Protect company data on mobile devices through application
management policies
Protecting your company's data is vitally important, and is an increasingly challenging task as more
employees are using their mobile devices to access company resources, including email and email
attachments. As an IT administrator, you want to make sure that company data is protected even when
those mobile devices are not within the company’s physical location.
This guide will focus on enablement of managed applications as it applies to two Intune MDM
deployments:
• As a cloud management solution using Intune
• As an integrated service with Configuration Manager
This allows you to create and deploy apps with mobile app management (MAM) policies to best protect
your company data.
This document focuses on creation of these MAM-based policies when the end-user device is enrolled
in Intune for MDM. See Protect line of business apps and data on devices not enrolled in Microsoft
Intune for information about configuring these MAM policies when the device itself is not enrolled in
Intune for MDM.
Introduction
Managed apps are apps that have mobile app management (MAM) policies applied to them that make
them compliant with your company’s security requirements. You have two options for managing mobile
apps:
• The default capability, such as Apple Managed Open In, which protects corporate data by
controlling the apps that are allowed to open certain documents and email attachments.
• The Intune App SDK, which lets you limit the functionality and restrict sharing of data for any
apps that have the Intune App SDK enabled. Some of the main features of the Intune App SDK are
that it allows you to:
o Manage the save-as function
o Prevent cut, copy, paste
o Require authentication when an app is accessed
o Wipe corporate data from an Intune-managed app
See Intune App SDK Overview for a description of all SDK features.
Before you begin
Learn about deploying apps using Microsoft Intune
Learn the basics about Intune app deployment.
The new policy displays in the Configuration Policies node of the Policy workspace.
Step 4: Associate the app with a MAM policy, then deploy the app.
Deploy the app, ensuring that you select the MAM policy on the Mobile App Management page to
associate the policy with the app. For details about some of the concepts you need to understand
before you start deploying apps with Microsoft Intune, see Deploy apps in Microsoft Intune.
1. In the Microsoft Intune administrator console, choose Apps > Apps to view the list of apps you
manage.
2. Select the app you want to deploy, and then choose Manage Deployment.
4. Select the MAM policy whose status you want to view. You can view details of the policy in the
bottom pane and expand its node to display its settings.
5. Under the Status column of each of the MAM policies, Conforms, Conforms (Pending), or Error
will be displayed. If the selected policy has one or more settings in conflict, Error will be
displayed in this field.
6. Once you have identified a conflict, you can revise conflicting policy settings to use the same
setting, or deploy only one policy to the app and user.
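The conflict case in steps 5 and 6 can be checked before deployment. The following is an added example, not code from Microsoft or from the original guide: it models a conflict as two policies giving different values for the same setting to the same app and user. The setting names, policy names, groups, and the assumption that policies reach users through overlapping groups are all constructed for illustration and are not Intune's policy schema.

```python
from collections import defaultdict

# Constructed sample data. Setting names, policy names and groups are
# illustrative only; they are not Intune's policy schema.
GROUPS = {
    "Finance": {"alice", "bob"},
    "All Staff": {"alice", "bob", "carol"},
}
DEPLOYMENTS = [
    {"policy": "MAM-Strict", "app": "Word", "group": "Finance",
     "settings": {"prevent_save_as": True, "cut_copy_paste": "blocked",
                  "require_pin": True}},
    {"policy": "MAM-Baseline", "app": "Word", "group": "All Staff",
     "settings": {"prevent_save_as": True,
                  "cut_copy_paste": "managed_apps_only",
                  "require_pin": True}},
    {"policy": "MAM-Baseline", "app": "Excel", "group": "All Staff",
     "settings": {"prevent_save_as": True, "require_pin": True}},
]


def find_conflicts(deployments, groups):
    """Return {(app, user): {setting: {value: [policies]}}} for every setting
    that receives more than one distinct value for the same app and user."""
    seen = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for dep in deployments:
        for user in groups[dep["group"]]:
            for name, value in dep["settings"].items():
                seen[(dep["app"], user)][name][value].append(dep["policy"])
    conflicts = {}
    for target, settings in seen.items():
        clashing = {name: dict(values) for name, values in settings.items()
                    if len(values) > 1}
        if clashing:
            conflicts[target] = clashing
    return conflicts


def status(app, user, conflicts):
    """Simplified stand-in for the Status column: Error on any conflict."""
    return "Error" if (app, user) in conflicts else "Conforms"


if __name__ == "__main__":
    found = find_conflicts(DEPLOYMENTS, GROUPS)
    for (app, user), settings in sorted(found.items()):
        for name, values in settings.items():
            print(f"{app}/{user}: {name} set to {values}")
```

In this sample only users who belong to both groups hit the conflict, which is why either aligning the setting or deploying a single policy to that app and user clears it.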
Using Mobile App Management policies in Configuration Manager
Beginning with System Center 2012 Configuration Manager SP2, app management policies let you
modify the functionality of apps that you deploy to help bring them into line with your company
compliance and security policies. For example, you can restrict cut, copy and paste operations within a
restricted app, or configure an app to open all web links inside a managed browser. App management
policies support:
• Devices that run Android 4 and later.
• Devices that run iOS 7 and later.
In addition to managed devices, mobile app management policies can be used to protect apps
on devices that are not managed by Intune. Using this new capability, you can apply mobile app
management policies for apps connecting to Office 365 services. This is not supported for apps
connecting to on-premises Exchange or SharePoint.
To use this new capability, you must use the Azure preview portal. The following topics can help
you get started:
• Get ready to configure mobile app management policies with Microsoft Intune
• Monitor mobile app management policies with Microsoft Intune
Unlike configuration items and baselines in Configuration Manager, you do not deploy an application
management policy directly. Instead, you associate the policy with the app deployment type (DT) that
you want to restrict. When the app DT is deployed and installed on devices, the settings you specify will
take effect.
To apply restrictions to an app, the app must incorporate the Microsoft Intune App Software
Development Kit (SDK). There are two methods of obtaining this type of app:
• Use a policy managed app (Android and iOS): Has the App SDK built-in. To add this type of app,
you specify a link to the app from an app store such as the iTunes store or Google Play. No
further processing is required for this type of app. For a list of the policy managed apps that are
available for iOS and Android devices, see Microsoft Intune mobile application gallery.
• Use a ‘wrapped’ app (Android and iOS): Apps that are repackaged to include the App SDK by
using the Microsoft Intune App Wrapping Tool. This tool is typically used to process company
apps that were created in-house. It cannot be used to process apps that were downloaded from
the app store. See Prepare iOS apps for mobile application management with the Microsoft
Intune App Wrapping Tool and Prepare Android apps for mobile application management with
the Microsoft Intune App Wrapping Tool.
Create and deploy an app with a MAM policy
Step 1: Obtain the link to a policy managed app, or create a wrapped app.
• To obtain a link to a policy managed app (iOS and Android) - From the app store, find and note
the URL of the policy managed app you want to deploy.
For example, the URL of the Microsoft Word for iPad app is
• To create a wrapped app (iOS and Android) - Use the information in the topics Prepare iOS apps
for mobile application management with the Microsoft Intune App Wrapping Tool and Prepare
Android apps for mobile application management with the Microsoft Intune App Wrapping Tool
to create a wrapped app. The tool creates a processed app and an associated manifest file. You
will use these files when you create a Configuration Manager application containing the app.
Step 2: Create a Configuration Manager application that contains an app.
The procedure to create the Configuration Manager application differs depending on whether you are
using a policy managed app (external link), or an app that was created by using the Microsoft Intune App
Wrapping Tool for iOS (App package for iOS). Use one of the following procedures to create the
Configuration Manager application.
To create an application for an App Wrapping Tool for iOS app
1. In the Configuration Manager console, choose Software Library.
2. In the Software Library workspace, expand Application Management, and then choose
The new policy is displayed in the Application Management Policies node of the Software Library
workspace.
Step 4: Associate the application management policy with a deployment type.
When a deployment type is created for an app that requires an application management policy,
Configuration Manager will recognize that an app management policy must be linked to this deployment
type when the associated app gets deployed and prompt you to associate an app management policy.
For the Managed Browser, you will be required to associate both a General and Managed Browser
policy. For more information, see How to Create and Deploy Applications for Mobile Devices in
Configuration Manager.
• For devices that run operating systems earlier than iOS 7.1, associated policies will not be
removed when the app is uninstalled.
• If the device is unenrolled from Configuration Manager, policies are not removed from the apps.
• Apps that had policies applied will retain the policy settings even after the app is uninstalled and
reinstalled.
Step 5: Monitor the app deployment.
Once you have created and deployed an app associated with a MAM policy, you can monitor the app
and resolve any policy conflicts.
1. In the Configuration Manager console, choose Software Library.