Barony: Blessed Addition Mac OS
App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move 'corporate' data, or a set of actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it, and can be managed by Intune.
Mobile Application Management (MAM) app protection policies allows you to manage and protect your organization's data within an application. With MAM without enrollment (MAM-WE), a work or school-related app that contains sensitive data can be managed on almost any device, including personal devices in bring-your-own-device (BYOD) scenarios. Many productivity apps, such as the Microsoft Office apps, can be managed by Intune MAM. See the official list of Microsoft Intune protected apps available for public use.
How you can protect app data
Pippin is based on the Apple Macintosh platform, including the classic Mac OS architecture. Apple built a demonstration device based on Pippin called 'Pippin Power Player,' and used it to demonstrate the platform at trade shows and to the media, in order to attract potential software developers and hardware manufacturers.
Your employees use mobile devices for both personal and work tasks. While making sure your employees can be productive, you want to prevent data loss, intentional and unintentional. You'll also want to protect company data that is accessed from devices that are not managed by you.
You can use Intune app protection policies independent of any mobile-device management (MDM) solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.
App protection policies on devices
App protection policies can be configured for apps that run on devices that are:
Enrolled in Microsoft Intune: These devices are typically corporate owned.
Enrolled in a third-party Mobile device management (MDM) solution: These devices are typically corporate owned.
Note
Mobile app management policies should not be used with third-party mobile app management or secure container solutions.
Not enrolled in any mobile device management solution: These devices are typically employee owned devices that aren't managed or enrolled in Intune or other MDM solutions.
- View Robb Beal’s profile on LinkedIn, the world’s largest professional community. Robb has 11 jobs listed on their profile. See the complete profile on LinkedIn and discover Robb’s.
- Sudo bless -folder '/Volumes/Mac OS X Lion Install ESD' -label 'Lion Install' Whatever you put for the label is what should show up at the choose disk screen when holding option during a boot.
Important
You can create mobile app management policies for Office mobile apps that connect to Microsoft 365 services. You can also protect access to Exchange on-premises mailboxes by creating Intune app protection policies for Outlook for iOS/iPadOS and Android enabled with hybrid Modern Authentication. Before using this feature, make sure you meet the Outlook for iOS/iPadOS and Android requirements. App protection policies are not supported for other apps that connect to on-premises Exchange or SharePoint services.
Benefits of using App protection policies
The important benefits of using App protection policies are the following:
Protecting your company data at the app level. Because mobile app management doesn't require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.
End-user productivity isn't affected and policies don't apply when using the app in a personal context. The policies are applied only in a work context, which gives you the ability to protect company data without touching personal data.
App protection policies makes sure that the app-layer protections are in place. For example, you can:
- Require a PIN to open an app in a work context
- Control the sharing of data between apps
- Prevent the saving of company app data to a personal storage location
MDM, in addition to MAM, makes sure that the device is protected. For example, you can require a PIN to access the device, or you can deploy managed apps to the device. You can also deploy apps to devices through your MDM solution, to give you more control over app management.
There are additional benefits to using MDM with App protection policies, and companies can use App protection policies with and without MDM at the same time. For example, consider an employee that uses both a phone issued by the company, and their own personal tablet. The company phone is enrolled in MDM and protected by App protection policies while the personal device is protected by App protection policies only.
If you apply a MAM policy to the user without setting the device state, the user will get the MAM policy on both the BYOD device and the Intune-managed device. You can also apply a MAM policy based on the managed state. So when you create an app protection policy, next to Target to all app types, you'd select No. Then do any of the following:
- Apply a less strict MAM policy to Intune managed devices, and apply a more restrictive MAM policy to non MDM-enrolled devices.
- Apply a MAM policy to unenrolled devices only.
Barony: Blessed Addition Mac Os 8
Supported platforms for app protection policies
Intune offers a range of capabilities to help you get the apps you need on the devices you want to run them on. For more information, see App management capabilities by platform.
Intune app protection policies platform support aligns with Office mobile application platform support for Android and iOS/iPadOS devices. For details, see the Mobile apps section of Office System Requirements.
Important
The Intune Company Portal is required on the device to receive App Protection Policies on Android. For more information, see the Intune Company Portal access apps requirements.
App protection policy data protection framework
The choices available in app protection policies (APP) enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced taxonomy for its APP data protection framework for iOS and Android mobile app management.
The APP data protection framework is organized into three distinct configuration levels, with each level building off the previous level:
- Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted and performs selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies and introduces IT and the user population to APP.
- Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration that is applicable to most mobile users accessing work or school data.
- Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users that are accessing high risk data.
To see the specific recommendations for each configuration level and the minimum apps that must be protected, review Data protection framework using app protection policies.
How app protection policies protect app data
Apps without app protection policies
When apps are used without restrictions, company and personal data can get intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. The arrows in the following diagram show unrestricted data movement between both corporate and personal apps, and to storage locations.
Data protection with app protection policies (APP)
You can use App protection policies to prevent company data from saving to the local storage of the device (see the image below). You can also restrict data movement to other apps that aren't protected by App protection policies. App protection policy settings include:
- Data relocation policies like Save copies of org data, and Restrict cut, copy, and paste.
- Access policy settings like Require simple PIN for access, and Block managed apps from running on jailbroken or rooted devices.
