<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>
	Comments on: Secure Outlook Mobile with App Protection Policies	</title>
	<atom:link href="https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/feed/" rel="self" type="application/rss+xml" />
	<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/</link>
	<description>Intune, Windows, Office 365, Microsoft 365, Azure, Automation</description>
	<lastBuildDate>Sun, 26 Jun 2022 07:33:17 +0000</lastBuildDate>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>
		By: Peter Klapwijk		</title>
		<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-184551</link>

		<dc:creator><![CDATA[Peter Klapwijk]]></dc:creator>
		<pubDate>Sun, 26 Jun 2022 07:33:17 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=2549#comment-184551</guid>

					<description><![CDATA[In reply to &lt;a href=&quot;https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-184115&quot;&gt;Pieter&lt;/a&gt;.

Pieter,

As it involves Intune and Azure AD, for this you need licenses. That means you should purchase an EMS license (instead of separate an Intune and AZure AD license).

Regards,

Peter]]></description>
			<content:encoded><![CDATA[<p>In reply to <a href="https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-184115">Pieter</a>.</p>
<p>Pieter,</p>
<p>As it involves Intune and Azure AD, for this you need licenses. That means you should purchase an EMS license (instead of separate an Intune and AZure AD license).</p>
<p>Regards,</p>
<p>Peter</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Pieter		</title>
		<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-184115</link>

		<dc:creator><![CDATA[Pieter]]></dc:creator>
		<pubDate>Thu, 16 Jun 2022 15:19:01 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=2549#comment-184115</guid>

					<description><![CDATA[Peter voor welke licentie structuur is dit?  ik heb 1 beheerder en 30 business standaards. werkt dat hier op? welke licenties heb ik allemaal nodig om dit te laten werken?]]></description>
			<content:encoded><![CDATA[<p>Peter voor welke licentie structuur is dit?  ik heb 1 beheerder en 30 business standaards. werkt dat hier op? welke licenties heb ik allemaal nodig om dit te laten werken?</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Peter Klapwijk		</title>
		<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-143665</link>

		<dc:creator><![CDATA[Peter Klapwijk]]></dc:creator>
		<pubDate>Tue, 15 Dec 2020 21:07:13 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=2549#comment-143665</guid>

					<description><![CDATA[In reply to &lt;a href=&quot;https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-143654&quot;&gt;Sam&lt;/a&gt;.

Depending on Android version and/ or vendor there might be a settings &#039;Use one lock&#039;. Set to enabled it uses one lock for the work profile and device screen. Might be located under Accounts or in the separate Work profile settings section.]]></description>
			<content:encoded><![CDATA[<p>In reply to <a href="https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-143654">Sam</a>.</p>
<p>Depending on Android version and/ or vendor there might be a settings &#8216;Use one lock&#8217;. Set to enabled it uses one lock for the work profile and device screen. Might be located under Accounts or in the separate Work profile settings section.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Sam		</title>
		<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-143654</link>

		<dc:creator><![CDATA[Sam]]></dc:creator>
		<pubDate>Tue, 15 Dec 2020 16:50:54 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=2549#comment-143654</guid>

					<description><![CDATA[How often will a user be prompted to enter their PIN / touch ID to access the Outlook app controlled by App Protection policy? I have timeout set to default of 30 mins and yet I never seem to get prompted for PIN even if the device is left overnight now? Will just unlocking the phone with fingerprint unlock the Outlook app by default?]]></description>
			<content:encoded><![CDATA[<p>How often will a user be prompted to enter their PIN / touch ID to access the Outlook app controlled by App Protection policy? I have timeout set to default of 30 mins and yet I never seem to get prompted for PIN even if the device is left overnight now? Will just unlocking the phone with fingerprint unlock the Outlook app by default?</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Peter Klapwijk		</title>
		<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-105231</link>

		<dc:creator><![CDATA[Peter Klapwijk]]></dc:creator>
		<pubDate>Fri, 15 May 2020 08:41:33 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=2549#comment-105231</guid>

					<description><![CDATA[In reply to &lt;a href=&quot;https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-105052&quot;&gt;Nate&lt;/a&gt;.

