Commit 7640bf0

author
Angela Fleischmann
authored
Merge pull request #6567 from lenewsad/Android8Support
Updating docs with supported Android version
2 parents 909c1e7 + 879beca commit 7640bf0

27 files changed

Lines changed: 84 additions & 78 deletions

memdocs/intune/apps/app-protection-framework.md

Lines changed: 6 additions & 6 deletions
@@ -52,7 +52,7 @@ Microsoft recommends the following deployment ring approach for the APP data pro
5252
| Deployment ring | Tenant | Assessment teams | Output | Timeline |
5353
|--------------------|------------------------|-------------------------------------------------------------------|----------------------------------------------------------|----------------------------------------|
5454
| Quality Assurance | Pre-production tenant | Mobile capability owners, Security, Risk Assessment, Privacy, UX | Functional scenario validation, draft documentation | 0-30 days |
55-
| Preview | Production tenant | Mobile capability owners, UX | End user scenario validation, user facing documentation | 7-14 days, post Quality Assurance |
55+
| Preview | Production tenant | Mobile capability owners, UX | End-user scenario validation, user facing documentation | 7-14 days, post Quality Assurance |
5656
| Production | Production tenant | Mobile capability owners, IT help desk | N/A | 7 days to several weeks, post Preview |
5757

5858
As the above table indicates, all changes to the App Protection Policies should be first performed in a pre-production environment to understand the policy setting implications. Once testing is complete, the changes can be moved into production and applied to a subset of production users, generally, the IT department and other applicable groups. And finally, the rollout can be completed to the rest of the mobile user community. Rollout to production may take a longer amount of time depending on the scale of impact regarding the change. If there is no user impact, the change should roll out quickly, whereas, if the change results in user impact, rollout may need to go slower due to the need to communicate changes to the user population.
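
Review bot: In line 55 the Output cell now reads "End-user scenario validation, user facing documentation", so the compound modifier is hyphenated in one half of the cell and not in the other. Suggest changing "user facing documentation" to "user-facing documentation" in the same edit so the row is consistent.
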
@@ -106,7 +106,7 @@ The policies in level 1 enforce a reasonable data access level while minimizing
106106

107107
| Setting | Setting description | Value | Platform |
108108
|-----------------|--------------------------------------------------------|-----------------------|----------------------------------------|
109-
| Data Transfer | Backup org data to… | Allow | iOS/iPadOS, Android |
109+
| Data Transfer | Back up org data to… | Allow | iOS/iPadOS, Android |
110110
| Data Transfer | Send org data to other apps | All apps | iOS/iPadOS, Android |
111111
| Data Transfer | Receive data from other apps | All apps | iOS/iPadOS, Android |
112112
| Data Transfer | Restrict cut, copy, and paste between apps | Any app | iOS/iPadOS, Android |
@@ -129,7 +129,7 @@ The policies in level 1 enforce a reasonable data access level while minimizing
129129
| Simple PIN | Allow | iOS/iPadOS, Android | |
130130
| Select Minimum PIN length | 4 | iOS/iPadOS, Android | |
131131
| Touch ID instead of PIN for access (iOS 8+/iPadOS) | Allow | iOS/iPadOS | |
132-
| Fingerprint instead of PIN for access (Android 6.0+) | Allow | Android | |
132+
| Fingerprint instead of PIN for access (Android 9.0+) | Allow | Android | |
133133
| Override biometrics with PIN after timeout | Require | iOS/iPadOS | |
134134
| Override fingerprint with PIN after timeout | Require | Android | |
135135
| Timeout (minutes of activity) | 720 | iOS/iPadOS, Android | |
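
Review bot: The new minimum in line 132 is "Android 9.0+", but the merged branch is named Android8Support and the commit message says only "Updating docs with supported Android version". Please confirm that 9.0 is the intended floor for "Fingerprint instead of PIN for access" and state the reason for the jump from 6.0 in the commit message, since administrators read this row to decide which devices can use the biometric path instead of the PIN.
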
@@ -149,8 +149,8 @@ The policies in level 1 enforce a reasonable data access level while minimizing
149149
| App conditions | Offline grace period | 720 / Block access (minutes) | iOS/iPadOS, Android | |
150150
| App conditions | Offline grace period | 90 / Wipe data (days) | iOS/iPadOS, Android | |
151151
| Device conditions | Jailbroken/rooted devices | N/A / Block access | iOS/iPadOS, Android | |
152-
| Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | <p>This setting configures Google's SafetyNet Attestation on end user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. </p><p> Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.</p> |
153-
| Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end user will be blocked from access until they turn on Google's app scanning on their Android device. |
152+
| Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android | <p>This setting configures Google's SafetyNet Attestation on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity. </p><p> Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.</p> |
153+
| Device conditions | Require threat scan on apps | N/A / Block access | Android | This setting ensures that Google's Verify Apps scan is turned on for end user devices. If configured, the end-user will be blocked from access until they turn on Google's app scanning on their Android device. |
154154
| Device conditions | Require device lock | N/A / Block access | Android | This setting ensures that Android devices have a device PIN, password, or pattern are set to enable a device lock. This condition does not distinguish between lock options or the complexity. |
155155

156156
#### Level 2 enterprise enhanced data protection
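
Review bot: The hyphenation in line 153 lands on the wrong phrase: "end user devices" (used as a modifier) stays unhyphenated while "the end-user will be blocked" (used as a noun) gains a hyphen, which is the opposite of line 152, where "end-user devices" is hyphenated. Suggest "turned on for end-user devices" and "the end user will be blocked" so the two Device conditions rows follow the same rule.
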
@@ -163,7 +163,7 @@ The policy settings enforced in level 2 include all the policy settings recommen
163163

164164
| Setting | Setting description | Value | Platform | Notes |
165165
|---------------|----------------------------------------------------------|-----------------------------------------------|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
166-
| Data Transfer | Backup org data to… | Block | iOS/iPadOS, Android | |
166+
| Data Transfer | Back up org data to… | Block | iOS/iPadOS, Android | |
167167
| Data Transfer | Send org data to other apps | Policy managed apps | iOS/iPadOS, Android | <p>With iOS/iPadOS, administrators can configure this value to be "Policy managed apps", "Policy managed apps with OS sharing", or "Policy managed apps with Open-In/Share filtering". </p><p>Policy managed apps with OS sharing is available when the device is also enrolled with Intune. This setting allows data transfer to other policy managed apps, as well as file transfers to other apps that have are managed by Intune. </p><p>Policy managed apps with Open-In/Share filtering filters the OS Open-in/Share dialogs to only display policy managed apps. </p><p> For more information, see [iOS app protection policy settings](app-protection-policy-settings-ios.md).</p> |
168168
| Data Transfer | Select apps to exempt | Default / skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services; | iOS/iPadOS | |
169169
| Data Transfer | Save copies of org data | Block | iOS/iPadOS, Android | |

memdocs/intune/apps/app-protection-policy-settings-android.md

Lines changed: 1 addition & 1 deletion
@@ -120,7 +120,7 @@ For more information, see [Data transfer policy exceptions for apps](app-protect
120120
| <ol><br>**PIN type** | Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter **or** at least 1 special character. <br><br> Default value = **Numeric**<br><br> **Note:** Special characters allowed include the special characters and symbols on the Android English language keyboard. |
121121
| <ul><b> **Simple PIN** | Select **Allow** to allow users to use simple PIN sequences like *1234*, *1111*, *abcd* or *aaaa*. Select **Blocks** to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If **Block** is configured, 1235 or 1112 would not be accepted as PIN set by the end user, but 1122 would be allowed. <br><br>Default value = **Allow** <br><br>**Note:** If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter **or** at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number **and** one letter **and** at least one special character in their PIN. </li> |
122122
| <ul><b> **Select minimum PIN length** | Specify the minimum number of digits in a PIN sequence. <br><br>Default value = **4** |
123-
| <ul><b> **Fingerprint instead of PIN for access (Android 6.0+)** | Select **Allow** to allow the user to use [fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN for app access. <br><br>Default value = **Allow** <br><br>**Note:** This feature supports generic controls for biometric on Android devices. OEM-specific biometric settings, like Samsung Pass, *are not supported.* <br><br>On Android, you can let the user prove their identity by using [Android fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN. <br><br> Android personally-owned work profile enrolled devices require registering a separate fingerprint for the **Fingerprint instead of PIN for access** policy to be enforced. This policy takes effect only for policy-managed apps installed in the Android personally-owned work profile. The separate fingerprint must be registered with the device after the Android personally-owned work profile is created by enrolling in the Company Portal. For more information about personally-owned work profile fingerprints using Android personally-owned work profiles, see [Lock your work profile](https://support.google.com/work/android/answer/7029958). |
123+
| <ul><b> **Fingerprint instead of PIN for access (Android 9.0+)** | Select **Allow** to allow the user to use [fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN for app access. <br><br>Default value = **Allow** <br><br>**Note:** This feature supports generic controls for biometric on Android devices. OEM-specific biometric settings, like Samsung Pass, *are not supported.* <br><br>On Android, you can let the user prove their identity by using [Android fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN. <br><br> Android personally-owned work profile enrolled devices require registering a separate fingerprint for the **Fingerprint instead of PIN for access** policy to be enforced. This policy takes effect only for policy-managed apps installed in the Android personally-owned work profile. The separate fingerprint must be registered with the device after the Android personally-owned work profile is created by enrolling in the Company Portal. For more information about personally-owned work profile fingerprints using Android personally-owned work profiles, see [Lock your work profile](https://support.google.com/work/android/answer/7029958). |
124124
| <ul><b>**Override fingerprint with PIN after timeout**| To use this setting, select **Require** and then configure an inactivity timeout. <br><br>Default value = **Require** |
125125
| <ul><b><ul><b> **Timeout (minutes of inactivity)**| Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.<br><br>Default value = **30** |
126126
| <ul><b>**Biometrics instead of PIN for access** | Select **Allow** to allow the user to use Face Unlock to authenticate users on Android devices. If allowed, Face Unlock is used to access the app on Android 10 or higher devices. |
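
Review bot: Line 123 raises the label to "Android 9.0+", but both fingerprint-authentication links in the same cell still point to developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication, so the row now cites Android 6.0 documentation for a setting stated as requiring 9.0. Either update the links to a reference that matches the new minimum, or add a sentence in the cell explaining why the policy floor is higher than the release the linked page describes.
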

memdocs/intune/apps/app-protection-policy-settings-log.md

Lines changed: 1 addition & 1 deletion
@@ -191,7 +191,7 @@ The following tables list the App protection policy setting name and supported v
191191
| SimplePINAllowed​ | false = Block<br>true = Allow​​ | **Section**: Access requirements<br>**Setting**: Simple PIN​ |
192192
| SpecificDialerDisplayName | Dialer app name​​ | **Section**: Data protection<br>**Setting**: Dialer app name​ |
193193
| SpecificDialerPackageID | Dialer app bundle ID | **Section**: Data protection<br>**Setting**: Dialer App Package ID​ |
194-
| TouchIDEnabled​ | false = Block<br>true = Allow​ | **Section**: Access requirements<br>**Setting**: Fingerprint instead of PIN for access (Android 6.0+) |
194+
| TouchIDEnabled​ | false = Block<br>true = Allow​ | **Section**: Access requirements<br>**Setting**: Fingerprint instead of PIN for access (Android 9.0+) |
195195
| UnmanagedBrowserDisplayName | Unmanaged web browser display name​ | **Section**: Data protection<br>**Setting**: Unmanaged Browser name |
196196
| UnmanagedBrowserPackageID | Unmanaged web browser package ID | **Section**: Data protection<br>**Setting**: Unmanaged Browser ID |
197197
| UserStatusPollInterval | N/A | **Note**: Not actively used by the Intune service. |