Data protection with APP on devices managed by an MDM solution
The below illustration shows the layers of protection that MDM and App protection policies offer together.
The MDM solution adds value by providing the following:
- Enrolls the device
- Deploys the apps to the device
- Provides ongoing device compliance and management
The App protection policies add value by providing the following:
- Help protect company data from leaking to consumer apps and services
- Apply restrictions like save-as, clipboard, or PIN, to client apps
- Wipe company data when needed from apps without removing those apps from the device
Data protection with APP for devices without enrollment
The following diagram illustrates how the data protection policies work at the app level without MDM.
For BYOD devices not enrolled in any MDM solution, App protection policies can help protect company data at the app level.However, there are some limitations to be aware of, such as:
- You can't deploy apps to the device. The end user has to get the apps from the store.
- You can't provision certificate profiles on these devices.
- You can't provision company Wi-Fi and VPN settings on these devices.
Apps you can manage with app protection policies
Any app that has been integrated with the Intune SDK or wrapped by the Intune App Wrapping Tool can be managed using Intune app protection policies. See the official list of Microsoft Intune protected apps that have been built using these tools and are available for public use.
The Intune SDK development team actively tests and maintains support for apps built with the native Android, iOS/iPadOS (Obj-C, Swift), Xamarin, and Xamarin.Forms platforms. While some customers have had success with Intune SDK integration with other platforms such as React Native and NativeScript, we do not provide explicit guidance or plugins for app developers using anything other than our supported platforms.
End-user requirements to use app protection policies
The following list provides the end-user requirements to use app protection policies on an Intune-managed app:
The end user must have an Azure Active Directory (Azure AD) account. See Add users and give administrative permission to Intune to learn how to create Intune users in Azure Active Directory.
The end user must have a license for Microsoft Intune assigned to their Azure Active Directory account. See Manage Intune licenses to learn how to assign Intune licenses to end users.
The end user must belong to a security group that is targeted by an app protection policy. The same app protection policy must target the specific app being used. App protection policies can be created and deployed in the Microsoft Endpoint Manager admin center. Security groups can currently be created in the Microsoft 365 admin center.
The end user must sign into the app using their Azure AD account.
App protection policies for Microsoft Office apps
There are a few additional requirements that you want to be aware of when using App protection policies with Microsoft Office apps.
Outlook mobile app
The additional requirements to use the Outlook mobile app include the following:
The end user must have the Outlook mobile app installed to their device.
The end user must have an Microsoft 365 Exchange Online mailbox and license linked to their Azure Active Directory account.
Note
The Outlook mobile app currently only supports Intune App Protection for Microsoft Exchange Online and Exchange Server with hybrid modern authentication and does not support Exchange in Office 365 Dedicated.
Word, Excel, and PowerPoint
The additional requirements to use the Word, Excel, and PowerPoint apps include the following:
The end user must have a license for Microsoft 365 Apps for business or enterprise linked to their Azure Active Directory account. The subscription must include the Office apps on mobile devices and can include a cloud storage account with OneDrive for Business. Microsoft 365 licenses can be assigned in the Microsoft 365 admin center following these instructions.
The end user must have a managed location configured using the granular save as functionality under the 'Save copies of org data' application protection policy setting. For example, if the managed location is OneDrive, the OneDrive app should be configured in the end user's Word, Excel, or PowerPoint app.
If the managed location is OneDrive, the app must be targeted by the app protection policy deployed to the end user.
Note
The Office mobile apps currently only support SharePoint Online and not SharePoint on-premises.
Managed location needed for Office
A managed location (i.e. OneDrive) is needed for Office. Intune marks all data in the app as either 'corporate' or 'personal'. Data is considered 'corporate' when it originates from a business location. For the Office apps, Intune considers the following as business locations: email (Exchange) or cloud storage (OneDrive app with a OneDrive for Business account).
Skype for Business
There are additional requirements to use Skype for Business. See Skype for Business license requirements. For Skype for Business (SfB) hybrid and on-prem configurations, see Hybrid Modern Auth for SfB and Exchange goes GA and Modern Auth for SfB OnPrem with Azure AD, respectively.
App protection Global policy
If a OneDrive administrator browses to admin.onedrive.com and selects Device access, they can set Mobile application management controls to the OneDrive and SharePoint client apps.
The settings, made available to the OneDrive Admin console, configure a special Intune app protection policy called the Global policy. This global policy applies to all users in your tenant, and has no way to control the policy targeting.
Once enabled, the OneDrive and SharePoint apps for iOS/iPadOS and Android are protected with the selected settings by default. An IT Pro can edit this policy in the Intune console to add more targeted apps and to modify any policy setting.
By default, there can only be one Global policy per tenant. However, you can use Intune Graph APIs to create extra global policies per tenant, but doing so isn't recommended. Creating extra global policies isn't recommended because troubleshooting the implementation of such a policy can become complicated.
While the Global policy applies to all users in your tenant, any standard Intune app protection policy will override these settings.
App protection features
Multi-identity
Multi-identity support allows an app to support multiple audiences. These audiences are both 'corporate' users and 'personal' users. Work and school accounts are used by 'corporate' audiences, whereas personal accounts would be used for consumer audiences, such as Microsoft Office users. An app that supports multi-identity can be released publicly, where app protection policies apply only when the app is used in the work and school ('corporate') context. Multi-identity support uses the Intune SDK to only apply app protection policies to the work or school account signed into the app. If a personal account is signed into the app, the data is untouched. App protection policies can be used to prevent the transfer of work or school account data to personal accounts within the multi-identity app, personal accounts within other apps, or personal apps.
