Intune app protection policy settings (Android)

With an Intune app protection policy you define restrictions for Intune-managed apps. This section describes the available settings for Android apps.

General settings

Setting

Description

Name

The name of the policy.

Description

A short description of the policy.

Data relocation

Under Data relocation, you configure how data is allowed to enter or leave the app.

Note: All settings apply to data that users access when logged in with their corporate account.

Setting

Description

Prevent Android backups

The app doesn’t use the Android backup service.

Allow app to transfer data to other apps

The apps this app can transfer data to:

Policy-managed apps: Only allow transfer to other apps managed by an Intune policy.

All apps: Allow transfer to any app.

No apps: Do not allow transfer to any app.

Note
  • There might be apps and services to which data transfer is always allowed. For details, see the Microsoft Intune documentation on data transfer exemption.
  • Data transfer to an Android instant app is always blocked.

Allow app to receive data from other apps

The apps this app can receive data from:

Policy-managed apps: Only allow transfer from other apps managed by an Intune policy.

All apps: Allow transfer from any app.

No apps: Do not allow transfer from any app.

Note
  • There might be apps and services from which data transfer is always allowed. For details, see the Microsoft Intune documentation on data transfer exemption.
  • Data transfer from an Android instant app is always blocked.

Prevent “Save As”

The Save-As option of the app is disabled.

Storage locations

If Prevent “Save As” is selected, select the locations where corporate data is stored.

Users can save to the selected locations. Other locations are blocked.

Restrict cut, copy, and paste with other apps

Select how cut, copy, and paste actions can be used with the app.

Blocked: Do not allow cut, copy, and paste actions between this app and other apps.

Policy-managed apps: Allow cut, copy, and paste actions between this app and other apps managed by an Intune policy.

Policy-managed with paste in: Allow cut or copy between this app and other apps managed by an Intune policy. Allow data from any app to be pasted into this app.

All apps: No restrictions for cut, copy, and paste to and from this app.

Restrict web content to display in the Managed Browser

Force web links in the app to open in the Intune Managed Browser app.

Encrypt app data

Data is encrypted using an encryption scheme defined by Intune.

Disable contacts sync

The app doesn’t save data to the Contacts app.

Disable printing

Printing is disabled in the app.

Access

Under Access, you configure how users can access the app when logged in with their corporate account.

Setting

Description

Require PIN for access

A PIN is required to use the app.

Users are prompted to set a PIN the first time they log in with their corporate account.

Note: All Intune-managed Android apps share the same PIN.

Number of attempts before PIN reset

The number of failed login attempts before the PIN is reset.

Forbid simple PIN

Users are not allowed to use simple PIN sequences such as 1234 or 1111.

PIN length

The minimum number of digits in a PIN sequence.

Forbid fingerprint

Users can’t use fingerprint authentication instead of a PIN.

Require corporate credentials for access

Users must enter their corporate password instead of a PIN.

This setting overrides the other PIN requirements.

Block managed apps from running on rooted devices

On rooted devices, users can’t use the app with their corporate account.

Access requirements timeout

The time in minutes before the access requirements (set in this policy) are rechecked when the app is launched.

Note: After users have entered the PIN once, they may use other Intune-managed apps without having to enter the PIN again, for the time period defined in this setting.

Offline grace period

The time in minutes that a device can be offline before the access requirements for the app are rechecked.

After this period has expired, the app requires the user to connect to the network and authenticate again.

Offline interval before app data is wiped

The number of days that a device can be offline before the user must connect to the network and authenticate again.

If authentication fails, corporate app data is wiped.

Note: For the Microsoft Outlook app, wiping the app data also removes data saved to the Contacts app.

Block screen capture and Android Assistant

Users can’t take screen captures or use the Google Assistant.

This also blurs the app picture in the list of recent apps.

Required minimum Android version

The minimum Android version required to use the app.

Leave the field empty to ignore this setting.

Recommended minimum Android version

The recommended minimum Android version to use the app.

If the device doesn’t meet this requirement, a notification is displayed which the user can dismiss.

Leave the field empty to ignore this setting.

Required minimum app version

The minimum app version required to use the app.

Leave the field empty to ignore this setting.

Recommended minimum app version

The recommended minimum app version to use the app.

If the app on the device doesn’t meet this requirement, a notification is displayed which the user can dismiss.

Leave the field empty to ignore this setting.

Required minimum Android patch version

The minimum Android security patch level required to use the app.

Enter the patch level date, using the format YYYY-MM-DD.

Leave the field empty to ignore this setting.

Recommended minimum Android patch version

The recommended minimum Android security patch level to use the app.

Enter the patch level date, using the format YYYY-MM-DD.

If the device doesn’t meet this requirement, a notification is displayed which the user can dismiss.

Leave the field empty to ignore this setting.
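Several settings above depend on each other: corporate credentials override the PIN requirements, Storage locations only applies when Prevent “Save As” is selected, and patch levels must be YYYY-MM-DD dates. The following added example (not part of the product or the original page) reviews a policy for those cases before it is deployed. The dictionary layout, the unquoted key `Prevent Save As`, and all sample values are assumptions made for the example.

```python
from datetime import datetime

REQ, REC = ("Required minimum Android patch version",
            "Recommended minimum Android patch version")
SHARING = ("Allow app to transfer data to other apps",
           "Allow app to receive data from other apps",
           "Restrict cut, copy, and paste with other apps")
PIN_KEYS = ("Require PIN for access", "PIN length", "Forbid simple PIN")

# Constructed sample; keys are setting names from this page, values are invented.
SAMPLE_POLICY = {
    "Allow app to transfer data to other apps": "All apps",
    "Restrict cut, copy, and paste with other apps": "Policy-managed with paste in",
    "Prevent Save As": False,
    "Storage locations": ["example-location"],
    "Require PIN for access": True,
    "PIN length": 4,
    "Require corporate credentials for access": True,
    REQ: "2023-02-30",   # not a real calendar date
    REC: "2023-01-01",
}

def parse_patch_level(value):
    """Return a date for strict YYYY-MM-DD, None for an empty (ignored) field."""
    if not value:
        return None
    if len(value) != 10:          # strptime alone would accept "2023-1-5"
        raise ValueError(value)
    return datetime.strptime(value, "%Y-%m-%d").date()

def review_policy(policy):
    """Return a list of findings for inconsistent or unrestricted settings."""
    findings, dates = [], {}
    for key in (REQ, REC):
        try:
            dates[key] = parse_patch_level(policy.get(key, ""))
        except ValueError:
            dates[key] = None
            findings.append(f"{key}: not a valid YYYY-MM-DD date")
    if dates[REQ] and dates[REC] and dates[REC] <= dates[REQ]:
        findings.append("Recommended patch level is not newer than the required one")
    if policy.get("Require corporate credentials for access"):
        if any(policy.get(k) for k in PIN_KEYS):
            findings.append("PIN settings are overridden by corporate credentials")
    if policy.get("Storage locations") and not policy.get("Prevent Save As"):
        findings.append("Storage locations set without Prevent Save As")
    for key in SHARING:
        if policy.get(key) == "All apps":
            findings.append(f"{key}: unrestricted (All apps)")
    return findings
```

Calling `review_policy(SAMPLE_POLICY)` returns four findings: the invalid required patch date, the overridden PIN settings, the unused storage locations, and the unrestricted outbound data transfer.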