I would still recommend to use a CA policy to enforce the use of an Approved app or enforce the APP like described in the article. If you don`t require that, the user is able to use third-party apps to access the mailbox and the App Protection policy isn`t enforced of such a third-party app.
And on iOS the broker app (Microsoft Authenticator) is still needed, referencing this article https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune

Regards,

Peter]]></description>
			<content:encoded><![CDATA[<p>In reply to <a href="https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-105052">Nate</a>.</p>
<p>I would still recommend to use a CA policy to enforce the use of an Approved app or enforce the APP like described in the article. If you don`t require that, the user is able to use third-party apps to access the mailbox and the App Protection policy isn`t enforced of such a third-party app.<br />
And on iOS the broker app (Microsoft Authenticator) is still needed, referencing this article <a href="https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune" rel="nofollow ugc">https://docs.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune</a></p>
<p>Regards,</p>
<p>Peter</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Nate		</title>
		<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-105052</link>

		<dc:creator><![CDATA[Nate]]></dc:creator>
		<pubDate>Thu, 14 May 2020 18:02:02 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=2549#comment-105052</guid>

					<description><![CDATA[In reply to &lt;a href=&quot;https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-105046&quot;&gt;Nate&lt;/a&gt;.

Also note, the only reason your device is AAD registered and the only reason you had to have the device registered with the Company Portal App (or Authenticator app on iOS) is because you are using the CA policy. This would largely only be good if you plan to push MDM level controls instead of MAM controls down to all devices. I would avoid this if you don&#039;t want to enforce the use of the broker app for BYOD.

From Microsoft:
&quot;In order to leverage this grant control, Conditional Access requires that the device be registered in Azure Active Directory which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.&quot;

&quot;- Apps for app protection policy support the Intune mobile application management feature with policy protection.&quot;
&quot; - The Require app protection policy requirements:
Only supports the iOS and Android for device platform condition.
A broker app is required to register the device. On iOS, the broker app is Microsoft Authenticator and on Android, it is Intune Company Portal app.&quot;]]></description>
			<content:encoded><![CDATA[<p>In reply to <a href="https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-105046">Nate</a>.</p>
<p>Also note, the only reason your device is AAD registered and the only reason you had to have the device registered with the Company Portal App (or Authenticator app on iOS) is because you are using the CA policy. This would largely only be good if you plan to push MDM level controls instead of MAM controls down to all devices. I would avoid this if you don&#8217;t want to enforce the use of the broker app for BYOD.</p>
<p>From Microsoft:<br />
&#8220;In order to leverage this grant control, Conditional Access requires that the device be registered in Azure Active Directory which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.&#8221;</p>
<p>&#8220;- Apps for app protection policy support the Intune mobile application management feature with policy protection.&#8221;<br />
&#8221; &#8211; The Require app protection policy requirements:<br />
Only supports the iOS and Android for device platform condition.<br />
A broker app is required to register the device. On iOS, the broker app is Microsoft Authenticator and on Android, it is Intune Company Portal app.&#8221;</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Nate		</title>
		<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-105046</link>

		<dc:creator><![CDATA[Nate]]></dc:creator>
		<pubDate>Thu, 14 May 2020 17:41:24 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=2549#comment-105046</guid>

					<description><![CDATA[In reply to &lt;a href=&quot;https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-52309&quot;&gt;Peter Klapwijk&lt;/a&gt;.

Its actually based on OS. iOS doesn&#039;t require the Intune Company Portal app and the controls are fully within the apps. On android, MAM policies will require the Intune Company Portal - but an important note is you don&#039;t need to login to the portal app at all, it just needs to be on the device - the apps use it on the backend as the broker for Android. Logging into the portal app is only necessary in regards to full MDM and device policies.

CA is really not necessary for the experience described above, if you apply MAM correctly you will force a pin, or secure the data regardless of a CA policy. This article is also missing that iOS MAM policies do not have an option for blocking screen capture.

