Skip to main content

Corporate Data on Personal Phones: The Intune Policy That Contains It Without Enrollment

Nick Ross3 min read

TL;DR

  • Intune app protection policies containerize corporate data inside managed apps on personal iOS and Android devices without requiring device enrollment.
  • A single policy can restrict cut, copy, paste, and save-as so corporate data only moves between other policy-managed apps.
  • Access requirements add an app-level PIN or additional sign-in, which protects corporate data even when a personal device itself is compromised.
  • Conditional launch rules act as if-then statements that block or wipe corporate data when a device reaches a defined state.
  • As of September 2021, policies apply immediately on assignment, and users see an in-app notice that the organization is protecting data.

Your customer's payroll spreadsheet is one careless tap from someone's personal notes app, and the phone it happened on was never yours to manage. That is the BYOD problem in one sentence, and as of September 2021, app protection policies in Microsoft Intune remain the cleanest answer. They containerize corporate data inside the apps you trust, without enrolling the device in management at all, and without getting in the user's way.

This walkthrough covers what the policies aim to do, how to build one from a blank Endpoint Manager console, and what your end users actually experience once it lands.

What is an app protection policy supposed to accomplish?

Diagram of app protection policy goals for corporate data on mobile devices

Three goals drive the design:

  • Keep corporate data out of untrusted or unmanaged locations
  • Provide end-to-end protection when a device is lost or stolen
  • Grant access to corporate data while restricting how it can be shared

How do you build the policy?

  1. Sign into the Endpoint Manager admin center (opens in new tab).
  2. Go to Apps > App Protection Policies > Create Policy.
Create Policy menu under App Protection Policies in Endpoint Manager

This example builds an iOS policy. Android policies mirror iOS with a few obvious differences native to the OS nomenclature.

  1. Provide a name.
Naming the app protection policy in the creation wizard
  1. In the Apps section, choose which device types the policy targets. It can apply to both managed and unmanaged devices, and a common pattern is two policies, with the unmanaged-device policy carrying the tighter restrictions. This example scopes to unmanaged devices.
Scoping the policy to unmanaged device types
  1. Click +Select Public Apps. This is where you declare which apps are sanctioned, meaning trusted, in the organization. Microsoft has a preset library, and we recommend at least including the core Office suite. These become your managed apps, the ones you can then wrap with protections like cut, copy, paste, and save-as restrictions. Custom apps can also be uploaded for protection outside Microsoft's offerings.
Selecting public apps from Microsoft's preset library
Selected sanctioned apps list for the policy
  1. The Data Protection section defines the security settings for your managed apps. We will not cover every toggle here, but the pattern that matters: restrict these permissions to other policy-managed apps, as shown below. That single choice is what keeps corporate data circulating only inside the container.
Data protection settings restricting data transfer to policy-managed apps
  1. Access Requirements define app-level security like a PIN or an additional sign-in. If a device is stolen or broken into, this is the extra layer standing between the thief and corporate data.
Access requirements settings including app-level PIN
  1. Conditional Launch is a set of if-then statements you declare for when a device reaches a certain state, such as blocking access or wiping corporate data when conditions fail.
Conditional launch rules for device and app conditions
  1. The final tabs scope the policy to specific users or groups. The policy takes effect immediately, and users opening the protected apps on an iOS device are told their data is being protected.

What changes for the user?

The point of app protection is that almost nothing changes until the user tries to move data somewhere it should not go. Here is the experience end to end.

The first sign-in. When a user signs into a protected app like Outlook, they get a prompt explaining the organization is now protecting data in the app:

Outlook prompt telling the user their organization is protecting app data

Copy and paste hits a wall. Cut, copy, and paste into unmanaged applications is restricted. Here is an attempt to copy an email message into a personal notepad app:

Copying email content from a managed app
Paste blocked into an unmanaged notes app

Save-as is limited too. Saving a Word document to a personal location on the iOS device is blocked by the policy:

Attempting to save a Word document outside managed locations
Save-as restricted to approved corporate locations

The PIN gets established up front. If you configured additional access controls like a PIN, the user is asked to set it the first time they open a managed app after the policy is created:

User prompted to set an app PIN on first launch after policy assignment

The trade worth making

App protection policies take light administrative work to set up and meaningfully raise the protection of corporate data on devices you will never fully manage. For the BYOD-heavy customer base most MSPs carry, that is about the best effort-to-impact ratio in the Intune catalog.

Microsoft's reference documentation is here: App protection policies overview (opens in new tab)

Frequently asked questions

Do app protection policies require the phone to be enrolled in Intune?

No. App protection policies work on unmanaged devices, which is their main appeal for BYOD. You can scope a policy to unmanaged devices only, or run separate policies for managed and unmanaged devices with different levels of restriction.

Are Android app protection policies different from iOS?

Android policies mirror iOS with a few differences native to each operating system's nomenclature. The walkthrough here uses iOS, and the same structure applies on Android.

Can you protect non-Microsoft apps with these policies?

Yes. Microsoft maintains a preset library of public apps that support app protection, and custom apps can be uploaded for protection outside the Microsoft suite.

BYOD policies drift just like every other control

An app protection policy that worked at rollout can quietly stop matching reality as apps and groups change. CloudCapsule checks 250+ controls across every tenant you manage in about 60 seconds each.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading