Amidst a global crisis that is testing the resiliency of companies across many industries, it may not be reasonable to provide an entire workforce with corporate-owned devices so that they can work remotely. Instead, it may be more sensible and more cost-effective to adopt a BYOD strategy that allows employees to work remotely on their personal devices. If you have no desire to enrol personal devices into MDM in Microsoft Endpoint Manager, fear not: you can still use MEM App Protection Policies (APP, also known as MAM) to protect your data at the application layer without managing the device itself.

In this blog, we will talk about how you can use an app protection policy to control how organizational data is handled inside one or more applications. We'll additionally use a Conditional Access policy to require those applications specifically, so that a user cannot simply sidestep your controls by signing in from another client. While you can apply these policies to other cloud apps, this blog focuses on protecting Exchange Online data in the Outlook app.


As is the case with almost any technology, it's imperative that we first review the prerequisites for implementing App Protection policies. The following subscriptions are required in your tenant to use app protection policies and conditional access:
• Azure Active Directory Premium (P1 or P2; Conditional Access needs at least P1)
• Intune (standalone or bundled in EMS or M365 subscriptions); app protection policies require an Intune licence even when devices are not enrolled
• Office 365 Business with Exchange (or another bundle that includes Office 365/Exchange Online).

App Protection Policies

So long as you meet the prerequisites, the next step in securing access to your organizational data on personal devices is to configure an app protection policy in Microsoft Endpoint Manager. Start by launching the MEM admin center and navigating to Apps -> App protection policies, then create a new policy. After choosing the appropriate platform, provide a relevant name and description. In this blog, we will focus on the iOS/iPadOS platform.

Figure 1 Create App Protection Policy

Next, we'll configure the policy for the Outlook iOS app to control how organizational data is treated in Outlook on unmanaged (not MDM-enrolled) iOS devices.
To do so, on the Apps page set Target to apps on all device types to No, and then under Device types choose Unmanaged. Finally, under Public apps, add Microsoft Outlook (see Figure 2 below). Scoping the policy to unmanaged devices only means your MDM-enrolled corporate devices keep whatever configuration you already give them and are not affected by this policy.

Figure 2 APP Apps Configuration for Outlook

Next, on the Data protection tab, choose the settings that determine how users can interact with org data in the Outlook app. Pay very close attention to how data can move to and from other apps (Send org data to other apps, Receive data from other apps, Restrict cut, copy and paste) and to whether org data may be included in device backups (Back up org data to iTunes and iCloud backups). Setting the transfer options to Policy managed apps and blocking backups is what keeps mail and attachments from leaking into the personal side of the device. See Figure 3 below for the available configurations to choose from.

Figure 3 Data Protection Settings

The next tab covers access requirements such as an app PIN and account credentials. Here you can specify PIN requirements (type, length, retry limit and whether biometrics may substitute for the PIN) and require a work or school account before org data is shown. Figure 4 shows these configuration options for Access requirements.

Figure 4 Access Requirements

While not covered in this blog, the next tab (Conditional launch) lets you define conditions that are checked each time the app is launched, for example a maximum number of PIN attempts, an offline grace period, a minimum OS or app version, and blocking or wiping org data on jailbroken devices. Microsoft's documentation covers Conditional launch in detail.

You then configure the target of your policy on the Assignments tab. Use these settings to control which group receives the policy. It's a good idea to begin by assigning it to a small set of users in an Azure AD group so that you can test and validate the policy before applying it to all users. Figure 5 below illustrates how you can target your policy using Assignments.

Figure 5 Policy Assignments

Finally, you can review your settings on the Review + create tab before clicking Create. We've now completed the task of creating the app protection policy that controls organizational data in the Outlook app on unmanaged devices. On its own, though, the policy only protects data inside Outlook; nothing yet stops a user from adding the mailbox to the native iOS Mail app, which is why the Conditional Access policy in the next section is needed.
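The same app protection policy can be built without clicking through the portal. The following PowerShell is an added example written for this post; it is not from the original article or from Microsoft. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest) against the beta endpoint, because the targetedAppManagementLevels property that maps to the Unmanaged device type in Figure 2 lives there. The group ID, policy name and the specific Data protection and Access requirement values are assumptions you should replace with your own choices.

```powershell
# Added example (not from the original post): create the iOS app protection policy
# from this section with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions: the Microsoft.Graph module is installed, your account holds an Intune
# administrator role, and $GroupId is the object ID of the pilot Azure AD group.
# targetedAppManagementLevels is a beta property, so the beta endpoint is used throughout.

$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your pilot group's object ID

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$base = 'https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections'

# 1. Policy body: data protection (Figure 3) and access requirements (Figure 4).
$policy = @{
    displayName                             = 'APP - iOS - Outlook (unmanaged)'
    description                             = 'Protect Exchange Online data in Outlook on personal iOS devices'
    targetedAppManagementLevels             = 'unmanaged'            # Figure 2: Device types = Unmanaged
    appGroupType                            = 'selectedPublicApps'   # Figure 2: Target to apps on all device types = No
    # Data protection: keep org data inside policy-managed apps only
    allowedOutboundDataTransferDestinations = 'managedApps'          # Send org data to other apps
    allowedInboundDataTransferSources       = 'managedApps'          # Receive data from other apps
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true                  # no org data in iTunes/iCloud backups
    printBlocked                            = $true
    contactSyncBlocked                      = $false
    managedBrowserToOpenLinksRequired       = $false
    organizationalCredentialsRequired       = $false
    # Access requirements
    pinRequired                             = $true
    pinCharacterSet                         = 'numeric'
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    periodOnlineBeforeAccessCheck           = 'PT30M'
    periodOfflineBeforeAccessCheck          = 'PT12H'
    periodOfflineBeforeWipeIsEnforced       = 'P90D'
}
$created  = Invoke-MgGraphRequest -Method POST -Uri $base -Body $policy -ContentType 'application/json'
$policyId = $created.id
"Created app protection policy $policyId"

# 2. Target only Outlook (Figure 2: Public apps = Microsoft Outlook).
$targetApps = @{
    apps = @(
        @{
            mobileAppIdentifier = @{
                '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
                bundleId      = 'com.microsoft.Office.Outlook'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$policyId/targetApps" -Body $targetApps -ContentType 'application/json'

# 3. Assign the policy to the pilot group (Figure 5).
$assign = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $GroupId
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$policyId/assign" -Body $assign -ContentType 'application/json'

# 4. Check: the policy should now list exactly one targeted app, the Outlook bundle ID.
$apps = Invoke-MgGraphRequest -Method GET -Uri "$base/$policyId/apps"
$apps.value | ForEach-Object { $_.mobileAppIdentifier.bundleId }
```

Creating the policy through Graph is also a convenient way to keep it in source control and to stamp an identical policy into a second tenant, but the settings still appear in the MEM admin center afterwards, so you can confirm them against Figures 3 and 4.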

Conditional Access

Next, we'll configure a Conditional Access policy that forces users to use the Outlook app when accessing Exchange Online. Start by launching the MEM admin center and navigating to Conditional Access from the Devices blade (these are the same policies you see under Azure Active Directory > Security > Conditional Access). Create a new policy and name it accordingly. Afterwards, choose the target of the policy using Users and groups within Assignments. Again, it is highly recommended that this be tested first with a subset of users in an Azure AD group, and it is good practice to exclude a break-glass administrator account so that a mistake in the policy cannot lock you out. Figure 6 below demonstrates how you can use assignments to target your policy effectively.

Figure 6 Conditional Access Assignments

We then use Cloud apps or actions to target Exchange Online. Figure 7 illustrates how this should appear after you have chosen Select apps and picked Office 365 Exchange Online as the targeted application for this Conditional Access policy.

Figure 7 Office 365 Exchange Online Cloud App

Moving forward, we will now scope this policy to the iOS platform using Conditions. Under Conditions, choose the Device platforms condition and change it from Any device to include iOS only. Figure 8 below shows how this is configured. Bear in mind that Azure AD determines the platform from the client's user-agent string, so the device platform condition is not a strong control by itself; you will want a matching policy for Android with its own app protection policy, and Microsoft recommends pairing platform-scoped policies with a policy that blocks the platforms you do not explicitly support.

Figure 8 Device Platform Condition

Next, we'll set the grant control that requires the Outlook application to be used (which in turn brings the app protection policy we already created into play, so the data controls we put in place are applied). To accomplish this, within the grant controls enable the Require approved client app control, as illustrated in Figure 9 below. Note that this control only checks that the client is on Microsoft's list of approved apps; the related Require app protection policy control additionally checks that an app protection policy is actually applied to the app, and it is the control Microsoft now recommends for this scenario.

Figure 9 Require Approved Client App Grant Control

Finally, under Enable policy, select On to turn the policy on. Before doing so, make note of the Report-only option in Conditional Access, which lets you test your configuration without enforcing it. In report-only mode Azure AD evaluates the policy against every sign-in from your targeted users and records the outcome in the Azure AD sign-in logs (under Report-only on each sign-in), so you can see which users and client apps would have been blocked before anyone is affected. This is a very effective technique for testing any CA policy before rolling it out. Figure 10 below illustrates how to enable your policy under Enable policy.

Figure 10 Enable CA Policy
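To show the same Conditional Access policy created in report-only mode and then checked against the sign-in logs, here is an added PowerShell example written for this post (not code from the original article or from Microsoft). It uses the Microsoft Graph PowerShell SDK; the group ID and policy name are placeholders, and the application ID 00000002-0000-0ff1-ce00-000000000000 is the well-known ID for Office 365 Exchange Online. The Get-ReportOnlySummary function is a helper of my own that counts how the report-only policy was evaluated per client app, which is the quickest way to spot users still on the native Mail app before you flip the policy to On.

```powershell
# Added example (not from the original post): create the Conditional Access policy from
# this section in report-only mode via Microsoft Graph, then summarize what report-only
# evaluation recorded in the Azure AD sign-in logs before switching it to On.
# Assumptions: Microsoft.Graph module installed, a Conditional Access administrator role,
# and $GroupId is the object ID of the pilot Azure AD group.

$GroupId             = '00000000-0000-0000-0000-000000000000'   # placeholder: pilot group object ID
$PolicyName          = 'CA - iOS - Require approved client app for Exchange Online'
$ExchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'   # well-known Office 365 Exchange Online app ID

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$caPolicy = @{
    displayName   = $PolicyName
    state         = 'enabledForReportingButNotEnforced'   # Figure 10: report-only first; change to 'enabled' once validated
    conditions    = @{
        users        = @{ includeGroups = @($GroupId) }                   # Figure 6
        applications = @{ includeApplications = @($ExchangeOnlineAppId) } # Figure 7
        platforms    = @{ includePlatforms = @('iOS') }                   # Figure 8
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('approvedApplication')   # Figure 9: Require approved client app
        # Use 'compliantApplication' for Require app protection policy, which also verifies
        # that the APP from the previous section is applied to the signing-in app.
    }
}
$created = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body $caPolicy -ContentType 'application/json'
"Created Conditional Access policy $($created.id) in state $($created.state)"

# Summarize report-only results for Exchange Online sign-ins over the last $Days days,
# grouped by evaluation result and client app. reportOnlyFailure rows are the sign-ins
# that would have been blocked once the policy is enabled.
function Get-ReportOnlySummary {
    param(
        [string]$PolicyDisplayName,
        [string]$AppId,
        [int]$Days = 7
    )
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $uri   = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime ge $since and appId eq '$AppId'&`$top=500"
    $rows  = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($s in $page.value) {
            $hit = $s.appliedConditionalAccessPolicies | Where-Object { $_.displayName -eq $PolicyDisplayName }
            if ($hit) {
                $rows += [pscustomobject]@{
                    User      = $s.userPrincipalName
                    ClientApp = $s.clientAppUsed
                    OS        = $s.deviceDetail.operatingSystem
                    Result    = $hit.result   # reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied / reportOnlyInterrupted
                }
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until the log has been read in full
    }
    $rows | Group-Object Result, ClientApp | Sort-Object Count -Descending | Select-Object Count, Name
}

Get-ReportOnlySummary -PolicyDisplayName $PolicyName -AppId $ExchangeOnlineAppId
```

Run the summary after the pilot group has had a day or two of normal use. A row such as reportOnlyFailure for a mobile client that is not Outlook is exactly the user you need to move to Outlook before enabling the policy; once the failures are gone, change state to enabled (or flip the toggle in Figure 10).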

With these configurations in effect, you are now forcing users on unmanaged (personal) iOS devices to use the Outlook application to reach Exchange Online data, and controlling what they can do with that data once it is inside Outlook. Repeat both policies for Android if you allow it, and remember that Conditional Access only protects the apps you target, so other Office 365 services holding the same data (SharePoint Online, for example) need their own policies. This is a very useful way to gain control over organizational data while still allowing the use of personal devices.
