App Protection Policies – All about Microsoft Intune

Combining the different layers of data security on personal Windows devices

May 20, 2024 by Peter van der Woude

This week is a continuation of my previous blog post about working with personal Windows devices. That post was focussed on the different options available for providing secure access to corporate data on personal Windows devices. This post is focussed on providing more details around using those different options actually as different layers in a single solution. All with the focus on providing secure access to corporate data on personal Windows devices, while still providing the user with as much flexibility and options to be productive. Besides that, using different layers of data security also enables the IT administrators to add more granularity to the solution. That makes the total solution less black-and-white. So, for example, not just block the ability of the user to …

Working with personal Windows devices

May 13, 2024 by Peter van der Woude

This week is kind of a follow up on my post of a couple of weeks ago about why enrolling personal Windows devices might be a really bad idea. That post was focussed on advising against allowing enrolling personal Windows devices into Microsoft Intune (or any other MDM provider). The logic follow up question would be: what are the alternatives? And that’s of course a fair question. This post will be about answering that specific question. And to be quite honest, the answer might come very close to a blog post of about four years around supporting unsupported platforms. The main difference will be what Microsoft has provided over the years. And that’s a lot, especially for the Windows platform. This post will focus on …

Remotely collecting diagnostic logs for managed Microsoft 365 apps

May 6, 2024 by Peter van der Woude

This week is sort of a follow-up on a post of more then 5 years ago, about checking diagnostic logs for managed apps on iOS and Android devices. That post was focussed on how to achieve that locally on the device. Since recently, a lot has changed. The local option is still available, but it’s now also possible to remotely collect those diagnostic logs for managed Microsoft 365 apps. That make the troubleshooting of app protection and app configuration policies a lot easier. Without really difficult, or challenging, activities from an user perspective. The main thing that is left for the user, is accepting the remote collections of the diagnostics logs. There are, however, some other details to keep in mind. This post will focus …

Troubleshooting MAM for Windows

April 8, 2024 by Peter van der Woude

This week is a short follow-up on a post of a few months ago about getting started with Mobile Application Management (MAM) for Windows. That post was really focused on getting started with MAM for Windows, while this post will be more focused on what’s coming after that. The concept and the basic configuration of MAM for Windows is pretty straight forward, once being familiar with the available configuration options. However, it gets more challenging when verifying the configuration and the behavior. Especially when there is not that much information available. The (location of the) log file is not really well documented, as is the process to verify the applied configuration. This post will provide answers to those questions. It will described were to find …

Getting started with Mobile Application Management for Windows

July 24, 2023 by Peter van der Woude

This week is all about Mobile Application Management (MAM) for Windows. A long awaited feature that will be a big help with addressing unmanaged Windows devices. MAM for Windows enables organizations to manage the app in a similar way as already possible on mobile platforms. So, making sure that there is a separation between personal and work data, and making sure that the chances of accidental data leakages getting slimmer. In some areas, especially when looking at browser access, it might feel similar to what could already be achieved by using app enforced restrictions in Conditional Access, or by using Microsoft Defender for Cloud Apps in combination with Conditional Access. Big difference, however, is that MAM for Windows also includes the ability to use app …

Simplifying targetting groups of apps with app protection policies

October 11, 2021 by Peter van der Woude

This week is all about the simplification in targetting groups of apps with app protection policies and a followup on my tweet of last week. That tweet provided a quick peak at the new targetting options of app protection policies for Android and iOS/iPadOS devices. The great thing about that simplification is that app protection policies can now be targeted at different categories (or groups) of apps. Those categories of apps are All apps, All Microsoft apps and Core Microsoft apps, and are dynamically updated to include the appropriate apps. That dynamic update will make sure that the already created app protection policies are automatically updated with the latest apps that are available for the different categories and will also make sure that newly created …

App protection policies and managed iOS devices

July 5, 2021 by Peter van der Woude

This week is all about app protection policies for managed iOS devices. More specifically, about some default behavior that might be a little bit confusing when not known. When creating app protection policies, those policies can be configured for managed devices or managed apps. That sounds simple. By default, however, when creating and assigning separate policies for managed devices and managed apps, every iOS device will apply app protection policies that are assigned to managed apps. That behavior is caused by the fact that the device will only be identified as a managed device when a specific configuration is in place. That configuration is the user UPN setting. Even better, the user UPN setting opens even more use cases for managed devices. This post will …

Conditional access and requiring app protection policy

April 29, 2019 by Peter van der Woude

This week is focused on conditional access and the recently introduced grant control of Require app protection policy (preview). I already tweeted about it a couple of weeks a go, but I thought that it would be good to also write a little bit about this grant control. The Require app protection policy (preview) grant control could be seen as the successor of the Require approved client app grant control. The main difference is that the new Require app protection policy (preview) grant control will be more flexible. In this post I’ll start with a short introduction about this new grant control, followed by a configuration example. That example will be about a scenario for accessing Exchange Online. I’ll end this post by showing the …

Remotely selective wipe WIP without enrollment devices

February 11, 2019 by Peter van der Woude

This week week a relatively short blog post about the ability to remotely selective wipe Windows Information Protection Without Enrollment (WIP-WE) devices. Almost two years ago I already wrote about app protection for Windows 10 (back than referred to as MAM-WE). That was the first piece of the without-enrollment-puzzle for Windows 10 devices. The second piece of that puzzle is just recently introduced, and is the subject of this post, which is the ability to remotely selective wipe those WIP-WE devices. In my opinion the third and yet still missing piece of that puzzle would be conditional access (require a managed app). Hopefully we can complete that puzzle soon. In this post I’ll show the remote action to selectively wipe a WIP-WE device, followed by …

Quick tip: Intune Diagnostics for App Protection Policies via about:intunehelp

November 26, 2018 by Peter van der Woude

This week a relatively short blog post about a feature that already exists for a long time, but that is not that known. That feature is the Intune Diagnostics for App Protection Policies (APP). The Intune Diagnostics can be really useful with troubleshooting APP. Especially when looking at APP for apps on unmanaged devices. The Intune Diagnostics provides information about the device, provides the ability to collect logs and provides the ability to look at the applied APP for the different apps. The Intune Diagnostics can be accessed on iOS devices, by using the Intune Managed Browser or by using Microsoft Edge. In this post I’ll only look at the experience when with the Intune Diagnostics. The experience Let’s start at the beginning, which is …