memdocs/intune/apps/app-protection-policy-settings-ios.md
Lines changed: 2 additions & 2 deletions
@@ -63,7 +63,7 @@ There are three categories of policy settings: *Data relocation*, *Access requir
63
63
| **Third party keyboards** | Choose **Block** to prevent the use of third-party keyboards in managed applications.<p>When this setting is enabled, the user receives a one-time message stating that the use of third-party keyboards is blocked. This message appears the first time a user interacts with organizational data that requires the use of a keyboard. Only the standard iOS/iPadOS keyboard is available while using managed applications, and all other keyboard options are disabled. This setting will affect both the organization and personal accounts of multi-identity applications. This setting does not affect the use of third-party keyboards in unmanaged applications.<p>**Note:** This feature requires the app to use Intune SDK version 12.0.16 or later. Apps with SDK versions from 8.0.14 to, and including, 12.0.15, will not have this feature correctly apply for multi-identity apps. For more details, see [Known issue: Third party keyboards are not blocked in iOS/iPadOS for personal accounts](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Updated-Known-issue-Third-party-keyboards-are-not-blocked-in-iOS/ba-p/339486). | **Allow** |
64
64
65
65
> [!NOTE]
66
-
> An app protection policy is required with IntuneMAMUPN for managed devices.
66
+
> An app protection policy is required with IntuneMAMUPN for managed devices. This applies for any setting that requires enrolled devices as well.
67
67
68
68
### Encryption
69
69
| Setting | How to use | Default value |
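Review bot: The sentence added to the note, "This applies for any setting that requires enrolled devices as well.", does not say which settings it covers, so an admin reading the note under the *Data relocation* table cannot tell whether a policy they are configuring depends on IntuneMAMUPN. Name the affected settings or link to them (the second hunk in this file shows "App PIN when device PIN is set" is one), and link to where IntuneMAMUPN is configured, since neither the old nor the new text of the note explains it. Wording nit: "applies to" reads better than "applies for".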
@@ -155,7 +155,7 @@ If you don't want to allow the default managed Universal Links, you can delete t
155
155
| <ul><ul>**Face ID instead of PIN for access (iOS 11+)**| Select **Allow** to allow the user to use facial recognition technology to authenticate users on iOS/iPadOS devices. If allowed, Face ID must be used to access the app on a Face ID capable device. |**Allow**|
156
156
| <ul>**PIN reset after number of days**| Select **Yes** to require users to change their app PIN after a set period of time, in days. <br><br>When set to *Yes*, you then configure the number of days before the PIN reset is required. |**No**|
157
157
| <ul><ul> **Number of days**| Configure the number of days before the PIN reset is required. |**90**|
158
-
| <ul>**App PIN when device PIN is set** | Select **Disable** to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.<br><br> **Note:** *Requires app to have Intune SDK version 7.0.1 or above.* <br><br>On iOS/iPadOS devices, you can let the user prove their identity by using [Touch ID](https://support.apple.com/HT201371) or [Face ID](https://support.apple.com/HT208109) instead of a PIN. Intune uses the [LocalAuthentication](https://developer.apple.com/documentation/localauthentication/) API to authenticate users using Touch ID and Face ID. To learn more about Touch ID and Face ID, see the [iOS Security Guide](https://www.apple.com/business/docs/iOS_Security_Guide.pdf). <br><br> When the user tries to use this app with their work or school account, they're prompted to provide their fingerprint identity or face identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using a work or school account. If there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint or face for authentication. If the Intune user does not have a PIN set, they are led to set up an Intune PIN. | **Enable** |
158
+
| <ul>**App PIN when device PIN is set** | Select **Disable** to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.<br><br> **Note:** *Requires app to have Intune SDK version 7.0.1 or above. The IntuneMAMUPN setting must be configured for applications to detect the enrollment state.* <br><br>On iOS/iPadOS devices, you can let the user prove their identity by using [Touch ID](https://support.apple.com/HT201371) or [Face ID](https://support.apple.com/HT208109) instead of a PIN. Intune uses the [LocalAuthentication](https://developer.apple.com/documentation/localauthentication/) API to authenticate users using Touch ID and Face ID. To learn more about Touch ID and Face ID, see the [iOS Security Guide](https://www.apple.com/business/docs/iOS_Security_Guide.pdf). <br><br> When the user tries to use this app with their work or school account, they're prompted to provide their fingerprint identity or face identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using a work or school account. If there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint or face for authentication. If the Intune user does not have a PIN set, they are led to set up an Intune PIN. | **Enable** |
159
159
|**Work or school account credentials for access**| Select **Require** to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to **Require**, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown. |**Not required**|
160
160
|**Recheck the access requirements after (minutes of inactivity)**| Configure the number of minutes of inactivity that must pass before the app requires the user to again specify the access requirements. <br><br> For example, an admin turns on PIN and Blocks rooted devices in the policy, a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user would not have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value. <br><br>**Note:***On iOS/iPadOS, the PIN is shared amongst all Intune-managed apps of the **same publisher**. The PIN timer for a specific PIN is reset once the app leaves the foreground on the device. The user wouldn't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting. This policy setting format supports a positive whole number.*|**30**|
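Review bot: The new requirement in the "App PIN when device PIN is set" row, "The IntuneMAMUPN setting must be configured for applications to detect the enrollment state.", does not state what happens when IntuneMAMUPN is missing. Because **Disable** removes the app PIN on enrolled devices, the row should say explicitly whether the app PIN prompt stays in force when the enrollment state cannot be detected, so admins know how the control behaves when this dependency is not met. The sentence is also folded into the italic note about the SDK version; it is a separate prerequisite and would be easier to spot as its own note, with a link to the IntuneMAMUPN configuration steps.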