Creating a New Microsoft 365 App Protection Policy

Before you begin

  • This policy applies to iOS and Android devices.
  • Microsoft 365 applications must be installed.
  • SOTI MobiControl must connect to the Microsoft Endpoint Management service.
  • The Intune Company Portal application must be installed.
Note: Device users under an App Protection Policy receive a notification to download the Intune Company Portal application if it is not present on their device.

About this task

Procedure

  1. From the SOTI MobiControl web console main menu, select Global Settings > Services > Microsoft 365.
  2. In the App Protection Policies section, select Add to start the Create App Protection Policy wizard.

    Launch the Create App Protection Policy wizard

  3. Choose to create an Android or Apple (iOS) App Protection Policy.

    Select an Android or iOS policy

  4. In the General tab, enter a Policy Name and Description, and select Next.

    General settings

  5. In the Apps tab, select Add to view the first 50 available applications. Use the Search apps field to search for applications that are not listed in the first 50 applications. Select the required applications and select Add.

    Select applications

    Note: The information below the Search apps field displays the number of applications available and the number of applications selected.

    When finished, select Next.

  6. In the Data tab, select how to protect your Microsoft 365 apps' data:

    Data Protection settings

    Data Protection Settings

    Disable Backup
      Choose:
      • Block to disable backup of organizational data to Android backup services.
      • Allow to enable backup. Personal and unmanaged data is unaffected.

    Send Data to Other Apps
      Select the apps this app can send organizational data to.

    Receive Data from Other Apps
      Select an option for apps this app can receive organizational data from:
      • None: Prevent receiving organizational data from any app.
      • Policy managed apps: Only receive organizational data from policy managed apps.
      • All apps: Receive organizational data from any app.

    Restrict Cut, Copy & Paste with Other Apps
      Block or allow these actions for use with any app, or restrict their use to apps that your organization manages.

    Disable Screen Capture and Android Assistant
      Enable or disable screen capture and Google Assistant app scanning capabilities when using a policy-managed app.

    Require Data Encryption
      Enable encryption of work or school data in this app. Intune uses an OpenSSL, 256-bit AES encryption scheme and the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file input/output tasks. Content on the device storage is always encrypted.

    Disable Contacts Sync
      Prevent policy-managed apps from saving data to the native Contacts and Calendar apps on the device.

    Disable Printing
      Prevent an app from printing protected data.

    Open Content In Browser
      Choose the apps that this app can open web content in. Select SOTI Surf as the only browser for web content, specify a different unmanaged browser, or allow any app to open web links.

    Note: Hover over a protection setting in the interface to learn more about its application in the policy.

    When finished, select Next.

  7. In the Access tab, configure the PIN and credential requirements for users to access the applications.

    Access settings

    Access Settings

    PIN Access
      If required, a PIN must be used to access the policy-managed app. Users must create an access PIN the first time they open the app.

    PIN Type
      On iOS/iPadOS, the Passcode type requires the app to have Intune SDK version 7.1.12 or above. The Numeric type has no Intune SDK version restriction.

    Simple PIN
      When the PIN type is Passcode, disabling Simple PIN requires the passcode to have at least one number, one letter and one special character.

    Minimum PIN Length

    Allow Touch ID instead of PIN
      iOS 8+/iPadOS only.

    Allow Face ID instead of PIN
      iOS 11+/iPadOS only.

    PIN Reset After Number of Days

    Require App PIN When Device PIN Is Set
      If disabled, an app PIN does not need to be used to access the app when the device PIN is set on an MDM enrolled device.

    Require Work or School Account Credentials
      If enabled, access to the policy-managed app requires work or school credentials. If the PIN method is also required for access to the app, the work or school credentials are required on top of those prompts.

    Recheck the Access Requirements
      The time, in minutes, that an app must be inactive before prompting a recheck of the access requirements (PIN, conditional launch settings, etc.). The value must be between 1 and 65535.

    When finished, select Next.

  8. In the Assign tab, select Add to assign one or more User Groups to the protection policy.

    Assign groups

  9. Select Finish to complete and save your protection policy. The policy is active immediately for the assigned user groups.
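As an added example (not SOTI's or Microsoft's code), the following Python check audits a policy captured as a dict keyed by the wizard's option names from the Data and Access tabs, flagging settings that let organizational data leave the managed apps and values the wizard will not accept. The dict layout, the "Intune SDK version" field and the two sample policies are assumptions constructed for the example.

```python
import re

PASSCODE_MIN_SDK = (7, 1, 12)  # Passcode PIN type floor on iOS/iPadOS (Access settings)

def _version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))  # '7.1.12' -> (7, 1, 12)

def passcode_meets_complexity(passcode: str) -> bool:
    """Passcode rule when Simple PIN is disabled: a number, a letter and a special character."""
    return all(re.search(p, passcode) for p in (r"\d", r"[A-Za-z]", r"[^A-Za-z0-9]"))

def audit_policy(policy: dict) -> list[str]:
    """Return findings for settings that weaken data protection or that the
    wizard rejects. Dict keys mirror the wizard's option names (assumed layout)."""
    findings = []
    data, access = policy["data"], policy["access"]
    if data["Disable Backup"] != "Block":
        findings.append("Disable Backup: Allow lets organizational data reach backup services")
    if data["Receive Data from Other Apps"] == "All apps":
        findings.append("Receive Data from Other Apps: All apps accepts data from unmanaged apps")
    if not data["Require Data Encryption"]:
        findings.append("Require Data Encryption: disabled, work or school data is not encrypted by Intune")
    if data["Open Content In Browser"] == "Any app":
        findings.append("Open Content In Browser: Any app lets web links open outside a managed browser")
    if (policy["platform"] == "iOS" and access["PIN Type"] == "Passcode"
            and _version(access["Intune SDK version"]) < PASSCODE_MIN_SDK):
        findings.append("PIN Type: Passcode needs Intune SDK 7.1.12 or above on iOS/iPadOS")
    if access["PIN Access"] and not access["Require App PIN When Device PIN Is Set"]:
        findings.append("Require App PIN When Device PIN Is Set: disabled, the device PIN alone unlocks the app")
    if not 1 <= access["Recheck the Access Requirements"] <= 65535:
        findings.append("Recheck the Access Requirements: value must be between 1 and 65535 minutes")
    return findings

# Constructed sample policies (not exported from MobiControl) to exercise the audit.
WEAK_POLICY = {
    "platform": "iOS",
    "data": {"Disable Backup": "Allow", "Receive Data from Other Apps": "All apps",
             "Require Data Encryption": False, "Open Content In Browser": "Any app"},
    "access": {"PIN Access": True, "PIN Type": "Passcode", "Intune SDK version": "7.1.9",
               "Require App PIN When Device PIN Is Set": False,
               "Recheck the Access Requirements": 0},
}
HARDENED_POLICY = {
    "platform": "iOS",
    "data": {"Disable Backup": "Block", "Receive Data from Other Apps": "Policy managed apps",
             "Require Data Encryption": True, "Open Content In Browser": "SOTI Surf"},
    "access": {"PIN Access": True, "PIN Type": "Passcode", "Intune SDK version": "7.1.12",
               "Require App PIN When Device PIN Is Set": True,
               "Recheck the Access Requirements": 30},
}
```

Running `audit_policy(WEAK_POLICY)` lists seven findings, one per weakened or invalid setting, while the hardened policy returns an empty list.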