App protection policies (APPs) are sets of rules that ensure a company’s data remains safe or contained in a managed app. A policy can be a rule that is enforced if a user tries to access or move the data, or it can be a set of actions that are monitored when a user is using the app.
A managed app is an app that has APPs applied to it and that can be managed by Intune.
APPs can apply to apps running on devices that may or may not be managed by Intune.
You can use Intune APP independently of any mobile device management (MDM) solution. This allows you to protect corporate data with or without enrolling devices in a device management solution, by restricting access to corporate resources with app-level policies rather than device-level controls. APPs can be configured for apps that run on devices that are:
■ Enrolled in Microsoft Intune: These devices are typically corporate owned.
■ Enrolled in a third-party MDM solution: These devices are typically corporate owned.
■ Not enrolled in any MDM solution: These devices are typically owned by the user and the devices are not managed or enrolled in Intune or other MDM solutions.
There are a number of benefits when using APP:
Corporate data is protected at the app level. Since mobile application management (MAM) does not require device management, you can protect corporate data on both managed and unmanaged devices.
End-user productivity is not affected, and the policies do not apply when the app is used in a personal context. They apply only in a work context, so you can protect corporate data without touching personal data.
App protection policies make sure that the app-layer protections are in place. This means you can:
■ Require a PIN to open an app in a work context
■ Control the sharing of data between apps
■ Prevent the saving of company app data to a personal storage location
MDM, in addition to MAM, makes sure that the device is protected. This means you can require a PIN to access the device, or you can deploy managed apps to the device.
The choices available in APP allow you to customize the protection to meet your specific needs. To help you prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its APP data protection framework for iOS and Android mobile app management.
The APP data protection framework is organized into three configuration levels, with each level building on the previous one:
Enterprise Basic Data Protection (Level 1) Ensures that apps are protected with a PIN, that app data is encrypted, and that a selective wipe of corporate data can be performed.
Enterprise Enhanced Data Protection (Level 2) Introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
Enterprise High Data Protection (Level 3) Introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users who are accessing high- risk data.
Create an App Protection Policy
The following steps will walk you through the process of creating an APP:
1. In Intune, select Apps ➢ App Protection Policies ➢ Create Policy ➢ Windows 10. (For Windows 10 the policy you create is a Windows Information Protection, or WIP, policy.)
2. Enter the following details:
■ Name: The name of this app protection policy.
■ Description [Optional]: The description of this app protection policy.
■ Enrollment state: With Enrollment (devices managed by Intune MDM) or Without Enrollment (unmanaged devices).
3. Under Protected Apps, click Add. The Add Apps pane is displayed.
4. Choose the apps that must adhere to this policy and click OK.
5. Click Next to display the Required settings.
6. Under Windows Information Protection mode, choose how WIP responds when a user tries to move enterprise data out of a protected app: Block stops the action; Allow Overrides warns the user but lets the action proceed and records it in the audit log; Silent only logs the action; Off turns WIP enforcement off. Choose Block if enterprise data must not leave the protected apps.
7. Click Next to display the Advanced settings.
8. Click Next to display the Assignments.
9. Click Select Groups To Include, click the group, and click Select.
10. Click Next to display the Review + Create step.
11. Click Create to create your policy.
Change Existing Policies
You can also edit an existing policy and apply it to the targeted users. Be aware that when you make changes to an existing policy, any user who is already signed in to the apps will not see the changes for up to an 8-hour period. To see the effects of the changes immediately, the end user must sign out of the app and then sign back in. To change policy settings:
1. In the App Protection Policies pane, select the policy you wish to modify.
2. In the Intune App Protection pane, click Properties.
3. Next to the section corresponding to the settings you want to change, click Edit. Then change the settings to new values.
4. Click Review + Create to review the updated settings for this policy.
5. Click Save to save your changes. Repeat the process to select a settings area, modify it, and save until all your changes are complete. You can then close the Properties pane in Intune App Protection.
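The create and change procedures above, carried out against Microsoft Graph instead of the portal, as an added PowerShell example that is not part of the book. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest) against the v1.0 iosManagedAppProtections resource, so it builds an iOS policy rather than the Windows 10 (WIP) policy the portal steps walk through. The group ID is a placeholder, the bundle IDs should be checked against your tenant's app inventory, and the individual setting values are chosen to illustrate the Level 1 and Level 2 controls described earlier, not Microsoft's published per-level values.

```powershell
# Added example (not from the book): create, target and assign an iOS app protection
# policy through Microsoft Graph, then change it in place.
# Assumptions: the Microsoft.Graph module is installed, the signed-in account holds an
# Intune administrator role, and $GroupId is replaced with a real Entra ID group.
$GroupId = '00000000-0000-0000-0000-000000000000'   # placeholder pilot group

# Permission scope that covers app protection policies.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$base = 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections'

# Policy body. Property names are those of the Graph iosManagedAppProtection resource;
# the values are chosen for this example.
$policy = @{
    '@odata.type'                            = '#microsoft.graph.iosManagedAppProtection'
    displayName                              = 'APP - iOS - Enhanced (L2) - Pilot'
    description                              = 'PIN, encryption, DLP controls and minimum OS'

    # Level 1 ideas: PIN, encrypted app data, selective wipe after an offline grace period
    pinRequired                              = $true
    pinCharacterSet                          = 'numeric'
    minimumPinLength                         = 6
    simplePinBlocked                         = $true
    maximumPinRetries                        = 5
    appDataEncryptionType                    = 'whenDeviceLocked'
    periodOnlineBeforeAccessCheck            = 'PT30M'   # recheck access after 30 minutes
    periodOfflineBeforeAccessCheck           = 'PT12H'   # block access after 12 hours offline
    periodOfflineBeforeWipeIsEnforced        = 'P90D'    # selective wipe after 90 days offline

    # Level 2 ideas: data leakage prevention and a minimum OS version
    allowedOutboundDataTransferDestinations  = 'managedApps'            # send only to policy-managed apps
    allowedInboundDataTransferSources        = 'allApps'
    allowedOutboundClipboardSharingLevel     = 'managedAppsWithPasteIn'
    saveAsBlocked                            = $true                    # no "Save As" to personal locations
    allowedDataStorageLocations              = @('oneDriveForBusiness', 'sharePoint')
    dataBackupBlocked                        = $true                    # no org data in iCloud/iTunes backups
    printBlocked                             = $false
    deviceComplianceRequired                 = $true
    minimumRequiredOsVersion                 = '16.0'   # assumed floor for this example
    minimumWarningOsVersion                  = '17.0'
}

$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
$id = $created.id
"Created policy '$($created.displayName)' with id $id"

# Portal step "Protected Apps": target the policy at apps by bundle ID.
$targetApps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Outlook' } }
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.skype.teams' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/targetApps" `
    -Body ($targetApps | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Portal step "Assignments": include one Entra ID group.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$id/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# "Change Existing Policies": PATCH edits settings in place. Users already signed in to the
# targeted apps pick the change up at a later access check, which can take up to 8 hours.
$change = @{
    '@odata.type'    = '#microsoft.graph.iosManagedAppProtection'
    minimumPinLength = 8
    printBlocked     = $true
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/$id" `
    -Body ($change | ConvertTo-Json) -ContentType 'application/json'

# Read back what the service stored to confirm the settings took effect.
$saved = Invoke-MgGraphRequest -Method GET -Uri "$base/$id" -OutputType PSObject
$saved | Select-Object displayName, pinRequired, minimumPinLength, printBlocked,
    allowedOutboundDataTransferDestinations, saveAsBlocked, minimumRequiredOsVersion | Format-List
```

Run it against a pilot group first: the policy only takes effect for the targeted apps once both the target-apps and assign calls have succeeded, and the final GET is the quickest way to confirm that a PATCH was accepted without waiting for clients to re-evaluate.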
Migrating Data
Up to this point, this chapter has explained how to get software and applications deployed using Azure and Endpoint Manager. Besides knowing how to use Azure to deploy applications and operating systems, it is also important to understand how to move applications and data from an on-premises network to Azure.
Cloud migration lets you move applications and data from one location (on site, another cloud provider, etc.) to a public cloud provider's infrastructure. There are many benefits, such as lowering IT costs, improving performance, using Azure security controls, and being able to scale your Azure resources up or down on demand.
Some of the more commonly migrated workloads to Azure are IIS, SQL Server, Linux, SAP, and Windows Server. But you can migrate almost any data or application to gain the cloud-based features. Many organizations have started migrating all of their servers to Azure. That can include Hyper-V hosts, Remote Desktop Services (RDS), Dynamic Host Configuration Protocol (DHCP), IIS, and print servers. IT departments that still use mainframes can even migrate to the cloud. Two of the more common mainframe platforms are IBM and Unisys.
When you're migrating workloads, there are two main ways to achieve the migration. One method, called Lift and Shift (also known as rehosting), moves the workloads as they are, without making any changes to them; this is fast, but it also carries the workload's existing configuration, patch level, and any weaknesses into the cloud unchanged. The second main way is to update, or refactor, the workload as part of the move. The advantage of refactoring is that you can optimize the workload for performance and reliability while you migrate it.