Name
|
This required field is the name used to track the Office 365 App Protection policy in Ivanti EPMM.
|
Description
|
Describes the profile’s purpose (optional).
|
Platform
|
Select the platform for the Office 365 apps. The options are: iOS or Android. Some of the other options on this form will change depending on which platform you select. Refer to the relevant platform's Device Management Guide.
|
Data Relocation
|
Prevent iTunes and iCloud backups
|
Choose Yes to prevent this app from backing up data to iTunes and iCloud. Choose No to allow this app to back up data to iTunes and iCloud. (The default is Yes.)
|
Allow app to transfer data to other apps
|
Use this option to specify what apps can receive data from this app. The options are listed below.
- Policy managed apps: Allow transfer only to other policy-managed apps.
- All apps: Allow transfer to any app (default).
- None: Do not allow data transfer to any app, including other policy-managed apps.
- Policy managed apps with OS sharing: Allow transfer only to other policy managed apps, and file transfer to other MDM managed apps on enrolled devices.
- Policy managed apps with Open-In/Share filtering: Allow transfer only to other policy managed apps and filter OS Open-In/Share dialogs to only display policy managed apps.
When any of the above options except All apps is selected, the exempted apps are listed to the right of the Allow app to receive data from other apps field. Modifying these settings changes how data is transferred to other applications.
|
Allow app to receive data from other apps
|
Select an option to specify what apps can transfer data to this app.
- Policy managed apps - Allow app to receive data from only other policy-managed apps.
- All apps With Incoming Org Data - Treat all incoming data without a user identity as data from your organization.
- All apps - Allow app to receive data from other apps (default).
- None - Do not allow app to receive data from any app, including other policy-managed apps.
|
Prevent "Save As"
|
Select to disable the use of the Save As (a new document) option in any app that uses this policy. De-select if you want to allow the use of Save As. (Default is unchecked.)
Selecting Prevent Save As activates the Select which storage services corporate data can be saved to field. The options are:
- OneDrive for Business
- SharePoint
- Local Storage
|
Restrict cut, copy and paste with other apps
|
Specifies when cut, copy, and paste actions can be used with this app. The options are listed below.
- Blocked: Do not allow cut, copy, and paste actions between this app and any other app.
- Policy managed apps: Allow cut, copy, and paste actions between this app and other policy-managed apps.
- Policy managed with paste in: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.
- Any app: No restrictions for cut, copy, and paste to and from this app. (This is the default.)
|
Encrypt app data
|
Select to encrypt app data that is associated with an Intune mobile application management policy. Data is encrypted when the device is locked (the operating system provides device-level encryption). When a PIN or fingerprint identification is required, the data is encrypted per the settings in the mobile application management policy. The modules used by iOS 7 are FIPS 140-2 certified.
These values determine when the data is encrypted:
- When device is locked: All app data that is associated with this policy is encrypted while the device is locked. (This is the default.)
- When device is locked and there are open files: All app data associated with this policy is encrypted while the device is locked, except for data in the files that are currently open in the app.
- After device restart: All app data associated with this policy is encrypted when the device is restarted, until the device is unlocked for the first time.
- Use device settings: App data is encrypted based on the default settings on the device.
|
Disable contact sync
|
When this setting is enabled, users cannot sync contacts to the native address book. Default is un-checked.
|
Disable printing
|
Select this to block printing protected data from the app. Default is un-checked.
|
Restrict web content to display in the Managed Browser
|
Check this to force web links in the app to open in the Managed Browser app.
Uncheck this to open web links in Safari. Default is de-selected.
|
Block third party keyboards
|
When this setting is enabled, a third-party keyboard cannot be used with protected apps.
|
Access
|
Require PIN for access
|
Select this to require users to enter a PIN to access this app. The user is prompted to set up this PIN the first time the app is run. Default is selected, which activates all the fields in the Access section of this page.
You can also let users prove their identity by using Touch ID instead of a PIN. When users try to use this app with their account, they are prompted to provide their fingerprint identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using the account. (The default is checked.)
|
Allow simple PIN
|
- Allow simple PIN: Check this to allow users to use simple PIN sequences like 1234 or 1111. Choose No to prevent them from using simple sequences. (The default value is checked.)
- PIN length: Specify the minimum number of digits in a PIN sequence. (The default value is 4.)
When the Require PIN for access field is de-selected, this field is deactivated.
|
Allow Touch ID instead of PIN for access (iOS 8+)
|
Select to allow the device user to use Touch ID instead of PIN for access. Applicable for iOS 8 or supported newer versions.
When the Require PIN for access field is de-selected, this field is deactivated.
|
Override Touch ID with PIN after timeout (minutes)
|
If required, depending on the timeout (minutes of inactivity), a PIN prompt will override Touch ID prompts. If this timeout value is not met, the Touch ID prompt will continue to show. This timeout value is specified under "Recheck the access requirements after (minutes of Activity)". On iOS, this feature requires the app to have Intune SDK version 8.1.1 or above.
Inactivity timeout: Specify a time in minutes after which the PIN will override the use of a Touch ID.
When the Require PIN for access field is de-selected, this field is deactivated.
|
Disable app PIN when device PIN is managed
|
Select to disable the app PIN when a device lock is detected on an enrolled device. If you select this option, it overrides the requirements for PIN or Touch ID. (The default is unchecked.)
When the Require PIN for access field is de-selected, this field is deactivated.
|
Require corporate credentials for access
|
Select to require corporate credentials instead of a PIN for app access. Not selecting this option overrides the requirements for PIN or Touch ID. The user will be prompted to provide their corporate credentials. (The default is unchecked.)
|
Recheck the access requirements after (minutes)
|
Timeout for access requirements is measured in terms of the time of inactivity between any policy-managed applications.
- Timeout: Enter the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an administrator turns on PIN in the policy, which means that when a device user opens an app, a PIN must be entered. When using the Recheck the access requirements setting, the device user would not have to re-enter the PIN on any app for another 30 minutes. (The default is 30.)
|
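The defaults listed in this table leave most data paths unrestricted, and several Access fields stop applying when Require PIN for access is de-selected. The following review helper is an added example, not Ivanti or Microsoft code: it checks a policy for both conditions. The dictionary representation and the `review` function are assumptions made for illustration; the field labels, option names and defaults are the ones given in the table.

```python
# Added example. Field labels, option names and defaults are copied from the
# table above; the dict form is an assumption made for this illustration.
DEFAULTS = {
    "Allow app to transfer data to other apps": "All apps",
    "Allow app to receive data from other apps": "All apps",
    "Restrict cut, copy and paste with other apps": "Any app",
    'Prevent "Save As"': False,
    "Disable printing": False,
    "Require PIN for access": True,
    "Allow simple PIN": True,
    "Disable app PIN when device PIN is managed": False,
}
# Values the table describes as placing no restriction on the data path.
UNRESTRICTED = {
    "Allow app to transfer data to other apps": "All apps",
    "Allow app to receive data from other apps": "All apps",
    "Restrict cut, copy and paste with other apps": "Any app",
    'Prevent "Save As"': False,
    "Disable printing": False,
}
# Fields the table says are deactivated when Require PIN for access is off.
PIN_DEPENDENT = (
    "Allow simple PIN",
    "Allow Touch ID instead of PIN for access (iOS 8+)",
    "Override Touch ID with PIN after timeout (minutes)",
    "Disable app PIN when device PIN is managed",
)

def review(policy):
    """Return (field, note) findings for a policy given as {label: value}."""
    unknown = sorted(set(policy) - set(DEFAULTS) - set(PIN_DEPENDENT))
    if unknown:
        raise ValueError(f"unknown field label(s): {unknown}")
    effective = {**DEFAULTS, **policy}  # unset fields fall back to defaults
    findings = []
    for field, open_value in UNRESTRICTED.items():
        if effective[field] == open_value:
            origin = "explicit" if field in policy else "default"
            findings.append((field, f"unrestricted ({origin})"))
    if not effective["Require PIN for access"]:
        for field in PIN_DEPENDENT:
            if field in policy:
                findings.append((field, "inactive: Require PIN for access is off"))
    else:
        if effective["Allow simple PIN"]:
            findings.append(("Allow simple PIN", "accepts sequences like 1234 or 1111"))
        if effective["Disable app PIN when device PIN is managed"]:
            findings.append(("Disable app PIN when device PIN is managed",
                             "app PIN skipped when a device lock is detected"))
    return findings
```

Calling `review({})` reports what a policy saved with every default looks like; a policy that sets the transfer, receive and clipboard fields to Policy managed apps, checks Prevent "Save As" and Disable printing, and unchecks Allow simple PIN returns no findings.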