Step 2. Apply enhanced data protection
Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios.
The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune.
Recommended app protection settings
Use the following recommended app protection settings when creating and applying Intune app protection for Level 2 enterprise enhanced data protection.
Level 2 enterprise enhanced data protection
Level 2 is the data protection configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. These recommendations don't assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. This configuration expands upon the configuration in Level 1 by restricting data transfer scenarios and requiring a minimum operating system version.
Important
The policy settings enforced in level 2 include all the policy settings recommended for level 1. However, Level 2 only lists those settings that have been added or changed to implement more controls and a more sophisticated configuration than level 1. While these settings may have a slightly higher impact to users or to applications, they enforce a level of data protection more commensurate with the risks facing users with access to sensitive information on mobile devices.
Data protection
Setting | Setting description | Value | Platform | Notes |
---|---|---|---|---|
Data Transfer | Back up org data to… | Block | iOS/iPadOS, Android | |
Data Transfer | Send org data to other apps | Policy managed apps | iOS/iPadOS, Android | With iOS/iPadOS, administrators can configure this value to be "Policy managed apps", "Policy managed apps with OS sharing", or "Policy managed apps with Open-In/Share filtering". Policy managed apps with OS sharing is available when the device is also enrolled with Intune. This setting allows data transfer to other policy managed apps, and file transfers to other apps that are managed by Intune. Policy managed apps with Open-In/Share filtering filters the OS Open-in/Share dialogs to only display policy managed apps. For more information, see iOS app protection policy settings. |
Data Transfer | Send or data to | No destinations | Windows | |
Data Transfer | Receive data from | No sources | Windows | |
Data Transfer | Select apps to exempt | Default / skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services; | iOS/iPadOS | |
Data Transfer | Save copies of org data | Block | iOS/iPadOS, Android | |
Data Transfer | Allow users to save copies to selected services | OneDrive for Business, SharePoint Online, Photo Library | iOS/iPadOS, Android | |
Data Transfer | Transfer telecommunication data to | Any dialer app | iOS/iPadOS, Android | |
Data Transfer | Restrict cut, copy, and paste between apps | Policy managed apps with paste in | iOS/iPadOS, Android | |
Data Transfer | Allow cut, copy, and paste for | No destination or source | Windows | |
Data Transfer | Screen capture and Google Assistant | Block | Android | |
Functionality | Restrict web content transfer with other apps | Microsoft Edge | iOS/iPadOS, Android | |
Functionality | Org data notifications | Block Org Data | iOS/iPadOS, Android | For a list of apps that support this setting, see iOS app protection policy settings and Android app protection policy settings. |
Conditional launch
Setting | Setting description | Value / Action | Platform | Notes |
---|---|---|---|---|
App conditions | Disabled account | N/A / Block access | iOS/iPadOS, Android, Windows | |
Device conditions | Min OS version | Format: Major.Minor.Build Example: 14.8 / Block access |
iOS/iPadOS | Microsoft recommends configuring the minimum iOS major version to match the supported iOS versions for Microsoft apps. Microsoft apps support an N-1 approach where N is the current iOS major release version. For minor and build version values, Microsoft recommends ensuring devices are up to date with the respective security updates. See Apple security updates for Apple's latest recommendations |
Device conditions | Min OS version | Format: Major.Minor Example: 9.0 / Block access |
Android | Microsoft recommends configuring the minimum Android major version to match the supported Android versions for Microsoft apps. OEMs and devices adhering to Android Enterprise recommended requirements must support the current shipping release + one letter upgrade. Currently, Android recommends Android 9.0 and later for knowledge workers. See Android Enterprise Recommended requirements for Android's latest recommendations |
Device conditions | Min OS version | Format: Build Example: 10.0.22621.2506 / Block access |
Windows | Microsoft recommends configuring the minimum Windows build to match the supported Windows versions for Microsoft apps. Currently, Microsoft recommends the following:
|
Device conditions | Min patch version | Format: YYYY-MM-DD Example: 2020-01-01 / Block access |
Android | Android devices can receive monthly security patches, but the release is dependent on OEMs and/or carriers. Organizations should ensure that deployed Android devices do receive security updates before implementing this setting. See Android Security Bulletins for the latest patch releases. |
Device conditions | Required SafetyNet evaluation type | Hardware-backed key | Android | Hardware backed attestation enhances the existing Google's Play Integrity service check by applying a new evaluation type called Hardware Backed, providing a more robust root detection in response to newer types of rooting tools and methods that can't always be reliably detected by a software only solution. As its name implies, hardware backed attestation uses a hardware-based component, which shipped with devices installed with Android 8.1 and later. Devices that were upgraded from an older version of Android to Android 8.1 are unlikely to have the hardware-based components necessary for hardware backed attestation. While this setting should be widely supported starting with devices that shipped with Android 8.1, Microsoft strongly recommends testing devices individually before enabling this policy setting broadly. |
Device conditions | Require device lock | Medium/Block Access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
Device conditions | Samsung Knox device attestation | Block Access | Android | Microsoft recommends configuring the Samsung Knox device attestation setting to Block access to ensure the user account is blocked from access if the device doesn't meet Samsung's Knox hardware-based verification of device health. This setting verifies all Intune MAM client responses to the Intune service were sent from a healthy device. This setting applies to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters. For more information on assignment filters, see Use filters when assigning your apps, policies, and profiles in Microsoft Intune. |
App conditions | Offline grace period | 30 / Wipe data (days) | iOS/iPadOS, Android, Windows |
Note
Windows conditional launch settings are labeled as Health Checks.
Next step
Continue with Step 3 to apply high data protection in Microsoft Intune.