For an example of 'personal' context, consider a user who starts a new document in Word, this is considered personal context so Intune App Protection policies are not applied. Once the document is saved on the 'corporate' OneDrive account, then it is considered 'corporate' context and Intune App Protection policies are applied.
Consider the following examples for the work or 'corporate' context:
- A user starts the OneDrive app by using their work account. In the work context, they can't move files to a personal storage location. Later, when they use OneDrive with their personal account, they can copy and move data from their personal OneDrive without restrictions.
- A user starts drafting an email in the Outlook app. Once the subject or message body is populated, the user is unable to switch the FROM address from the work context to the personal context as the subject and message body are protected by the App Protection policy.
Note
Outlook has a combined email view of both 'personal' and 'corporate' emails. In this situation, the Outlook app prompts for the Intune PIN on launch.
Important
Although Edge is in 'corporate' context, users can intentionally move OneDrive 'corporate' context files to an unknown personal cloud storage location. To avoid this, see Manage restricted web sites and configure the allowed/blocked site list for Edge.
Intune app PIN
The Personal Identification Number (PIN) is a passcode used to verify that the correct user is accessing the organization's data in an application.
PIN prompt
Intune prompts for the user's app PIN when the user is about to access 'corporate' data. In multi-identity apps such as Word, Excel, or PowerPoint, the user is prompted for their PIN when they try to open a 'corporate' document or file. In single-identity apps, such as line-of-business apps managed using the Intune App Wrapping Tool, the PIN is prompted at launch, because the Intune SDK knows the user's experience in the app is always 'corporate'.
PIN prompt, or corporate credential prompt, frequency
The IT admin can define the Intune app protection policy setting Recheck the access requirements after (minutes) in the Intune admin console. This setting specifies the amount of time before the access requirements are checked on the device, and the application PIN screen, or corporate credential prompt, is shown again. However, important details about PIN that affect how often the user will be prompted are:
- The PIN is shared among apps of the same publisher to improve usability:
On iOS/iPadOS, one app PIN is shared amongst all apps of the same app publisher. For example, all Microsoft apps share the same PIN. On Android, one app PIN is shared amongst all apps. - The Recheck the access requirements after (minutes) behavior after a device reboot:
A timer tracks the number of minutes of inactivity that determine when to show the Intune app PIN, or corporate credential prompt next. On iOS/iPadOS, the timer is unaffected by device reboot. Thus, device reboot has no effect on the number of minutes the user has been inactive from an iOS/iPadOS app with Intune PIN (or corporate credential) policy targeted. On Android, the timer is reset on device reboot. As such, Android apps with Intune PIN (or corporate credential) policy will likely prompt for an app PIN, or corporate credential prompt, regardless of the 'Recheck the access requirements after (minutes)' setting value after a device reboot. - The rolling nature of the timer associated with the PIN:
Once a PIN is entered to access an app (app A), and the app leaves the foreground (main input focus) on the device, the timer gets reset for that PIN. Any app (app B) that shares this PIN will not prompt the user for PIN entry because the timer has reset. The prompt will show up again once the 'Recheck the access requirements after (minutes)' value is met again.
For iOS/iPadOS devices, even if the PIN is shared between apps from different publishers, the prompt will show up again when the Recheck the access requirements after (minutes) value is met again for the app that is not the main input focus. So, for example, a user has app A from publisher X and app B from publisher Y, and those two apps share the same PIN. The user is focused on app A (foreground), and app B is minimized. After the Recheck the access requirements after (minutes) value is met and the user switches to app B, the PIN would be required.
Note
In order to verify the user's access requirements more often (i.e. PIN prompt), especially for a frequently used app, it is recommended to reduce the value of the 'Recheck the access requirements after (minutes)' setting.
Built-in app PINs for Outlook and OneDrive
The Intune PIN works based on an inactivity-based timer (the value of Recheck the access requirements after (minutes)). As such, Intune PIN prompts show up independently from the built-in app PIN prompts for Outlook and OneDrive which often are tied to app launch by default. If the user receives both PIN prompts at the same time, the expected behavior should be that the Intune PIN takes precedence.
Intune PIN security
The PIN serves to allow only the correct user to access their organization's data in the app. Therefore, an end user must sign in with their work or school account before they can set or reset their Intune app PIN. This authentication is handled by Azure Active Directory via secure token exchange and is not transparent to the Intune SDK. From a security perspective, the best way to protect work or school data is to encrypt it. Encryption is not related to the app PIN but is its own app protection policy.
Protecting against brute force attacks and the Intune PIN
As part of the app PIN policy, the IT administrator can set the maximum number of times a user can try to authenticate their PIN before locking the app. After the number of attempts has been met, the Intune SDK can wipe the 'corporate' data in the app.
Intune PIN and a selective wipe
On iOS/iPadOS, the app level PIN information is stored in the keychain that is shared between apps with the same publisher, such as all first party Microsoft apps. This PIN information is also tied to an end user account. A selective wipe of one app shouldn't affect a different app.
