You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: memdocs/intune/apps/app-protection-policy-settings-android.md
+5-4Lines changed: 5 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -120,16 +120,17 @@ For more information, see [Data transfer policy exceptions for apps](app-protect
120
120
|<ol><br>**PIN type**|Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter **or** at least 1 special character. <br><br> Default value = **Numeric**<br><br> **Note:** Special characters allowed include the special characters and symbols on the Android English language keyboard. |
121
121
|<ul><b> **Simple PIN**|Select **Allow** to allow users to use simple PIN sequences like *1234*, *1111*, *abcd* or *aaaa*. Select **Blocks** to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If **Block** is configured, 1235 or 1112 would not be accepted as PIN set by the end user, but 1122 would be allowed. <br><br>Default value = **Allow** <br><br>**Note:** If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter **or** at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number **and** one letter **and** at least one special character in their PIN. </li> |
122
122
|<ul><b> **Select minimum PIN length**|Specify the minimum number of digits in a PIN sequence. <br><br>Default value = **4**|
123
-
|<ul><b> **Fingerprint instead of PIN for access (Android 9.0+)** |Select **Allow** to allow the user to use [fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN for app access. <br><br>Default value = **Allow** <br><br>**Note:** This feature supports generic controls for biometric on Android devices. OEM-specific biometric settings, like Samsung Pass, *are not supported.* <br><br>On Android, you can let the user prove their identity by using [Android fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN. <br><br> Android personally owned work profile enrolled devices require registering a separate fingerprint for the **Fingerprint instead of PIN for access** policy to be enforced. This policy takes effect only for policy-managed apps installed in the Android personally owned work profile. The separate fingerprint must be registered with the device after the Android personally owned work profile is created by enrolling in the Company Portal. Also, end-users must confirm their app protection policy (APP) PIN when a change in their fingerprint is detected. <p>For more information about personally owned work profile fingerprints using Android personally owned work profiles, see [Lock your work profile](https://support.google.com/work/android/answer/7029958). |
124
-
|<ul><b>**Override fingerprint with PIN after timeout**|To use this setting, select **Require** and then configure an inactivity timeout. <br><br>Default value = **Require**|
125
-
|<ul><b><ul><b> **Timeout (minutes of inactivity)**|Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.<br><br>Default value = **30**|
126
-
|<ul><b>**Biometrics instead of PIN for access**|Select **Allow** to allow the user to use Face Unlock to authenticate users on Android devices. If allowed, Face Unlock is used to access the app on Android 10 or higher devices. |
123
+
|<ul><b>**Biometrics instead of PIN for access**|Select **Allow** to allow the user to use biometrics to authenticate users on Android devices. If allowed, biometrics is used to access the app on Android 10 or higher devices. |
124
+
|<ul><b>**Override biometric with PIN after timeout**|To use this setting, select **Require** and then configure an inactivity timeout. <br><br>Default value = **Require**|
125
+
|<ul><b><ul><b> **Timeout (minutes of inactivity)**|Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a biometric. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.<br><br>Default value = **30**|
127
126
|<ul><b>**PIN reset after number of days**|Select **Yes** to require users to change their app PIN after a set period of time, in days. <br><br>When set to *Yes*, you then configure the number of days before the PIN reset is required. <br><br> Default value = **No**|
128
127
|<ul><b><ul><b> **Number of days**|Configure the number of days before the PIN reset is required. <br><br> Default value = **90**|
129
128
|<ul><b>**Select number of previous PIN values to maintain**|This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining. <br><br> Default value = **0**|
130
129
|<ul><b>**App PIN when device PIN is set**|Select **Not required** to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured. <br><br> Default value = **Require**. |
131
130
|**Work or school account credentials for access**|Choose **Require** to require the user to sign in with their work or school account instead of entering a PIN for app access. When set to **Require**, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown. <br><br>Default value = **Not required**|
132
131
|**Recheck the access requirements after (minutes of inactivity)**|Configure the following setting: <ul><li>**Timeout**: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN and Blocks rooted devices in the policy, a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user won't have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value. <br><br>This policy setting format supports a positive whole number. <br><br> Default value = **30 minutes** <br><br> **Note:** On Android, the PIN is shared with all Intune-managed apps. The PIN timer is reset once the app leaves the foreground on the device. The user won't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting. <br><br></li> |
132
+
|<ul><b> **Class 3 biometrics (Android 9.0+)**| Select **Require** to require the user to sign in with class 3 biometrics. For more information on class 3 biometrics, see [Biometrics](https://source.android.com/docs/security/biometric) in Google's documentation. |
133
+
|<ul><b> **Override biometrics with PIN after biometric updates** | Select **Require** to override the use of biometrics with PIN when a change in biometrics is detected.<p><p>**NOTE:**<br>Depending on the Android device manufacturer, not all forms of biometrics may be supported for cryptographic operations. Currently, cryptographic operations are supported for any biometric (e.g., fingerprint, iris, or face) on the device that meets or exceeds the requirements for Class 3 biometrics, as defined in the Android documentation. See the `BIOMETRIC_STRONG` constant of the [BiometricManager.Authenticators](https://developer.android.com/reference/android/hardware/biometrics/BiometricManager.Authenticators#BIOMETRIC_STRONG) interface and the `authenticate` method of the [BiometricPrompt](https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt#authenticate(android.hardware.biometrics.BiometricPrompt.CryptoObject,%20android.os.CancellationSignal,%20java.util.concurrent.Executor,%20android.hardware.biometrics.BiometricPrompt.AuthenticationCallback)) class. You may need to contact your device manufacturer to understand the device-specific limitations. |
133
134
134
135
> [!NOTE]
135
136
> To learn more about how multiple Intune app protection settings configured in the Access section to the same set of apps and users work on Android, see [Intune MAM frequently asked questions](mam-faq.yml) and [Selectively wipe data using app protection policy access actions in Intune](app-protection-policies-access-actions.md).
0 commit comments