Creating a New Microsoft 365 App Protection Policy

Before you begin

  • This policy is applicable for iOS and Android devices.
  • The devices must have Microsoft 365 apps installed.
  • The devices must have the Microsoft Company Portal app installed if an app protection policy is assigned to the device and the user attempts to launch an app that is managed by the policy. If Company Portal is not installed, users see a message on the device directing them to download it.
  • SOTI MobiControl must be connected to the Microsoft Endpoint Management service.

About this task


  1. From the SOTI MobiControl web console main menu, select Global Settings > Services > Microsoft 365.
  2. In the App Protection Policies section, click the Add Profile button.
  3. Select either an Android or Apple (iOS) policy.
    The Create App Protection Policy wizard launches, which allows you to build your policy in four steps.
  4. In the first step, General, enter a Policy Name and Description, then click Next.
  5. In the second step, Apps, the default (and only) selection is to include All Apps in your protection policy. This means that protections you choose will affect interactions between your Microsoft 365 apps and every other application on your device.
  6. In the third step, Data, you can select how the data from your Microsoft 365 apps is protected:

    The data step of the Create App Protection Policy wizard

    Hover your mouse over each protection setting in the interface to learn more about its application in the policy.

    Disable Backup: Choose Block to disable backup of org data to Android backup services. Choose Allow to enable backup. Personal and unmanaged data is unaffected.
    Send Data to Other Apps: Select an option to specify what apps this app can send org data to.
    Receive Data from Other Apps: Select an option to specify what apps this app can receive org data from.
    • None: Prevent receiving org data from any app.
    • Policy managed apps: Only receive org data from policy managed apps.
    • All apps: Receive org data from any app.
    Restrict Cut, Copy & Paste with Other Apps: Choose to block these actions completely between apps, allow these actions for use with any app, or restrict use to apps that your organization manages.
    Disable Screen Capture and Android Assistant: Choose to enable or disable screen capture and Google Assistant app scanning capabilities when using a policy-managed app.
    Require Data Encryption: Toggle on to enable encryption of work or school data in this app. Intune uses an OpenSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file input/output tasks. Content on the device storage is always encrypted.
    Disable Contacts Sync: Choose to prevent policy managed apps from saving data to the native Contacts and Calendar apps on the device.
    Disable Printing: Choose to prevent an app from printing protected data.
    Open Content In Browser: Choose the apps that this app can open web content in. You can select SOTI Surf as the only browser for web content, specify a different, unmanaged browser, or allow any app to open web links.
  7. In the fourth step, Assign, click the Add Group button to assign one or more User Groups to the protection policy.

    The Assign step of the Create App Protection Policy wizard

  8. Click Finish to complete and save your protection policy. The policy becomes active for the assigned User Groups immediately.
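
An added example, not part of the SOTI documentation: once the policy is saved, one way to verify the Data step is to read the policy back and compare it with a baseline. It assumes the Android policy is retrieved from Microsoft Graph as an androidManagedAppProtection object and that the wizard settings map to the Graph properties shown; the sample policy and the baseline values are constructed for illustration.

```python
import json

# Constructed sample (not real tenant data): an Android policy as it might look
# when read back from Microsoft Graph as an androidManagedAppProtection object.
SAMPLE_POLICY = json.loads("""{
  "displayName": "Example policy (constructed)",
  "dataBackupBlocked": true,
  "allowedOutboundDataTransferDestinations": "managedApps",
  "allowedInboundDataTransferSources": "allApps",
  "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
  "screenCaptureBlocked": false,
  "encryptAppData": true,
  "contactSyncBlocked": true
}""")

MANAGED_OR_STRICTER = {"managedApps", "none"}
CLIPBOARD_RESTRICTED = {"blocked", "managedApps", "managedAppsWithPasteIn"}

# Assumed mapping: wizard setting -> (Graph property, values this baseline accepts).
# The baseline is an illustrative restrictive choice, not a vendor recommendation.
BASELINE = {
    "Disable Backup": ("dataBackupBlocked", {True}),
    "Send Data to Other Apps":
        ("allowedOutboundDataTransferDestinations", MANAGED_OR_STRICTER),
    "Receive Data from Other Apps":
        ("allowedInboundDataTransferSources", MANAGED_OR_STRICTER),
    "Restrict Cut, Copy & Paste with Other Apps":
        ("allowedOutboundClipboardSharingLevel", CLIPBOARD_RESTRICTED),
    "Disable Screen Capture and Android Assistant": ("screenCaptureBlocked", {True}),
    "Require Data Encryption": ("encryptAppData", {True}),
    "Disable Contacts Sync": ("contactSyncBlocked", {True}),
    "Disable Printing": ("printBlocked", {True}),
}

def audit(policy):
    """Return (wizard setting, Graph property, actual value) for each deviation."""
    findings = []
    for setting, (prop, accepted) in BASELINE.items():
        value = policy.get(prop)  # a missing property is reported as None
        if value not in accepted:
            findings.append((setting, prop, value))
    return findings

if __name__ == "__main__":
    for setting, prop, value in audit(SAMPLE_POLICY):
        print(f"{setting}: {prop} = {value!r}")
```

A property that is absent from the returned object is reported with the value None, so a setting that was never applied shows up as a finding instead of passing silently.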