For example, a PIN set for Outlook for the signed in user is stored in a shared keychain. When the user signs into OneDrive (also published by Microsoft), they will see the same PIN as Outlook since it uses the same shared keychain. When signing out of Outlook or wiping the user data in Outlook, the Intune SDK does not clear that keychain because OneDrive might still be using that PIN. Because of this, selective wipes do not clear that shared keychain, including the PIN. This behavior remains the same even if only one app by a publisher exists on the device.
Since the PIN is shared amongst apps with the same publisher, if the wipe goes to a single app, the Intune SDK does not know if there are any other apps on the device with the same publisher. Thus, the Intune SDK does not clear the PIN since it might still be used for other apps. The expectation is that the app PIN should be wiped when last app from that publisher will be removed eventually as part of some OS cleanup.
If you observe the PIN being wiped on some devices, the following is likely happening: Since the PIN is tied to an identity, if the user signed in with a different account after a wipe, they will be prompted to enter a new PIN. However, if they sign in with a previously existing account, a PIN stored in the keychain already can be used to sign in.
Setting a PIN twice on apps from the same publisher?
MAM (on iOS/iPadOS) currently allows application-level PIN with alphanumeric and special characters (called 'passcode') which requires the participation of applications (i.e. WXP, Outlook, Managed Browser, Yammer) to integrate the Intune SDK for iOS. Without this, the passcode settings are not properly enforced for the targeted applications. This was a feature released in the Intune SDK for iOS v. 7.1.12.
In order to support this feature and ensure backward compatibility with previous versions of the Intune SDK for iOS/iPadOS, all PINs (either numeric or passcode) in 7.1.12+ are handled separately from the numeric PIN in previous versions of the SDK. Therefore, if a device has applications with Intune SDK for iOS versions before 7.1.12 AND after 7.1.12 from the same publisher, they will have to set up two PINs. The two PINs (for each app) are not related in any way (i.e. they must adhere to the app protection policy that's applied to the app). As such, only if apps A and B have the same policies applied (with respect to PIN), user may set up the same PIN twice.
This behavior is specific to the PIN on iOS/iPadOS applications that are enabled with Intune Mobile App Management. Over time, as applications adopt later versions of the Intune SDK for iOS/iPadOS, having to set a PIN twice on apps from the same publisher becomes less of an issue. Please see the note below for an example.
Note
For example, if app A is built with a version prior to 7.1.12 and app B is built with a version greater than or equal to 7.1.12 from the same publisher, the end user will need to set up PINs separately for A and B if both are installed on an iOS/iPadOS device.If an app C that has SDK version 7.1.9 is installed on the device, it will share the same PIN as app A.An app D built with 7.1.14 will share the same PIN as app B.
If only apps A and C are installed on a device, then one PIN will need to be set. The same applies to if only apps B and D are installed on a device.
App data encryption
IT administrators can deploy an app protection policy that requires app data to be encrypted. As part of the policy, the IT administrator can also specify when the content is encrypted.
How does Intune data encryption process
See the Android app protection policy settings and iOS/iPadOS app protection policy settings for detailed information on the encryption app protection policy setting.
Data that is encrypted
Only data marked as 'corporate' is encrypted according to the IT administrator's app protection policy. Data is considered 'corporate' when it originates from a business location. For the Office apps, Intune considers the following as business locations:
- Email (Exchange)
- Cloud storage (OneDrive app with a OneDrive for Business account)
For line-of-business apps managed by the Intune App Wrapping Tool, all app data is considered 'corporate'.
Selective wipe
Remotely wipe data
Intune can wipe app data in three different ways:
- Full device wipe
- Selective wipe for MDM
- MAM selective wipe
For more information about remote wipe for MDM, see Remove devices by using wipe or retire. For more information about selective wipe using MAM, see the Retire action and How to wipe only corporate data from apps.
Full device wipe removes all user data and settings from the device by restoring the device to its factory default settings. The device is removed from Intune.
Note
Full device wipe, and selective wipe for MDM can only be achieved on devices enrolled with Intune mobile device management (MDM).
Selective wipe for MDM
See Remove devices - retire to read about removing company data.
Selective wipe for MAM
Selective wipe for MAM simply removes company app data from an app. The request is initiated using Intune. To learn how to initiate a wipe request, see How to wipe only corporate data from apps.
If the user is using the app when selective wipe is initiated, the Intune SDK checks every 30 minutes for a selective wipe request from the Intune MAM service. It also checks for selective wipe when the user launches the app for the first time and signs in with their work or school account.
When On-Premises (on-prem) services don't work with Intune protected apps
Intune app protection depends on the identity of the user to be consistent between the application and the Intune SDK. The only way to guarantee that is through modern authentication. There are scenarios in which apps may work with an on-prem configuration, but they are neither consistent nor guaranteed.
Secure way to open web links from managed apps
The IT administrator can deploy and set app protection policy for Microsoft Edge, a web browser that can be managed easily with Intune. The IT administrator can require all web links in Intune-managed apps to be opened using a managed browser.
App protection experience for iOS devices
Device fingerprint or face IDs
Intune app protection policies allow control over app access to only the Intune licensed user. One of the ways to control access to the app is to require either Apple's Touch ID or Face ID on supported devices. Intune implements a behavior where if there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint, or face. If the Intune user does not have a PIN set, they are led to set up an Intune PIN.
