Office 365 App Protection policies

Once you register Ivanti EPMM as an Azure app you can add and manage Office 365 App Protection policies in the Microsoft Azure cloud for Office 365 apps.

Before using this feature, complete the prerequisites described in the following section: Prerequisites for using Office 365 App Protection.

Adding Office 365 App Protection policies

Policies use data populated from Azure Active Directory during real-time syncs.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Services > Microsoft Graph > Policies > Add.
  3. Complete the App protection policies form.

    Refer to Add Office 365 App Protection policies window for details.

  4. In the Compliance Actions section, select a Setting, enter the value, and select an Action. Refer to the App protection policies fields table.
  5. Select +Add to configure additional compliance actions.
  6. Select Save to add the policy to the list of DLP policies on the Policies table.

Editing Office 365 App Protection policies

Policies use data populated from Azure Active Directory during real-time syncs.

Procedure 

  1. Log into the Admin Portal.
  2. Go to Services > Microsoft Graph > Policies.
  3. Select the name of a policy you want to edit.
  4. Complete the App protection policies form.

    Refer to Add Office 365 App Protection policies window for details.

  5. In the Compliance Actions section, select a Setting, enter the value, and select an Action. Refer to the App protection policies fields table.
  6. Select +Add to configure additional compliance actions.
  7. Select Save to save the policy edits.

Managing Office 365 App Protection policies

You can take any of the following actions on each Office 365 App Protection policy:

  • Assign User Groups
  • Assign Apps
  • Delete Policies

Procedure 

  1. Log into the Admin Portal.
  2. Go to Services > Microsoft Graph > Policies.
  3. Locate a policy you want to manage and go to the Actions column.
  4. Assign user groups to the App Protection policy.
    1. Select the Assign User Groups icon.
    2. Search for user groups.
    3. Select one or more user groups to add to the policy.
    4. Select Save.
  5. Assign Office 365 apps to the app protection policy.
    1. Select the Assign Apps icon.
    2. Search for apps.
    3. Select one or more apps to add to the policy.
    4. Select Save.
  6. Delete an Office 365 App Protection policy.
    1. Select the Delete Policy icon.
    2. Select Yes to confirm deletion of the policy.

The Office 365 App Protection policies take effect when:

  • the policy has been assigned to a user group, and
  • a user from the assigned user group logs into an Office 365 app using AAD credentials.

Add Office 365 App Protection policies window

Access this window by logging into the Admin Portal, selecting Services > Microsoft Graph > Policy, and then selecting Add, or by selecting a policy to edit.

The following table summarizes fields and descriptions in the Add App Policies window. Also, refer to the App protection policies fields table.

Table 130.  App protection policies fields

Fields

Description

Name

This required field is the name used to track the Office 365 App Protection policy in Ivanti EPMM.

Description

Describes the profile’s purpose (optional).

Platform

Select the platform for the Office 365 apps. The options are: iOS or Android. Some of the other options on this form will change depending on which platform you select. Refer to the relevant platform's Device Management Guide.

Data Relocation

Prevent iTunes and iCloud backups

Choose Yes to prevent this app from backing up data to iTunes and iCloud. Choose No to allow this app to back up data to iTunes and iCloud. (The default is Yes.)

Allow app to transfer data to other apps

Use this option to specify what apps can receive data from this app. The options are listed below.

  • Policy managed apps: Allow transfer only to other policy-managed apps.
  • All apps: Allow transfer to any app (default).
  • None: Do not allow data transfer to any app, including other policy-managed apps.
  • Policy managed apps with OS sharing: Allow transfer only to other policy-managed apps, and file transfer to other MDM-managed apps on enrolled devices.
  • Policy managed apps with Open-In/Share filtering: Allow transfer only to other policy-managed apps, and filter the OS Open-In/Share dialogs so that they display only policy-managed apps.

When any option other than All apps is selected, the exempted apps are listed to the right of the Allow app to receive data from other apps field. Modifying these settings changes how data is transferred to other applications.

Allow app to receive data from other apps

Select an option to specify what apps can transfer data to this app.

  • Policy managed apps - Allow the app to receive data only from other policy-managed apps.
  • All apps With Incoming Org Data - Treat all incoming data without a user identity as data from your organization.
  • All apps - Allow the app to receive data from any app (default).
  • None - Do not allow the app to receive data from any app, including other policy-managed apps.

Prevent "Save As"

Select to disable the use of the Save As (a new document) option in any app that uses this policy. De-select if you want to allow the use of Save As. (Default is unchecked.)

Selecting Prevent Save As activates the Select which storage services corporate data can be saved to field. The options are:

  • OneDrive for Business
  • SharePoint
  • Local Storage

Restrict cut, copy and paste with other apps

Specifies when cut, copy, and paste actions can be used with this app. The options are listed below.

  • Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
  • Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
  • Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
  • Any app: No restrictions for cut, copy, and paste to and from this app. (This is the default.)

Encrypt app data

Select to encrypt app data that is associated with an Intune mobile application management policy. Data is encrypted when the device is locked (the operating system provides device-level encryption). When a PIN or fingerprint identification is required, the data is encrypted per the settings in the mobile application management policy. The module used by iOS 7 is FIPS 140-2 certified.

These values determine when the data is encrypted:

  • When device is locked: All app data that is associated with this policy is encrypted while the device is locked. (This is the default.)
  • When device is locked and there are open files: All app data associated with this policy is encrypted while the device is locked, except for data in the files that are currently open in the app.
  • After device restart: All app data associated with this policy is encrypted when the device is restarted, until the device is unlocked for the first time.
  • Use device settings: App data is encrypted based on the default settings on the device.

Disable contact sync

When this setting is enabled, users cannot sync contacts to the native address book. Default is unchecked.

Disable printing

Select this to block printing of protected data from the app. Default is unchecked.

Restrict web content to display in the Managed Browser

Check this to enforce web links in the app to be opened in the Managed Browser app.

Uncheck this to open web links in Safari. Default is de-selected.

Block third party keyboards

When this setting is enabled, a third-party keyboard cannot be used with protected apps.

Access

Require PIN for access

Select this to require users to enter a PIN to access this app. The user is prompted to set up this PIN the first time the app is run. Default is selected, which activates all the fields in the Access section of this page.

You can also let users prove their identity by using Touch ID instead of a PIN. When a user tries to use this app with their account, they are prompted to provide their fingerprint instead of entering a PIN. When this setting is enabled, the app-switcher preview image is blurred while the account is in use. (The default is checked.)

Allow simple PIN

Allow simple PIN: Check this to allow users to use simple PIN sequences like 1234 or 1111. Uncheck it to prevent them from using simple sequences. (The default value is checked.)

  • PIN length: Specify the minimum number of digits in a PIN sequence. (The default value is 4.)

When the Require PIN for access field is de-selected, this field is deactivated.

Allow Touch ID instead of PIN for access (iOS 8+)

Select to allow the device user to use Touch ID instead of PIN for access. Applicable for iOS 8 or supported newer versions.

When the Require PIN for access field is de-selected, this field is deactivated.


Override Touch ID with PIN after timeout (minutes)

If required, after the specified timeout (minutes of inactivity), a PIN prompt overrides the Touch ID prompt. Until this timeout is reached, the Touch ID prompt continues to show. The timeout value is the one specified under "Recheck the access requirements after (minutes of Activity)". On iOS, this feature requires the app to have Intune SDK version 8.1.1 or above.

Inactivity timeout: Specify a time in minutes after which the PIN will override the use of a Touch ID.

When the Require PIN for access field is de-selected, this field is deactivated.

Disable app PIN when device PIN is managed

Select to disable the app PIN when a device lock is detected on an enrolled device. If you select this option, it overrides the requirements for PIN or Touch ID. (The default is unchecked.)

When the Require PIN for access field is de-selected, this field is deactivated.

Require corporate credentials for access

Select to require corporate credentials instead of a PIN for app access. Not selecting this option overrides the requirements for PIN or Touch ID. The user will be prompted to provide their corporate credentials. (The default is unchecked.)

Recheck the access requirements after (minutes)

The timeout for access requirements is measured as the time of inactivity across all policy-managed applications.

  • Timeout: Enter the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an administrator turns on PIN in the policy, which means that when a device user opens an app, a PIN must be entered. With the Recheck the access requirements setting, the device user does not have to re-enter the PIN in any app for another 30 minutes. (The default is 30.)

Compliance Actions

Use the Compliance Actions Settings to set the security requirements for your access protection policy. Several settings are provided with pre-configured values and actions.

Procedure 

  1. Select a Setting, enter the value, and select an Action. Refer to the table below.
  2. Select +Add to configure additional compliance actions.
  3. At the top of the Policies tab, select Save.


Table 131.  Compliance Action Settings

Setting

Description

Max PIN attempts (default)

Specify the number of tries the device user has to successfully enter the correct PIN before the configured action is taken. (Default value is 30 minutes.) Actions include:

  • Reset PIN - The user must reset their PIN.
  • Wipe data - The user account that is associated with the application is wiped from the device.

Offline grace period (default)

This is the number of minutes that apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked. After this period expires, the app will Block Access. The default is 720 minutes (12 hours).

Offline grace period (default)

This is the length of time that apps can run offline. Specify the time (in days) before the access requirements for the app are rechecked. After this period expires, the app will Wipe data. The default is 90 days.

Jailbroken/rooted device

  • Block access - Prevent this app from running on jailbroken or rooted devices. The device user continues to be able to use this app for personal tasks, but will have to use a different device to access data in this app.
  • Wipe data - The device user account that is associated with the application is wiped from the device.

Min OS version

Select this to require a minimum operating system to use this app. Enter the value in the following format [major].[minor] and select one of the following actions:

  • Block access - The device user will be blocked from access if the version on the device does not meet the requirement.
  • Wipe data - The device user account that is associated with the application is wiped from the device.
  • Warn - The user will see a notification if the operating system version on the device does not meet the requirement. This notification can be dismissed.

Min App version

Check this option to require a minimum app version to use the app. The user will be blocked from access if the app version on the device does not meet the requirement.

  • Block access - The device user will be blocked from access if the app version on the device does not meet this requirement.
  • Wipe data - The device user account that is associated with the application is wiped from the device.
  • Warn - The user will see a notification if the app version on the device does not meet the requirement. This notification can be dismissed.

Min SDK version

Select to require devices to have a minimum iOS security patch released by Apple. The value must be in the following format: [Major].[Minor] or [Major].[Minor].[Build] or [Major].[Minor].[Build].[Revision]

Example: 1.5 or 1.5.50 or 1.5.50.101

Set the Action:

  • Block access - The device user will be blocked from access if the iOS version on the device does not meet this requirement.
  • Wipe data - The device user account that is associated with the application is wiped from the device.
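
The Min OS version, Min App version and Min SDK version settings above all rely on comparing a version the device reports against a minimum entered in [Major].[Minor](.[Build](.[Revision])) form, and a common mistake in such checks is comparing the strings lexically (which ranks "1.9" above "1.10"). The following Python is an added example, not code from Ivanti EPMM or Microsoft Intune: it validates the documented format, compares versions numerically component by component, and applies a list of (Setting, value, Action) rows such as the Compliance Actions table collects. The device_facts dictionary, the use of the same format for Min App version, and the rule that the most severe triggered action (Wipe data over Block access over Warn) is reported are assumptions made for this example.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Version strings accepted by the Min OS / Min App / Min SDK compliance settings:
# a major number followed by one to three further numeric components, e.g.
# "1.5", "1.5.50" or "1.5.50.101". Anything else (letters, a lone "1", five
# components) is rejected before it can be compared.
_VERSION_RE = re.compile(r"\d+(\.\d+){1,3}")

# Severity ordering used when several compliance actions trigger at once.
# Assumption for this example: the most severe action wins.
SEVERITY = {"Warn": 1, "Block access": 2, "Wipe data": 3}

# Maps each version-based compliance setting to the device fact it is checked against
# (the fact names are an assumption of this example).
SETTING_TO_FACT = {
    "Min OS version": "os",
    "Min App version": "app",
    "Min SDK version": "sdk",
}


def is_valid_version(text: str) -> bool:
    """True when text is in [Major].[Minor](.[Build](.[Revision])) form."""
    return _VERSION_RE.fullmatch(text.strip()) is not None


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse "1.5.50.101" into (1, 5, 50, 101); raise ValueError for malformed input."""
    if not is_valid_version(text):
        raise ValueError(f"version {text!r} is not in [Major].[Minor](.[Build](.[Revision])) form")
    return tuple(int(part) for part in text.strip().split("."))


def meets_minimum(device_version: str, required_version: str) -> bool:
    """Numeric, component-wise comparison.

    Missing trailing components count as 0, so "1.5" satisfies "1.5.0", and "1.10"
    satisfies "1.9" (a plain string comparison would wrongly reject it, since "1" < "9").
    """
    device = parse_version(device_version)
    required = parse_version(required_version)
    width = max(len(device), len(required))
    device += (0,) * (width - len(device))
    required += (0,) * (width - len(required))
    return device >= required


def evaluate_version_actions(
    device_facts: Dict[str, str],
    compliance_actions: Iterable[Tuple[str, str, str]],
) -> Optional[str]:
    """Apply the configured (setting, value, action) rows to one device.

    device_facts holds the device's reported "os", "app" and "sdk" versions.
    Returns the most severe action whose minimum is not met, or None when compliant.
    """
    triggered = []
    for setting, minimum, action in compliance_actions:
        if setting not in SETTING_TO_FACT:
            raise ValueError(f"unsupported setting for a version check: {setting!r}")
        if action not in SEVERITY:
            raise ValueError(f"unknown action: {action!r}")
        if not meets_minimum(device_facts[SETTING_TO_FACT[setting]], minimum):
            triggered.append(action)
    return max(triggered, key=SEVERITY.__getitem__, default=None)


if __name__ == "__main__":
    # Constructed sample policy rows, in the shape the Compliance Actions table collects them.
    policy_rows = [
        ("Min OS version", "16.0", "Warn"),
        ("Min App version", "3.0", "Block access"),
        ("Min SDK version", "14.7", "Wipe data"),
    ]
    # Constructed device report: OS and app are below their minimums, SDK exactly meets it.
    device = {"os": "15.0", "app": "2.0", "sdk": "14.7"}
    print(evaluate_version_actions(device, policy_rows))  # Block access
```

The sample run reports Block access rather than Warn because two rows trigger and the evaluator keeps the more severe one; the SDK row does not trigger because an exact match satisfies a minimum. Rejecting malformed values before comparison matters: a value that slips through as a string would otherwise be compared lexically and could silently pass or block the wrong devices.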

Device model(s)

Specify a device manufacturer that is required to use this app. Actions include:

  • Block access - Only devices that match the specified manufacturer can use the app. All other devices are blocked.
  • Wipe data - The user account that is associated with the application is wiped from the device.