Deploy Intune App Protection Policies based on Management State

Microsoft Intune is always evolving, and with the latest round of updates Microsoft has added the ability to target Intune App Protection Policies based on a device's management state. Because App Protection Policies are identity-driven, a user with a mix of managed and unmanaged devices used to receive the same policies on all of them, whereas an organization may want to be less strict on managed devices than on unmanaged ones.

For example, my company wants to force company data to be saved to OneDrive or SharePoint rather than to local storage on unmanaged devices, while still allowing local saves on managed devices (this is only a demo and may not be the best choice for production). To achieve this, first let's make a policy for our unmanaged iOS devices:

  • Go to https://portal.azure.com
  • Navigate to Intune > Mobile Apps > App protection policies
  • From the App protection policies blade, select +Add a policy

app-protection-policies-new

  • From the Add a policy blade, give a name to your new policy
  • Next give the policy a good description
  • Since I am deploying to iOS devices for this demo, I selected iOS for the Platform
  • For the Target to all app types option, select No so the defaults can be changed, then check Apps on unmanaged devices under App types

app-protection-policies-app-types

  • Next click Select required apps to choose the apps this policy will apply to and click Select
  • Once you've selected your apps, select Configure required settings to edit the policy
  • Set the policy settings based on your own requirements; for this demo, my goal was to block the apps from saving files to local storage. Once you are finished, click OK

app-protection-policies-save-as

  • Now back at the Add a policy blade, review your settings and click Create when ready
  • Once the policy is created, we can click on it and select Assignments to choose who you want to deploy the policies to (I chose to deploy to All Users) and you are finished

app-protection-policies-assignment

Now that the unmanaged policy is complete, let's create our managed policy:

Follow the same steps as above, except change your selection for the Target to all app types option. This time, check Apps on Intune managed devices

app-protection-policies-managed

  • Once again, click Select required apps to choose the apps this policy will apply to and click Select
  • Next select Configure required settings to edit the policy, this time changing the Save As setting so that managed devices are allowed to save to local storage

app-protection-policies-managed-save-as

  • Now back at the Add a policy blade, review your settings once again and click Create when ready
  • Once the policy is created, we can click on it and select Assignments to choose who you want to deploy the policies to (I chose the same All Users group) and you are finished

Now we have separate policies for managed and unmanaged iOS devices, both deployed to the same group of users, with the unmanaged policy being the stricter of the two.
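The same pair of policies can be created through Microsoft Graph instead of clicking through the portal, which makes the configuration reviewable and repeatable. The script below is an added example and is not from the original post. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the DeviceManagementApps.ReadWrite.All permission, and that the beta endpoint is used (the management-state targeting property, targetedAppManagementLevels, lives on the iosManagedAppProtection resource there). The group ID and the bundle IDs are placeholders to replace with your own; the policy names and descriptions are invented for the demo.

```powershell
# Added example (not code from the original post): create the unmanaged and managed
# iOS App Protection Policies via Microsoft Graph and assign both to one group.
# Assumptions: Microsoft.Graph SDK installed, DeviceManagementApps.ReadWrite.All granted,
# $groupId and $bundleIds replaced with real values.

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$graph     = 'https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections'
$groupId   = '00000000-0000-0000-0000-000000000000'   # assumption: the "All Users" group from the post
$bundleIds = @('com.microsoft.Office.Outlook', 'com.microsoft.Office.Word')  # example app bundle IDs

function New-IosAppProtectionPolicy {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Description,
        # 'unmanaged' = "Apps on unmanaged devices", 'mdm' = "Apps on Intune managed devices"
        [Parameter(Mandatory)] [ValidateSet('unmanaged', 'mdm')] [string] $ManagementLevel,
        [Parameter(Mandatory)] [bool] $BlockSaveAs
    )

    # Policy settings: appGroupType 'selectedPublicApps' matches "Select required apps";
    # allowedDataStorageLocations is where "Save As" stays permitted when it is blocked.
    $policyBody = @{
        '@odata.type'               = '#microsoft.graph.iosManagedAppProtection'
        displayName                 = $DisplayName
        description                 = $Description
        appGroupType                = 'selectedPublicApps'
        targetedAppManagementLevels = $ManagementLevel
        saveAsBlocked               = $BlockSaveAs
        allowedDataStorageLocations = @('oneDriveForBusiness', 'sharePoint')
    }
    $policy = Invoke-MgGraphRequest -Method POST -Uri $graph `
        -Body ($policyBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    # "Select required apps": attach the chosen iOS apps by bundle ID
    $appsBody = @{
        apps = @($bundleIds | ForEach-Object {
            @{
                '@odata.type'       = '#microsoft.graph.managedMobileApp'
                mobileAppIdentifier = @{
                    '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                    bundleId      = $_
                }
            }
        })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/$($policy.id)/targetApps" `
        -Body ($appsBody | ConvertTo-Json -Depth 6) -ContentType 'application/json'

    # "Assignments": deploy the policy to the group
    $assignBody = @{
        assignments = @(@{
            '@odata.type' = '#microsoft.graph.targetedManagedAppPolicyAssignment'
            target        = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $groupId
            }
        })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/$($policy.id)/assign" `
        -Body ($assignBody | ConvertTo-Json -Depth 6) -ContentType 'application/json'

    return $policy
}

# Unmanaged devices: Save As blocked except to OneDrive for Business / SharePoint
New-IosAppProtectionPolicy -DisplayName 'iOS APP - Unmanaged devices' `
    -Description 'Stricter policy for iOS apps on devices not enrolled in Intune' `
    -ManagementLevel 'unmanaged' -BlockSaveAs $true | Out-Null

# Managed devices: same apps, same group, but Save As to local storage allowed
New-IosAppProtectionPolicy -DisplayName 'iOS APP - Managed devices' `
    -Description 'Relaxed policy for iOS apps on Intune-enrolled devices' `
    -ManagementLevel 'mdm' -BlockSaveAs $false | Out-Null

# Read back the result: confirm each policy targets the intended management state
(Invoke-MgGraphRequest -Method GET `
    -Uri "$graph`?`$select=displayName,targetedAppManagementLevels,saveAsBlocked").value |
    ForEach-Object { [pscustomobject]$_ } |
    Format-Table displayName, targetedAppManagementLevels, saveAsBlocked
```

The read-back at the end is the check worth keeping: if both policies come back with the same targetedAppManagementLevels value, the two will conflict instead of complementing each other. One caveat for iOS that the portal does not make obvious: an app only reports itself as being on a managed device when it was installed through Intune MDM and received the IntuneMAMUPN app configuration key, so an app missing that key falls back to the stricter unmanaged policy even on an enrolled device.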

app-protection-policies-complete

About Frank Trout

I am an IT Consultant with ~20 years of experience working with Microsoft technologies. I am also a blogger, a Microsoft MVP, and an all-around geek at heart.