Why should I think about an App protection policy? Do I need it, and why?
As you know from many of my recent posts, cloud data protection has been my main task in the last few months. I am a huge fan of the modern IT department idea. I try to build solutions that, on the one hand, will not need constant supervision, but on the other hand will still meet my requirements.
Especially in recent months, when so many people work from home, data security has become a big challenge for IT departments. A special piece of this puzzle is the private devices of the company's employees. They are used to access data such as OneDrive or email. Today I would like to share with you a scenario for securing corporate data on BYOD devices. This is a sensitive topic: on the one hand, private property must be protected; on the other hand, corporate data must be secured. An App protection policy is the solution that comes to our aid.
What is an App protection policy?
App protection policies (APP) are rules that ensure an organization's data remains safe or contained within a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored while the user is inside the app. A managed app is an app that has app protection policies applied to it and can be managed by Intune. If you want to read more, check the Microsoft documentation.
How to start?
There's one requirement. You need a proper license, as the scenario described below requires Azure AD Premium and Intune. You can read more about Intune in my earlier post. In general, you need an EMS E3 license. That's all. So, let's create our first policy. Our starting point is the Intune portal. When you log in, go to Apps -> App protection policies -> Create policy.
Now we must select which platform will be targeted. Let's select iOS/iPadOS. Next there is an important option: "Target to apps on all device types", with the device types being managed and unmanaged. Personally, I always create two policies, one per device type. Why? For example, I can't just wipe a private device, but I can limit some features in that case, and as a result I still protect company resources.
Time for the next step. Select the public apps the policy will cover, for example Microsoft Outlook. In a production environment, you should add all the Microsoft applications that are used in your company. Why? The recommended approach is to allow data exchange between apps only under policy control. So if you don't add them, the user will not be allowed to save an attachment from Outlook to OneDrive or open it in Teams, for example.
You will see the main page of your policy.
This is the main step, and you should configure it carefully. The settings on this page decide what will be possible for the user and how your App protection policy will work. Here are a few key elements:
- Backup org data to iTunes and iCloud backups – usually, you set this to Block. You don't want company data saved to the user's private storage. Right?
- Send org data to other apps – you decide which applications can exchange information. The suggested setting is: Policy managed apps. In this way, non-protected applications can't access your organization's data.
- Receive data from other apps – the same as in the previous setting
- Encryption – you decide here whether your data should be encrypted
How to set up a device?
In the previous step we decided what is possible for the application. Now we decide what our requirements are for the device before it is allowed to access company resources. Look below.
A few settings which we should configure:
- PIN for access – it's obvious, but you should also consider allowing biometric override to make the user experience better. I am a huge fan of Face ID 🙂
- Timeout – you decide when the user must enter the PIN again to access an application
Conditional launch for App protection policy
This is the last step, but also an important one. Look below. Here you decide when the app is allowed to run. As you can see, these settings protect you against a few critical issues, for example when a device has been offline for a long time or when it is jailbroken/rooted. In such a case access will not be possible, and Microsoft Outlook, for example, will not start. You don't want to allow access from a device that is at high security risk.
And that's it. Now you can save your policy and assign it to a group. In the next post I will show you how to use conditional access to enforce these settings.
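The whole procedure above (platform and device type, targeted apps, data protection, access requirements, conditional launch, assignment to a group) as one script. This is an added example, not code from the original post: it uses the Microsoft Graph beta endpoint through the Microsoft.Graph PowerShell SDK instead of the portal. The policy name, the minimum OS version and the group id are my own assumptions or placeholders; the bundle identifiers are the public ones Microsoft lists for its iOS apps.

```powershell
# Added example (not from the original post): create the iOS app protection policy
# described above via Microsoft Graph (beta) with the Microsoft.Graph PowerShell SDK.
# Assumed prerequisites: Microsoft.Graph.Authentication module installed and an
# account with Intune rights in the tenant. The group id below is a placeholder.

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$base = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"

# 1. Platform = iOS/iPadOS; device type = unmanaged (the BYOD half of the policy pair).
#    The property names map to the portal blades: Data protection, Access requirements,
#    Conditional launch. Durations are ISO 8601 (PT30M = 30 minutes, P90D = 90 days).
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "APP - iOS - Unmanaged devices"      # assumed name
    description                             = "Protect corporate data in Microsoft apps on BYOD iPhones/iPads"
    targetedAppManagementLevels             = "unmanaged"
    # Data protection
    dataBackupBlocked                       = $true            # Backup org data to iTunes/iCloud: Block
    allowedOutboundDataTransferDestinations = "managedApps"    # Send org data to other apps: Policy managed apps
    allowedInboundDataTransferSources       = "managedApps"    # Receive data from other apps: Policy managed apps
    saveAsBlocked                           = $true            # no "Save As" into unmanaged locations
    appDataEncryptionType                   = "whenDeviceLocked"
    # Access requirements
    pinRequired                             = $true
    minimumPinLength                        = 6
    pinCharacterSet                         = "numeric"
    fingerprintBlocked                      = $false           # Touch ID override allowed
    faceIdBlocked                           = $false           # Face ID override allowed
    periodOnlineBeforeAccessCheck           = "PT30M"          # Timeout: PIN is asked again after 30 min of inactivity
    # Conditional launch
    periodOfflineBeforeAccessCheck          = "PT12H"          # offline grace period before an access check
    periodOfflineBeforeWipeIsEnforced       = "P90D"           # offline this long -> app data is wiped
    deviceComplianceRequired                = $true            # Jailbroken/rooted devices: Block
    minimumRequiredOsVersion                = "14.0"           # assumed baseline, set your own
}

$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"
Write-Host "Created policy $($created.id)"

# 2. Target the public Microsoft apps so data can flow between them under policy control.
$bundleIds = @(
    "com.microsoft.Office.Outlook",
    "com.microsoft.skydrive",            # OneDrive
    "com.microsoft.skype.teams",         # Teams
    "com.microsoft.Office.Word",
    "com.microsoft.Office.Excel",
    "com.microsoft.Office.Powerpoint"
)
$targetApps = @{
    apps = @($bundleIds | ForEach-Object {
        @{
            "@odata.type"       = "#microsoft.graph.managedMobileApp"
            mobileAppIdentifier = @{
                "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                bundleId      = $_
            }
        }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/targetApps" `
    -Body ($targetApps | ConvertTo-Json -Depth 5) -ContentType "application/json"

# 3. Assign the policy to a user group (placeholder id, replace with your group's object id).
$groupId = "00000000-0000-0000-0000-000000000000"
$assignment = @{
    assignments = @(
        @{
            "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
            target        = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = $groupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

# 4. Read the policy back and confirm the key settings and targeted apps landed as intended.
$check = Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)?`$expand=apps" -OutputType PSObject
$check | Select-Object displayName, targetedAppManagementLevels, dataBackupBlocked,
    allowedOutboundDataTransferDestinations, allowedInboundDataTransferSources,
    pinRequired, deviceComplianceRequired, periodOfflineBeforeWipeIsEnforced
$check.apps.mobileAppIdentifier.bundleId
```

To create the second policy of the pair for enrolled devices, run the same script with targetedAppManagementLevels set to "mdm" and a different displayName. Step 4 is the check worth keeping: compare its output with the portal after every change, because a policy that was saved with "Send org data to other apps" left at All apps looks assigned and healthy while protecting nothing.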
Why should I care about it?
A few weeks ago, I saw an Office 365 tenant. It wasn't a small organization, and the information I saw many would consider sensitive. And there was no MFA or App protection policy. Nothing. And they had a problem, as based on the logs an ex-employee had stored a lot of company documents on his iPad. What can we do now? Now???
Office 365 provides us so many tools to protect our assets. Why do people think that they will create a tenant and that's it? Microsoft does a lot to secure our information, but you also have to do something. If you don't know where or how to start, check your Secure Score, for example, or just contact me and I will help you.