App Protection Policies & Conditional Access
App protection policies keep corporate data safe inside managed apps β even on personal devices that aren't enrolled in Intune. Combined with conditional access, they're the BYOD security backbone.
What are app protection policies?
Think of app protection policies as invisible walls around corporate data inside an app.
When Rikoβs designer opens Outlook on their personal iPhone, they can read work email just fine. But they canβt copy the email text and paste it into WhatsApp. They canβt save work attachments to their personal iCloud. They canβt screenshot the email. The data stays inside the βwallβ of the managed app.
The beautiful part: Riko didnβt need to enroll the designerβs personal phone. App protection policies work at the APP level, not the device level.
What app protection policies control
| Setting Category | Examples |
|---|---|
| Data transfer | Block copy/paste to unmanaged apps, block βSave Asβ to personal storage, block screenshots |
| Access requirements | Require PIN or biometric to open the app, require minimum OS version |
| Conditional launch | Block access if device is jailbroken/rooted, block if OS version is too old, wipe after X days offline |
| Encryption | Encrypt app data at rest |
| Selective wipe | Remove corporate data from the app without affecting personal data or the device |
Example: Rikoβs BYOD policy at Pixel & Co
| Setting | Configuration | Why |
|---|---|---|
| Block copy/paste to unmanaged apps | Yes | Prevent data leaking to personal apps |
| Require PIN to open work apps | Yes (6 digits) | Extra layer of security beyond device passcode |
| Block screenshots in managed apps | Yes | Prevent screen capture of sensitive content |
| Allow Save to OneDrive for Business only | Yes | Work files stay in corporate storage |
| Wipe app data after 30 days offline | Yes | If a device goes silent, corporate data self-destructs |
| Block if device is jailbroken | Yes | Jailbroken devices are a security risk |
APP vs MDM
| Feature | App Protection (MAM) | Device Management (MDM) |
|---|---|---|
| Enrollment required | No | Yes |
| What's managed | Data inside managed apps | The entire device |
| Personal data affected | No β only corporate data in managed apps | Yes β device-wide policies apply |
| Selective wipe | Yes β remove corp data only | Retire removes corp data; Wipe removes everything |
| Best for | BYOD, personal devices | Corporate-owned devices |
| User acceptance | High β no device control | Lower β users worry about IT seeing personal data |
| Protection scope | App-level (managed apps only) | Device-level (everything) |
Key exam concept: APP (MAM) and MDM are not mutually exclusive. You can use BOTH: MDM for corporate devices AND APP for managed apps on those same devices. APP adds a second layer of data protection even on enrolled devices.
Conditional access for app protection
You can combine APP with conditional access to create a powerful BYOD strategy:
βRequire approved client appβ or βRequire app protection policyβ
| CA Grant Control | What It Does |
|---|---|
| Require approved client app | User must access resources through a Microsoft-approved managed app (Outlook, Teams, Edge, etc.) |
| Require app protection policy | Userβs app must have an app protection policy applied before accessing resources |
Rikoβs CA + APP strategy
- CA policy: βFor all users accessing Office 365, require app protection policyβ
- Result: Users on personal devices MUST use managed apps (Outlook, Teams) with APP applied
- Unmanaged browsers or email apps are blocked from accessing corporate resources
- Personal apps arenβt affected β only access to M365 is gated
Exam tip: APP + CA is the BYOD answer
When the exam describes a BYOD scenario where:
- Users have personal devices (not enrolled)
- The company needs to protect corporate data
- The company canβt/wonβt enroll personal devices
The answer is almost always: App Protection Policy + Conditional Access requiring app protection policy.
This combination ensures: users can only access M365 through managed apps β those apps enforce data protection rules β no device enrollment needed.
Deep dive: APP for different platforms
App protection policies are supported on iOS/iPadOS and Android. Windows has a separate feature called Windows Information Protection (WIP), which is being deprecated in favour of Microsoft Purview Information Protection.
Platform differences:
- iOS: APP controls copy/paste, screenshots, open-in, Save As, PIN, biometric, jailbreak detection
- Android: Same as iOS + work profile integration (APP inside work profile provides double protection)
- Windows: Use Purview sensitivity labels and Windows DLP instead of APP
The exam focuses on iOS and Android for APP scenarios.
π¬ Video walkthrough
Flashcards
Knowledge Check
A designer at Pixel & Co copies a client proposal from work Outlook and tries to paste it into their personal Notes app on their iPhone (not enrolled in Intune). An app protection policy is applied to Outlook. What happens?
Riko wants to ensure that Pixel & Co employees can ONLY access Exchange Online and SharePoint through managed apps with app protection policies β not through personal email apps or unmanaged browsers. What should Riko configure?
Next up: App Configuration: Managed Apps & Devices β pushing app settings centrally so users donβt have to configure anything.