You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: memdocs/intune/apps/app-protection-policy-settings-android.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -123,14 +123,14 @@ For more information, see [Data transfer policy exceptions for apps](app-protect
123
123
|<ul><b>**Biometrics instead of PIN for access**|Select **Allow** to allow the user to use biometrics to authenticate users on Android devices. If allowed, biometrics is used to access the app on Android 10 or higher devices. |
124
124
|<ul><b>**Override biometric with PIN after timeout**|To use this setting, select **Require** and then configure an inactivity timeout. <br><br>Default value = **Require**|
125
125
|<ul><b><ul><b> **Timeout (minutes of inactivity)**|Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a biometric. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.<br><br>Default value = **30**|
126
+
|<ul><b> **Class 3 biometrics (Android 9.0+)**| Select **Require** to require the user to sign in with class 3 biometrics. For more information on class 3 biometrics, see [Biometrics](https://source.android.com/docs/security/biometric) in Google's documentation. |
127
+
|<ul><b> **Override biometrics with PIN after biometric updates** | Select **Require** to override the use of biometrics with PIN when a change in biometrics is detected.<p><p>**NOTE:**<br>Depending on the Android device manufacturer, not all forms of biometrics may be supported for cryptographic operations. Currently, cryptographic operations are supported for any biometric (e.g., fingerprint, iris, or face) on the device that meets or exceeds the requirements for Class 3 biometrics, as defined in the Android documentation. See the `BIOMETRIC_STRONG` constant of the [BiometricManager.Authenticators](https://developer.android.com/reference/android/hardware/biometrics/BiometricManager.Authenticators#BIOMETRIC_STRONG) interface and the `authenticate` method of the [BiometricPrompt](https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt#authenticate(android.hardware.biometrics.BiometricPrompt.CryptoObject,%20android.os.CancellationSignal,%20java.util.concurrent.Executor,%20android.hardware.biometrics.BiometricPrompt.AuthenticationCallback)) class. You may need to contact your device manufacturer to understand the device-specific limitations. |
126
128
|<ul><b>**PIN reset after number of days**|Select **Yes** to require users to change their app PIN after a set period of time, in days. <br><br>When set to *Yes*, you then configure the number of days before the PIN reset is required. <br><br> Default value = **No**|
127
129
|<ul><b><ul><b> **Number of days**|Configure the number of days before the PIN reset is required. <br><br> Default value = **90**|
128
130
|<ul><b>**Select number of previous PIN values to maintain**|This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining. <br><br> Default value = **0**|
129
131
|<ul><b>**App PIN when device PIN is set**|Select **Not required** to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured. <br><br> Default value = **Require**. |
130
132
|**Work or school account credentials for access**|Choose **Require** to require the user to sign in with their work or school account instead of entering a PIN for app access. When set to **Require**, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown. <br><br>Default value = **Not required**|
131
133
|**Recheck the access requirements after (minutes of inactivity)**|Configure the following setting: <ul><li>**Timeout**: This is the number of minutes before the access requirements (defined earlier in the policy) are rechecked. For example, an admin turns on PIN and Blocks rooted devices in the policy, a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user won't have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value. <br><br>This policy setting format supports a positive whole number. <br><br> Default value = **30 minutes** <br><br> **Note:** On Android, the PIN is shared with all Intune-managed apps. The PIN timer is reset once the app leaves the foreground on the device. The user won't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting. <br><br></li> |
132
-
|<ul><b> **Class 3 biometrics (Android 9.0+)**| Select **Require** to require the user to sign in with class 3 biometrics. For more information on class 3 biometrics, see [Biometrics](https://source.android.com/docs/security/biometric) in Google's documentation. |
133
-
|<ul><b> **Override biometrics with PIN after biometric updates** | Select **Require** to override the use of biometrics with PIN when a change in biometrics is detected.<p><p>**NOTE:**<br>Depending on the Android device manufacturer, not all forms of biometrics may be supported for cryptographic operations. Currently, cryptographic operations are supported for any biometric (e.g., fingerprint, iris, or face) on the device that meets or exceeds the requirements for Class 3 biometrics, as defined in the Android documentation. See the `BIOMETRIC_STRONG` constant of the [BiometricManager.Authenticators](https://developer.android.com/reference/android/hardware/biometrics/BiometricManager.Authenticators#BIOMETRIC_STRONG) interface and the `authenticate` method of the [BiometricPrompt](https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt#authenticate(android.hardware.biometrics.BiometricPrompt.CryptoObject,%20android.os.CancellationSignal,%20java.util.concurrent.Executor,%20android.hardware.biometrics.BiometricPrompt.AuthenticationCallback)) class. You may need to contact your device manufacturer to understand the device-specific limitations. |
134
134
135
135
> [!NOTE]
136
136
> To learn more about how multiple Intune app protection settings configured in the Access section to the same set of apps and users work on Android, see [Intune MAM frequently asked questions](mam-faq.yml) and [Selectively wipe data using app protection policy access actions in Intune](app-protection-policies-access-actions.md).
0 commit comments