App Protection Policy Exemptions

Within Microsoft Intune there is the capability to apply App Protection Policies to apps that are used to access your corporate content. Apps such as Microsoft Outlook, Word, SharePoint etc. can be protected by requiring a PIN to access the corporate profile and by preventing content from being copied or transferred outside of managed applications.

But what happens when you want to allow traffic between a protected and an unprotected app? One example I recently came across was a client with an internally used PowerApp that contained several links to external sources. These links worked fine when the URI targeted Microsoft Edge: the link opened in the managed browser. However, if the URI targeted the external app, nothing happened.

To get around this it is possible to add exclusions to the App Protection Policy. Apps added to the exclusions do not adhere to the data transfer settings in the policy. This is useful for working around issues like the one above, but it also opens up other potential risks: if data is allowed to be transferred to an excluded app, corporate data could be leaked. So this is a configuration whose risks should be analysed before implementation.

How exclusions are added depends on the operating system the App Protection Policy applies to (iOS or Android):

Android: The Package ID of the app needs to be added to the exceptions, for example com.microsoft.office.word. The Package ID for an Android app can be found by browsing to the app in the Google Play Store and reading the id parameter in the URL, for instance https://play.google.com/store/apps/details?id=com.microsoft.office.word&hl=en_US.

iOS: For iOS, the URL protocol of the app must be configured in the exceptions. There is no easy way to obtain this information, so you are best off contacting the vendor of the app to discover it. As an example, to add Webex as an exception, the URL protocol is wbx.
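As an added example (not from the original post), the following Python script implements the Package ID lookup from a Play Store URL described above and audits the exemption lists of exported policies so each one can be reviewed against the leakage risk. It assumes the Microsoft Graph shape of androidManagedAppProtection / iosManagedAppProtection objects (exemptions in exemptedAppPackages and exemptedAppProtocols as name/value pairs); the sample policies are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Shape assumed (not from the original post): Graph androidManagedAppProtection /
# iosManagedAppProtection objects, exemptions in 'exemptedAppPackages' and
# 'exemptedAppProtocols' as lists of {"name": ..., "value": ...} pairs.
ANDROID_TYPE = "#microsoft.graph.androidManagedAppProtection"
# Android package IDs are dotted identifiers; iOS entries are a bare URL scheme name, no "://".
PACKAGE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
URL_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")


def package_id_from_play_url(url: str):
    """Extract the Package ID from a Google Play Store URL (its 'id' query parameter)."""
    parts = urlparse(url)
    if parts.hostname != "play.google.com":
        return None
    ids = parse_qs(parts.query).get("id", [])
    return ids[0] if ids and PACKAGE_ID_RE.match(ids[0]) else None


def audit_exemptions(policies: list) -> list:
    """List every exemption for review (each bypasses the policy's data-transfer
    controls) and flag malformed values, which silently exempt nothing."""
    findings = []
    for p in policies:
        android = p.get("@odata.type") == ANDROID_TYPE
        key = "exemptedAppPackages" if android else "exemptedAppProtocols"
        pattern = PACKAGE_ID_RE if android else URL_SCHEME_RE
        for entry in p.get(key, []):
            value = entry.get("value", "")
            findings.append({"policy": p.get("displayName"),
                             "platform": "android" if android else "ios",
                             "value": value, "well_formed": bool(pattern.match(value))})
    return findings


# Constructed sample export: one policy per platform, each with one valid and one bad entry.
SAMPLE_POLICIES = [
    {"@odata.type": ANDROID_TYPE, "displayName": "APP - Android",
     "exemptedAppPackages": [
         {"name": "Word", "value": "com.microsoft.office.word"},
         {"name": "Pasted URL", "value": "https://play.google.com/store/apps/details?id=com.example.app"}]},
    {"@odata.type": "#microsoft.graph.iosManagedAppProtection", "displayName": "APP - iOS",
     "exemptedAppProtocols": [
         {"name": "Webex", "value": "wbx"},
         {"name": "Webex with suffix", "value": "wbx://"}]},
]

if __name__ == "__main__":
    for f in audit_exemptions(SAMPLE_POLICIES):
        print(f"{f['policy']:<14}{f['platform']:<9}{'ok' if f['well_formed'] else 'MALFORMED':<11}{f['value']}")
```

Run against a real export (for example the JSON returned by the Graph managed app protection endpoints) by replacing SAMPLE_POLICIES; every listed entry is an app that bypasses the policy's data transfer settings and should be justified.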