Directly from Microsoft on Android:
&quot;The Company Portal app is required for all apps that are associated with app protection policies on Android devices.

For devices that are not enrolled in Intune, the Company Portal app must be installed on the device. However, the user does not have to launch or sign into the Company Portal app before they can use apps that are managed by app protection policies.

The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in Intune.&quot;

Directly from Microsoft on iOS
&quot;If the device is not enrolled in Intune, the user is asked to restart the app when they first use it. A restart is required so that app protection policies can be applied to the app.

For devices that are enrolled for management in Intune, the user sees a message that their app is now managed.&quot;]]></description>
			<content:encoded><![CDATA[<p>In reply to <a href="https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-52309">Peter Klapwijk</a>.</p>
<p>Its actually based on OS. iOS doesn&#8217;t require the Intune Company Portal app and the controls are fully within the apps. On android, MAM policies will require the Intune Company Portal &#8211; but an important note is you don&#8217;t need to login to the portal app at all, it just needs to be on the device &#8211; the apps use it on the backend as the broker for Android. Logging into the portal app is only necessary in regards to full MDM and device policies.</p>
<p>CA is really not necessary for the experience described above, if you apply MAM correctly you will force a pin, or secure the data regardless of a CA policy. This article is also missing that iOS MAM policies do not have an option for blocking screen capture.</p>
<p>Directly from Microsoft on Android:<br />
&#8220;The Company Portal app is required for all apps that are associated with app protection policies on Android devices.</p>
<p>For devices that are not enrolled in Intune, the Company Portal app must be installed on the device. However, the user does not have to launch or sign into the Company Portal app before they can use apps that are managed by app protection policies.</p>
<p>The Company Portal app is a way for Intune to share data in a secure location. Therefore, the Company Portal app is a requirement for all apps that are associated with app protection policies, even if the device is not enrolled in Intune.&#8221;</p>
<p>Directly from Microsoft on iOS<br />
&#8220;If the device is not enrolled in Intune, the user is asked to restart the app when they first use it. A restart is required so that app protection policies can be applied to the app.</p>
<p>For devices that are enrolled for management in Intune, the user sees a message that their app is now managed.&#8221;</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Peter Klapwijk		</title>
		<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-52309</link>

		<dc:creator><![CDATA[Peter Klapwijk]]></dc:creator>
		<pubDate>Fri, 05 Apr 2019 20:51:18 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=2549#comment-52309</guid>

					<description><![CDATA[In reply to &lt;a href=&quot;https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-52293&quot;&gt;Rkast&lt;/a&gt;.

You get this user experience when you set Require approved client app and/ or Require app protection policy in a CA policy. If you don`t use such a CA policy, users can still bypass the APP.
And yes the device is AAD Registered.]]></description>
			<content:encoded><![CDATA[<p>In reply to <a href="https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-52293">Rkast</a>.</p>
<p>You get this user experience when you set Require approved client app and/ or Require app protection policy in a CA policy. If you don`t use such a CA policy, users can still bypass the APP.<br />
And yes the device is AAD Registered.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		By: Rkast		</title>
		<link>https://inthecloud247.com/secure-outlook-mobile-with-app-protection-policies/#comment-52293</link>

		<dc:creator><![CDATA[Rkast]]></dc:creator>
		<pubDate>Fri, 05 Apr 2019 08:24:30 +0000</pubDate>
		<guid isPermaLink="false">https://inthecloud247.com/?p=2549#comment-52293</guid>

					<description><![CDATA[Since when do we need a broker app with APP(MAM)? This due to the fact you used ‘required client’ in the CA policy? Then this is not really byod/mam anymore cause user has to register and enroll the device. Is it a AAD registration or intune enrollment when using the CP/broker app ?]]></description>
			<content:encoded><![CDATA[<p>Since when do we need a broker app with APP(MAM)? This due to the fact you used ‘required client’ in the CA policy? Then this is not really byod/mam anymore cause user has to register and enroll the device. Is it a AAD registration or intune enrollment when using the CP/broker app ?</p>
]]></content:encoded>
		
			</item>
	</channel>
</rss>
