Intune app protection policy settings (iOS, iPadOS)

With an Intune app protection policy you define restrictions for Intune-managed apps. This section describes the available settings for iPhone and iPad apps.

General settings

Setting

Description

Name

The name of the policy.

Description

A short description of the policy.

Data relocation

Under Data relocation, you configure how data is allowed to enter or leave the app.

Note All settings apply to data users access when logged in with their corporate account.

Setting

Description

Prevent iTunes and iCloud backups

The app doesn’t back up data to iTunes or iCloud.

Allow app to transfer data to other apps

The apps this app can transfer data to:

Policy-managed apps: Only allow transfer to other apps managed by an Intune policy.

All apps: Allow transfer to any app.

No apps: Do not allow transfer to any app.

Note
  • There might be apps and services to which data transfer is always allowed. For details, see the Microsoft Intune documentation on data transfer exemption.
  • Policy-managed apps and No apps also block Siri to search data within the app.

Allow app to receive data from other apps

The apps this app can receive data from:

Policy-managed apps: Only allow transfer from other apps managed by an Intune policy.

All apps: Allow transfer from any app.

No apps: Do not allow transfer from any app.

Note
  • There might be apps and services from which data transfer is always allowed. For details, see the Microsoft Intune documentation on data transfer exemption.
  • Some apps ignore this setting and allow all incoming data.

Prevent “Save As”

The Save-As option of the app is disabled.

Storage locations

If Prevent “Save As” is selected, select the locations where corporate data is stored.

Users can save to the selected locations. Other locations are blocked.

Restrict cut, copy, and paste with other apps

Select how cut, copy, and paste actions can be used with the app.

Blocked: Do not allow cut, copy, and paste actions between this app and other apps.

Policy-managed apps: Allow cut, copy, and paste actions between this app and other apps managed by an Intune policy.

Policy-managed with paste in: Allow cut or copy between this app and other apps managed by an Intune policy. Allow data from any app to be pasted into this app.

All apps: No restrictions for cut, copy, and paste to and from this app.

Restrict web content to display in the Managed Browser

Enforce web links in the app to be opened in the Intune Managed Browser app.

Encrypt app data

Select when data is encrypted. Data is encrypted using the device-level encryption scheme provided by the device.

When device is locked: App data is encrypted when the device is locked.

When device is locked and there are open files: App data is encrypted when the device is locked, except data of currently open files.

When device restart: App data is encrypted when the devices is restarted, until the device is unlocked for the first time.

Use device settings: App data is encrypted based on the device settings.

Disable contacts sync

The app doesn’t save data to the Contacts app.

Disable printing

Printing is disabled in the app.

Access

Under Access, you configure how users can access the app when logged in with their corporate account.

Setting

Description

Require PIN for access

A PIN is required to use the app.

Users are prompted to set a PIN the first time they log in with their corporate account.

Note All Intune-managed iPhone and iPad apps of the same publisher share the same PIN.

Password type

The type of PIN users must define:

Numeric: PIN must only contain digits.

Passcode: PIN must contain at least one letter, special character, or symbol (as available on the English language keyboard).

Note Some apps don’t support the Passcode type.

Number of attempts before PIN reset

The number of failed login attempts before the PIN is reset.

Forbid simple PIN

Users are not allowed to use simple PIN sequences such as 1234 or 1111.

If Password type is set to Passcode, the PIN must contain at least one digit, one letter, and one special character or symbol.

PIN length

The minimum number of characters in a PIN sequence.

Forbid fingerprint

Users can’t use Touch ID instead of a PIN for authentication.

Forbid facial recognition

Users can’t use Face ID instead of a PIN for authentication.

Require corporate credentials for access

Users must enter their corporate password instead of a PIN.

This setting overrides the other PIN requirements.

Block managed apps from running on jailbroken devices

On jailbroken devices, users can’t use the app with their corporate account.

Access requirements timeout

The time in minutes before the access requirements (set in this policy) are rechecked when the app is launched.

Note After users have entered the PIN once, they may use other Intune-managed apps of the same publisher without having to enter the PIN again, for the time period defined in this setting.

Offline grace period

The time in minutes that a device can be offline before the access requirements for the app are rechecked.

After this period is expired, the app requires the user to connect to the network and authenticate again.

Offline interval before app data is wiped

The number of days that a device can be offline before the user must connect to the network and authenticate again.

If authentication fails, corporate app data is wiped.

Note For the Microsoft Outlook app, wiping the app data also removes data saved to the Contacts app.

Required minimum iOS version

The minimum iOS or iPadOS version required to use the app.

Leave the field empty to ignore this setting.

Recommended minimum iOS version

The recommended minimum iOS or iPadOS version to use the app.

If the device doesn’t meet this requirement, a notification is displayed which the user can dismiss.

Leave the field empty to ignore this setting.

Required minimum app version

The minimum app version required to use the app.

Leave the field empty to ignore this setting.

Recommended minimum app version

The recommended minimum app version to use the app.

If the app on the device doesn’t meet this requirement, a notification is displayed which the user can dismiss.

Leave the field empty to ignore this setting.

Required minimum Intune app protection policy SDK version

The minimum Intune app protection policy SDK version the app must have.

Leave the field empty to ignore this setting.