial recognition instead of PIN

    • Disable app PIN when device PIN is managed

    PIN Type

    Select the type of PIN to be set, that is, a numeric PIN or a passcode type PIN.

    Number of attempts before PIN reset

    Specify the number of times the users can attempt to enter the PIN before they must reset it. You can specify only a positive whole number.

    Allow simple PIN

    Select Yes to allow users to specify a simple PIN sequence such as 1111 and 1234.

    NOTE: If a Passcode type PIN is configured, and Allow simple PIN is set to Yes, you need to specify at least 1 letter or at least 1 special character. If Passcode type PIN is configured, and Allow simple PIN is set to No, you need to specify at least 1 number, 1 letter and 1 special character.

    PIN length

    Specify the number of digits in the PIN sequence. You can only specify a positive whole number.

    Allow fingerprint instead of PIN

    Select Yes to allow the user to use fingerprint identification instead of a PIN to access the app. This is applicable only on iOS 8.0 or newer versions.

    Allow facial recognition instead of PIN

    Select Yes to allow the user to use facial recognition instead of a PIN to access the app. This is applicable only on iOS 11.0 or newer versions.

    Disable app PIN when device PIN is managed

    Select Yes to disable the app PIN when a device lock is detected on an enrolled device.

    Require corporate credentials for access

    Select Yes to require the user to use their corporate credentials instead of entering a PIN for app access.

    Block managed apps from running on jailbroken or rooted devices

    Select Yes to prevent this app from running on jailbroken or rooted devices.

    Offline interval before app data is wiped (days)

    If a device is running offline, specify the number of days after which the app will require the user to connect to the network and re-authenticate. If the user successfully authenticates, they can continue to access their data and the offline interval will reset. If the user fails to authenticate, the app will perform a selective wipe of the user's account and data.

    Recheck the access requirements after timeout (minutes)

    Specify the time (in minutes) after which the access requirements are rechecked.

    Recheck the access requirements after offline grace period (minutes)

    Specify the time (in minutes) that the app can run offline, after which the access requirements are rechecked.

    Require minimum iOS operating system

    Select Yes if a minimum iOS operating system is required to use the app. The user’s access to the app will be blocked if the minimum OS requirement is not met. You can specify the value in the iOS operating system field.

    Require minimum iOS operating system (Warning only)

    Select Yes if a minimum iOS operating system is required to use the app. The user will receive a notification if the minimum OS requirement is not met, which can be dismissed. You can specify the value in the iOS operating system field.

    Require minimum app version

    Select Yes if a minimum app version is required to use the app. The user’s access to the app will be blocked if the minimum app version requirement is not met. You can specify the value in the App version field.

    Require minimum app version (Warning only)

    Select Yes if a minimum app version is required to use the app. The user will receive a notification if the minimum app version requirement is not met, which can be dismissed. You can specify the value in the app version field.

    Require minimum Intune app protection policy SDK version

    Select Yes if a minimum Intune app protection policy SDK version is required to access the app. The user is blocked from access if the app’s Intune app protection policy SDK version does not meet the requirement.

  4. Click Publish to display the Publish Option page. On this page you can publish the modified policy as a new version of the same policy or as a new policy.
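
The PIN Type, PIN length and Allow simple PIN rules from step 3, written out as an added Python example (not ZENworks or Intune code) that can be used to check test PINs against a planned policy. It assumes that a "simple" PIN means repeated or consecutive characters, that "special character" means ASCII punctuation, and that PIN length is a minimum; `PinPolicy`, `is_simple_sequence` and `check_pin` are hypothetical names.

```python
from __future__ import annotations

import string
from dataclasses import dataclass

SPECIALS = set(string.punctuation)  # assumption: "special character" = ASCII punctuation


@dataclass(frozen=True)
class PinPolicy:
    pin_type: str       # "numeric" or "passcode" (the PIN Type setting)
    pin_length: int     # the PIN length setting, treated here as a minimum (assumption)
    allow_simple: bool  # the Allow simple PIN setting


def is_simple_sequence(pin: str) -> bool:
    """True for repeated (1111) or consecutive (1234, 4321) characters (assumed definition)."""
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {-1})


def check_pin(pin: str, policy: PinPolicy) -> list[str]:
    """Return the rule violations for this PIN; an empty list means it is accepted."""
    problems = []
    if len(pin) < policy.pin_length:
        problems.append("too short")
    has_digit = any(c.isdigit() for c in pin)
    has_letter = any(c.isalpha() for c in pin)
    has_special = any(c in SPECIALS for c in pin)
    if policy.pin_type == "numeric":
        if not (pin.isascii() and pin.isdigit()):
            problems.append("numeric PIN must contain digits only")
        if not policy.allow_simple and is_simple_sequence(pin):
            problems.append("simple sequence not allowed")
    elif policy.pin_type == "passcode":
        if policy.allow_simple:
            # Allow simple PIN = Yes: at least 1 letter or 1 special character
            if not (has_letter or has_special):
                problems.append("needs at least 1 letter or 1 special character")
        else:
            # Allow simple PIN = No: at least 1 number, 1 letter and 1 special character
            checks = (("number", has_digit), ("letter", has_letter),
                      ("special character", has_special))
            missing = [name for name, ok in checks if not ok]
            if missing:
                problems.append("needs at least 1 " + ", 1 ".join(missing))
    else:
        raise ValueError("pin_type must be 'numeric' or 'passcode'")
    return problems
```
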

13.4.2 Publishing the App Protection Policy

Unlike other policies in ZCC, you cannot create a Sandbox version of the iOS Intune App Protection policy. When you edit the settings of the latest version of the policy, you can only publish the policy as a new version. To edit an older version of a policy:

  1. Click Policies in the left-hand pane in ZCC.

  2. Click an iOS App Protection Policy.

  3. From the Displayed Version drop-down menu, select the version of the policy that you want to edit.

  4. Click Publish and publish the policy to its latest version.

  5. Edit the settings of the policy and click Publish to apply the latest changes.

For example, consider a policy with two published versions (version 0 and version 1), of which version 0 is selected. After selecting version 0, click Publish to publish the policy to its latest version, that is, Version 2. You can now edit the settings of the policy and publish the policy again as Version 3.