App Protection Policies


Publishing Applications With Microsoft Endpoint Manager looks at what's involved in publishing apps to fully managed and BYOD devices. This course examines how to publish and deploy different app types and how to use Microsoft Endpoint Manager to implement application configuration and protection. We see what an app needs in order to support configuration and protection policies, what those policies offer in the way of data protection, and how a policy can control an app's access to a mobile device's hardware and capabilities. While the course's primary focus is deploying apps to mobile devices through app stores, we also look at using Endpoint Manager to publish a custom in-house app to a desktop client.

Learning Objectives

  • Overview of app publishing scenarios
  • Learn about app protection policies and how to create one
  • Learn about app configuration policies and how to create one
  • Publish a custom line-of-business app to a Windows client
  • See how to investigate deployment issues

Intended Audience

  • Students working towards the MS-101 Microsoft 365 Mobility and Security exam
  • Those wanting to learn how to use Microsoft Endpoint Manager to publish and deploy applications

Prerequisites

  • There are no prerequisite courses needed to take this course

App protection policies are rules that prevent unauthorized access to corporate data from outside an app, and prevent the user from performing forbidden actions (such as copying or saving data to unmanaged locations) within the app. In addition to controlling how an app's data moves, a policy can encrypt the app's data and require a PIN, which the user must enter to access the app. A protection policy can also block apps from running on jail-broken or otherwise compromised devices.

Because app protection operates on the app rather than the device, it doesn't require the device to be enrolled with Endpoint Manager. That is what makes it so useful in a BYOD scenario: corporate data inside the managed app can be selectively wiped while the user's personal data on the device is left intact.

Data protection under APP (app protection policies) is offered in three configuration levels. Enterprise basic data protection protects apps with a PIN and encryption and enables selective data wiping. This entry-level protection validates Android device attestation and provides data protection similar to that found in Exchange Online mailbox policies. Enterprise enhanced data protection incorporates all of the basic protection features and adds data leakage prevention controls along with minimum OS version requirements. Enterprise enhanced is suitable for most users accessing work or school data in a mobile scenario. Enterprise high data protection includes all features from basic and enhanced and adds advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense integration.
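The settings described above (PIN, encryption, selective wipe, compromised-device block, data leakage prevention and a minimum OS version) map directly onto properties of an Intune app protection policy in Microsoft Graph. The following PowerShell is an added example, not code from the course: it creates an iOS policy approximating the enterprise enhanced level, scopes it to two store apps and assigns it to a user group, using the Microsoft Graph PowerShell SDK's `Invoke-MgGraphRequest`. It assumes the Microsoft.Graph module is installed and the signed-in account has Intune app policy rights; the policy name, the specific values (PIN length, offline timers, minimum iOS version) and the group ID are illustrative placeholders, not Microsoft's exact level-2 baseline.

```powershell
# Added example (not from the course): create an iOS app protection policy via Microsoft Graph.
# Assumes the Microsoft.Graph module; values below are illustrative, not the official level-2 baseline.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$graph = "https://graph.microsoft.com/beta/deviceAppManagement/iosManagedAppProtections"

$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "APP - iOS - Enterprise enhanced (example)"
    description                             = "PIN, encryption, selective wipe, DLP, minimum OS"
    # Access requirements: app PIN and compromised-device block
    pinRequired                             = $true
    minimumPinLength                        = 6
    pinCharacterSet                         = "numeric"
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    deviceComplianceRequired                = $true          # block jail-broken devices
    minimumRequiredOsVersion                = "15.0"         # illustrative minimum iOS version
    # Conditional launch timers (ISO 8601 durations)
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOfflineBeforeWipeIsEnforced       = "P90D"         # selective wipe of app data only
    # Data leakage prevention: keep org data inside policy-managed apps
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "allApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    managedBrowserToOpenLinksRequired       = $true
}

$created = Invoke-MgGraphRequest -Method POST -Uri $graph -Body $policy

# Scope the policy to Outlook and Teams for iOS (public bundle IDs).
$targetApps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId      = "com.microsoft.Office.Outlook" } },
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                    bundleId      = "com.microsoft.skype.teams" } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/targetApps" -Body $targetApps

# Assign to a user group. APP targets users, so device enrolment is not required.
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: replace with the group's object ID
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/assign" -Body $assignment
```

The two data-transfer settings are the ones worth reviewing most carefully: `allowedOutboundDataTransferDestinations = "managedApps"` is what stops a user sharing a corporate attachment into a personal app, while leaving `allowedInboundDataTransferSources` open keeps the policy usable for most users, which is the trade-off the enhanced level is designed around.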

App protection policies can also protect data while migrating from an old mobile device management system to Microsoft Endpoint Manager. It's unlikely that all devices can be migrated simultaneously, which leaves a window in which some devices are unmanaged. Not only does this migration window leave devices exposed, it can also reduce productivity if access is blocked in the meantime. App protection fills the gap: because it needs no device enrolment, devices that haven't yet been migrated can keep working while the corporate data inside their apps remains protected.

App protection can be incorporated into line-of-business apps via the Intune SDK or the Intune App Wrapping Tool for iOS, iPadOS, and Android devices. As the name implies, the App Wrapping Tool provides a protective envelope to an existing app, so access to the app's source code isn't required. The tool is used with internal deployments, not apps deployed through the Apple App Store or Google Play Store. It's particularly useful for apps that don't have their own data protection mechanism or only have basic user authentication.

On the other hand, the Intune SDK does require access to the app's source code and the development experience needed to integrate it. The SDK gives the app the full set of data protection features and can be used with apps distributed through the Apple App Store, Google Play, and the Microsoft Store.

About the Author

Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.