Hi Guys ,
Recently i worked on a engagement where i worked on MAM polices on Microsoft Intune for Data protection . I had this scenario where my client wanted to know and understand the data transfer policy between managed and unmanaged Apps by using Intune MAM . Here are a few queries and answers . There might be some confusion online so i thought to post this blog to clear any queries .
Query 1 – “Within an Intune Application Protection Policy, setting Allow app to transfer data to other apps to Policy managed apps means that the app can transfer data only to apps managed by Intune. If you need to allow data to be transferred to specific apps that don’t support Intune APP, you can create exceptions to this policy by using Select apps to exempt. Exemptions allow applications managed by Intune to invoke unmanaged applications based on URL protocol (iOS)”
Answer1 – So this article basically means that if you select the option to allow data transfer to Policy managed apps you can create an exemption to invoke the application from Outlook or Intune managed apps. So basically if you add the exemption for Workday , you will be able to invoke the workday link from outlook but since you have not added an exemption for WhatsApp , you cannot invoke WhatsApp from outlook. That means after this exemption Data transfer is still restricted in other unmanaged apps.
The issue is reproduced in my lab: Web link (e.g. www.google.com) is redirected and opened in Safari in iOS device when “Send Org data to other apps” set as “Policy managed apps”.
Next, please change setting “Share web content with policy managed browsers” to “Require”. General web links will be requested to be opened in managed browsers, e.g. Microsoft Edge or Intune Managed Browser. (Microsoft Edge is more recommended as Intune Managed Browser is decommissioned)
Then add apps to exempt, the web link shall be opened directly in the exempted apps. The test done in the lab in explained step by step. If you do not select “Share web content with policy managed browsers” then all links will be opened directly in the corresponding applications.
- There’s no Intune managed browser installed.
- Open Outlook, click one webex meeting link. I’m required to open with Intune managed browser.
- Install Microsoft Edge from Apple Store. Sign in Microsoft Edge using the same credentials as in Outlook.
- Open Outlook and click the webex meeting link again. I’m redirected to Edge and then auto-redirected to Webex application, and auto-connected into that meeting.
- The first URL started with https:// is auto opened with Edge and the second URL started with comgooglemaps:// is auto opened with Google Maps application.
Although Edge is redirected firstly, namely Webex is not opened directly, finally Webex is opened and meeting is joined automatically without additional manual clicks.
For your information, in App Protection Policy, general web links are managed by policy setting “Share web content with policy managed browsers”.
Query 2- Cut copy paste between O365 and other apps.
Answer – In Restrict cut, copy and paste between other apps policy we cannot put exemptions .Either we can select cut copy paste between any app or only policy managed apps. But there is an exception if you choose Policy managed app with Paste in which means you will allow paste in from your other corporate apps but outflow of data to these apps is not allowed.