The intent of this process is to continue keeping your organization's data within the app secure and protected at the app level. This feature is only available for iOS/iPadOS, and requires the participation of applications that integrate the Intune SDK for iOS/iPadOS, version 9.0.1 or later. Integration of the SDK is necessary so that the behavior can be enforced on the targeted applications. This integration happens on a rolling basis and is dependent on the specific application teams. Some apps that participate include WXP, Outlook, Managed Browser, and Yammer.
iOS share extension
You can use the iOS/iPadOS share extension to open work or school data in unmanaged apps, even with the data transfer policy set to managed apps only or no apps. Intune app protection policy cannot control the iOS/iPadOS share extension without managing the device. Therefore, Intune encrypts 'corporate' data before it is shared outside the app. You can validate this encryption behavior by attempting to open a 'corporate' file outside of the managed app. The file should be encrypted and unable to be opened outside the managed app.
Universal Links support
By default, Intune app protection policies will prevent access to unauthorized application content. In iOS/iPadOS, there is functionality to open specific content or applications using Universal Links.
Users can disable an app's Universal Links by visiting them in Safari and selecting Open in New Tab or Open. In order to user Universal Links with Intune app protection policies, it's important to re-enable the universal links. The end user would need to do an Open in <app name> in Safari after long pressing a corresponding link. This should prompt any additional protected app to route all Universal Links to the protected application on the device.
Multiple Intune app protection access settings for same set of apps and users
Intune app protection policies for access will be applied in a specific order on end-user devices as they try to access a targeted app from their corporate account. In general, a wipe would take precedence, followed by a block, then a dismissible warning. For example, if applicable to the specific user/app, a minimum iOS/iPadOS operating system setting that warns a user to update their iOS/iPadOS version will be applied after the minimum iOS/iPadOS operating system setting that blocks the user from access. So, in the scenario where the IT admin configures the min iOS operating system to 11.0.0.0 and the min iOS operating system (Warning only) to 11.1.0.0, while the device trying to access the app was on iOS 10, the end user would be blocked based on the more restrictive setting for min iOS operating system version that results in blocked access.
When dealing with different types of settings, an Intune SDK version requirement would take precedence, then an app version requirement, followed by the iOS/iPadOS operating system version requirement. Then, any warnings for all types of settings in the same order are checked. We recommend the Intune SDK version requirement be configured only upon guidance from the Intune product team for essential blocking scenarios.
App protection experience for Android devices
Note
App protection policies are not supported on Intune managed Android Enterprise dedicated devices. If your users on Android Enterprise dedicated devices have APP policiesapplied for another device, then you'll want to take the following steps:
Ensure that the devices you want target are only Intune managed dedicated devices. The block policy does not take effect if the device is managed by a 3rd party MDMprovider.
Ensure that Company Portal is installed on the dedicated device. This is required for the APP block policy to take effect. No end-user interaction is needed in CompanyPortal app on dedicated devices to block APP functionality, so there is no requirement to make the Company Portal app launchable by end users. The Company Portal simply needsto be installed on the device. For example, you don't need to allow-list it on top of Managed Home Screen.
Note that users targeted with APP policies on non-dedicated devices will not be impacted.
Device biometric authentication
For Android devices that support biometric authentication, you can allow end users to use fingerprint or Face Unlock, depending on what their Android device supports. You can configure whether all biometric types beyond fingerprint can be used to authenticate. Note that fingerprint and Face Unlock are only available for devices manufactured to support these biometric types and are running the correct version of Android. Android 6 and higher is required for fingerprint, and Android 10 and higher is required for Face Unlock.
Company Portal app and Intune app protection
Much of app protection functionality is built into the Company Portal app. Device enrollment is not required even though the Company Portal app is always required. For mobile application management without enrollment (MAM-WE), the end user just needs to have the Company Portal app installed on the device.
Multiple Intune app protection access settings for same set of apps and users
Intune app protection policies for access will be applied in a specific order on end-user devices as they try to access a targeted app from their corporate account. In general, a block would take precedence, then a dismissible warning. For example, if applicable to the specific user/app, a minimum Android patch version setting that warns a user to take a patch upgrade will be applied after the minimum Android patch version setting that blocks the user from access. So, in the scenario where the IT admin configures the min Android patch version to 2018-03-01 and the min Android patch version (Warning only) to 2018-02-01, while the device trying to access the app was on a patch version 2018-01-01, the end user would be blocked based on the more restrictive setting for min Android patch version that results in blocked access.
When dealing with different types of settings, an app version requirement would take precedence, followed by Android operating system version requirement and Android patch version requirement. Then, any warnings for all types of settings in the same order are checked.
Intune app protection policies and Google's SafetyNet Attestation for Android devices
Intune app protection policies provide the capability for admins to require end-user devices to pass Google's SafetyNet Attestation for Android devices. A new Google Play service determination will be reported to the IT admin at an interval determined by the Intune service. How often the service call is made is throttled due to load, thus this value is maintained internally and is not configurable. Any IT admin configured action for the Google SafetyNet Attestation setting will be taken based on the last reported result to the Intune service at the time of conditional launch. If there is no data, access will be allowed depending on no other conditional launch checks failing, and Google Play Service 'roundtrip' for determining attestation results will begin in the backend and prompt the user asynchronously if the device has failed. If there is stale data, access will be blocked or allowed depending on the last reported result, and similarly, a Google Play Service 'roundtrip' for determining attestation results will begin and prompt the user asynchronously if the device has failed.
