Intune app protection policy settings (Android)
With an Intune app protection policy you define restrictions for Intune-managed apps. This page describes the available settings for Android apps.
General settings
Setting | Description |
---|---|
Name | The name of the policy. |
Description | A short description of the policy. |
Data relocation
Under Data relocation, you configure how data is allowed to enter or leave the app.
All settings apply to data users access when logged in with their corporate account.
Setting | Description |
---|---|
Prevent Android backups | The app doesn’t use the Android backup service. |
Allow app to transfer data to other apps | The apps this app can transfer data to:
There might be apps and services to which data transfer is always allowed. For details, see the Microsoft Intune documentation on data transfer exemption. Data transfer to an Android instant app is always blocked. |
Allow app to receive data from other apps | The apps this app can receive data from:
There might be apps and services from which data transfer is always allowed. For details, see the Microsoft Intune documentation on data transfer exemption. Data transfer from an Android instant app is always blocked. |
Prevent “Save As” | The Save-As option of the app is disabled. |
Storage locations | If Prevent “Save As” is selected, select the locations where corporate data is stored. Users can save to the selected locations. Other locations are blocked. |
Restrict cut, copy, and paste with other apps | Select how cut, copy, and paste actions can be used with the app.
|
Restrict web content to display in the Managed Browser | Enforce web links in the app to be opened in the Intune Managed Browser app. |
Encrypt app data | Data is encrypted using an encryption scheme defined by Intune. |
Disable contacts sync | The app doesn’t save data to the Contacts app. |
Disable printing | Printing is disabled in the app. |
Access
Under Access, you configure how users can access the app when logged in with their corporate account.
Setting | Description |
---|---|
Require PIN for access | A PIN is required to use the app. Users are prompted to set a PIN the first time they log in with their corporate account. All Intune-managed Android apps share the same PIN. |
Number of attempts before PIN reset | The number of failed login attempts before the PIN is reset. |
Forbid simple PIN | Users are not allowed to use simple PIN sequences such as 1234 or 1111 . |
PIN length | The minimum number of digits in a PIN sequence. |
Forbid fingerprint | Users can’t use fingerprint authentication instead of a PIN for authentication. |
Require corporate credentials for access | Users must enter their corporate password instead of a PIN. This setting overrides the other PIN requirements. |
Block managed apps from running on rooted devices | On rooted devices, users can’t use the app with their corporate account. |
Access requirements timeout | The time in minutes before the access requirements (set in this policy) are rechecked when the app is launched. After users have entered the PIN once, they may use other Intune-managed apps without having to enter the PIN again, for the time period defined in this setting. |
Offline grace period | The time in minutes that a device can be offline before the access requirements for the app are rechecked. After this period is expired, the app requires the user to connect to the network and authenticate again. |
Offline interval before app data is wiped | The number of days that a device can be offline before the user must connect to the network and authenticate again. If authentication fails, corporate app data is wiped. For the Microsoft Outlook app, wiping the app data also removes data saved to the Contacts app. |
Block screen capture and Android Assistant | Users can’t take screen captures or use the Google Assistant. This also blurs the app picture in the list of recent apps. |
Required minimum Android version | The minimum Android version required to use the app. Leave the field empty to ignore this setting. |
Recommended minimum Android version | The recommended minimum Android version to use the app. If the device doesn’t meet this requirement, a notification is displayed which the user can dismiss. Leave the field empty to ignore this setting. |
Required minimum app version | The minimum app version required to use the app. Leave the field empty to ignore this setting. |
Recommended minimum app version | The recommended minimum app version to use the app. If the app on the device doesn’t meet this requirement, a notification is displayed which the user can dismiss. Leave the field empty to ignore this setting. |
Required minimum Android patch version | The minimum Android security patch level required to use the app. Enter the patch level date, using the format Leave the field empty to ignore this setting. |
Recommended minimum Android patch version | The recommended minimum Android security patch level to use the app. Enter the patch level date, using the format If the device doesn’t meet this requirement, a notification is displayed which the user can dismiss. Leave the field empty to ignore this setting. |