

Intune's (MEM) App protection policies are rules that ensure an organization’s data remains safe or contained in a managed app. When protected applications are used on managed or unmanaged iOS or Android devices, these policies can help to manage and protect your organization's data.

Microsoft created the app protection policy data protection framework to give organizations recommendations for policy settings to use when answering this very question. You can choose between three different levels of protection for mobile app data when using the framework:

Visit the official list of Microsoft Intune protected apps for public use to find out if a specific app can be protected with Intune app protection policies.

The APP Data Protection Framework is organized into three configuration scenarios:

The framework provides .JSON files that can be downloaded and imported directly into your Intune tenant for each app protection policy level, rather than just telling you what settings you need to configure.

Note: See the remaining prerequisites for importing the JSON files in the file included in the .ZIP bundle.

Configuration Steps

Download file from GitHub.

Your local system will end up with a few files and folders regardless of how you do it. Right now, we only care about policies in AppProtectionPolicies.

Download the PowerShell script ManagedAppPolicy_Import_FromJSON.ps1 and put it in the same folder (AppProtectionPolicies).

Open an elevated PowerShell prompt, go to the AppProtectionPolicies folder, and run the import script: .\ManagedAppPolicy_Import_FromJSON.ps1

The first time you run the script, you should be prompted to specify your Global Administrator account and password. You won't see that prompt for about 60 minutes after that.

Provide Consent to your organization.

Select the checkbox to accept the permissions and click "Accept".

Following that, you'll be prompted to specify the path to a JSON file to import. In this case, providing the file name is enough. Repeat this process until all JSON templates (APP policies) have been imported:

  • level-1-enterprise-basic-data-protection-Android.json

  • level-1-enterprise-basic-data-protection-iOS.json

  • level-2-enterprise-enhanced-data-protection-Android.json

  • level-2-enterprise-enhanced-data-protection-iOS.json

  • level-3-enterprise-high-data-protection-Android.json

  • level-3-enterprise-high-data-protection-iOS.json

Note: The next time you run the PS script and are prompted to authenticate with Azure AD credentials, use an Intune Administrator account with a valid Intune license (instead of the Global Admin account).

Log in to Microsoft Endpoint Manager and go to Apps - App protection policies to make sure the policies were imported successfully.

To make changes that match your security requirements, review the application policies in MEM/Intune console (if not already done in JSON files) and add or remove applications from the default list, and set the kind of management the policies will use.
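Because the import step above pushes downloaded files into the tenant under an administrator session, it is worth checking the six templates before running it. The following is an added example, not part of the original page or of the Microsoft scripts: it confirms that each file named above is present and parses as JSON, and records a SHA-256 hash for your change log. The folder location and the displayName and @odata.type property names are assumptions about the template layout.

```powershell
# Added example: pre-import check of the six framework templates listed above.
# Assumption: run from inside the AppProtectionPolicies folder used in the steps.
$PolicyFolder = '.'

$Expected = @(
    'level-1-enterprise-basic-data-protection-Android.json'
    'level-1-enterprise-basic-data-protection-iOS.json'
    'level-2-enterprise-enhanced-data-protection-Android.json'
    'level-2-enterprise-enhanced-data-protection-iOS.json'
    'level-3-enterprise-high-data-protection-Android.json'
    'level-3-enterprise-high-data-protection-iOS.json'
)

$Report = foreach ($Name in $Expected) {
    $Path = Join-Path -Path $PolicyFolder -ChildPath $Name
    $Row  = [ordered]@{
        File = $Name; Present = $false; ValidJson = $false
        DisplayName = $null; ODataType = $null; SHA256 = $null
    }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $Row.Present = $true
        # Hash of the exact bytes about to be imported, for the change record.
        $Row.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        try {
            $Json = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json -ErrorAction Stop
            $Row.ValidJson = $true
            # Assumed property names; the columns stay empty if a template lacks them.
            $Row.DisplayName = $Json.displayName
            $Row.ODataType   = $Json.'@odata.type'
        } catch {
            Write-Warning "$Name is not valid JSON: $($_.Exception.Message)"
        }
    } else {
        Write-Warning "$Name was not found in $PolicyFolder"
    }
    [pscustomobject]$Row
}

$Report | Format-List

# Stop here if any template is missing or unreadable.
$Bad = @($Report | Where-Object { -not ($_.Present -and $_.ValidJson) })
if ($Bad.Count -gt 0) {
    Write-Error "$($Bad.Count) template(s) failed the check; fix them before importing."
} else {
    Write-Host "All $($Expected.Count) templates are present and parse as JSON."
}
```

Keep the recorded hashes with the change ticket so a later export or re-import can be compared against the files that were actually used.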

Next Step

After you’ve deployed the app protection framework policies, you’ll need to monitor them just like any other policy you deploy with Intune.

Using the ManagedAppPolicy_Export.ps1 script, you can create a local backup that contains the final policy settings now that you understand how to use the Intune PowerShell examples. That's an easy script to figure out and use, so give it a try.


