App Protection Policy Summary
IBP‑iPhoneOS/iPadOS App Protection
Policy ID: T_1b366550‑a29c‑4da1‑898e‑5a36777591a9
Platform: iOS/iPadOS (MAM – App Protection)
Version: "5301fe38‑0000‑1a00‑0000‑695c525c0000"
Assigned: ✔️ Yes (1 group)
🎯 Purpose
This App Protection Policy (APP/MAM) enforces organisational data security on both managed and unmanaged iOS/iPadOS devices.
🧭 Assignments
Target
Group assignment: E8-IBP-App Protection
Scope Tags
Default/global (Tag ID: 0)
🔐 Data Protection Controls
Inbound/Outbound Data Transfer
| Setting | Value | Outcome |
| --- | --- | --- |
| Allowed inbound | From all apps | Broad data ingestion allowed |
| Allowed outbound | Only to managed apps | Prevents exfiltration to personal apps |
| Clipboard | Managed apps with paste‑in | Protects outbound copy/paste |
| "Save As" | Blocked | Stops insecure data export |
Data Storage & Backup
| Setting | Value |
| --- | --- |
| Allowed storage locations | OneDrive for Business, SharePoint, Camera, Photo Library |
| Backup blocked | ❌ No |
| Data ingestion restrictions | ❌ No (data ingestion into org documents is not blocked) |
App-Level Restrictions
Managed browser required: ✔️ Microsoft Edge
Restrict “Open In”: Partial — only for outbound
Screen capture: ❌ Blocked
Writing tools: ❌ Blocked
Genmoji: Not blocked
Printing: Allowed
Contact sync: Allowed
Third‑party keyboards: Allowed
🔐 Identity & Access Controls
Authentication
| Setting | Value |
| --- | --- |
| PIN required | ✔️ Yes |
| Min length | 4‑digit numeric PIN |
| Max retries | 5, then block |
| Allow simple PIN | ✔️ Allowed |
| Biometrics | Allowed (FaceID not blocked) |
| “PIN Instead of Biometric” timeout | 30 minutes |
| Organizational credentials required | ❌ No |
Offline Behaviour
| Setting | Value |
| --- | --- |
| Offline allowed before access check | 24 hours |
| Offline allowed before wipe | 90 days |
| Online access check frequency | 30 minutes |
📱 Device Compliance & Threat Protection
| Requirement | Value |
| --- | --- |
| Require device compliance | ✔️ Yes |
| Action if not compliant | Block |
| Maximum allowed threat level | Not configured |
| MTD remediation | Block |

(Note: the threat-level control has no effect because a maximum allowed threat level is not configured.)
🌐 Universal Links & Managed Browser Experience
Managed Universal Links:
Includes a large set of Microsoft 365, PowerApps, SharePoint, Teams, Yammer, ServiceNow, Stream, Tasks, Zoom, and other key SaaS providers.
This ensures organisational data flowing through those links stays within managed contexts.
Exempted Universal Links
FaceTime
Apple Maps
App Protocol Exemptions
Default Apple/system protocols (skype, calshow, itms, etc.)
📦 App Targets (40 apps)
Applies across the full suite of Microsoft 365 mobile apps, including:
Outlook
Teams
OneDrive
SharePoint
OneNote
Word, Excel, PowerPoint
Power BI
Dynamics apps
Planner, ToDo
Intune‑managed Line‑of‑Business apps
…and several additional MS ecosystem and partner apps.


