Why should I think about App protection policy? Do I need this, and why?

As you know from many of my recent posts, cloud data protection has been my main task in recent months. I am a huge fan of the modern IT department idea. I try to build solutions that, on the one hand, will not need constant supervision but, on the other hand, will still meet my requirements.

Especially in recent months, when so many people work from home, data security has become a big challenge for IT departments. A special piece of this puzzle is the private devices of the company's employees, which are used to access data such as OneDrive files or emails. Today I would like to share with you a scenario for securing corporate data on BYOD devices. This is a particularly sensitive topic: on the one hand we have to respect private property, and on the other hand we need to secure corporate data. App protection policy is the solution that comes to our aid.

What is App protection policy?

App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it and can be managed by Intune. The important point for BYOD is that the policy is enforced inside the app (mobile application management), so it works whether or not the device itself is enrolled in Intune. If you want to read more, you should check the Microsoft site.

How to start?

There's one requirement: you need the proper license. The scenario described below requires Intune, and the conditional access part that follows in the next post requires Azure AD Premium P1; both are included in the EMS E3 bundle. You can read more in my post about Intune. That's all, so let's create our first policy. Our starting point is the Intune portal. After you log in, go to Apps -> App protection policies -> Create policy.

App protection policy

Now we must select which platform will be targeted. Let's select iOS/iPadOS. Next comes an important option: "Target to apps on all device types". If you set it to No, you choose between managed and unmanaged devices. Personally, I always create two policies, one for each. Why? On a private (unmanaged) device I can't just wipe the device; only a selective wipe of the app's corporate data is possible. On the other hand, in that case I can restrict more features inside the app. Either way, the result is that company resources are protected.

Time for the next step. Select the public apps the policy will protect, for example Microsoft Outlook. In a production environment you should add all the Microsoft applications used in your company. Why? The recommended approach is to allow data exchange only between apps under policy control, so if an app is missing from the policy, users will not be able to save an attachment from Outlook to OneDrive or open it in Teams, for example.

You will now see the main settings page (Data protection) of your policy.

This is the main step, and you should configure it carefully. The settings on this page decide what the user will be able to do and how your App protection policy will behave. Here are a few key elements:

  • Backup org data to iTunes and iCloud backups – usually you set it to Block. You don't want company data to end up in a private user's backup storage, right?
  • Send org data to other apps – you decide which applications can receive organization data. The suggested setting is Policy managed apps; this way an unprotected application cannot receive your organization's data.
  • Receive data from other apps – the same logic as in the previous setting, this time for data flowing into the managed app; the suggested setting is again Policy managed apps.
  • Encryption – you decide here whether org data inside the app must be encrypted; set it to Require.

How to set up a device?

In the previous step we decided what is possible for the application. Now we decide what we require before access to company resources is allowed. Look below.

A few settings which we should configure:

  • PIN for access – it's obvious, but you should also consider allowing biometric override (Touch ID / Face ID) to make the user experience better. I am a huge fan of Face ID 🙂
  • Timeout – you decide after how many minutes the user has to enter the PIN again to access the application

Conditional launch for App protection policy

This is the last step, but also an important one. Look below. You decide the conditions under which an app is allowed to run. As you can see, these settings protect you against a few critical issues, for example a device that has been offline for a long time or a jailbroken/rooted device. In such a case access is not possible and Microsoft Outlook, for example, will not start. You don't want to allow access from a device that carries a high security risk.

And that’s it. Now you can save your policy and assign it to a group. In the next post I will show you how to use conditional access to apply those settings.
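The whole procedure above (platform and target, apps, data protection, access requirements, conditional launch, save and assign) can also be driven through the Microsoft Graph API instead of clicking through the portal. The script below is an added example and is not code from the original post. It builds the two policies I described (one for managed devices, one for unmanaged BYOD devices), targets the same Microsoft apps to both and assigns them to a group. Everything specific in it is an assumption for illustration: the app list and bundle IDs, the PIN length, the 30-minute timeout, the 12-hour offline grace period, the 90-day offline wipe, the minimum iOS version, the GRAPH_TOKEN and INTUNE_GROUP_ID environment variables, and the convention that Graph names a managed iOS app as the lowercased bundle ID with an `.ios` suffix. In the Graph schema `deviceComplianceRequired` is the property behind the jailbroken/rooted check, `periodOnlineBeforeAccessCheck` is the Timeout setting, and `targetedAppManagementLevels` is the "Target to apps on all device types" choice.

```python
"""Create the two iOS app protection policies from the post via Microsoft Graph.

Added example, not code from the original post. Assumes a Graph bearer token with
DeviceManagementApps.ReadWrite.All in GRAPH_TOKEN (e.g. from `az account
get-access-token --resource https://graph.microsoft.com`) and an Azure AD group id
in INTUNE_GROUP_ID; without them it only prints the request bodies (offline dry run).
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0/deviceAppManagement"

# Constructed app list: public App Store bundle IDs of the apps kept inside the policy.
MICROSOFT_APPS = {
    "Microsoft Outlook": "com.microsoft.Office.Outlook",
    "Microsoft OneDrive": "com.microsoft.skydrive",
    "Microsoft Teams": "com.microsoft.skype.teams",
}


def ios_policy(name: str, unmanaged: bool) -> dict:
    """iosManagedAppProtection body for the managed (MDM) or unmanaged (BYOD) policy.
    Both share the post's settings; the BYOD one is stricter on data leaving the app,
    because the private device itself can never be wiped."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "targetedAppManagementLevels": "unmanaged" if unmanaged else "mdm",  # target: No -> one population
        # Data protection
        "dataBackupBlocked": True,                                 # no org data in iTunes/iCloud backups
        "allowedOutboundDataTransferDestinations": "managedApps",  # send org data: policy managed apps
        "allowedInboundDataTransferSources": "managedApps",        # receive data: policy managed apps
        "allowedOutboundClipboardSharingLevel": "managedApps" if unmanaged else "managedAppsWithPasteIn",
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],  # assumed save targets
        "saveAsBlocked": True,
        "appDataEncryptionType": "whenDeviceLocked",               # Encrypt org data: Require
        # Access requirements (values are assumptions)
        "pinRequired": True,
        "pinCharacterSet": "numeric",
        "minimumPinLength": 6,
        "simplePinBlocked": True,
        "maximumPinRetries": 5,
        "fingerprintBlocked": False,                               # Touch ID / Face ID override allowed
        "faceIdBlocked": False,
        "periodOnlineBeforeAccessCheck": "PT30M",                  # Timeout: re-enter PIN after 30 min
        # Conditional launch (values are assumptions)
        "periodOfflineBeforeAccessCheck": "PT12H",                 # offline grace period, then block access
        "periodOfflineBeforeWipeIsEnforced": "P90D",               # 90 days offline: selective wipe of org data
        "deviceComplianceRequired": True,                          # jailbroken/rooted device: block access
        "minimumRequiredOsVersion": "14.0",
    }


def target_apps_body(bundle_ids) -> dict:
    """Body for POST .../iosManagedAppProtections/{id}/targetApps.
    Graph names a managed iOS app '<lowercased bundle id>.ios' (assumed convention)."""
    return {"apps": [{"id": f"{b.lower()}.ios",
                      "mobileAppIdentifier": {"@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                                              "bundleId": b}} for b in bundle_ids]}


def assignment_body(group_id: str) -> dict:
    """Body for POST .../iosManagedAppProtections/{id}/assign (one Azure AD group)."""
    return {"assignments": [{"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                                        "groupId": group_id}}]}


def graph_post(path: str, body: dict, token: str) -> dict:
    """POST JSON to Graph; targetApps and assign reply 204 with an empty body."""
    req = urllib.request.Request(f"{GRAPH}/{path}", data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def deploy(token: str, group_id: str) -> list:
    """Create both policies, target the app list to each and assign them to the group."""
    ids = []
    for name, unmanaged in (("iOS APP - managed devices", False), ("iOS APP - unmanaged BYOD", True)):
        pid = graph_post("iosManagedAppProtections", ios_policy(name, unmanaged), token)["id"]
        graph_post(f"iosManagedAppProtections/{pid}/targetApps", target_apps_body(MICROSOFT_APPS.values()), token)
        graph_post(f"iosManagedAppProtections/{pid}/assign", assignment_body(group_id), token)
        ids.append(pid)
    return ids


if __name__ == "__main__":
    token, group_id = os.environ.get("GRAPH_TOKEN"), os.environ.get("INTUNE_GROUP_ID")
    if token and group_id:
        print("created policy ids:", deploy(token, group_id))
    else:  # offline dry run: show both request bodies
        print(json.dumps([ios_policy("dry-run", u) for u in (False, True)], indent=2))
```

Run it without the environment variables to review the two bodies side by side; the only differences are `targetedAppManagementLevels` and the clipboard level, which is exactly the "two policies" approach from above. Keeping both variants in one function makes it hard for the BYOD policy to drift away from the managed one when you tune a setting later.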

Why should I care about it?

A few weeks ago, I saw an Office 365 tenant. It wasn't a small organization, and the information I saw there many would consider sensitive. And there was no MFA or App protection policy. Nothing. And they had a problem: based on the logs, an ex-employee had stored a lot of company documents on his iPad. What can we do now? Now???

Office 365 provides us with so many tools to protect our assets. Why do people think that they can create a tenant and that's it? Microsoft does a lot to secure our information, but you also have to do something. If you don't know where or how to start, check your Secure Score, for example, or just contact me and I will help you.