Intune app protection policies and Google's Verify Apps API for Android devices
Intune App Protection Policies provide the capability for admins to require end-user devices to send signals via Google's Verify Apps API for Android devices. The instructions on how to do this vary slightly by device. The general process involves going to the Google Play Store, then clicking on My apps & games, clicking on the result of the last app scan which will take you into the Play Protect menu. Ensure the toggle for Scan device for security threats is switched to on.
Google's SafetyNet Attestation API
Intune leverages Google Play Protect SafetyNet APIs to add to our existing root detection checks for unenrolled devices. Google has developed and maintained this API set for Android apps to adopt if they do not want their apps to run on rooted devices. The Android Pay app has incorporated this, for example. While Google does not share publicly the entirety of the root detection checks that occur, we expect these APIs to detect users who have rooted their devices. These users can then be blocked from accessing, or their corporate accounts wiped from their policy enabled apps. Check basic integrity tells you about the general integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. Check basic integrity & certified devices tells you about the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check. Devices that will fail include the following:
- Devices that fail basic integrity
- Devices with an unlocked bootloader
- Devices with a custom system image/ROM
- Devices for which the manufacturer didn't apply for, or pass, Google certification
- Devices with a system image built directly from the Android Open Source Program source files
- Devices with a beta/developer preview system image
See Google's documentation on the SafetyNet Attestation for technical details.
SafetyNet device attestation setting and the 'jailbroken/rooted devices' setting
Google Play Protect's SafetyNet API checks require the end user being online, atleast for the duration of the time when the 'roundtrip' for determining attestation results executes. If end user is offline, IT admin can still expect a result to be enforced from the jailbroken/rooted devices setting. That being said, if the end user has been offline too long, the Offline grace period value comes into play, and all access to work or school data is blocked once that timer value is reached, until network access is available. Turning on both settings allows for a layered approach to keeping end-user devices healthy which is important when end-users access work or school data on mobile.
Google Play Protect APIs and Google Play Services
The app protection policy settings that leverage Google Play Protect APIs require Google Play Services to function. Both the SafetyNet device attestation, and Threat scan on apps settings require Google determined version of Google Play Services to function correctly. Since these are settings that fall in the area of security, the end user will be blocked if they have been targeted with these settings and are not meeting the appropriate version of Google Play Services or have no access to Google Play Services.
Next steps
See also
Third-party apps such as the Salesforce mobile app work with Intune in specific ways to protect corporate data. To learn more about how the Salesforce app in particular works with Intune (including MDM app configurations settings), see Salesforce App and Microsoft Intune.
This page covers Intel-based Macs – all models since 2006, including MacBooks and ?MacBook Pros
The most delicate part of installing operating systems, other than drive partitioning (which can destroy data), is configuring the boot loader, which can render your system unbootable. Best practice on ?IntelMacs has been changing with improved development of GRUB and supporting software.
This page only covers changing boot loaders, and does not cover the far more dangerous process of partitioning. For partitioning Intel Macs, see ?IntelMac/Partitioning.
On an Intel Mac, currently the best stable (lenny) configuration is:
chain loading by first loading rEFIt (in EFI), then using the BIOS version of GRUB 2 (grub-pc) to load Linux (or Windows).
This allows multi-booting to Linux, Mac OS X, and Windows, yields accelerated graphics, and does not require LILO to be run every time a kernel or init ramdisk change occurs.
In future, this may be replaced by:
a single stage boot, with the EFI version of GRUB 2 (grub-efi).
This is similar to rEFIt + GRUB 2 (BIOS version), but somewhat simpler. Currently there are limitations in Linux and X.org which need addressing (their video drivers need BIOS to initial video hardware for acceleration), but longer-term this should be an acceptable solution.
In the past, (etch?), practice was:
- chain loading by first loading rEFIt (in EFI), then using LILO.
This worked, but had the usual limitations of LILO (system wouldn’t boot if forgot to run lilo after kernel changes, etc.), and was necessary because GRUB Legacy does not (easily) support Intel Macs.
Any OS can be selected as default if you use rEFIt (version 0.14+) then the BIOS version of GRUB 2, or just GRUB 2 in EFI.
First, make a rescue CD/DVD, or get a Live DVD (or Live CD, or Live USB) and test it by booting with it. If rEFIt is properly configured, you will be able to boot from discs or USB drives from the rEFIt screen. Alternatively, holding the Option key during boot should start the Apple Startup Manager, while holding the ‘C’ key during boot should boot to CD (or DVD) – these should work even if rEFIt is broken.
Having a separate working computer available is wise, in case of difficulty it allows you to research the problem without needing to reboot the non-working computer.
Worst case
Likely worst case – assuming you do not change partitions, which can destroy data – is to render the hard drive unbootable, requiring the use of a boot CD/DVD.
Booting from a CD/DVD should always work (assuming firmware is ok: you do not need to change firmware in any way to install Debian or change the boot loader), but in worst case scenario, you can always remove the hard drive, connect it to another computer (such as in a USB hard drive enclosure), and fix it there.
