30.4 Creating the App Protection Policy

The Intune App Protection policy lets you apply protection settings on apps that are installed on iOS, iPadOS and Android devices. After creating this policy, ZENworks establishes a connection with Azure and creates the policy with the same settings in the Azure portal. Subsequently, any changes made to the policy in ZCC will be replicated in Azure.

NOTE: With an Intune App Protection policy, you cannot:

  • Create a Sandbox version of the policy.

  • Add the policy within a policy group.

  • Assign the policy to individual users. This policy can be assigned to only user groups. This is a Microsoft limitation.

It is recommended that you use ZCC to create and edit this protection policy. Any edits made to the policy directly in the Azure portal will not be synced back to ZENworks.

30.4.1 Creating iOS Intune App Protection Policy

To create this policy:

  1. Click Policies in the left-hand pane in ZCC.

  2. On the Select Platform page, select Mobile and click Next.

  3. On the Select Policy Category page, select iOS and click Next.

  4. On the Select Policy Type page, retain the default selection iOS Intune App Protection Policy and click Next.

  5. On the Define Details page, specify the Policy Name, the folder in which the policy should reside, and a short description of the policy.

  6. On the Select Target Devices page, select the devices on which the policy is applied:

    • All Devices: Select this option to apply the policy to all devices.

    • Specific Devices: Select this option to apply the policy to specific devices. This option includes the following set of devices:

      • Android work profile devices: Select this option if you want to deploy the policy to all devices with an Android work profile. This setting is applicable only for Android devices.

      • Intune unmanaged devices (includes ZENworks managed devices): Select this option if you want to deploy the policy to devices that are managed by ZENworks and devices that are not managed by Intune.

      • Intune managed devices: Select this option if you want to deploy the policy to devices that are managed by Intune.

  7. On the Microsoft Intune Apps page, select the apps on which the restrictions should be applied. You can also click Add to include a custom app. A custom app is an in-house app that is not published on the Azure app portal. While adding a custom app, you need to specify the name of the app and its package ID. Click Next.

  8. On the App Protection Settings page, assign a security level. Based on the security level selected, the pre-defined values for each setting are populated. However, these values can be customized to suit your requirements:

    • Low: A few restrictions are enforced on the device. Some of the values pre-configured with this security level are:

      • The default value for Recheck the access requirements after offline grace period is 12 hours.

      • The default value for Offline interval before app data is wiped is 90 days.

      • The default value for Restrict web content to display in managed browser is No.

    • Moderate: Some restrictions are enforced on the device. Some of the values pre-configured with this security level are:

      • The default value for Recheck the access requirements after offline grace period is 6 hours.

      • The default value for Offline interval before app data is wiped is 30 days.

      • The default value for Restrict web content to display in managed browser is Yes.

    • High: Most restrictions are enforced on the device. Some of the values pre-configured with this security level are:

      • The default value for Recheck the access requirements after offline grace period is 1 hour.

      • The default value for Offline interval before app data is wiped is 7 days.

      • The default value for Allow simple PIN is No.

      • The default value for Disable contact sync is Yes.

  9. On the Summary page, review the information. You can also click Define Additional Properties, if you want to edit the values of the settings. Click Finish.

    On clicking Finish, ZENworks calls the Azure REST APIs and creates the same policy in Azure. At times, policy creation might fail in Azure. You can identify the reason for failure by navigating to the summary page of the policy in ZCC (click the policy in the Policies panel in ZCC) and checking the message logs. For more information on the possible reasons for failure, see Protecting Intune Apps.

30.4.2 Creating Android Intune App Protection Policy

To create this policy:

  1. Click Policies in the left-hand pane in ZCC.

  2. On the Select Platform page, select Mobile and click Next.

  3. On the Select Policy Category page, select Android and click Next.

  4. On the Select Policy Type page, click Android Intune App Protection Policy and click Next.

  5. On the Define Details page, specify the Policy Name, the folder in which the policy should reside, and a short description of the policy.

  6. On the Select Target Devices page, select the devices on which the policy is applied:

    • All Devices: Select this option to apply the policy to all devices.

    • Specific Devices: Select this option to apply the policy to specific devices. This option includes the following set of devices:

      • Android work profile devices: Select this option if you want to deploy the policy to all devices with an Android work profile. This setting is applicable only for Android devices.

      • Intune unmanaged devices (includes ZENworks managed devices): Select this option if you want to deploy the policy to devices that are managed by ZENworks and devices that are not managed by Intune.

      • Intune managed devices: Select this option if you want to deploy the policy to devices that are managed by Intune.

  7. On the Microsoft Intune Apps page, select the apps on which the restrictions should be applied. You can also click Add to include a custom app. A custom app is an in-house app that is not published on the Azure app portal. While adding a custom app, you need to specify the name of the app and its package ID. Click Next.

  8. On the App Protection Settings page, assign a security level. Based on the security level selected, the pre-defined values for each setting are populated. However, these values can be customized to suit your requirements:

    • Low: A few restrictions are enforced on the device. Some of the values pre-configured with this security level are:

      • The default value for Recheck the access requirements after offline grace period is 12 hours.

      • The default value for Offline interval before app data is wiped is 90 days.

      • The default value for Restrict web content to display in managed browser is No.

    • Moderate: Some restrictions are enforced on the device. Some of the values pre-configured with this security level are:

      • The default value for Recheck the access requirements after offline grace period is 6 hours.

      • The default value for Offline interval before app data is wiped is 30 days.

      • The default value for Restrict web content to display in managed browser is Yes.

    • High: Most restrictions are enforced on the device. Some of the values pre-configured with this security level are:

      • The default value for Recheck the access requirements after offline grace period is 1 hour.

      • The default value for Offline interval before app data is wiped is 7 days.

      • The default value for Allow simple PIN is No.

      • The default value for Disable contact sync is Yes.

  9. On the Summary page, review the information. You can also click Define Additional Properties, if you want to edit the values of the settings. Click Finish.

    On clicking Finish, ZENworks calls the Azure REST APIs and creates the same policy in Azure. At times, policy creation might fail in Azure. You can identify the reason for failure by navigating to the summary page of the policy in ZCC (click the policy in the Policies panel in ZCC) and checking the message logs. For more information on the possible reasons for failure, see Protecting Intune Apps.
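Step 8 of both the iOS and the Android procedures assigns the same Low, Moderate and High baselines, and edits made directly in the Azure portal are not synced back to ZENworks, so a policy can silently end up looser than the level it was created with. The following added example (not ZENworks or Microsoft code) encodes those baselines and reports every setting of a policy that is weaker than its level, which is a useful periodic check against the copy that lives in Azure. The Microsoft Graph style property names and ISO 8601 durations are assumptions about how the policy is represented, and the sample policy is constructed.

```python
import re

# Step 8 baselines for each security level. Graph-style property names and
# ISO 8601 durations are an assumption about how the policy is represented.
BASELINES = {
    "Low": {"periodOfflineBeforeAccessCheck": "PT12H",
            "periodOfflineBeforeWipeIsEnforced": "P90D",
            "managedBrowserToOpenLinksRequired": False},
    "Moderate": {"periodOfflineBeforeAccessCheck": "PT6H",
                 "periodOfflineBeforeWipeIsEnforced": "P30D",
                 "managedBrowserToOpenLinksRequired": True},
    "High": {"periodOfflineBeforeAccessCheck": "PT1H",
             "periodOfflineBeforeWipeIsEnforced": "P7D",
             "simplePinBlocked": True, "contactSyncBlocked": True},
}
# For these two settings a longer duration means weaker protection.
DURATION_KEYS = {"periodOfflineBeforeAccessCheck",
                 "periodOfflineBeforeWipeIsEnforced"}
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(value):
    """Parse an ISO 8601 duration such as PT12H or P90D into seconds."""
    m = _DUR.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def weaker_than_baseline(policy, level):
    """Map each setting looser than the level's baseline to (actual, baseline).
    Booleans count only where the baseline requires True."""
    findings = {}
    for key, base in BASELINES[level].items():
        actual = policy.get(key)
        if key in DURATION_KEYS:
            if actual is None or duration_seconds(actual) > duration_seconds(base):
                findings[key] = (actual, base)
        elif base is True and actual is not True:
            findings[key] = (actual, base)
    return findings

# Constructed sample: a policy created at "High" whose wipe interval was
# loosened to 30 days and whose simple-PIN block was cleared in the portal.
SAMPLE_POLICY = {
    "periodOfflineBeforeAccessCheck": "PT1H",
    "periodOfflineBeforeWipeIsEnforced": "P30D",
    "simplePinBlocked": False,
    "contactSyncBlocked": True,
}
```

Calling `weaker_than_baseline(SAMPLE_POLICY, "High")` returns the two loosened settings with their baseline values, while the same policy passes the Low baseline unchanged.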