How to set up App Protection Policies in Microsoft Intune


Reddit Comments

Man, I wish this was around when I first started addressing APP in our org. This is really good, thank you!

2 points, u/bigrichardchungus, Nov 10 2020
Today a lot of people are starting to use their personal devices to access corporate data, so in this video I want to show you how you can protect your corporate data on these devices. If you're new to this channel, my name is Harry Lowton. I'm a technology strategist at Microsoft, and the goal of this channel is to help you learn technology but also show you some new things that might help you and your organization out.

Most of our discussion here is going to be around Microsoft Intune and Intune app protection policies, and you might be asking, well, what is an app protection policy? Well, it really allows us to protect from data loss, whether it's intentional or unintentional. What this does from a high level, from a benefit to your organization, is it allows us to say: you can still keep your users productive on, for example, their personal devices, but if they start accessing corporate data we want to put some policies around it. So for example, today, if you don't have a policy set up, somebody could send you a really important message on Teams that isn't for the consumption of anyone but your organization, and then they could go ahead and just copy that data, bring up something like Gmail for example, paste it in and send that email to whoever they like. With Intune app protection policies we can put those policies around your data. Somebody signs into a managed application with their corporate identity and we can say: all right, you can't save it to iCloud, you can't copy and paste into non-managed applications, we're going to force you to have a fingerprint or, you know, whatever authentication is needed to get into this application to protect your data. So that's what we're going to look at.

One thing to note before we dive into the console: what's really great about this is we're going to be talking about the personal device scenario, but if you've already got your devices managed by Intune you can also use app protection policies. What's really, really impressive is if you already have a mobile device management provider, what you can do, if you own Intune, is add these app protection policies to that as well. So let's go ahead and look at how we can set these policies up in the Microsoft Endpoint Manager console, and then after that we'll look at the end user experience.

So I'm here inside the Microsoft Endpoint Manager admin center. Let's go ahead and create one of these app protection policies and look at how we get this set up before looking at the end user experience. First thing you've got to do from the menu system is just go to Apps and then go to App protection policies. From here you can see, like any good cooking show, I've got some of the recipes already built for us. The ingredients are there, but we will look at how to create our own as well. The first thing you might notice is I've got an Android and an iOS policy. You might be thinking, well Harry, why have I got to do double the work when I could just create one policy? The reason for this, and why we've created it this way, is some features aren't in iOS or in Android. So for example, you can't block saving iCloud or iTunes on an Android device because it's an iOS feature. That's why the policies are split up, just for simple administration really. You can see here when I go to create policy I've got iOS, Android and Windows 10. We're only going to be talking about mobile devices today. With Windows 10 there's a few more things we have to think about; we'll talk about that some other time.

So in this discussion let's just go ahead and create an iOS policy. First thing you need to do, as you would imagine, is just give this thing a name, and you're going to call it "iOS app protection policy". Of course you can give it a description if you want, and you can see it's already chosen for us that the platform is iOS/iPadOS. I'm not going to dive deep into any of these sections, just going to give you a feel for what you can do with them. My recommendation is of course go look at them yourself and see what makes sense for your organization, and please make sure you test them before you put them in production.

First up, we can choose how we target these apps to device types, and that's quite an interesting one because we get to choose: is it managed or unmanaged, the device? So is it a personal device for example, or if it's managed, is it enrolled into Intune? I'm just going to leave it as yes. Then you need to choose what applications are being protected by this policy. We've got public apps, which is, you know, anything really in the app store that we've certified, and then you've got custom applications. This could be something you've built internally and you want to make sure it's got these app protection policies assigned to it. So we're going to select public apps, and here you can see first up it's not even a Microsoft application, because we can bring third-party apps into here as well. We've got things like Adobe, Box, Cisco, you name it. But we can just do Outlook for example, and then I could choose Teams as well, and now we've got app protection policies against Outlook and Teams. Of course, select the ones that make sense for your organization.

Next up we have data protection. Here we're really controlling how your users are going to interact with this data. Can they copy and paste data? Can they save to iCloud, for example? You can see that is the first option here for data transfer: can we back up org data to iTunes or iCloud backup? Most of you are probably going to put Block here. Then we can choose where we send organization data to other apps. For simplicity I could choose policy managed apps only, but what is really cool here is that you can then choose where users can save their data. So I could say I'm going to block anything unless it's OneDrive or SharePoint, because I want to make sure all my data stays within our Microsoft 365 environment. And then you can choose things like how to use this copy and paste, data encryption, printing and all that good stuff.

Let's go ahead now and look at access requirements. Access requirements is where we're setting up how your users are going to access these applications. So do they need a PIN? If it's a PIN, is it a simple PIN? The cool thing is we can also say: can we override this with biometrics? The good news is pretty much any modern device today, whether it's iOS or Android, has biometric ability, fingerprint and Face ID, so you might want to go ahead and set them up as well.

Next up we have conditional launch, and this allows us to set up things around app conditions and device conditions. App conditions are things like: if you fail your PIN five times then we're going to force you to reset that PIN. We could also choose things like: if you're offline for 90 days then we're going to wipe your data. There are a couple of other things you can do in here, like what should be the minimum application version and what will our action be, and stuff like that as well. Then from the device conditions, here's where you can choose things like: if somebody's on a jailbroken or rooted device, of course we want to block access. We don't want you in our data; we don't know what you're doing on that device, so we could block access. You could also choose: all right, if you're on an old OS version, like iOS 12 or whatever it is, you can't come in unless you update your phone. Or if you're on a device which is a little bit dodgy, maybe we don't trust it, then we could remove that device as well.

So that's really it for the conditional side of the house, and those are the main things: what applications are you protecting, how are you going to protect your data, and then how are users going to access that data as well. Next up is just assignments. You're going to assign this to a dynamic group or a security group. For example, I could come in and say we want the security group of Sales, they should have protection on their applications, so I could just select them and go from there.

As I say, I'm not going to go ahead and create this because I already have one built, so I'm just going to close this down. We can see here on the iOS one, if I choose that, I've already got a user checking in; they've checked into Teams. So you can go look at this and see what's happening in your policies after the event. The other thing to note: if I go to Properties now I can see what I'm blocking, so things like Excel, Outlook, OneDrive. These are all the things being protected. I can see here that in Restrict copy paste I've got "policy managed apps with paste in" from other apps. This is really cool. This means that you can copy data into our managed application, so Teams and Outlook, but you can't copy the data out unless it's to another managed application. So I can't go from Outlook to Gmail for example, but I could go from Outlook to Teams. So this is going to be my policy. I've got it assigned, so let's now go ahead and look at the iPad and see what the user experience is with this policy.

All right, so we're now here on the iPad and we're going to look at the experience of copying data from a managed application to an unmanaged application. In theory it shouldn't allow us to do it. We saw earlier a clip where I copied from Teams to Gmail and it worked perfectly fine. So we're going to go here to Teams, and the first thing that's going to happen, because I put a restriction policy on this, is I'm going to actually have to log in with my PIN, so I'm going to go ahead and do that. Because we're already being forced to log in with a PIN, we already know that our policy is in action, because we saw that we created policies with the PIN enabled.

So let's go back to chat. We saw that we already had a message earlier, you would have seen me copy and paste this into Gmail, from Megan, letting us know that we're buying an incredible company called Lowton Incorporated for a hundred billion dollars. Well, it does sound important, so let's go ahead and do the same thing. Let's hold this and see if we can copy it. I'm just going to choose Copy, and let's go back to Gmail now. From Gmail, go ahead and compose a new email, let's get into the compose section, and we're going to go ahead and do Paste. And look at that. We can see that it's still at the top there, we've pasted from Teams to Gmail, but instead of us seeing how important it was that we're buying an organization, you can now see it says "Your organization's data cannot be pasted here."

So that was going from one application to another. The other really cool thing we can do is support multiple identities in one application. For example, let's say we're in Outlook here. In Outlook, if I just quickly have a look at this, we've got my corporate identity here and then I also have a Gmail account assigned to this as well. If we're inside the corporate identity, we can see here that Megan has actually emailed us the same message as she did before. So if I went ahead and copied that data, I just go Copy, and then we go out of my corporate identity and go to Gmail, so I'm going to choose Gmail on the left here. Let's go ahead and compose a new email, I'm going to go to Paste again, and there we go, same thing: "Your organization's data cannot be pasted here."

To me that's incredible, right? We're in one application, we've got our corporate identity and our personal identity, and we can protect between those two barriers. But I could still do absolutely everything I want to do on my Gmail account here inside Outlook; I'm just being stopped from doing some things between the two accounts.

So that's what I really wanted to show. We've gone through what Intune app protection policies are, we've looked at setting them up, and we've looked at the end user experience. I will put some links down in the description for some more resources for additional learning and reading, but make sure you like, subscribe, and we'll see you next week for another video.
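The settings walked through in the video can be checked after the fact against a policy exported from Microsoft Graph. The following is an added example, not part of the video: the property names are those of the Graph `iosManagedAppProtection` resource, while the expected values, the mapping of `deviceComplianceRequired` to the jailbreak block, and the sample policy are assumptions constructed for illustration.

```python
import re

# Graph iosManagedAppProtection properties for the settings shown in the demo.
# Expected values are this example's reading of the walkthrough (assumption).
EXPECTED = {
    "dataBackupBlocked": True,  # block iTunes/iCloud backup
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,      # saving allowed only to listed locations
    "pinRequired": True,
    "deviceComplianceRequired": True,  # assumed to map to the jailbreak/root block
}
ALLOWED_STORAGE = {"oneDriveForBusiness", "sharePoint"}
MAX_PIN_RETRIES = 5
MAX_OFFLINE_DAYS = 90

def _days(duration):
    """Parse a whole-day ISO 8601 duration such as 'P90D'; None otherwise."""
    m = re.fullmatch(r"P(\d+)D", duration or "")
    return int(m.group(1)) if m else None

def audit_ios_app_policy(policy):
    """Return findings for one exported policy; an empty list means it matches."""
    findings = [f"{k}: expected {want!r}, found {policy.get(k)!r}"
                for k, want in EXPECTED.items() if policy.get(k) != want]
    extra = set(policy.get("allowedDataStorageLocations") or []) - ALLOWED_STORAGE
    if extra:
        findings.append(f"allowedDataStorageLocations: unexpected {sorted(extra)}")
    retries = policy.get("maximumPinRetries")
    if not isinstance(retries, int) or retries > MAX_PIN_RETRIES:
        findings.append(f"maximumPinRetries: {retries!r}, want <= {MAX_PIN_RETRIES}")
    days = _days(policy.get("periodOfflineBeforeWipeIsEnforced"))
    if days is None or days > MAX_OFFLINE_DAYS:
        findings.append(f"periodOfflineBeforeWipeIsEnforced: want <= P{MAX_OFFLINE_DAYS}D")
    return findings

# Constructed sample (not a real tenant export): clipboard left open to all apps.
SAMPLE_POLICY = {
    "dataBackupBlocked": True,
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
    "pinRequired": True,
    "maximumPinRetries": 5,
    "periodOfflineBeforeWipeIsEnforced": "P90D",
    "deviceComplianceRequired": True,
}
```

Calling `audit_ios_app_policy(SAMPLE_POLICY)` reports the clipboard setting, which is the one that would let the Teams-to-Gmail paste from the demo succeed.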
Channel: Harry Lowton
Views: 4,450
Rating: 5 out of 5
Keywords: intune, microsoft intune, microsoft endpoint management, mobile application management, intune app protection policy, intune app protection, intune application protection, data loss prevention, app protection, app protection policy, intune app deployment, microsoft intune demo, microsoft intune 2020, microsoft intune training, app protection policy in microsoft intune, microsoft intune for beginners, intune mobile application management
Id: 0Wft5cF6W-o
Length: 12min 28sec (748 seconds)
Published: Tue Nov 10 2020