Similarly, if the firmware is corrupt, you can restore the firmware as described at Apple support (About the Firmware Restoration CD (Intel-based Macs)) or by taking it to an Apple store, but this should not prove necessary.
This is mentioned simply to alleviate fears – if you’re only changing boot loaders, not booting from hard drive (and requiring rescue CD/DVD) is likely the worst case.
Complexity in Intel Mac booting is due to the transition from BIOS firmware to the EFI system.
- Mac Books now use EFI to boot
- GRUB Legacy (prior to GRUB 2) cannot boot from EFI
In parallel with this is the transition from the BIOS system of partitioning (MBR) to the EFI system of partitioning (GPT). During this transition you’ll want to use a GPT/MBR hybrid system, but these are potentially very painful. Notably, the GPT and MBR partition tables can get out of sync, so after using non-GPT aware partitioning tools, you must use gptsync (either in Mac OS X or Debian) to sync the partition information. In squeeze, gdisk is a GPT-aware fdisk, but in lenny, you’ll need to use gptsync in addition to fdisk, and gptsync is useful if you’ve used Mac OS X partitioning.
Components
There are 3 components in the boot process, as described here:
- Mac firmware
rEFIt (EFI bootloader) – chooses partition
GRUB (BIOS bootloader) – boots Debian
In general, once set up, you will not need to touch the firmware or rEFIt, but you can safely upgrade these without harm, and they will not touch your Linux partition.
Mac firmware
You mostly needn’t concern yourself with this, except as backup.
This is sometimes upgraded, which is a reason to keep Mac OS X around; see #Upgrading EFI Firmware, below.
It is also possible to:
- use the built-in boot loader (hold “Option” on start up)
- boot directly to CD (hold “C” on start up)
- restore original firmware (erase settings and upgrades), in dire situations
See:
http://support.apple.com/kb/ht1379
http://www.hackerskitchen.com/mac-old/nvram-detailed.html#nvram
http://www.hackerskitchen.com/mac-old/#specific
for details on firmware hacking. These should not be necessary, but are included for reference.
rEFIt
rEFIt is an EFI bootloader, particularly for Intel Macs.
rEFIt can be installed via Mac OS X, which is the easiest way to use it. There is also refit, which is a re-packaging that has licensing that is conformant to Debian Free Software standards (rEFIt itself does not). The Debian package is not necessary to use rEFIt, and requires manual installation in Mac OS X, but it may prove useful.
rEFIt 0.14 (2010 March) has some useful enhancements, notably more configurable default boot, and detection of GRUB 2, so it is a recommended upgrade.
A subtlety is that the Mac firmware (specifically the PRAM (Programmable RAM), which stores variables) stores which partition to boot, which it calls “blessing”. Mac OS X is in the second partition, while rEFIt is installed in the first (EFI boot) partition (it also has files in the OS X partition, but copies these to the EFI boot partition). Blessing is done so the Mac will use rEFIt (or other EFI-capable bootloader) to boot.
A sub-subtlety is that when returning from Safe Sleep, Macs will boot – which should always be the Mac partition, not rEFIt, but due to a bug they may boot into the “blessed” partition, rather than into Mac. Thus rEFIt includes a program “rEFItBlesser” which blesses the Mac partition on startup, then blesses the rEFIt partition on shutdown. Thus you may sometimes boot into OS X instead of into the rEFIt menu, particularly after installing or upgrading rEFIt or following power loss or OS X Safe Sleep. Rebooting should bless rEFIt on shutdown and thus reboot into rEFIt. On reinstall you may need to reboot twice – the first time rEFItBlesser now starts, and blesses on shutdown, the second time it boots into rEFIt.
See No rEFIt menu after Safe Sleep or power loss for details.
There are many possible configurations, depending on whether you want to boot only Debian or wish to multi-boot, and what boot loader you use in EFI.
For concreteness and maximal compatibility, one may assume that one wishes to triple-boot to Mac OS X, Debian, and Windows (possibly non-EFI aware, e.g., prior to 2008). In that case one:
- partitions in hybrid GPT/MBR (as is done by Boot Camp), with a GPT partition, the Mac OS X partition, the Debian Linux partition, and (optionally) a Windows partition,
- boots via rEFIt in EFI, then GRUB 2 (BIOS version) on the Linux partition.
The other boot options, in order of complexity:
- elilo (EFI LILO) in EFI, booting to Debian only
- GRUB 2 in EFI, multi-booting, but not to Windows prior to 2008, and not providing accelerated graphics
- rEFIt in EFI, multi-booting, using LILO on the Linux partition to boot Debian
- rEFIt in EFI, multi-booting, using GRUB 2 (BIOS version) on the Linux partition to boot Debian
Note the key distinction between installing GRUB 2 in EFI versus on the partition. Concretely, grub-install /dev/sda installs GRUB 2 to the hard drive (EFI), while grub-install /dev/sda3 (note the “3”, indicating partition) installs GRUB 2 to the partition. (Formally, when installing in the partition, GRUB is in the “Partition Boot Record” or “PBR”; see Volume boot record.)
It is also possible to multi-boot without using rEFIt (holding down the “Option” key at boot to access the built-in Mac multi-boot), but rEFIt makes matters much easier.
