Intune - Mobile App Management (MAM)
Mobile App Management - What Is It?
Mobile App Management is achieved via deployment of an App Protection Policy (APP) that ensures an organization's data remains safe or contained in a managed app. APPs are managed via Intune.
https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-protection-policies/troubleshoot-mam
An app protection policy can be a rule that's enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app.
A managed app is an app that has app protection policies applied to it and can be managed by Intune.
The App Protection Policy that applies to County users is based off of Microsoft’s APP data protection framework for iOS and Android mobile app management as well as minimum Security recommendations:
Enterprise Enhanced Data Protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
Ultimately, Mobile App Management via Intune App Protection Policies allow the County to:
Protect County data while leaving personal data untouched.
Restrict data transfer and copy-and-paste functions from managed apps.
Encrypt County data residing locally on a device.
Enforce access requirements (strong PIN) to access County data.
Enforce conditional launch behaviors to protect the County data.
Apply data loss prevention policies without managing the user's device.
Enable app protection without requiring device enrollment in Intune.
Company Portal app and Intune app protection
Much of app protection functionality is built into the Company Portal app. Device enrollment is not required even though the Company Portal app is always required. For Mobile Application Management (MAM), the end user just needs to have the Company Portal app installed on the device.
App Protection Policy Specifics
This section will cover specifics of the App Protection Policy applied to the County that will have the most noticeable impact to the common user: Access Requirements & PIN Prompt, Data Transfer Restrictions, Encryption Enforcement, and Functionality Configurations.
Access Requirements & PIN Prompt
Access Requirements is a setting in the APP which refers to the PIN set on the Managed App (or sometimes a full corporate login with your email and password in rare cases). Intune prompts for the user's app PIN when the user is about to access "corporate" data. In multi-identity apps such as Word, Excel, or PowerPoint, the user is prompted for their PIN when they try to open a "corporate" document or file.
The amount of time before the access requirements are checked on a device is pre-set by the County Intune Admins. However, important details about PIN that affect how often the user will be prompted are:
The PIN is shared among apps of the same publisher to improve usability:
On iOS/iPadOS, one app PIN is shared amongst all apps of the same app publisher. For example, all Microsoft apps share the same PIN.
On Android, one app PIN is shared amongst all apps.
Recheck the access requirements behavior after a device reboot:
A timer tracks the number of minutes of inactivity that determine when to show the Intune app PIN, or corporate credential prompt next.On iOS/iPadOS, the timer is unaffected by device reboot. Thus, device reboot has no effect on the number of minutes the user has been inactive from an iOS/iPadOS app with Intune PIN (or corporate credential) policy targeted.
On Android, the timer is reset on device reboot. As such, Android apps with Intune PIN (or corporate credential) policy will likely prompt for an app PIN, or corporate credential prompt, regardless of any timer the policy has set.
The rolling nature of the timer associated with the PIN:
Once a PIN is entered to access an app (app A), and the app leaves the foreground (main input focus) on the device, the timer gets reset for that PIN. Any app (app B) that shares this PIN will not prompt the user for PIN entry because the timer has reset.
For iOS/iPadOS devices, even if the PIN is shared between apps from different publishers, the prompt will show up again when the Access Requirements timer is met again for the app that is not the main input focus.
So, for example, a user has app A from publisher X and app B from publisher Y, and those two apps share the same PIN.
The user is focused on app A (foreground), and app B is minimized.
After the Access Requirements timer is up and the user switches to app B, the PIN would be required.
Data Transfer & Encryption
As a general rule, the County App Protection Policy aims to secure, contain, and protect County data. In practice this means that data in managed apps will generally be restricted from being sent to un-managed apps, whether that be through copying & pasting, saving files locally, etc. However, the policy does generally allow data from un-managed apps to be transferred into the managed apps.
Intune, via the App Protection Policy, enforces iOS/iPadOS device-level encryption to protect app data while the device is locked. Managed data from apps is also encrypted using 256-bit AES encryption.
 |
Conditional Launch
There are certain security requirements that are checked upon attempting to launch a managed application. One of the most common requirements is whether or not the Access Requirements can be satisfied (PIN Prompt) however, there are other settings that are checked as well, such as:
Max PIN Attempts - How many times have you attempted the PIN?
Offline Grace Period - How long has this app run offline?
Disabled Account - Is the user attempting to launch the app disabled?
Jailbroken/Rooted - Is this device jailbroken/rooted?
Min OS Version - Does this device meet the minimum OS version set by Security?
