🎯 Purpose
✅ Enforce baseline mobile application protection for Android devices using Microsoft apps, aligned with Essential Eight – Initial Baseline Protections (IBP / Maturity Level 1).
➡️ This policy protects corporate data within apps, even on unenrolled or BYOD Android devices.
👥 Who is affected
✅ Users: All users (once assigned)
🚫 Exclusions: None
➡️ Any user accessing Microsoft apps on Android will be protected by app‑level controls.
☁️ What access is protected
✅ Applications: Microsoft mobile apps (Outlook, Teams, OneDrive, SharePoint, Office apps, etc.)
✅ Device types: Android (enrolled and unenrolled)
➡️ Corporate data inside Microsoft apps is protected regardless of device ownership.
🔐 How app protection is enforced
✅ App‑level PIN required (minimum 4 digits)
✅ Maximum 5 PIN retries before app access is blocked
✅ Biometric authentication allowed
✅ App data encrypted at rest
✅ Screen capture and screen recording blocked
✅ Device compliance required for app access
➡️ Corporate data remains protected even if the device itself is not fully managed.
ℹ️ Note: These controls provide lightweight security suitable for IBP while avoiding unnecessary user lockout or friction.
🔒 How data leakage is prevented
✅ Outbound data transfer restricted to managed apps only
✅ Clipboard sharing limited to managed apps (paste‑in allowed)
✅ Android data backup blocked
✅ Approved storage locations limited to OneDrive, SharePoint, camera, and photo library
➡️ Data can flow only within approved corporate boundaries.
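The two sections above describe the policy's settings in words; the check below turns them into something an administrator can run against an exported copy of the policy to detect drift from this baseline. It is an added example, not part of the original policy document or a Microsoft tool. It assumes the policy has been exported as JSON with the property names used by the Microsoft Graph androidManagedAppProtection resource (pinRequired, maximumPinRetries, allowedOutboundClipboardSharingLevel, and so on); the sample policy embedded in it is constructed for illustration, and the storage-location enum values are assumptions to confirm against your own export.

```python
"""Drift check for an exported Intune Android app protection policy.

Property names follow the Microsoft Graph androidManagedAppProtection
resource (assumed here; confirm against your own export). The sample
policy is constructed to mirror the baseline described in the text.
"""
import json

# Constructed sample export: what a Graph export of the baseline policy could look like.
SAMPLE_POLICY_JSON = """
{
  "displayName": "Android - IBP App Protection (constructed sample)",
  "pinRequired": true,
  "minimumPinLength": 4,
  "maximumPinRetries": 5,
  "fingerprintBlocked": false,
  "encryptAppData": true,
  "screenCaptureBlocked": true,
  "deviceComplianceRequired": true,
  "allowedOutboundDataTransferDestinations": "managedApps",
  "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
  "dataBackupBlocked": true,
  "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint", "photoLibrary"],
  "isAssigned": false
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

# Baseline rules: (property, predicate on its value, expectation in plain words).
# A policy is compliant when every property is present and its predicate holds;
# stricter values (e.g. fewer retries, clipboard fully blocked) still pass.
BASELINE_RULES = [
    ("pinRequired", lambda v: v is True, "app-level PIN required"),
    ("minimumPinLength", lambda v: isinstance(v, int) and v >= 4, "PIN of at least 4 digits"),
    ("maximumPinRetries", lambda v: isinstance(v, int) and 1 <= v <= 5, "at most 5 PIN retries"),
    ("fingerprintBlocked", lambda v: v is False, "biometric authentication allowed"),
    ("encryptAppData", lambda v: v is True, "app data encrypted at rest"),
    ("screenCaptureBlocked", lambda v: v is True, "screen capture blocked"),
    ("deviceComplianceRequired", lambda v: v is True, "device compliance required"),
    ("allowedOutboundDataTransferDestinations", lambda v: v == "managedApps",
     "outbound transfer restricted to managed apps"),
    ("allowedOutboundClipboardSharingLevel",
     lambda v: v in ("managedAppsWithPasteIn", "managedApps", "blocked"),
     "clipboard limited to managed apps"),
    ("dataBackupBlocked", lambda v: v is True, "Android backup blocked"),
]

# Storage locations the baseline approves (enum spellings assumed).
APPROVED_STORAGE = {"oneDriveForBusiness", "sharePoint", "photoLibrary"}


def check_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy matches the baseline."""
    findings = []
    for prop, predicate, expectation in BASELINE_RULES:
        if prop not in policy:
            findings.append(f"{prop}: missing (expected {expectation})")
        elif not predicate(policy[prop]):
            findings.append(f"{prop}={policy[prop]!r}: expected {expectation}")
    # Any storage location outside the approved set widens the leakage boundary.
    extra = set(policy.get("allowedDataStorageLocations", [])) - APPROVED_STORAGE
    if extra:
        findings.append(f"allowedDataStorageLocations: unapproved {sorted(extra)}")
    return findings


def check_policy_json(text: str) -> list:
    """Convenience wrapper for a raw JSON export."""
    return check_policy(json.loads(text))


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY) or ["baseline OK"]:
        print(finding)
```

Run it against a real export in place of SAMPLE_POLICY_JSON; each finding names the property, its current value and the baseline expectation, so a non-empty result is the list of settings to correct before assignment. Because the predicates accept stricter values, the same script remains valid when the policy is later uplifted at higher maturity levels.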
⚙️ What this policy does NOT enforce
🚫 Managed browser requirement
🚫 VPN‑on‑launch
🚫 URL filtering
🚫 Advanced device integrity attestation (strong SafetyNet / Play Integrity)
➡️ These controls are intentionally excluded at IBP / Maturity Level 1 and introduced at Maturity Levels 2 and 3.
🟢 Policy status
✅ Created
❌ Not assigned
✅ Ready for assignment to users or groups
📘 Essential Eight Alignment
✅ Supports Essential Eight – Application Hardening, Data Protection, and Access Control (IBP / Maturity Level 1)
✅ Protects corporate data on mobile devices
✅ Prevents unauthorised data exfiltration
ℹ️ Stronger integrity checks and browser controls are addressed in Maturity Levels 2 and 3
📘 Practical Interpretation (Executive‑Friendly)
This App Protection policy ensures that:
✅ Corporate data in Microsoft apps
✅ On any Android device
✅ Is encrypted, access‑controlled, and protected from leakage
✅ Without requiring full device enrolment
This establishes a safe, low‑friction mobile security baseline suitable for Essential Eight Initial Baseline Protections and provides a clear foundation for uplift to stronger mobile controls in higher maturity levels.