Fastrack Blog

How to protect organisational data from unmanaged Android applications

Written by Varun Kapoor | March 02, 2020

Let me share a scenario that should keep most IT pros up at night.

Your CFO works long hours and does much of their work on the train while also juggling personal errands. Today, they are using their Samsung Galaxy Note to make edits to next year's budget while setting a chiropractic appointment using their personal Gmail app. They notice an error in the budget, screenshot it, annotate some notes for the accounts team and... oops, they've just sent key budget figures to their chiropractor.

I'm all about removing barriers to mobile working, but this is the kind of thing that keeps me up at night. Or at least it used to. 😜

With Microsoft Intune, we can control the end-user's ability to copy and screenshot data using application protection policies. We can even restrict how they access camera devices. Here's how.

Setting application protection policies for Android using Microsoft Intune.

There are a few steps involved in setting up application policies, so I recommend reading these steps and then watching the video below.

  1. Choose the app: Select the app you'd like to set the policies for. In my video I use Outlook.

  2. Target your policy: The next step is to select which device types your policy targets. This determines the scenarios in which your protection policies will be activated. There are three options you can select from: unmanaged, Android device administrator and Android Enterprise. You can select more than one option at a time.

  3. The fun bit: Each app protection policy is divided into three setting categories: data protection, access requirements and conditional launch. Here is where all the magic happens (Note: I dive deeper into all the settings in my video below).

    • Data protection settings: Data protection policies encrypt data at an app level. This is where we can restrict users from performing actions like cutting, copying and pasting into unmanaged apps!
    • Access requirement settings: As the name suggests, access requirements manage how each app can be accessed. They control what requirements need to be met before access is granted to organisational data. You can control whether a password is required, the required password length, and situations where a password needs to be reset.
    • Conditional launch settings: Again, the name says it all! Conditional launch settings manage the conditions that must be met before the app can launch. This includes log-in attempts and which OS version the device is running, among other settings. You can even stop the app from launching if the device has been rooted. These settings are a perfect final catch-all for managing the security of your data, because even if someone somehow bypasses the first two app protection settings, you can still stop the app from launching in the first place.
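
One way to check that a policy really carries the settings from all three categories above, as an added example that is not part of the original post or of Microsoft's tooling: a small audit over a policy exported as JSON. Field names follow the Microsoft Graph `androidManagedAppProtection` resource; the thresholds, the two sample policies, and the mapping of the rooted-device setting to `deviceComplianceRequired` are assumptions.

```python
# Added example (not from the original post): audit an exported app protection policy.
# Field names follow the Microsoft Graph androidManagedAppProtection resource.
MIN_PIN_LENGTH = 6    # assumption: organisational baseline, not an Intune default
MAX_PIN_RETRIES = 5   # assumption: organisational baseline, not an Intune default
RESTRICTED_CLIPBOARD = {"managedApps", "managedAppsWithPasteIn", "blocked"}


def audit_policy(policy):
    """Return findings for one policy dict; an empty list means it meets the baseline."""
    findings = []
    # Data protection settings
    if policy.get("allowedOutboundClipboardSharingLevel") not in RESTRICTED_CLIPBOARD:
        findings.append("clipboard: cut/copy/paste into unmanaged apps is allowed")
    if not policy.get("screenCaptureBlocked"):
        findings.append("screenshots: screen capture is not blocked")
    if not policy.get("encryptAppData"):
        findings.append("encryption: app data is not encrypted")
    # Access requirement settings
    if not policy.get("pinRequired"):
        findings.append("access: no PIN is required to open the app")
    elif (policy.get("minimumPinLength") or 0) < MIN_PIN_LENGTH:
        findings.append(f"access: PIN shorter than {MIN_PIN_LENGTH} digits is accepted")
    # Conditional launch settings
    retries = policy.get("maximumPinRetries") or 0
    if not 0 < retries <= MAX_PIN_RETRIES:
        findings.append("launch: failed log-in attempts are not capped")
    if not policy.get("minimumRequiredOsVersion"):
        findings.append("launch: no minimum OS version is enforced")
    # Assumption: deviceComplianceRequired is the field behind the rooted-device check
    if not policy.get("deviceComplianceRequired"):
        findings.append("launch: rooted devices can still open the app")
    return findings


# Constructed sample policies (not real tenant exports)
WEAK = {"displayName": "Outlook - permissive", "allowedOutboundClipboardSharingLevel": "allApps",
        "screenCaptureBlocked": False, "encryptAppData": True, "pinRequired": True,
        "minimumPinLength": 4, "maximumPinRetries": 5, "minimumRequiredOsVersion": None,
        "deviceComplianceRequired": False}
HARDENED = {"displayName": "Outlook - restricted",
            "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
            "screenCaptureBlocked": True, "encryptAppData": True, "pinRequired": True,
            "minimumPinLength": 6, "maximumPinRetries": 5, "minimumRequiredOsVersion": "9.0",
            "deviceComplianceRequired": True}

if __name__ == "__main__":
    for p in (WEAK, HARDENED):
        print(p["displayName"], audit_policy(p) or "meets baseline")
```

Running the audit against every policy in a tenant export shows which apps still allow the screenshot-and-paste path from the CFO scenario.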

Watch application protection policies in action.

Watch me set up app protection policies in my video below.

 

Want to learn more about managing Android devices with Microsoft Intune?

There are so many more settings and configurations in Android you can manage with Microsoft Intune.

Check out the following related webinars and blog posts:

  1. Configuration Policies

  2. Zero Touch enrolment

  3. How to package Android applications in Microsoft Intune.

  4. Android Device Management webinar.