On top of this is the distinction between using a pure GPT system (which to the eyes of MBR has only a single partition) versus using a hybrid GPT/MBR system, which to the eyes of MBR has up to 4 primary partitions, consisting of a GPT partition, the Mac OS X partition, the Debian Linux partition, and optionally a Windows partition.
If you wish to retain OS X, which you may desire either to use OS X applications, to easily upgrade EFI firmware, or simply as a backup system, then easiest is to use Boot Camp to resize/repartition, and retain the Mac OS X partition. Alternatively, you can wipe the hard drive and use Debian only (or Debian and Windows, or other combinations).
One can set any OS as the default, as follows:
- If GRUB 2 is in EFI, one can set the default OS by configuring GRUB 2.
If rEFIt is in EFI, use rEFIt version 0.14+ and configure the refit.config file as documented there to select default system.
You can also triple-chain: first rEFIt → GRUB 2 on the Linux partition, then GRUB 2 to another OS (such as Windows).
See: MacBook/DebianInstallTutorial
Installing Grub2 has also been fine for Lenny. This is the grub-pc version which boot through rEFIt (not grub-efi). This is tested on amd64 and i386.
Lenny install CD can install GRUB as bootloader. Its dialogue can be misleading if you wish to install bootloader to MBR. You must create proper MBR/GPT hybrid. It can be done by:
gptsync command on Linux
menu from rEFIt boot loader
Switching from LILO to GRUB
If you wish to switch from lilo to GRUB (BIOS version), while still using rEFIt in EFI:
First, please read and understand some basics at: Debian Reference: 3.3. Stage 2: the boot loader.
Second, make rescue media (a rescue CD) using grub-rescue-pc, or some Live CD/DVD, such as Knoppix, and test it.
Third, check which partition Linux is on, either using gparted in Debian or the disc tool in Mac OS X. It is probably /dev/sda3 (third partition ‘3’ on primary drive ‘a’), assuming you’re also booting into Mac OS X (EFI is partition 1, Mac OS X is partition 2), but please check.
Also, you will need to ensure the rEFIt is at least at version 0.9 (0.14 is preferred); previous versions don’t play nice with GNU parted and GRUB 2; see [http://refit.sourceforge.net/doc/c4s5_parted.html rEFIt: Linux partition shows as EFI System (FAT)] for details.
Testing Live CD/DVD
To test your Live CD/DVD:
- boot with it (via rEFIt or by holding ‘C’ during boot)
- mount your Linux partition via
…or similar (above works in Knoppix), and then chroot to it:
At this point you should be booted as usual into your system, and should be able to edit files, run aptitude, etc.
Installing GRUB
Barony: Blessed Addition Mac Os Catalina
Now you are ready to install the packages:
This is safe – it installs the packages, but does not change the boot loader.
grub-pc is GRUB 2 (BIOS version), while os-prober detects other OSes and automatically includes them in your GRUB menu (lenny version detects Windows, while squeeze version detects Windows and Mac OS X), and gptsync ensures that GPT and MBR partition information are in sync, just like it says on the tin.
Now for the actual installation:
Note that:
- gptsync is likely no longer necessary in squeeze,
- grub-install will likely warn you against installing in a partition (which we need for multi-boot) and need to be run with --force
you cannot use reiserfs in your main partition (or rather, should not); this is potentially very dangerous and risks FILESYSTEM DESTRUCTION (quoting grub-install), and you are recommended to instead convert your filesystem to ext3, as per Serverfault: How to convert a reiserfs partition to ext3? (make sure to update fstab to read ext3 instead of reiserfs)
At this point GRUB should be correctly installed.
The need for gptsync to be run in Linux is as follows: for GRUB 2 to successfully load, the partition number must be 83 (Linux). However, the gptsync included in rEFIt in Mac OS X does not set this partition number, and thus will not load GRUB 2; this may be fixed in rEFIt 0.14.
You may instead be able to run grub-install '(hd0)' ((hd0) in GRUB = sda in Linux), but this may instead install GRUB to EFI. Alternatively, grub-install '(hd0,3)' ((hd0,3) in GRUB = sda3 in Linux) may work.
To ensure that the menu is correctly updated, edit /etc/kernel-img.conf to include the following lines (these were previously documented at zless /usr/share/doc/grub/README.Debian.gz):
You can test that this updates GRUB by reconfiguring your running kernel:
(BTW, the difference between GRUB and LILO is that GRUB can successfully load the kernel even if the menu hasn’t been updated, since it can read the file system, while LILO simply fails. However, this requires manually finding and entering the path to the kernel.)
If you are ready to reboot, cross your fingers, and reboot, either interactively or via the command line:
(If you find yourself here after your system failed to reboot, we are very sorry – if you can identify the problem, please correct it above.)
Upgrading EFI Firmware
Upgrading EFI Firmware (which Apple does through Software Update) does not affect boot loaders in any way, and is completely fine – rEFIt, GRUB 2, elilo, LILO, and Windows should continue to work exactly as before.
In fact, upgrading EFI Firmware may improve boot loaders – early firmwares sometimes caused problems with failing to recognize keyboards, preventing you from selecting different boot options in GRUB 2.
You can see the latest EFI Firmware at Apple Support here: EFI and SMC firmware updates for Intel-based Macs.
/GRUB Legacy – out of date, but kept for reference
CategoryMacintoshComputer