App protection policies are rules that can prevent unauthorized access of corporate data from outside an app or prevent the user from performing forbidden actions within the application. In addition to protecting an app's data, apps can be encrypted and have a PIN applied to them, which the user must enter to access the app. A protection policy can prevent apps from running on jail-broken or otherwise compromised device. 

The ability to selectively wipe app data while leaving personal information intact is especially useful in a BYOD scenario. App protection operates only on apps, so it doesn't require device enrolment with Endpoint manager.

Data protection under APP is offered in three configurations. Enterprise basic protects apps with a PIN and encryption and enables selective data wiping. This entry-level protection validates Android device attestation and provides data protection similar to that found in Exchange Online mailbox policies. Enterprise-enhanced data protection incorporates all of the basic protection features and adds data leakage prevention along with minimum OS requirements. Enterprise enhanced is suitable for most users accessing work or school data in a mobile scenario. Enterprise high data protection includes all features from basic and enhanced and adds advanced data protection and PIN configuration, as well as APP Mobile Threat Defense.

App protection policies can be used to protect data when migrating from an old mobile device management system to Microsoft Endpoint manager. It's doubtful that all devices can be simultaneously migrated, so this leaves a window where some devices are unprotected. Not only will this migration window leave devices exposed, but it could lead to reduced productivity. App protection can fill this gap, allowing unprotected devices to operate while their apps are protected.

App protection can be incorporated into line-of-business apps via the Intune SDK or the Intune App Wrapping Tool for iOS, iPadOS, and Android devices. As the name implies, the App Wrapping Tool provides a protective envelope to an existing app, so access to the app's source code isn't required. The tool is used with internal deployments, not apps deployed through the Apple App Store or Google Play Store. It's particularly useful for apps that don't have their own data protection mechanism or only have basic user authentication.

On the other hand, the Intune SDK does require access to the app's source code and the relevant development experience to perform the coding. The SDK provides access to data protection features and can be used with apps distributed via Apple App, Google Play, and Microsoft stores.