What is Intune App Protection for mobile applications?

Overview

The University of Idaho has deployed Microsoft Intune App Protection policies to all students, faculty, staff and affiliates. These policies secure Microsoft mobile applications, like Outlook and Teams, when used on Android and iOS (iPhone) devices.

 

User Experience - Standard Access

The primary purpose of the standard app protection policy is to require encryption for Microsoft mobile applications. This ensures that application data is encrypted on the mobile device regardless of whether the operating system is encrypting everything. Information about Android App Protection is available here: https://learn.microsoft.com/en-us/intune/intune-service/user-help/use-managed-apps-on-your-device-android

 

Android

When configuring the first Microsoft protected application, a dialog will be displayed requiring installation of the "Microsoft Intune Company Portal" app. There will be a link to go to the store to install the application. Sign-in to Company Portal is *not* required. Once the application is installed, you can return to the original Microsoft application.

Intune Company Portal install required.

To use your work or school account with this app, you must install the Microsoft Intune Company Portal app. Tap "Go to store" to continue.
 

The Intune Company Portal application only needs to be installed once. After it is installed, when you start an application protected by App Protection policies, this dialog will be displayed.

Uploaded Image (Thumbnail)

 

iOS (iPhone)

On iOS, the Intune App Protection encryption requirement is enforced by the operating system, so the Intune Company Portal does not need to be installed. Simply using Microsoft mobile applications will enforce encryption of the data on the device.

You will see this notice on the device:

Your organization is now protecting its data in this app. Restart the app to continue


 

User Experience - High Risk

Employees with access to High Risk data have additional restrictions in App Protection policies. This typically includes requiring creation of a PIN and the use of biometric authentication when accessing a Microsoft application. This is very similar to mobile banking applications.

Note: Additional restrictions are in place with the high risk policy:

  • Screenshots are also blocked.
  • Copying and pasting data is limited to other protected applications.

 

Android

The Intune Company Portal app is installed through the same process as for standard access Android users. The difference is that after the "Get Access" protection screen is displayed, an additional PIN creation process is required. The PIN must be at least 6 digits and must contain numeric characters only.


Once the PIN has been created, biometric authentication will be required after a 30-minute timeout or device unlock. If the device is not capable of biometric authentication, the PIN will be required.

 

iOS (iPhone)

The process for using App Protection on a high risk iOS device is minimal. After the organization protection screen, a Face ID registration page will be displayed. This will allow Outlook to use biometric authentication for the Microsoft application.


 

Protected Applications

These applications are included in the High Risk policies. Although an app may be included in the policy, it will not be restricted unless it is wrapped using the Intune App Wrapping Tool.

  • Adobe Acrobat Reader
  • Microsoft Azure
  • Microsoft Dynamics 365 for phones
  • Microsoft Dynamics 365 for tablets
  • Azure Information Protection
  • Microsoft Launcher
  • Microsoft Edge
  • Microsoft Lists
  • Microsoft Loop
  • Microsoft Kaizala
  • Microsoft Excel
  • Skype for Business
  • Microsoft 365 Copilot
  • Microsoft Office (HL)
  • Microsoft Office (ROW)
  • Microsoft Lens
  • Microsoft OneNote
  • Microsoft Outlook
  • Microsoft PowerPoint
  • Microsoft Word
  • Outlook Groups
  • Microsoft Planner
  • Microsoft Power BI
  • Microsoft SharePoint
  • Microsoft OneDrive
  • Microsoft Teams
  • Microsoft To-Do
  • Microsoft Whiteboard
  • Microsoft 365 Admin
  • Tableau Mobile for Intune
  • Viva Engage
  • Microsoft StaffHub
  • Zoom for Intune
  • com.microsoft.intune.mam.managedbrowser
  • com.microsoft.rdc.android
  • com.teamdynamix.mobileapp