Intune app protection policy settings (Android)

With an Intune app protection policy you define restrictions for Intune-managed apps. This page describes the available settings for Android apps.

General settings

Setting | Description
Name | The name of the policy.
Description | A short description of the policy.

Data relocation

Under Data relocation, you configure how data is allowed to enter or leave the app.

All settings apply to data that users access when logged in with their corporate account.

Setting | Description
Prevent Android backups | The app doesn’t use the Android backup service.
Allow app to transfer data to other apps | The apps this app can transfer data to:
  • Policy-managed apps: Only allow transfer to other apps managed by an Intune policy.
  • All apps: Allow transfer to any app.
  • No apps: Do not allow transfer to any app.

  There might be apps and services to which data transfer is always allowed. For details, see the Microsoft Intune documentation on data transfer exemption.

  Data transfer to an Android instant app is always blocked.

Allow app to receive data from other apps | The apps this app can receive data from:
  • Policy-managed apps: Only allow transfer from other apps managed by an Intune policy.
  • All apps: Allow transfer from any app.
  • No apps: Do not allow transfer from any app.

  There might be apps and services from which data transfer is always allowed. For details, see the Microsoft Intune documentation on data transfer exemption.

  Data transfer from an Android instant app is always blocked.

Prevent “Save As” | The Save-As option of the app is disabled.
Storage locations | If Prevent “Save As” is selected, select the locations where corporate data is stored.

  Users can save to the selected locations. Other locations are blocked.

Restrict cut, copy, and paste with other apps | Select how cut, copy, and paste actions can be used with the app.
  • Blocked: Do not allow cut, copy, and paste actions between this app and other apps.
  • Policy-managed apps: Allow cut, copy, and paste actions between this app and other apps managed by an Intune policy.
  • Policy-managed with paste in: Allow cut or copy between this app and other apps managed by an Intune policy. Allow data from any app to be pasted into this app.
  • All apps: No restrictions for cut, copy, and paste to and from this app.
Restrict web content to display in the Managed Browser | Enforce web links in the app to be opened in the Intune Managed Browser app.
Encrypt app data | Data is encrypted using an encryption scheme defined by Intune.
Disable contacts sync | The app doesn’t save data to the Contacts app.
Disable printing | Printing is disabled in the app.
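
The following is an added example, not part of the Intune documentation or product: a small audit that lists which Data relocation settings still leave a path open between the app and destinations that are not managed by an Intune policy. The dict layout, the function names and the treatment of a missing key as unrestricted are assumptions; exemption lists are not modelled.

```python
# Added example. The dict layout is an assumption; keys reuse this page's labels.
TRANSFER_OUT = "Allow app to transfer data to other apps"
RECEIVE_IN = "Allow app to receive data from other apps"
CLIPBOARD = "Restrict cut, copy, and paste with other apps"
SCOPES = ("Policy-managed apps", "All apps", "No apps")
CLIP_MODES = ("Blocked", "Policy-managed apps",
              "Policy-managed with paste in", "All apps")
# Checkboxes that close an outbound path when selected.
TOGGLES = ("Prevent Android backups", 'Prevent "Save As"',
           "Disable contacts sync", "Disable printing")

def _choice(policy, key, allowed):
    """Read a list setting; a missing key counts as 'All apps' (assumption)."""
    value = policy.get(key, "All apps")
    if value not in allowed:
        raise ValueError(f"{key}: unexpected value {value!r}")
    return value

def open_outbound_paths(policy):
    """Settings that still let data leave to non-managed destinations."""
    paths = [name for name in TOGGLES if not policy.get(name, False)]
    if _choice(policy, TRANSFER_OUT, SCOPES) == "All apps":
        paths.append(TRANSFER_OUT)
    if _choice(policy, CLIPBOARD, CLIP_MODES) == "All apps":
        paths.append(CLIPBOARD)
    return paths

def open_inbound_paths(policy):
    """Settings that still let data from non-managed apps enter the app."""
    paths = []
    if _choice(policy, RECEIVE_IN, SCOPES) == "All apps":
        paths.append(RECEIVE_IN)
    # "Policy-managed with paste in" closes copy-out but keeps paste-in open.
    clip = _choice(policy, CLIPBOARD, CLIP_MODES)
    if clip in ("Policy-managed with paste in", "All apps"):
        paths.append(CLIPBOARD)
    return paths

# Constructed sample policies.
PERMISSIVE = {TRANSFER_OUT: "All apps", RECEIVE_IN: "All apps",
              CLIPBOARD: "All apps"}
RESTRICTED = {**dict.fromkeys(TOGGLES, True),
              TRANSFER_OUT: "Policy-managed apps",
              RECEIVE_IN: "Policy-managed apps",
              CLIPBOARD: "Policy-managed with paste in"}
```

For `RESTRICTED`, the outbound list is empty while the inbound list still contains the clipboard setting, which is the asymmetry of the "Policy-managed with paste in" option.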

Access

Under Access, you configure how users can access the app when logged in with their corporate account.

Setting | Description
Require PIN for access | A PIN is required to use the app.

  Users are prompted to set a PIN the first time they log in with their corporate account.

  All Intune-managed Android apps share the same PIN.

Number of attempts before PIN reset | The number of failed login attempts before the PIN is reset.
Forbid simple PIN | Users are not allowed to use simple PIN sequences such as 1234 or 1111.
PIN length | The minimum number of digits in a PIN sequence.
Forbid fingerprint | Users can’t use fingerprint authentication instead of a PIN.
Require corporate credentials for access | Users must enter their corporate password instead of a PIN.

  This setting overrides the other PIN requirements.

Block managed apps from running on rooted devices | On rooted devices, users can’t use the app with their corporate account.
Access requirements timeout | The time in minutes before the access requirements (set in this policy) are rechecked when the app is launched.

  After users have entered the PIN once, they may use other Intune-managed apps without having to enter the PIN again, for the time period defined in this setting.

Offline grace period | The time in minutes that a device can be offline before the access requirements for the app are rechecked.

  After this period has expired, the app requires the user to connect to the network and authenticate again.

Offline interval before app data is wiped | The number of days that a device can be offline before the user must connect to the network and authenticate again.

  If authentication fails, corporate app data is wiped.

  For the Microsoft Outlook app, wiping the app data also removes data saved to the Contacts app.

Block screen capture and Android Assistant | Users can’t take screen captures or use the Google Assistant.

  This also blurs the app picture in the list of recent apps.

Required minimum Android version | The minimum Android version required to use the app.

  Leave the field empty to ignore this setting.

Recommended minimum Android version | The recommended minimum Android version to use the app.

  If the device doesn’t meet this requirement, a notification is displayed which the user can dismiss.

  Leave the field empty to ignore this setting.

Required minimum app version | The minimum app version required to use the app.

  Leave the field empty to ignore this setting.

Recommended minimum app version | The recommended minimum app version to use the app.

  If the app on the device doesn’t meet this requirement, a notification is displayed which the user can dismiss.

  Leave the field empty to ignore this setting.

Required minimum Android patch version | The minimum Android security patch level required to use the app.

  Enter the patch level date, using the format YYYY-MM-DD.

  Leave the field empty to ignore this setting.

Recommended minimum Android patch version | The recommended minimum Android security patch level to use the app.

  Enter the patch level date, using the format YYYY-MM-DD.

  If the device doesn’t meet this requirement, a notification is displayed which the user can dismiss.

  Leave the field empty to ignore this setting.
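
The following is an added example, not Intune's own code: a model of how the six required and recommended minimum settings above combine into one outcome, useful for checking planned values against a device inventory before rollout. The function names, the device dict keys and the assumption that versions are dotted numbers are hypothetical; the sample values are constructed.

```python
from datetime import date

def _version(text):
    """'4.10.0' -> (4, 10): numeric parts, trailing zeros dropped so 9.0 == 9."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def _patch(text):
    """Security patch level given as YYYY-MM-DD."""
    return date.fromisoformat(text.strip())

# (setting suffix from this page, key in the device dict, parser)
CHECKS = (("Android version", "android_version", _version),
          ("app version", "app_version", _version),
          ("Android patch version", "patch_level", _patch))

def evaluate_minimums(policy, device):
    """Return ('block' | 'warn' | 'allow', names of the unmet settings)."""
    blocked, warned = [], []
    for label, device_key, parse in CHECKS:
        actual = parse(device[device_key])
        for kind, unmet in (("Required", blocked), ("Recommended", warned)):
            name = f"{kind} minimum {label}"
            minimum = (policy.get(name) or "").strip()
            if minimum and actual < parse(minimum):  # empty field: ignored
                unmet.append(name)
    if blocked:
        return "block", blocked  # a requirement to use the app is not met
    if warned:
        return "warn", warned    # dismissible notification only
    return "allow", []

# Constructed sample policy and device.
SAMPLE_POLICY = {
    "Required minimum Android version": "9",
    "Recommended minimum Android version": "10",
    "Required minimum app version": "",
    "Recommended minimum app version": "4.2",
    "Required minimum Android patch version": "2019-06-01",
    "Recommended minimum Android patch version": "",
}
SAMPLE_DEVICE = {"android_version": "9.0", "app_version": "4.1",
                 "patch_level": "2019-06-01"}
```

Versions are compared numerically, so app version 4.10.0 satisfies a minimum of 4.2, which a plain string comparison would get wrong.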