CA-05: Creating an App Protection Policy for Mobile Devices
Overview
This guide walks you through creating a Conditional Access policy that requires approved client apps or app protection policies for mobile device access. This control ensures that corporate data accessed on iOS and Android devices is protected, even on personal (BYOD) devices.
- Control ID: CA-05
- Category: Conditional Access
- Severity: High
- License Required: Microsoft Entra ID P1 + Microsoft Intune (included in Microsoft 365 Business Premium, E3, E5)
Why This Matters
Mobile devices accessing corporate data present unique risks:
- Data leakage - Users can copy corporate data to unmanaged apps
- Uncontrolled backups - Corporate data may sync to personal cloud storage
- Screenshot/screen recording - Sensitive data can be captured
- Jailbroken/rooted devices - Security controls can be bypassed
App Protection Policies (also called MAM - Mobile Application Management) protect data inside managed apps without requiring full device enrollment. This enables secure BYOD scenarios.
Prerequisites
Required Roles
You need the following roles:
For Conditional Access Policy:
- Conditional Access Administrator, Security Administrator, or Global Administrator
For Intune App Protection Policies:
- Intune Administrator or Global Administrator
Required Licenses
- Microsoft Entra ID P1 for Conditional Access
- Microsoft Intune for App Protection Policies
- Included in: Microsoft 365 Business Premium, E3, E5
Pre-Configuration Requirements
Before creating the Conditional Access policy:
- Create Intune App Protection Policies - Must be configured first
- Identify target apps - Typically Office 365 or all cloud apps
- Plan BYOD vs. corporate device strategy - This policy mainly benefits BYOD scenarios
Time Estimate
| Task | Duration |
|---|---|
| Create iOS App Protection Policy | 20-30 minutes |
| Create Android App Protection Policy | 20-30 minutes |
| Create Conditional Access Policy | 10-15 minutes |
| User communication and testing | 1-2 days |
| Total | 2-3 days including rollout |
Step-by-Step Instructions
Part 1: Create Intune App Protection Policies
Before creating the Conditional Access policy, you must create App Protection Policies in Intune.
Step 1A: Navigate to Intune App Protection
- Sign in to the Microsoft Intune admin center
- In the left navigation, select Apps
- Select App protection policies
Step 1B: Create iOS App Protection Policy
- Click + Create policy and select iOS/iPadOS
- Enter a name:
Corporate App Protection - iOS
Apps Tab:
- Under Target policy to, select All Apps or specific apps
- Recommended: Select All Microsoft Apps for initial deployment
Data Protection Tab: Configure the following settings:
| Setting | Recommended Value |
|---|---|
| Backup org data to iTunes and iCloud | Block |
| Send org data to other apps | Policy managed apps |
| Receive data from other apps | Policy managed apps |
| Save copies of org data | Block |
| Allow user to save copies to selected services | OneDrive for Business, SharePoint |
| Cut, copy, and paste between other apps | Policy managed apps with paste in |
| Screen capture and Google Assistant | Block |
| Encrypt org data | Require |
| Sync policy managed app data with native apps | Block |
| Printing org data | Block |
Access Requirements Tab:
| Setting | Recommended Value |
|---|---|
| PIN for access | Require |
| PIN type | Numeric |
| Simple PIN | Block |
| Minimum PIN length | 6 |
| Touch ID instead of PIN | Allow |
| Face ID instead of PIN | Allow |
| PIN reset after number of days | 90 |
| Work or school account credentials for access | Require |
Conditional Launch Tab:
| Setting | Value | Action |
|---|---|---|
| Jailbroken/rooted devices | N/A | Block access |
| Minimum OS version | 15.0 | Block access |
| Max PIN attempts | 5 | Reset PIN |
| Offline grace period | 720 minutes | Block access |
- Click Next and assign to All Users (or a pilot group)
- Click Create
Step 1C: Create Android App Protection Policy
- Click + Create policy and select Android
- Enter a name:
Corporate App Protection - Android
Apps Tab:
- Under Target policy to, select All Apps or specific apps
- Recommended: Select All Microsoft Apps for initial deployment
Data Protection Tab: Configure the following settings:
| Setting | Recommended Value |
|---|---|
| Backup org data to Android backup services | Block |
| Send org data to other apps | Policy managed apps |
| Receive data from other apps | Policy managed apps |
| Save copies of org data | Block |
| Allow user to save copies to selected services | OneDrive for Business, SharePoint |
| Cut, copy, and paste between other apps | Policy managed apps with paste in |
| Screen capture and Google Assistant | Block |
| Encrypt org data | Require |
| Sync policy managed app data with native apps | Block |
| Printing org data | Block |
Access Requirements Tab:
| Setting | Recommended Value |
|---|---|
| PIN for access | Require |
| PIN type | Numeric |
| Simple PIN | Block |
| Minimum PIN length | 6 |
| Fingerprint instead of PIN | Allow |
| Work or school account credentials for access | Require |
Conditional Launch Tab:
| Setting | Value | Action |
|---|---|---|
| Rooted devices | N/A | Block access |
| SafetyNet device attestation | Basic integrity and certified devices | Block access |
| Minimum OS version | 10.0 | Block access |
| Max PIN attempts | 5 | Reset PIN |
| Offline grace period | 720 minutes | Block access |
- Click Next and assign to All Users (or a pilot group)
- Click Create
Part 2: Create Conditional Access Policy
Now create the Conditional Access policy that enforces app protection.
Step 2A: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- In the left navigation, expand Protection
- Select Conditional Access
- Click Policies
Step 2B: Create the Policy
- Click + New policy
- Enter a name:
Require App Protection for Mobile Access
Step 2C: Configure Users and Groups
- Under Assignments, click Users
- Select All users under Include
- Under Exclude, add your emergency access accounts
Step 2D: Configure Target Resources
- Under Target resources, click Cloud apps
- Select All cloud apps under Include
Alternative - Office 365 only:
- Select Select apps
- Choose Office 365 to limit to Microsoft 365 apps
Step 2E: Configure Conditions
- Under Conditions, click Device platforms
- Set Configure to Yes
- Under Include, select Select device platforms
- Check Android and iOS
- Click Done
Step 2F: Configure Access Controls
You have the following options for grant controls:
Option A: Require Approved Client App (Simpler)
- Under Access controls, click Grant
- Select Grant access
- Check Require approved client app
- Click Select
Option B: Require App Protection Policy (More Flexible)
- Under Access controls, click Grant
- Select Grant access
- Check Require app protection policy
- Click Select
Option C: Either/Or (Recommended for Transition)
- Under Access controls, click Grant
- Select Grant access
- Check both:
- Require approved client app
- Require app protection policy
- Select Require one of the selected controls
- Click Select
Step 2G: Enable the Policy
- Under Enable policy, select Report-only initially
- Click Create
- Monitor impact for 1-2 days
- Edit policy and change to On when ready
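The same Part 2 policy built with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original guide: it creates the policy in report-only mode (Step 2G) with the Option C grant controls. It assumes the Microsoft.Graph module is installed; the emergency access account object IDs are placeholders you replace with your own.

```powershell
# Added example (not from the guide): create the CA-05 policy from Part 2 via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK is installed and you hold a role listed under
# Prerequisites. Replace the placeholder object IDs with your emergency access accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Step 2C: break-glass accounts excluded so this policy can never lock out all admins
$emergencyAccounts = @("<emergency-account-object-id-1>", "<emergency-account-object-id-2>")

$policy = @{
    displayName = "Require App Protection for Mobile Access"
    # Step 2G: start in report-only; switch to "enabled" once the 1-2 day review is done
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = $emergencyAccounts
        }
        applications = @{
            # Step 2D: all cloud apps; use @("Office365") for the Office 365-only alternative
            includeApplications = @("All")
        }
        platforms    = @{
            # Step 2E: scope the policy to the two mobile platforms only
            includePlatforms = @("android", "iOS")
        }
    }
    grantControls = @{
        # Option C: "Require one of the selected controls" = OR of approved client app
        # (approvedApplication) and app protection policy (compliantApplication)
        operator        = "OR"
        builtInControls = @("approvedApplication", "compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Step 2G, last bullet: enforce the policy after monitoring report-only results
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```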
Approved Client Apps vs. App Protection Policies
Approved Client Apps
Requires users to use specific Microsoft-approved applications:
- Microsoft Outlook (instead of native mail)
- Microsoft Teams
- Microsoft OneDrive
- Microsoft Edge
Pros:
- Simple to implement
- No Intune configuration required (Microsoft maintains the approved list)
Cons:
- Limited to Microsoft's approved list
- Cannot customize protection settings
App Protection Policies
Requires apps to have an Intune App Protection Policy applied:
- More granular control
- Custom data protection settings
- Can include non-Microsoft apps with Intune SDK
Pros:
- Customizable protection settings
- Supports third-party apps
- No device enrollment required
Cons:
- Requires Intune App Protection Policy configuration
- More complex to set up
Verification Checklist
After enabling the policies, verify successful implementation:
Intune Policy Verification
- iOS App Protection Policy shows in Intune with correct settings
- Android App Protection Policy shows in Intune with correct settings
- Policies are assigned to the correct user groups
Conditional Access Verification
- Policy appears in the Conditional Access policies list with status "On"
- Device platforms condition shows iOS and Android selected
- Grant controls show either approved client app or app protection policy
End-User Testing
- iOS Test:
  - Sign in to Outlook app on an iOS device
  - Verify app protection policy is applied (look for managed app indicator)
  - Try to copy text to an unmanaged app - should be blocked
- Android Test:
  - Sign in to Outlook app on an Android device
  - Verify app protection policy is applied
  - Try to take a screenshot of corporate data - should be blocked
Sign-in Log Validation
- Navigate to Entra admin center > Monitoring > Sign-in logs
- Filter by device platform: iOS or Android
- Check the Conditional Access tab for mobile sign-ins
- Verify your policy appears with result "Success" or appropriate grant controls applied
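A scripted version of the Intune Policy Verification and Sign-in Log Validation checks above, added here as an example and not part of the original guide. It assumes the Microsoft.Graph PowerShell SDK and the policy names used in this guide; it reads the key iOS App Protection Policy settings and then summarizes how the Conditional Access policy evaluated for iOS and Android sign-ins in the last 24 hours.

```powershell
# Added example (not from the guide): verify the Part 1 iOS policy settings and the
# Part 2 policy results in sign-in logs. Assumes the Microsoft.Graph SDK is installed.
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Intune Policy Verification: pull the iOS policy by name and show the settings that
# map to the Data Protection, Access Requirements and Conditional Launch tables
$ios = Get-MgDeviceAppManagementIosManagedAppProtection -All |
    Where-Object DisplayName -eq "Corporate App Protection - iOS"
if (-not $ios) { Write-Warning "iOS App Protection Policy not found" }
$ios | Select-Object DisplayName, DataBackupBlocked, AllowedOutboundDataTransferDestinations,
    PinRequired, MinimumPinLength, DeviceComplianceRequired, MinimumRequiredOsVersion

# Sign-in Log Validation: mobile sign-ins from the last 24 hours, filtered client-side
# on the device platform because the OS string is reported as e.g. "iOS 17" or "Android 14"
$since   = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.DeviceDetail.OperatingSystem -match '^(iOS|Android)' }

# Per sign-in result of our policy; while still in report-only the results are
# reportOnlySuccess / reportOnlyFailure rather than success / failure
$signIns | ForEach-Object {
    $applied = $_.AppliedConditionalAccessPolicies |
        Where-Object DisplayName -eq "Require App Protection for Mobile Access"
    [pscustomobject]@{
        User     = $_.UserPrincipalName
        App      = $_.AppDisplayName
        ClientOS = $_.DeviceDetail.OperatingSystem
        CaResult = if ($applied) { $applied.Result } else { "notEvaluated" }
    }
} | Group-Object CaResult | Select-Object Name, Count
```

A large count of failure or reportOnlyFailure results points at users on native mail clients or unprotected apps, which the Troubleshooting section below covers.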
Troubleshooting
Users Cannot Access Apps on Mobile
Symptom: Users receive "Access blocked" when signing into mobile apps.
Solutions:
- Ensure the user is using an approved client app (e.g., Outlook, not native Mail)
- Verify the app supports app protection policies
- Check if the Intune App Protection Policy is assigned to the user
- For new users, policy deployment can take up to 24 hours
App Protection Policy Not Applied
Symptom: Data protection features are not working (users can copy to any app).
Solutions:
- Force close and reopen the app
- Sign out and sign back in to the app
- Verify the app is the latest version from the app store
- Check Intune for policy assignment status
Jailbreak/Root Detection Blocking Legitimate Devices
Symptom: Users with legitimate devices are blocked as jailbroken/rooted.
Solutions:
- Ensure device operating systems are updated
- For Android: Verify SafetyNet attestation passes
- Review the conditional launch settings for appropriate thresholds
- Users may need to remove problematic apps that trigger detection
Third-Party Apps Not Working
Symptom: Non-Microsoft apps that should be protected are blocked.
Solutions:
- Verify the app has Intune SDK integration
- Add the app explicitly to the App Protection Policy target apps
- Check if the app supports the required protection features
- Contact the app vendor for Intune compatibility
Users on Older Devices Blocked
Symptom: Users with older iOS or Android versions cannot access apps.
Solutions:
- Review the minimum OS version settings in App Protection Policy
- Adjust thresholds to match your organization's device landscape
- Consider warning actions instead of blocking for older OS versions
- Communicate upgrade requirements to affected users
Policy Configuration Summary
Conditional Access Policy
| Setting | Value |
|---|---|
| Policy Name | Require App Protection for Mobile Access |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps (or Office 365) |
| Conditions - Device platforms | iOS, Android |
| Grant | Require app protection policy |
| Enable Policy | On |
iOS App Protection Policy
| Setting | Value |
|---|---|
| Policy Name | Corporate App Protection - iOS |
| Target Apps | All Microsoft Apps |
| Backup to iCloud | Block |
| Send data to other apps | Policy managed apps |
| Encrypt org data | Require |
| Jailbroken devices | Block access |
| Assigned to | All Users |
Android App Protection Policy
| Setting | Value |
|---|---|
| Policy Name | Corporate App Protection - Android |
| Target Apps | All Microsoft Apps |
| Backup to Android services | Block |
| Send data to other apps | Policy managed apps |
| Encrypt org data | Require |
| Rooted devices | Block access |
| SafetyNet attestation | Basic integrity + certified devices |
| Assigned to | All Users |
User Communication
When rolling out app protection policies, communicate with users:
Recommended Message
Subject: New Mobile Security Requirements
Starting [DATE], we are implementing enhanced security for mobile access to company data.
What's changing:
- You must use approved apps (Outlook, Teams, OneDrive) for work email and files
- Apps will require a PIN on first use
- Copy/paste to personal apps will be restricted for work content
What you need to do:
- Download Microsoft Outlook, Teams, and OneDrive from the App Store/Google Play
- Sign in with your work account
- Set up a PIN when prompted
Benefits:
- Your personal data and apps are NOT affected
- No device enrollment required
- Protects company data if your phone is lost or stolen
Contact IT Support with questions.
Related Controls
- DV-01: Require Compliant Devices for Admin Access (full device management)
- CA-01: Require MFA for All Users (baseline authentication)
- DV-02: Require Compliant Devices for Global Admins (enhanced admin protection)
- EXT-06: External Sharing Visibility (data protection)