
Mobile App Management - What Is It?

Mobile App Management is achieved via deployment of an App Protection Policy (APP) that ensures an organization's data remains safe or contained in a managed app. APPs are managed via Intune.

An app protection policy can be a rule that's enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.

A managed app is an app that has app protection policies applied to it and can be managed by Intune.

The App Protection Policy that applies to County users is based on Microsoft’s APP data protection framework for iOS and Android mobile app management, as well as the Security team's minimum recommendations:

Enterprise Enhanced Data Protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.

Ultimately, Mobile App Management via Intune App Protection Policies allows the County to:

  • Protect County data while leaving personal data untouched.

  • Restrict data transfer and copy-and-paste functions from managed apps.

  • Encrypt County data residing locally on a device.

  • Enforce access requirements (strong PIN) to access County data.

  • Enforce conditional launch behaviors to protect the County data.

  • Apply data loss prevention policies without managing the user's device.

  • Enable app protection without requiring device enrollment in Intune.

Company Portal app and Intune app protection

Much of the app protection functionality is built into the Company Portal app. The Company Portal app is always required, but device enrollment is not: for Mobile Application Management (MAM), the end user only needs to have the Company Portal app installed on the device.

App Protection Policy Specifics

This section covers the specifics of the App Protection Policy applied to the County that have the most noticeable impact on the common user: Access Requirements & PIN Prompt, Data Transfer Restrictions, Encryption Enforcement, and Functionality Configurations.

Access Requirements & PIN Prompt

Access Requirements is a setting in the APP that refers to the PIN set on the Managed App (or, in rare cases, a full corporate login with your email and password). Intune prompts for the user's app PIN when the user is about to access "corporate" data. In multi-identity apps such as Word, Excel, or PowerPoint, the user is prompted for their PIN when they try to open a "corporate" document or file.

The amount of time before the access requirements are re-checked on a device is pre-set by the County Intune Admins. However, the following details about the PIN affect how often the user will be prompted:

  • The PIN is shared among apps of the same publisher to improve usability:

    • On iOS/iPadOS, one app PIN is shared amongst all apps of the same app publisher. For example, all Microsoft apps share the same PIN.

    • On Android, one app PIN is shared amongst all apps.

  • Re-checking the access requirements after a device reboot:
    A timer tracks the number of minutes of inactivity, which determines when the Intune app PIN (or corporate credential) prompt is shown next.

    • On iOS/iPadOS, the timer is unaffected by device reboot. Thus, device reboot has no effect on the number of minutes the user has been inactive from an iOS/iPadOS app with Intune PIN (or corporate credential) policy targeted.

    • On Android, the timer is reset on device reboot. As such, Android apps with Intune PIN (or corporate credential) policy will likely prompt for an app PIN (or corporate credentials) after a reboot, regardless of any timer the policy has set.

  • The rolling nature of the timer associated with the PIN:
    Once a PIN is entered to access an app (app A), and the app leaves the foreground (main input focus) on the device, the timer gets reset for that PIN. Any app (app B) that shares this PIN will not prompt the user for PIN entry because the timer has reset.

For iOS/iPadOS devices, even if the PIN is shared between apps from different publishers, the prompt will show up again when the Access Requirements timer expires for the app that is not the main input focus. For example, a user has app A from publisher X and app B from publisher Y, and those two apps share the same PIN. The user is focused on app A (foreground) and app B is minimized. Once the Access Requirements timer is up and the user switches to app B, the PIN is required.
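The timer rules above (PIN scope per publisher on iOS versus all apps on Android, reset on Android reboot only, and the rolling reset when an app leaves the foreground) are easy to misread, so here is a small model of them as an added example. It is illustrative code written for this page, not Intune App SDK code; the 30-minute timeout and the publisher names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the app-PIN timer rules described above (illustrative
# only, not Intune App SDK code). timeout_min stands in for the interval the
# County Intune admins configure; the value used below is an assumption.

@dataclass
class PinTimer:
    platform: str                 # "ios" (covers iPadOS) or "android"
    timeout_min: int              # minutes of inactivity before a re-prompt
    _last_active: dict = field(default_factory=dict)

    def _scope(self, publisher: str) -> str:
        # iOS/iPadOS: one PIN and timer per publisher; Android: one for all apps.
        return publisher if self.platform == "ios" else "*"

    def needs_pin(self, publisher: str, now_min: int) -> bool:
        """True if opening an app from `publisher` at `now_min` prompts for the PIN."""
        last = self._last_active.get(self._scope(publisher))
        if last is None:
            return True           # nothing in this scope has been unlocked yet
        return now_min - last >= self.timeout_min

    def pin_entered(self, publisher: str, now_min: int) -> None:
        # Unlocking marks the whole PIN scope active.
        self._last_active[self._scope(publisher)] = now_min

    def app_backgrounded(self, publisher: str, now_min: int) -> None:
        # Rolling timer: leaving the foreground resets the inactivity clock
        # for every app sharing this PIN.
        self._last_active[self._scope(publisher)] = now_min

    def device_rebooted(self) -> None:
        # Android resets the timer on reboot; iOS/iPadOS keeps counting.
        if self.platform == "android":
            self._last_active.clear()


def ios_walkthrough() -> list:
    """Word, Excel and Outlook (same publisher) on iOS with a 30-minute timer."""
    t = PinTimer("ios", 30)
    out = [t.needs_pin("Microsoft", 0)]        # first launch: True
    t.pin_entered("Microsoft", 0)
    t.app_backgrounded("Microsoft", 5)         # Word leaves the foreground
    out.append(t.needs_pin("Microsoft", 20))   # Excel 15 min later: False
    t.device_rebooted()                        # no effect on iOS
    out.append(t.needs_pin("Microsoft", 20))   # still False
    out.append(t.needs_pin("Microsoft", 40))   # Outlook after 35 idle min: True
    out.append(t.needs_pin("OtherVendor", 20)) # different publisher: True
    return out
```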


Data Transfer & Encryption

As a general rule, the County App Protection Policy aims to secure, contain, and protect County data. In practice this means that data in managed apps will generally be restricted from being sent to un-managed apps, whether that be through copying & pasting, saving files locally, etc. However, the policy does generally allow data from un-managed apps to be transferred into the managed apps.

Intune, via the App Protection Policy, enforces iOS/iPadOS device-level encryption to protect app data while the device is locked. Managed data from apps is also encrypted using 256-bit AES encryption.


Conditional Launch

There are certain security requirements that are checked when a managed application is launched. One of the most common is whether the Access Requirements can be satisfied (the PIN prompt); however, other settings are checked as well, such as:

  • Max PIN Attempts - How many times have you attempted the PIN?

  • Offline Grace Period - How long has this app run offline?

  • Disabled Account - Is the account of the user attempting to launch the app disabled?

  • Jailbroken/Rooted - Is this device jailbroken/rooted?

  • Min OS Version - Does this device meet the minimum OS version set by Security?

Different actions, or sets of actions, can be configured to execute if any of these security requirements are not met upon attempting to launch a managed app, such as:

  • Prompt to reset PIN (you’ll be required to authenticate with your email and MFA first)

  • Block Access (immediately if not meeting the minimum OS version, or device is jailbroken/rooted)

  • Block Access (for a specified amount of time/until app checks-in online again)

  • Wipe Data (if app has been offline for a specified amount of days)

    • Selective-wipe of managed app data only
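To show how the checks above map to the actions, here is an added example that evaluates a device's launch state against a policy and returns the first action triggered. It is illustrative code written for this page, not Intune code, and every threshold in it is an assumption rather than the County's configured value.

```python
from dataclasses import dataclass

# Constructed, illustrative model of the conditional-launch checks and the
# actions listed above. Not Intune code; the thresholds are assumptions
# chosen for the example, not the County's configured values.

@dataclass
class LaunchState:
    failed_pin_attempts: int
    minutes_offline: int
    account_disabled: bool
    jailbroken_or_rooted: bool
    os_version: tuple             # e.g. (16, 4) for iOS 16.4

@dataclass
class LaunchPolicy:
    max_pin_attempts: int = 5
    offline_grace_minutes: int = 720   # 12 h, then block until next check-in
    offline_wipe_days: int = 90        # then selective-wipe managed data only
    min_os_version: tuple = (15, 0)

def evaluate_launch(state: LaunchState, policy: LaunchPolicy) -> tuple:
    """Return (action, reason) for the first check that fails, worst first."""
    # Immediate blocks: compromised device, unsupported OS, disabled account.
    if state.jailbroken_or_rooted:
        return ("block", "device is jailbroken/rooted")
    if state.os_version < policy.min_os_version:
        return ("block", "OS below minimum version set by Security")
    if state.account_disabled:
        return ("block", "account disabled")
    # Offline too long: the longer threshold (wipe) must be checked before
    # the shorter one (grace period), or the wipe would never fire.
    if state.minutes_offline >= policy.offline_wipe_days * 24 * 60:
        return ("selective_wipe", "managed app data wiped; personal data kept")
    if state.minutes_offline >= policy.offline_grace_minutes:
        return ("block_until_online", "offline grace period exceeded")
    if state.failed_pin_attempts >= policy.max_pin_attempts:
        return ("reset_pin", "re-authenticate with email and MFA first")
    return ("allow", "all conditional launch checks passed")
```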


Common Pop-Ups & What They Mean

3rd Party Keyboard Blocked

This pop-up is a notification that informs the user that third-party keyboards (any keyboard not native to the iOS platform) are blocked from being used within this specific managed application.

Every iPhone user sees this when opening a managed application, because the County's app protection policies are configured on the backend to block third-party keyboards.

The security justification is that there are malicious third-party keyboards that can be installed which act as info stealers and result in data leakage.

What To Do

Your only option is to accept this by clicking “OK”.

If there is a business justification for using a third-party keyboard this needs to be brought up to the Security team in a ticket for review.


Allow [app] to use Face ID?

This pop-up is requesting your permission to use biometrics - specifically Face ID - to satisfy the Access Requirements of the Managed Application. This is generally recommended as you would otherwise have to input the actual PIN you initially set up for the Managed Applications whenever they require you to satisfy the Access Requirements again.

What To Do

You can choose to allow this or not; however, allowing it is strongly recommended for convenience.


Applying Protection Policies

This is generally a very short-lived pop-up that is a result of the Intune App SDK doing its job and applying the App Protection Policy settings to whatever Managed Application you have just opened. You will generally only see this one time for an app.

What To Do

Nothing. This should resolve quickly, and the app should load up for you.

There are some cases discussed online where an app can get stuck in a loop of applying these policies. In that case, submit a ticket to Help Desk.


Checking Data Access Requirements

This is a result of the Managed Application checking that the device meets the Access Requirements set in the Application Protection Policy.

This is also when a device reviews and checks Conditional Launch requirements. You can review some examples of what those requirements could be set to above.

What To Do

This usually resolves fairly quickly, but if it doesn’t, for whatever reason, try closing and relaunching the app. If it still doesn’t resolve, your device might be failing to meet one of the Conditional Launch requirements. Submit a ticket to Help Desk.


Restart the App To Continue

This is a notification received when the Application Protection Policies are initially deployed, upon launching a Managed Application after you’ve been included in the scope of the policies.

You will only see it once.

What To Do

There is nothing to be done here. Click “OK” and the app will close and relaunch; it will then apply the policies and ask you to set a PIN if this is your first time ever launching a Managed Application.


Reconnect to your Organization

This message can be brought on by a device being non-compliant in Intune for too long. If you are a BYOD user, it can also be prompted by some of our App Protection Policies that are in place.

Essentially, an app is asking you to sign in again to validate that you are still active, enabled, and authorized. You will use your Microsoft (Franklin County) credentials to do so.

What To Do

Click “Sign in” and you will be brought to a Microsoft Modern Authentication sign-in page, where you’ll sign in with your Franklin County email and password and will likely also have to satisfy an MFA prompt.