Different actions, or sets of actions, can be configured to execute if any of these security requirements are not met upon attempting to launch a managed app, such as:
Prompt to reset PIN (you’ll be required to authenticate with your email and MFA first)
Block Access (immediately if not meeting the minimum OS version, or device is jailbroken/rooted)
Block Access (for a specified amount of time/until app checks-in online again)
Wipe Data (if app has been offline for a specified amount of days)
Selective-wipe of managed app data only
Common Pop-Ups & What They Mean
Apple - The Intune Company Portal is not Required
3rd Party Keyboard Blocked
This pop-up is a notification that informs the user that third-party keyboards (any keyboard not native to the iOS platform) are blocked from being used within this specific managed application.
This is the case with all iPhone users who open up a managed application as we have this configured on the backend for the app protection policies.
The security justification is that there are malicious third-party keyboards that can be installed which act as info stealers and result in data leakage.
What To Do
Your only option is to accept this by clicking “OK”
If there is a business justification for using a third-party keyboard this needs to be brought up to the Security team in a ticket for review.
Allow [app] to use Face ID?
This pop-up is requesting your permission to use biometrics - specifically Face ID - to satisfy the Access Requirements of the Managed Application. This is generally recommended as you would otherwise have to input the actual PIN you initially set up for the Managed Applications whenever they require you to satisfy the Access Requirements again.
What To Do
You can choose to allow this or not however, it is strongly recommended for convenience.
Applying Protection Policies
This is generally a very short-lived pop-up that is a result of the Intune App SDK doing its job and applying the App Protection Policy settings to whatever Managed Application you have just opened. You will generally only see this one time for an app.
What To Do
Nothing. This should resolve quickly, and the app should load up for you.
There are some cases discussed online where an app can get stuck in a loop of applying these policies. In that case, submit a ticket to Help Desk.
Checking Data Access Requirements
This is a result of the Managed Application checking that the device meets the Access Requirements set in the Application Protection Policy.
This is also when a device reviews and checks Conditional Launch requirements. You can review some examples of what those requirements could be set to above.
What To Do
This usually resolves fairly quickly but if it doesn’t - for whatever reason - try closing and relaunching the app again. If it still doesn’t resolve, your device might be failing to meet one of the Conditional Launch requirements. Submit a ticket to Help Desk.
Restart the App To Continue
This is a notification received when the Application Protection Policies are initially deployed, upon launching a Managed Application after you’ve been included in the scope of the policies.
You will only see it once.
What To Do
There is nothing to be done here. Click “OK” and the app will close and relaunch, where it will then apply the policies and ask you to set a PIN if this is you first time ever launching a Managed Application.
Reconnect to your Organization
This message can be brought on by a device being non-compliant in Intune for too long but if you are a BYOD user this can also be prompted by some of our App Protection Policies that are in place.
Essentially, an app is asking you to sign-in again to validate that you are still active, enabled, and authorized. You will use your Microsoft, Franklin County credentials to do so.
What To Do
Click “Sign in” and you will be brought to a Microsoft Modern Authentication sign-in page where you’ll sign in with your Franklin County email and password and likely also have to satisfy a MFA prompt.
Android - The Intune Company Portal is Required
When trying to access an app that is considered a Managed Application for the first time after Application Protection Policies have been deployed you will be presented with a message like this if you are on an Android device specifically.
What To Do
Download and install the Company Portal app, then you can attempt to relaunch the app you were trying to before. You can click “KEEP ACCOUNT” on the pop-up to initiate this installation.
After the install has been completed, relaunch the same app and it should bring you to a screen that says “Get Access” at the top. It’ll show a checklist of Conditional Launch/Access requirements that you are meeting.
Simply click “CONTINUE” and you should be let into the Managed Application now. This is a one-time occurrence, so long as you don’t remove the Company Portal app from your device.
Note: This is NOT enrolling your device in Intune. This is one of the requirements of the App Protection Policies we have in place. The Company Portal App simply needs to be installed; you do not need to actually enroll into Intune through the Company Portal App for this to resolve.
You will need to sign in to your account with your franklincountyohio.gov email and password to re-credential your account.
Org Data Removal
This pop-up is notifying you that the data within Managed Applications on your device has been wiped. Essentially, this means that you will need to restart the apps, sign-in to your Franklin County credentials again through a Modern Authentication sign-in prompt, and then you can use these apps again - so long as you are meeting the Access Requirements and Conditional Launch requirements.
This will occur if a Managed Applications wipe is executed by the Intune Admins team but can also occur if a user has been on leave for 90 days and then fails to sign-in successfully when they try to access a Managed Application and it prompts them to sign-in to their account again.
What To Do
Nothing can be done here except for signing-in again. If you feel this should not have happened, you need to submit a ticket to Help Desk.
Page Contents
Related Articles
FCDC Help Desk | helpdesk@franklincountyohio.gov | 614-525-3282