30.5 Editing the App Protection Policy Settings

Based on the security level selected while creating the Intune App Protection Policy, the settings that ZENworks predefines can be viewed or edited by performing the steps elaborated in this section. Because this policy does not support creation of a Sandbox version, editing any setting within the policy requires publishing the policy as a new version. For more information, see Publishing the App Protection Policy.

30.5.1 Procedure

  1. In ZENworks Control Center, navigate to the Policies section.

  2. Click the App Protection Policy for which the content needs to be configured.

  3. Click the Details tab and edit the settings.

    NOTE: If you selected Define Additional Properties while creating this policy, you are taken directly to the Details tab after clicking the Finish button.

    Apps

    You can edit the list of apps that you had selected in the policy. You can also click Add to include custom apps to this list.

    Settings

    There are two categories of Intune App Protection Policy settings: Data Relocation settings and App Access settings.

    Data Relocation

    Each entry below gives the setting name, the supported platforms in parentheses, and a description of the setting.

    Prevent iTunes and iCloud backups (iOS, iPadOS)

    Prevents the backup of app data to iCloud or iTunes.

    Prevent Android backups (Android)

    Restricts backup of the app information.

    Allow app to transfer data to other apps (iOS, iPadOS and Android)

    Enables the app to transfer corporate data to selected apps. The available options are:

    • All Apps: Sends the corporate data to any app.

    • Policy Managed apps: Sends the data only to the managed apps.

    • None: Restricts sending data to other apps.

    • (Only iOS/iPadOS) Policy Managed apps with OS sharing: Sends the data to other policy managed apps and sends documents to other MDM managed apps on enrolled devices.

    • (Only iOS/iPadOS) Policy Managed apps with Open-In/Share filtering: Sends data to other policy managed apps and filters OS open-in or share dialogs to display only policy managed apps.

    Select exempted apps: Click Add/Edit to include apps that should be exempted from the data transfer.

    If you need to allow data to be transferred to specific apps that do not support Intune APP, you can add the apps to the exempted list. Exemptions allow applications managed by Intune to transfer data to unmanaged applications based on URL protocol (iOS/iPadOS) or package name (Android). By default, Intune adds vital native applications to this list of exceptions.

    Allow app to receive data from other apps (iOS, iPadOS and Android)

    Specifies the apps from which data can be received:

    • All apps: Allow data to be received from all apps.

    • Policy Managed apps: Allow data to be received from other policy-managed apps.

    • None: Do not allow data to be received from any app.

    Allow app to transfer data to other apps (iOS, iPadOS and Android)

    Specifies the apps to which data can be transferred:

    • All apps: Allow data to be transferred to all apps.

    • Policy Managed apps: Allow data to be transferred to other policy-managed apps.

    • None: Do not allow data to be transferred to any app.

    Prevent "Save As" (iOS, iPadOS and Android)

    Disables the Save As option in the app.

    Select the storage services to which the corporate data can be saved (iOS, iPadOS and Android)

    This field is enabled only if the Prevent "Save As" option is enabled. It lets you select the specific storage services to which the app data can be saved, such as SharePoint, OneDrive or the local storage. Use CTRL + Click to select multiple values in the field.

    Restrict cut, copy, and paste with other apps (iOS, iPadOS and Android)

    Restricts the cut, copy, and paste operations for the selected apps:

    • Any apps: Allow cut, copy, and paste actions between this app and any app.

    • Policy managed apps: Allow cut, copy, and paste actions only between this app and any other policy-managed app.

    • Policy managed with paste in: Allow cut, copy, and paste actions between this app and any other policy-managed app. Allow data from any app to be pasted into this app.

    • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.

    Restrict web content to display in the Managed Browser (iOS, iPadOS and Android)

    Restricts the opening of web links displayed in the app to the Managed Browser app.

    Block screen capture and Android Assistant (Android)

    Disables both screen capture and Android Assistant app scanning capabilities.

    Encrypt app data (iOS, iPadOS)

    Select whether the app data should be encrypted. When a PIN is required, the data is encrypted according to the settings in this policy. If a device PIN is not set and these encryption settings are enabled, the user is prompted to set a PIN.

    Encrypt app data (Android)

    Specify whether the app data should be encrypted.

    Disable app encryption when device encryption is enabled (Android)

    If device encryption is enabled, this option automatically disables app encryption. This field can be modified only if Encrypt app data is enabled.

    Disable contact sync (iOS, iPadOS and Android)

    Prevents the app from saving data to the native Contacts app on the device.

    Disable printing (iOS, iPadOS and Android)

    Prevents the app from printing protected data.

    Disable third-party Keyboards (iOS, iPadOS)

    Disables the use of third-party keyboards with the app.

    App Access

    Each entry below gives the setting name, the supported platforms in parentheses, and a description of the setting.

    Require PIN for access (iOS, iPadOS and Android)

    Enforces the creation of a PIN for this app. The user is prompted to set up a PIN the first time they run the app. The following fields are also enabled:

    • PIN Type

    • Number of attempts before PIN reset

    • Allow simple PIN

    • PIN length

    • Allow fingerprint instead of PIN

    • Allow facial recognition instead of PIN

    • Disable app PIN when device PIN is managed

    PIN Type (iOS, iPadOS and Android)

    Enforces the format of the PIN, for example a numeric PIN or a passcode type PIN.

    Number of attempts before PIN reset (iOS, iPadOS and Android)

    Defines the number of times users can attempt to enter the PIN before they must reset it. Only a positive whole number can be specified.

    Allow simple PIN (iOS, iPadOS and Android)

    Enables users to specify a simple PIN sequence such as 1111 or 1234.

    NOTE: If a Passcode type PIN is configured and Allow simple PIN is set to Yes, at least 1 letter or 1 special character must be specified. If a Passcode type PIN is configured and Allow simple PIN is set to No, at least 1 number, 1 letter and 1 special character must be specified.

    PIN length (iOS, iPadOS and Android)

    Defines the required number of digits in the PIN. Only a positive whole number can be specified.

    Allow fingerprint instead of PIN (iOS, iPadOS and Android)

    Enables the user to use fingerprint identification instead of a PIN to access the app. This is applicable only on iOS 8.0 and newer versions.

    Allow facial recognition instead of PIN (iOS, iPadOS)

    Enables the user to use facial recognition instead of a PIN to access the app. This is applicable only on iOS 11.0 and newer versions.

    Disable app PIN when device PIN is managed (iOS, iPadOS and Android)

    Disables the app PIN when a device lock is detected on an enrolled device.

    Require corporate credentials for access (iOS, iPadOS and Android)

    Requires users to use their corporate credentials instead of entering a PIN for app access.

    Block managed apps from running on jailbroken or rooted devices (iOS, iPadOS and Android)

    Prevents this app from running on jailbroken or rooted devices.

    Offline interval before app data is wiped (days) (iOS, iPadOS and Android)

    Defines the number of days after which an app that is running offline requires the user to connect to the network to re-authenticate. When the user authenticates successfully, the user can continue to access data and the offline interval is reset. If the user fails to authenticate, the app performs a selective wipe of the user's account and data.

    Recheck the access requirements after timeout (minutes) (iOS, iPadOS and Android)

    Defines the time (in minutes) after which the access requirements are rechecked.

    Recheck the access requirements after offline grace period (minutes) (iOS, iPadOS and Android)

    Allows the app to run offline for the specified time, after which the access requirements are rechecked.

    Require minimum iOS operating system (iOS, iPadOS)

    Enforces the requirement for a minimum iOS operating system to use the app. The user's access to the app is blocked if the minimum OS requirement is not met. The value should be specified in the iOS operating system field.

    Require minimum iOS operating system (Warning only) (iOS, iPadOS)

    Sends a notification to the user if the specified minimum iOS operating system requirement for using the app is not met. The notification can be dismissed. The value should be specified in the iOS operating system field.

    Require minimum app version (iOS, iPadOS)

    Enforces the requirement for a minimum app version to use the app. The user's access to the app is blocked if the minimum app version requirement is not met. The value should be specified in the App version field.

    Require minimum app version (Warning only) (iOS, iPadOS)

    Sends a notification to the user if the specified minimum app version requirement is not met. The notification can be dismissed. The value should be specified in the App version field.

    Require minimum Intune app protection policy SDK version (iOS, iPadOS)

    Enforces the requirement for a minimum Intune app protection policy SDK version to access the app. The user is blocked from access if the SDK version does not meet the requirement.

    Require minimum Android version (Android)

    Enforces the requirement for a minimum Android version to use the app. The value should be specified in the Android version field.

    Require minimum Android version (Warning only) (Android)

    Sends a notification to the user if the specified minimum Android version needed to use the app is not met. The notification can be dismissed. The value should be specified in the Android version field.

    Require minimum app version (Android)

    Enforces the requirement for a minimum app version to use the app. The user's access to the app is blocked if the minimum app version requirement is not met. The value should be specified in the App version field.

    Require minimum app version (Warning only) (Android)

    Sends a notification to the user if the specified minimum app version requirement is not met. The notification can be dismissed. The value should be specified in the App version field.

    Require minimum Android patch version (Android)

    Enforces the requirement for a minimum Android security patch level to securely access the app. The value should be specified in the Patch version field.

    Require minimum Android patch version (Warning only) (Android)

    Sends a notification to the user if the specified minimum patch version requirement is not met. The notification can be dismissed. The value should be specified in the Patch version field.

  4. Click Publish to display the Publish Option page. In this page you can publish the modified policy as a new version of the same policy or as a new policy.
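The setting dependencies in the Data Relocation table (storage services only honoured when Prevent "Save As" is on; the device-encryption override only editable when Encrypt app data is on) and the PIN composition rules in the App Access table can be checked offline before a policy is published. The following Python is an added example written for this section; it is not ZENworks' or Intune's own code and calls no ZENworks API. The policy is modelled as a plain dict whose hypothetical keys mirror the setting names; two assumptions are labelled in the code: PIN length is read as a minimum length, and a "simple" PIN is one whose characters are all identical or form a digit run that steps by one (1111, 1234, 4321). A constructed weak policy is shown beside its hardened counterpart.

```python
"""Offline review of an Intune App Protection Policy as modelled from the
ZENworks Details tab. Added example, not ZENworks' or Intune's own code.
Keys below are hypothetical names chosen to mirror the setting names."""


def review_policy(policy):
    """Return review findings: broken setting dependencies and weak choices.
    An empty list means the policy raised no findings."""
    findings = []
    # Dependencies stated in the settings table.
    if policy.get("save_as_storage_services") and not policy.get("prevent_save_as"):
        findings.append('Storage services list is only honoured when Prevent "Save As" is enabled')
    if policy.get("disable_app_encryption_if_device_encrypted") and not policy.get("encrypt_app_data"):
        findings.append("Disable app encryption when device encryption is enabled requires Encrypt app data")
    # Data-relocation and access choices a reviewer would question.
    if policy.get("transfer_data_to") == "All Apps":
        findings.append("Corporate data can be sent to any app; prefer Policy Managed apps or None")
    if policy.get("cut_copy_paste") == "Any apps":
        findings.append("Cut, copy and paste is allowed with any app; prefer Policy managed apps")
    if not policy.get("encrypt_app_data"):
        findings.append("App data is not encrypted")
    if not policy.get("block_jailbroken_rooted"):
        findings.append("App may run on jailbroken or rooted devices")
    # PIN fields must be positive whole numbers when a PIN is required.
    if policy.get("require_pin"):
        for key in ("pin_length", "attempts_before_reset"):
            value = policy.get(key)
            if not (isinstance(value, int) and value > 0):
                findings.append(f"{key} must be a positive whole number")
    return findings


def is_simple_sequence(pin):
    """Assumed definition of a simple PIN: all characters identical, or a digit
    run stepping by +1 or -1 throughout (1111, 1234, 4321)."""
    if len(pin) > 1 and len(set(pin)) == 1:
        return True
    if pin.isdigit() and len(pin) > 1:
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        return steps in ({1}, {-1})
    return False


def validate_pin(pin, policy):
    """Check a candidate PIN against PIN Type, PIN length and Allow simple PIN.
    Returns the list of violated requirements (empty when the PIN is acceptable).
    Assumption: pin_length is treated as a minimum length."""
    problems = []
    if len(pin) < policy["pin_length"]:
        problems.append(f"PIN must be at least {policy['pin_length']} characters")
    has_digit = any(c.isdigit() for c in pin)
    has_letter = any(c.isalpha() for c in pin)
    has_special = any(not c.isalnum() for c in pin)
    if policy["pin_type"] == "Numeric":
        if not pin.isdigit():
            problems.append("Numeric PIN may contain digits only")
    elif policy["allow_simple_pin"]:
        # Passcode type, simple PINs allowed: one letter or one special character suffices.
        if not (has_letter or has_special):
            problems.append("Passcode must contain at least 1 letter or 1 special character")
    elif not (has_digit and has_letter and has_special):
        # Passcode type, simple PINs not allowed: all three character classes are required.
        problems.append("Passcode must contain at least 1 number, 1 letter and 1 special character")
    if not policy["allow_simple_pin"] and is_simple_sequence(pin):
        problems.append("Simple sequences such as 1111 or 1234 are not allowed")
    return problems


# Constructed sample policies (not taken from any real tenant).
WEAK_POLICY = {
    "transfer_data_to": "All Apps",
    "receive_data_from": "Policy Managed apps",
    "prevent_save_as": False,
    "save_as_storage_services": ["OneDrive"],
    "cut_copy_paste": "Any apps",
    "encrypt_app_data": False,
    "disable_app_encryption_if_device_encrypted": True,
    "require_pin": True,
    "pin_type": "Passcode",
    "allow_simple_pin": False,
    "pin_length": 6,
    "attempts_before_reset": 5,
    "block_jailbroken_rooted": False,
}

HARDENED_POLICY = {
    **WEAK_POLICY,
    "transfer_data_to": "Policy Managed apps",
    "prevent_save_as": True,
    "cut_copy_paste": "Policy managed apps",
    "encrypt_app_data": True,
    "block_jailbroken_rooted": True,
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, review_policy(pol) or ["no findings"])
    print(validate_pin("1234", WEAK_POLICY))
    print(validate_pin("Zw7!qp", WEAK_POLICY))
```

Run it as a script to see the six findings on the weak policy and none on the hardened one; the same functions can be called from a review script over exported policy settings once the keys are mapped to the real field names.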

30.5.2 Publishing the App Protection Policy

Unlike other policies in ZCC, you cannot create a Sandbox version of the Intune App Protection Policy. When you edit the settings of the latest version of the policy, you can only publish the policy as a new version. To edit an older version of a policy:

  1. Click Policies in the left-hand pane in ZCC.

  2. Click an Intune App Protection Policy.

  3. From the Displayed Version drop-down menu select a version of the policy that you want to edit.

  4. Click Publish and publish the policy to its latest version.

  5. Edit the settings of the policy and click Publish to apply the latest changes.

Consider a scenario where the policy has two published versions (version 0 and version 1) and you select version 0. After selecting version 0, click Publish to publish the policy as its latest version, that is, version 2. You can now edit the settings of the policy and publish it again as version 3.