CA-05: Creating an App Protection Policy for Mobile Devices

Overview

This guide walks you through creating a Conditional Access policy that requires approved client apps or app protection policies for mobile device access. This control ensures that corporate data accessed on iOS and Android devices is protected, even on personal (BYOD) devices.

Control ID: CA-05
Category: Conditional Access
Severity: High
License Required: Microsoft Entra ID P1 + Microsoft Intune (included in Microsoft 365 Business Premium, E3, E5)

Why This Matters

Mobile devices accessing corporate data present unique risks:

  • Data leakage - Users can copy corporate data to unmanaged apps
  • Uncontrolled backups - Corporate data may sync to personal cloud storage
  • Screenshot/screen recording - Sensitive data can be captured
  • Jailbroken/rooted devices - Security controls can be bypassed

App Protection Policies (also called MAM - Mobile Application Management) protect data inside managed apps without requiring full device enrollment. This enables secure BYOD scenarios.


Prerequisites

Required Roles

You need the following roles:

For Conditional Access Policy:

  • Conditional Access Administrator (least privileged for this task), Security Administrator, or Global Administrator

For Intune App Protection Policies:

  • Intune Administrator (least privileged for this task) or Global Administrator

Required Licenses

  • Microsoft Entra ID P1 for Conditional Access
  • Microsoft Intune for App Protection Policies
  • Included in: Microsoft 365 Business Premium, E3, E5

Pre-Configuration Requirements

Before creating the Conditional Access policy:

  1. Create Intune App Protection Policies - Must be configured first. The Require app protection policy grant is satisfied only when a policy is actually applied to the app the user signs in with; an app that no policy targets is blocked, not let through
  2. Identify target apps - Typically Office 365 or all cloud apps
  3. Plan BYOD vs. corporate device strategy - This policy mainly benefits BYOD scenarios

Time Estimate

Task                                  | Duration
------------------------------------- | --------------------------
Create iOS App Protection Policy      | 20-30 minutes
Create Android App Protection Policy  | 20-30 minutes
Create Conditional Access Policy      | 10-15 minutes
User communication and testing        | 1-2 days
Total                                 | 2-3 days including rollout

Step-by-Step Instructions

Part 1: Create Intune App Protection Policies

Before creating the Conditional Access policy, you must create App Protection Policies in Intune.

Step 1A: Navigate to Intune App Protection

  1. Sign in to the Microsoft Intune admin center
  2. In the left navigation, select Apps
  3. Select App protection policies

Step 1B: Create iOS App Protection Policy

  1. Click + Create policy and select iOS/iPadOS
  2. Enter a name: Corporate App Protection - iOS

Apps Tab:

  1. Under Target policy to, select All Apps or specific apps
  2. Recommended: Select All Microsoft Apps for initial deployment

Data Protection Tab: Configure the following settings:

Setting                                        | Recommended Value
---------------------------------------------- | ---------------------------------
Backup org data to iTunes and iCloud           | Block
Send org data to other apps                    | Policy managed apps
Receive data from other apps                   | Policy managed apps
Save copies of org data                        | Block
Allow user to save copies to selected services | OneDrive for Business, SharePoint
Cut, copy, and paste between other apps        | Policy managed apps with paste in
Encrypt org data                               | Require
Sync policy managed app data with native apps  | Block
Printing org data                              | Block

Note: there is no screen capture setting in the iOS/iPadOS policy; Intune cannot block screenshots on iOS. The "Screen capture and Google Assistant" setting exists only in the Android policy.

Access Requirements Tab:

Setting                                       | Recommended Value
--------------------------------------------- | -----------------
PIN for access                                | Require
PIN type                                      | Numeric
Simple PIN                                    | Block
Minimum PIN length                            | 6
Touch ID instead of PIN for access            | Allow
Face ID instead of PIN for access             | Allow
PIN reset after number of days                | Yes, 90 days
Work or school account credentials for access | Require

Conditional Launch Tab:

Setting                   | Value       | Action
------------------------- | ----------- | ------------
Jailbroken/rooted devices | N/A         | Block access
Minimum OS version        | 15.0        | Block access
Max PIN attempts          | 5           | Reset PIN
Offline grace period      | 720 minutes | Block access

  1. Click Next and assign to All Users (or a pilot group)
  2. Click Create

Step 1C: Create Android App Protection Policy

  1. Click + Create policy and select Android
  2. Enter a name: Corporate App Protection - Android

Apps Tab:

  1. Under Target policy to, select All Apps or specific apps
  2. Recommended: Select All Microsoft Apps for initial deployment

Data Protection Tab: Configure the following settings:

Setting                                        | Recommended Value
---------------------------------------------- | ---------------------------------
Backup org data to Android backup services     | Block
Send org data to other apps                    | Policy managed apps
Receive data from other apps                   | Policy managed apps
Save copies of org data                        | Block
Allow user to save copies to selected services | OneDrive for Business, SharePoint
Cut, copy, and paste between other apps        | Policy managed apps with paste in
Screen capture and Google Assistant            | Block
Encrypt org data                               | Require
Sync policy managed app data with native apps  | Block
Printing org data                              | Block

Access Requirements Tab:

Setting                                       | Recommended Value
--------------------------------------------- | -----------------
PIN for access                                | Require
PIN type                                      | Numeric
Simple PIN                                    | Block
Minimum PIN length                            | 6
Fingerprint instead of PIN for access         | Allow
Work or school account credentials for access | Require

Conditional Launch Tab:

Setting                                                        | Value                                | Action
-------------------------------------------------------------- | ------------------------------------ | ------------
Rooted devices                                                 | N/A                                  | Block access
Play Integrity verdict (formerly SafetyNet device attestation) | Basic integrity and device certified | Block access
Minimum OS version                                             | 10.0                                 | Block access
Max PIN attempts                                               | 5                                    | Reset PIN
Offline grace period                                           | 720 minutes                          | Block access

Note: "Basic integrity and device certified" rejects devices that are unmodified but not Google-certified (custom ROMs, some budget hardware). If your device landscape includes those, start with "Basic integrity" and tighten later.

  1. Click Next and assign to All Users (or a pilot group)
  2. Click Create
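As an added example (not part of the original guide and not Microsoft's own sample code), the following PowerShell creates both Part 1 policies through Microsoft Graph with the Microsoft.Graph PowerShell SDK instead of the portal, so the settings can be reviewed and version-controlled. It calls the beta endpoint because the Android Play Integrity (SafetyNet) settings are only exposed there. The pilot group ID and the Outlook/Teams/OneDrive/Edge app identifiers are assumptions to verify before use; the portal's "All Microsoft Apps" shortcut has no Graph equivalent, so the apps are listed explicitly.

```powershell
# Added example: create the iOS and Android App Protection Policies from
# Part 1 via Microsoft Graph (beta). Requires Install-Module Microsoft.Graph
# and an admin with DeviceManagementApps.ReadWrite.All (Intune Administrator).
# ASSUMPTIONS: $pilotGroupId is a placeholder; the app identifiers are the
# expected Outlook/Teams/OneDrive/Edge IDs - confirm them in Intune's app picker.

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

# Settings shared by both platforms (Data Protection, Access Requirements,
# Conditional Launch). Durations are ISO 8601: PT12H = 720-minute offline grace.
$common = @{
    allowedInboundDataTransferSources       = 'managedApps'            # Receive data from other apps
    allowedOutboundDataTransferDestinations = 'managedApps'            # Send org data to other apps
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn' # Cut, copy, and paste
    allowedDataStorageLocations             = @('oneDriveForBusiness', 'sharePoint')
    dataBackupBlocked                       = $true
    saveAsBlocked                           = $true
    printBlocked                            = $true
    contactSyncBlocked                      = $true                    # Sync with native apps: block
    organizationalCredentialsRequired       = $true
    pinRequired                             = $true
    pinCharacterSet                         = 'numeric'
    simplePinBlocked                        = $true
    minimumPinLength                        = 6
    maximumPinRetries                       = 5                        # default action is reset PIN
    periodBeforePinReset                    = 'P90D'
    deviceComplianceRequired                = $true                    # block jailbroken/rooted devices
    periodOfflineBeforeAccessCheck          = 'PT12H'
}

$ios = $common + @{
    '@odata.type'            = '#microsoft.graph.iosManagedAppProtection'
    displayName              = 'Corporate App Protection - iOS'
    appDataEncryptionType    = 'whenDeviceLocked'   # Encrypt org data: require
    minimumRequiredOsVersion = '15.0'
    faceIdBlocked            = $false
    fingerprintBlocked       = $false               # Touch ID allowed
}

$android = $common + @{
    '@odata.type'            = '#microsoft.graph.androidManagedAppProtection'
    displayName              = 'Corporate App Protection - Android'
    screenCaptureBlocked     = $true
    encryptAppData           = $true
    minimumRequiredOsVersion = '10.0'
    fingerprintBlocked       = $false
    # Play Integrity verdict; the Graph schema still uses the SafetyNet names
    requiredAndroidSafetyNetDeviceAttestationType      = 'basicIntegrityAndDeviceCertification'
    appActionIfAndroidSafetyNetDeviceAttestationFailed = 'block'
}

# Target apps (identifiers assumed; verify before running)
$iosApps = @('com.microsoft.Office.Outlook', 'com.microsoft.skype.teams',
             'com.microsoft.skydrive', 'com.microsoft.msedge') | ForEach-Object {
    @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = $_ } }
}
$androidApps = @('com.microsoft.office.outlook', 'com.microsoft.teams',
                 'com.microsoft.skydrive', 'com.microsoft.emmx') | ForEach-Object {
    @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'; packageId = $_ } }
}

function New-AppProtectionPolicy {
    param([string]$Collection, [hashtable]$Body, [object[]]$Apps, [string]$GroupId)
    $base = "https://graph.microsoft.com/beta/deviceAppManagement/$Collection"
    # 1. create the policy with its settings
    $policy = Invoke-MgGraphRequest -Method POST -Uri $base -Body $Body
    # 2. target the apps (the targetApps action replaces the policy's app list)
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/targetApps" -Body @{ apps = $Apps }
    # 3. assign to the pilot group; use allLicensedUsersAssignmentTarget for All Users
    Invoke-MgGraphRequest -Method POST -Uri "$base/$($policy.id)/assign" -Body @{
        assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } })
    }
    return $policy
}

$created = @(
    New-AppProtectionPolicy 'iosManagedAppProtections'     $ios     $iosApps     $pilotGroupId
    New-AppProtectionPolicy 'androidManagedAppProtections' $android $androidApps $pilotGroupId
)
$created | ForEach-Object { '{0}  {1}' -f $_.id, $_.displayName }
```

Creating the settings object first and targeting apps in a second call mirrors how the portal saves the policy: a policy with no targeted apps is valid but protects nothing, so check the "Deployed apps" count in the portal after running this.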

Part 2: Create Conditional Access Policy

Now create the Conditional Access policy that enforces app protection.

Step 2A: Navigate to Conditional Access

  1. Sign in to the Microsoft Entra admin center
  2. In the left navigation, expand Protection
  3. Select Conditional Access
  4. Click Policies

Step 2B: Create the Policy

  1. Click + New policy
  2. Enter a name: Require App Protection for Mobile Access

Step 2C: Configure Users and Groups

  1. Under Assignments, click Users
  2. Select All users under Include
  3. Under Exclude, add your emergency access accounts

Step 2D: Configure Target Resources

  1. Under Target resources, click Cloud apps
  2. Select All cloud apps under Include

Alternative - Office 365 only:

  1. Select Select apps
  2. Choose Office 365 to limit to Microsoft 365 apps

Step 2E: Configure Conditions

  1. Under Conditions, click Device platforms
  2. Set Configure to Yes
  3. Under Include, select Select device platforms
  4. Check Android and iOS
  5. Click Done

Step 2F: Configure Access Controls

You have two grant controls to choose from, plus a combination of both:

Both controls are evaluated on the device through a broker app: Microsoft Authenticator on iOS and the Intune Company Portal on Android. If the broker is not installed and signed in, the sign-in is blocked whichever option you choose, so include the broker in your user communication.

Option A: Require Approved Client App (Legacy)

Microsoft has announced the retirement of this control in favor of Require app protection policy. Use it only as a transition control for apps that do not yet support app protection policies.

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require approved client app
  4. Click Select

Option B: Require App Protection Policy (Recommended)

This control is satisfied only if an Intune App Protection Policy is applied to the app the user signs in with; an app that no policy targets is blocked. That is why Part 1 has to be complete before the policy is enforced.

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check Require app protection policy
  4. Click Select

Option C: Either/Or (For Transition)

  1. Under Access controls, click Grant
  2. Select Grant access
  3. Check both:
    • Require approved client app
    • Require app protection policy
  4. Select Require one of the selected controls
  5. Click Select

Step 2G: Enable the Policy

  1. Under Enable policy, select Report-only initially
  2. Click Create
  3. Monitor impact for 1-2 days in the sign-in logs: each sign-in's Report-only tab shows the policy as "Report-only: Success" or "Report-only: Failure"; failures are typically users without the broker app or with an app that no App Protection Policy targets, and that is the population to fix before enforcement
  4. Edit the policy and change it to On when ready
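As an added example (not part of the original guide), the following PowerShell creates the Part 2 policy with the Microsoft.Graph PowerShell SDK in report-only mode, with Option C grant controls and the emergency access accounts excluded. The break-glass UPNs are placeholders (an assumption); resolve your own before running.

```powershell
# Added example: create the Conditional Access policy from Part 2 via Graph.
# Requires Policy.ReadWrite.ConditionalAccess (to write the policy) and
# User.Read.All (to resolve the break-glass accounts by UPN).
# ASSUMPTION: the two UPNs below are placeholders for your emergency access accounts.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

# Resolve emergency access accounts to object IDs so they are never locked out
$breakGlass = @('breakglass1@contoso.com', 'breakglass2@contoso.com') |
    ForEach-Object { (Get-MgUser -UserId $_ -Property Id).Id }

$policy = @{
    displayName   = 'Require App Protection for Mobile Access'
    state         = 'enabledForReportingButNotEnforced'     # Report-only; switch to 'enabled' later
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @('All') }  # or @('Office365') for the Microsoft 365 only variant
        platforms    = @{ includePlatforms = @('iOS', 'android') }
    }
    grantControls = @{
        operator        = 'OR'                               # Option C: either control satisfies the grant
        builtInControls = @('compliantApplication', 'approvedApplication')
        # Option B alone would be: operator 'OR', builtInControls @('compliantApplication')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created {0} ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State

# After the report-only period (Step 2G), enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

`compliantApplication` is the Graph name for Require app protection policy and `approvedApplication` for Require approved client app; the platform values are case-sensitive (`iOS`, `android`).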

Approved Client Apps vs. App Protection Policies

Approved Client Apps

Requires users to use specific Microsoft-approved applications:

  • Microsoft Outlook (instead of native mail)
  • Microsoft Teams
  • Microsoft OneDrive
  • Microsoft Edge

Pros:

  • Simple to implement
  • Satisfied as soon as the user signs in through an app on Microsoft's approved list; no Intune policy has to be applied to that app

Cons:

  • Limited to Microsoft's approved list
  • Only checks which app is used; on its own it applies no data protection (PIN, copy/paste, backup controls) unless an Intune App Protection Policy is also assigned
  • Being retired by Microsoft in favor of Require app protection policy

App Protection Policies

Requires apps to have an Intune App Protection Policy applied:

  • More granular control
  • Custom data protection settings
  • Can include non-Microsoft apps with Intune SDK

Pros:

  • Customizable protection settings
  • Supports third-party apps
  • No device enrollment required

Cons:

  • Requires Intune App Protection Policy configuration
  • More complex to set up

Verification Checklist

After enabling the policies, verify successful implementation:

Intune Policy Verification

  • iOS App Protection Policy shows in Intune with correct settings
  • Android App Protection Policy shows in Intune with correct settings
  • Policies are assigned to the correct user groups

Conditional Access Verification

  • Policy appears in the Conditional Access policies list with status "On"
  • Device platforms condition shows iOS and Android selected
  • Grant controls show either approved client app or app protection policy

End-User Testing

  1. iOS Test:

    • Sign in to the Outlook app on an iOS device (Microsoft Authenticator must be installed as the broker app)
    • Verify the app protection policy is applied: on the first launch after assignment, Outlook shows "Your organization is now protecting its data in this app" and then prompts for the app PIN
    • Try to copy text into an unmanaged app such as Notes; the paste should be blocked
  2. Android Test:

    • Sign in to the Outlook app on an Android device (Intune Company Portal must be installed as the broker app)
    • Verify the app protection policy is applied in the same way
    • Try to take a screenshot of corporate data; Android should refuse the capture with a security policy message

Sign-in Log Validation

  1. In the Microsoft Entra admin center, go to Identity > Monitoring & health > Sign-in logs
  2. Add the Operating system filter and select iOS or Android
  3. Open a mobile sign-in and check its Conditional Access tab (the Report-only tab while the policy is still in report-only mode)
  4. Verify your policy appears with result "Success" and the expected grant control (Require app protection policy or Require approved client app) listed as satisfied; "Not applied" means a condition (usually the platform) did not match, and "Failure" for a user without the broker app is expected until they install it
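As an added example (not part of the original guide), the following PowerShell automates the three verification steps above: it reads the Conditional Access policy and both App Protection Policies back through the Microsoft.Graph PowerShell SDK, compares them with the values recommended in this guide, and summarizes how the policy has evaluated recent iOS and Android sign-ins. The policy names are the ones used in this guide (an assumption if you named yours differently).

```powershell
# Added example: audit the CA-05 deployment against the recommended values and
# summarize the policy's results on recent mobile sign-ins.
# Requires Policy.Read.All, DeviceManagementApps.Read.All and AuditLog.Read.All.
# ASSUMPTION: policy names match the ones used in this guide.

Connect-MgGraph -Scopes 'Policy.Read.All', 'DeviceManagementApps.Read.All', 'AuditLog.Read.All'

$caName   = 'Require App Protection for Mobile Access'
$findings = [System.Collections.Generic.List[string]]::new()

# --- Conditional Access policy ---
$ca = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $caName
if (-not $ca) {
    $findings.Add("CA policy '$caName' not found")
} else {
    if ($ca.State -ne 'enabled') { $findings.Add("CA policy state is '$($ca.State)', not 'enabled'") }
    $platforms = @($ca.Conditions.Platforms.IncludePlatforms)
    foreach ($p in 'iOS', 'android') {
        if ($platforms -notcontains $p) { $findings.Add("CA policy does not target platform $p") }
    }
    $controls = @($ca.GrantControls.BuiltInControls)
    if ($controls -notcontains 'compliantApplication' -and $controls -notcontains 'approvedApplication') {
        $findings.Add('CA policy grants neither Require app protection policy nor Require approved client app')
    }
    if (@($ca.Conditions.Users.ExcludeUsers).Count -eq 0) { $findings.Add('CA policy excludes no emergency access accounts') }
}

# --- Intune App Protection Policies: settings that must hold on both platforms ---
$expected = @{
    PinRequired = $true; MinimumPinLength = 6; DataBackupBlocked = $true; SaveAsBlocked = $true
    PrintBlocked = $true; DeviceComplianceRequired = $true                  # jailbroken/rooted block
    AllowedOutboundDataTransferDestinations = 'managedApps'
}
function Test-AppPolicy($policy, $platform) {
    if (-not $policy) { $findings.Add("$platform app protection policy not found"); return }
    if (-not $policy.IsAssigned) { $findings.Add("$platform policy '$($policy.DisplayName)' is not assigned to anyone") }
    foreach ($k in $expected.Keys) {
        if ("$($policy.$k)" -ne "$($expected[$k])") {
            $findings.Add("$platform policy: $k is '$($policy.$k)', expected '$($expected[$k])'")
        }
    }
}
$ios = Get-MgDeviceAppManagementiOSManagedAppProtection -All | Where-Object DisplayName -eq 'Corporate App Protection - iOS'
Test-AppPolicy $ios 'iOS'
$android = Get-MgDeviceAppManagementAndroidManagedAppProtection -All | Where-Object DisplayName -eq 'Corporate App Protection - Android'
Test-AppPolicy $android 'Android'
if ($android -and -not $android.ScreenCaptureBlocked) { $findings.Add('Android policy does not block screen capture') }

# --- Sign-in log sample: how is the policy evaluating mobile sign-ins? ---
$since  = (Get-Date).AddDays(-2).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$mobile = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -Top 1000 |
    Where-Object { $_.DeviceDetail.OperatingSystem -match '^(Ios|Android)' }
$results = foreach ($s in $mobile) {
    $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $caName | ForEach-Object {
        [pscustomobject]@{ OS = ($s.DeviceDetail.OperatingSystem -split ' ')[0]; Result = $_.Result; App = $s.AppDisplayName }
    }
}
'Policy results on mobile sign-ins since {0}:' -f $since
$results | Group-Object OS, Result | Select-Object Count, Name | Sort-Object Name | Format-Table -AutoSize

'Findings: {0}' -f $findings.Count
$findings
```

A clean run prints zero findings and a result table dominated by `success` (or `reportOnlySuccess` during the report-only period). A cluster of `failure` results for one app name usually means that app is not targeted by the App Protection Policy; a cluster across all apps for a few users usually means the broker app is missing on their devices.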

Troubleshooting

Users Cannot Access Apps on Mobile

Symptom: Users receive "Access blocked" when signing into mobile apps.

Solutions:

  1. Ensure the user is using an approved client app (e.g., Outlook, not native Mail)
  2. Ensure the broker app is installed and signed in: Microsoft Authenticator on iOS, Intune Company Portal on Android
  3. Verify the app supports app protection policies and that an Intune App Protection Policy targets it (an untargeted app fails Require app protection policy)
  4. Check that the user holds an Intune license and that the App Protection Policy is assigned to a group containing the user
  5. Allow time for propagation: managed apps refresh their policy on check-in (roughly every 30 minutes), and new group or license assignments can take longer to reach the device

App Protection Policy Not Applied

Symptom: Data protection features are not working (users can copy to any app).

Solutions:

  1. Force close and reopen the app
  2. Sign out and sign back in to the app
  3. Verify the app is the latest version from the app store
  4. Check Intune for policy assignment status

Jailbreak/Root Detection Blocking Legitimate Devices

Symptom: Users with legitimate devices are blocked as jailbroken/rooted.

Solutions:

  1. Ensure device operating systems are updated
  2. For Android: verify the device passes the Play Integrity verdict (formerly SafetyNet device attestation) at the level you require; "Basic integrity and device certified" fails on custom-ROM or uncertified devices that are otherwise unmodified, so consider "Basic integrity" for those
  3. Review the conditional launch settings for appropriate thresholds
  4. Users may need to remove problematic apps that trigger detection

Third-Party Apps Not Working

Symptom: Non-Microsoft apps that should be protected are blocked.

Solutions:

  1. Verify the app has Intune SDK integration
  2. Add the app explicitly to the App Protection Policy target apps
  3. Check if the app supports the required protection features
  4. Contact the app vendor for Intune compatibility

Users on Older Devices Blocked

Symptom: Users with older iOS or Android versions cannot access apps.

Solutions:

  1. Review the minimum OS version settings in App Protection Policy
  2. Adjust thresholds to match your organization's device landscape
  3. Consider warning actions instead of blocking for older OS versions
  4. Communicate upgrade requirements to affected users

Policy Configuration Summary

Conditional Access Policy

Setting                       | Value
----------------------------- | ------------------------------------------------------------------
Policy Name                   | Require App Protection for Mobile Access
Users - Include               | All users
Users - Exclude               | Emergency access accounts
Cloud Apps                    | All cloud apps (or Office 365)
Conditions - Device platforms | iOS, Android
Grant                         | Require app protection policy (either/or with Require approved client app only during transition)
Enable Policy                 | On (after a report-only period)

iOS App Protection Policy

Setting                  | Value
------------------------ | --------------------------------
Policy Name              | Corporate App Protection - iOS
Target Apps              | All Microsoft Apps
Backup to iCloud         | Block
Send data to other apps  | Policy managed apps
Encrypt org data         | Require
Jailbroken devices       | Block access
Assigned to              | All Users

Android App Protection Policy

Setting                                                        | Value
-------------------------------------------------------------- | ------------------------------------
Policy Name                                                    | Corporate App Protection - Android
Target Apps                                                    | All Microsoft Apps
Backup to Android services                                     | Block
Send data to other apps                                        | Policy managed apps
Encrypt org data                                               | Require
Rooted devices                                                 | Block access
Play Integrity verdict (formerly SafetyNet device attestation) | Basic integrity and device certified
Assigned to                                                    | All Users

User Communication

When rolling out app protection policies, communicate with users:

Recommended Message

Subject: New Mobile Security Requirements

Starting [DATE], we are implementing enhanced security for mobile access to company data.

What's changing:

  • You must use approved apps (Outlook, Teams, OneDrive) for work email and files
  • On iPhone/iPad you also need Microsoft Authenticator installed; on Android you need the Intune Company Portal app
  • You will be asked to set an app PIN the first time you open a work app, and to enter it afterwards
  • Copy/paste from work content into personal apps will be restricted

What you need to do:

  1. Download Microsoft Outlook, Teams, and OneDrive from the App Store/Google Play
  2. Sign in with your work account
  3. Set up a PIN when prompted

Benefits:

  • Your personal data and apps are NOT affected
  • No device enrollment required
  • Protects company data if your phone is lost or stolen

Contact IT Support with questions.


Related Controls

  • DV-01: Require Compliant Devices for Admin Access (full device management)
  • CA-01: Require MFA for All Users (baseline authentication)
  • DV-02: Require Compliant Devices for Global Admins (enhanced admin protection)
  • EXT-06: External Sharing Visibility (data protection)

Additional Resources