Can app protection policy be applied to device enrolled in third party MDM?

Learn how to create and assign Microsoft Intune app protection policies (APP) for users of your organization. This topic also describes how to make changes to existing policies.

Before you begin

App protection policies can apply to apps running on devices that may or may not be managed by Intune. For a more detailed description of how app protection policies work and the scenarios that are supported by Intune app protection policies, see What are Microsoft Intune app protection policies?

If you're looking for a list of MAM supported apps, see MAM apps list.

For information about adding your organization's line-of-business (LOB) apps to Microsoft Intune to prepare for app protection policies, see Add apps to Microsoft Intune.

App protection policies for iOS/iPadOS and Android apps

When you create an app protection policy for iOS/iPadOS and Android apps, you follow a modern Intune process flow that results in a new app protection policy.

Create an iOS/iPadOS or Android app protection policy

  1. Sign in to the Microsoft Endpoint Manager Admin Center.

  2. In Intune portal, choose Apps > App protection policies. This selection opens the App protection policies details, where you create new policies and edit existing policies.

  3. Select Create policy and select either iOS/iPadOS or Android. The Create policy pane is displayed.

  4. On the Basics page, add the following values:

    • Name - The name of this app protection policy.
    • Description - [Optional] The description of this app protection policy.

    The Platform value is set based on your above choice.


  5. Click Next to display the Apps page.
    The Apps page allows you to choose how you want to apply this policy to apps on different devices. You must add at least one app.

    • Target to apps on all device types - Use this option to target your policy to apps on devices of any management state. Choose No to target apps on specific device types. For information, see Target app protection policies based on device management state.
    • Device types - Use this option to specify whether this policy applies to MDM managed devices or unmanaged devices. For iOS/iPadOS APP policies, select from Unmanaged and Managed devices. For Android APP policies, select from Unmanaged, Android device administrator, and Android Enterprise.
    • Public apps - Click Select public apps to choose the apps to target.
    • Custom apps - Click Select custom apps to select custom apps to target based on a Bundle ID.

    The app(s) you have selected will appear in the public and custom apps list.

  6. Click Next to display the Data protection page.
    This page provides settings for data loss prevention (DLP) controls, including cut, copy, paste, and save-as restrictions. These settings determine how users interact with data in the apps that this app protection policy applies to.

    Data protection settings:

    • iOS/iPadOS data protection - For information, see iOS/iPadOS app protection policy settings - Data protection.
    • Android data protection - For information, see Android app protection policy settings - Data protection.
  7. Click Next to display the Access requirements page.
    This page provides settings to allow you to configure the PIN and credential requirements that users must meet to access apps in a work context.

    Access requirements settings:

    • iOS/iPadOS access requirements - For information, see iOS/iPadOS app protection policy settings - Access requirements.
    • Android access requirements - For information, see Android app protection policy settings - Access requirements.
  8. Click Next to display the Conditional launch page.
    This page provides settings to set the sign-in security requirements for your app protection policy. Select a Setting and enter the Value that users must meet to sign in to your company app. Then select the Action you want to take if users do not meet your requirements. In some cases, multiple actions can be configured for a single setting.

    Conditional launch settings:

    • iOS/iPadOS conditional launch - For information, see iOS/iPadOS app protection policy settings - Conditional launch.
    • Android conditional launch - For information, see Android app protection policy settings - Conditional launch.
  9. Click Next to display the Assignments page.
    The Assignments page allows you to assign the app protection policy to groups of users.

  10. Click Next: Review + create to review the values and settings you entered for this app protection policy.

  11. When you are done, click Create to create the app protection policy in Intune.

    [!TIP] These policy settings are enforced only when using apps in the work context. When end users use the app to do a personal task, they aren't affected by these policies. Note that when you create a new file it is considered a personal file.

End users can download the apps from the App store or Google Play. For more information, see:

  • What to expect when your Android app is managed by app protection policies
  • What to expect when your iOS/iPadOS app is managed by app protection policies

Change existing policies

You can edit an existing policy and apply it to the targeted users. However, when you change existing policies, users who are already signed in to the apps won’t see the changes for an eight-hour period.

To see the effect of the changes immediately, the end user must sign out of the app, and then sign back in.

To change the list of apps associated with the policy

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Properties.

  3. Next to the section titled Apps, select Edit.

  4. The Apps page allows you to choose how you want to apply this policy to apps on different devices. You must add at least one app.

    • Target to apps on all device types - Use this option to target your policy to apps on devices of any management state. Choose No to target apps on specific device types. For information, see Target app protection policies based on device management state.
    • Device types - Use this option to specify whether this policy applies to MDM managed devices or unmanaged devices. For iOS/iPadOS APP policies, select from Unmanaged and Managed devices. For Android APP policies, select from Unmanaged, Android device administrator, and Android Enterprise.
    • Public apps - Click Select public apps to choose the apps to target.
    • Custom apps - Click Select custom apps to select custom apps to target based on a Bundle ID.

    The app(s) you have selected will appear in the public and custom apps list.

  5. Click Review + create to review the apps selected for this policy.

  6. When you are done, click Save to update the app protection policy.

To change the list of user groups

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Properties.

  3. Next to the section titled Assignments, select Edit.

  4. To add a new user group to the policy, on the Include tab choose Select groups to include, and select the user group. Choose Select to add the group.

  5. To exclude a user group, on the Exclude tab choose Select groups to exclude, and select the user group. Choose Select to remove the user group.

  6. To delete groups that were added previously, on either the Include or Exclude tabs, select the ellipsis (...) and select Delete.

  7. Click Review + create to review the user groups selected for this policy.

  8. After your changes to the assignments are ready, select Save to save the configuration and deploy the policy to the new set of users. If you select Cancel before you save your configuration, you will discard all changes you've made to the Include and Exclude tabs.

To change policy settings

  1. In the App protection policies pane, select the policy you want to change.

  2. In the Intune App Protection pane, select Properties.

  3. Next to the section corresponding to the settings you want to change, select Edit. Then change the settings to new values.

  4. Click Review + create to review the updated settings for this policy.

  5. Select Save to save your changes. Repeat the process of selecting a settings area, modifying it, and saving your changes until all your changes are complete. You can then close the Intune App Protection - Properties pane.

Target app protection policies based on device management state

In many organizations, it's common to allow end users to use both Intune Mobile Device Management (MDM) managed devices, such as corporate-owned devices, and unmanaged devices protected only by Intune app protection policies. Unmanaged devices are often known as Bring Your Own Device (BYOD) devices.

Because Intune app protection policies target a user's identity, the protection settings for a user can apply to both enrolled (MDM managed) and non-enrolled devices (no MDM). Therefore, you can target an Intune app protection policy to either Intune enrolled or unenrolled iOS/iPadOS and Android devices. You can have one protection policy for unmanaged devices in which strict data loss prevention (DLP) controls are in place, and a separate protection policy for MDM managed devices, where the DLP controls may be a little more relaxed. For more information about how this works on personal Android Enterprise devices, see App protection policies and work profiles.

To create these policies, browse to Apps > App protection policies in the Intune console, and then select Create policy. You can also edit an existing app protection policy. To have the app protection policy apply to both managed and unmanaged devices, navigate to the Apps page and confirm that Target to apps on all device types is set to Yes, the default value. If you want to assign granularly based on management state, set Target to apps on all device types to No.

Device types

  • Unmanaged: Unmanaged devices are devices where Intune MDM management has not been detected. This includes devices managed by third-party MDM vendors.
  • Intune managed devices: Managed devices are managed by Intune MDM.
  • Android device administrator: Intune-managed devices using the Android Device Administration API.
  • Android Enterprise: Intune-managed devices using Android Enterprise Work Profiles or Android Enterprise Full Device Management.

[!NOTE] Android devices will prompt to install the Intune Company Portal app regardless of which Device type is chosen. For example, if you select 'Android Enterprise' then users with unmanaged Android devices will still be prompted.

For iOS/iPadOS, additional app configuration settings are required to target app protection policy (APP) settings to apps on Intune enrolled devices:

  • IntuneMAMUPN must be configured for all MDM managed applications. For more information, see How to manage data transfer between iOS/iPadOS apps in Microsoft Intune.
  • IntuneMAMDeviceID must be configured for all third-party and line-of-business MDM managed applications. The IntuneMAMDeviceID should be configured to the device ID token. For example, key=IntuneMAMDeviceID, value={{deviceID}}. For more information, see Add app configuration policies for managed iOS/iPadOS devices.
  • If only the IntuneMAMDeviceID is configured, the Intune APP will consider the device as unmanaged.

[!NOTE] For specific iOS/iPadOS support information about app protection policies based on device management state, see MAM protection policies targeted based on management state.
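The device-type buckets above and the iOS app configuration rules (IntuneMAMUPN, IntuneMAMDeviceID) are easy to get wrong when a third-party MDM is in the picture. The following added example (not Microsoft's code) encodes the rules as this page states them as a small pre-deployment check: it classifies an app instance into the Device types bucket an APP policy would match and audits an iOS app configuration for the keys the page requires. The `AppInstance` type, the `{{userprincipalname}}` token used in the sample, and all sample inputs are constructed for the example.

```python
"""Added example: classify an app instance by APP 'Device types' and audit
iOS managed app configuration against the rules on this page."""
from dataclasses import dataclass, field

UNMANAGED = "Unmanaged"                      # Intune MDM not detected (incl. third-party MDM)
INTUNE_MANAGED = "Intune managed devices"
ANDROID_DA = "Android device administrator"
ANDROID_ENTERPRISE = "Android Enterprise"

@dataclass
class AppInstance:                           # constructed type for this example
    platform: str                            # "iOS" or "Android"
    mdm: str                                 # "intune", "third-party" or "none"
    android_enrollment: str = ""             # "device-admin" or "enterprise" (Intune Android)
    app_kind: str = "microsoft"              # "microsoft" or "third-party-or-lob" app
    app_config: dict = field(default_factory=dict)   # managed app configuration keys

def device_type(inst: AppInstance) -> str:
    """Bucket an APP policy's Device types setting would match for this instance."""
    if inst.mdm != "intune":
        return UNMANAGED                     # third-party MDM and no MDM both land here
    if inst.platform == "Android":
        return ANDROID_ENTERPRISE if inst.android_enrollment == "enterprise" else ANDROID_DA
    return INTUNE_MANAGED

def audit_ios_app_config(inst: AppInstance) -> list:
    """Findings for an Intune-enrolled iOS app that should be targeted as managed."""
    findings = []
    if inst.platform != "iOS" or inst.mdm != "intune":
        return findings                      # rules below only concern Intune-managed iOS apps
    cfg = inst.app_config
    if "IntuneMAMUPN" not in cfg:
        findings.append("IntuneMAMUPN missing: required for every MDM managed app")
    if inst.app_kind != "microsoft":         # third-party and LOB apps also need the device ID
        dev_id = cfg.get("IntuneMAMDeviceID")
        if dev_id is None:
            findings.append("IntuneMAMDeviceID missing: required for third-party/LOB MDM managed apps")
        elif dev_id != "{{deviceID}}":
            findings.append("IntuneMAMDeviceID must be the device ID token {{deviceID}}, got %r" % dev_id)
    if "IntuneMAMDeviceID" in cfg and "IntuneMAMUPN" not in cfg:
        findings.append("only IntuneMAMDeviceID set: Intune APP will treat the device as unmanaged")
    return findings

if __name__ == "__main__":
    # constructed sample: LOB app on an Intune-enrolled iPad with an incomplete configuration
    sample = AppInstance("iOS", "intune", app_kind="third-party-or-lob",
                         app_config={"IntuneMAMDeviceID": "{{deviceID}}"})
    print(device_type(sample))
    for f in audit_ios_app_config(sample):
        print(" -", f)
```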

Policy settings

To see a full list of the policy settings for iOS/iPadOS and Android, select one of the following links:

Can we use Intune app protection policies independent of any mobile device management MDM solution?

You can use Intune app protection policies independent of any mobile-device management (MDM) solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution.

On which devices can you apply app configuration policies?

You can create and use app configuration policies to provide configuration settings for both iOS/iPadOS and Android apps.

Which apps can be managed by app protection policies?

App protection policies can be configured for apps that run on devices that are:

  • Enrolled in Microsoft Intune: These devices are typically corporate owned.
  • Enrolled in a third-party mobile device management (MDM) solution: These devices are typically corporate owned.

What is the retry interval when a user has not applied the app protection policy, irrespective of the platform?

Wait for the next retry interval; App Protection is not active for the user. The interval is 12 hours. However, on Android devices this interval requires Intune APP SDK version 5.6.0 or later.