Intune – Adding client apps and configuring an app protection policy

When a company wants to make mobile apps available to its workforce, it needs to add the applications to Intune; Intune can then deliver them to the Company Portal, where users can get hold of them. The device can be iOS, Android or Windows 10. Client applications come in many forms, such as line-of-business (LOB), web, built-in or Store for Business applications.

In this scenario a bring your own device (BYOD) Android device will be presented with a custom web link and Microsoft Word in the Company Portal. We will also protect Microsoft Word with an app protection policy.

Important: When it comes to enrolling and managing Android devices, there are some prerequisites that must be met. First, set up and “link your managed Google Play account to Intune”:

Note: Follow this guideline for connecting the Google Play account to Intune -> https://docs.microsoft.com/en-us/intune/connect-intune-android-enterprise

Now let's start adding and configuring the Microsoft Word app and the web link.

  • Choose Android:
  • Click on App Information and fill out the configuration:
  • Copy the market link and paste it into the Appstore URL line in the App Information configuration.
  • Now click OK and then Add to finish the configuration of the app:

  • To assign a group, click Assignments:
  • Select Available for enrollment devices and then include a user group – click OK and Save:

That was the Microsoft Word part – now it's time to configure the web link.

  • Now once more click on Client apps:
  • Click Apps and then Add:
  • Now choose Web link from the dropdown box:
  • Define all the information about the web link and click OK:
  • Now it’s created and presented in the overview:
  • Assign a group by clicking Add group:
  • Fill out the options that are relevant for your custom setup:

Note: In this test lab we are aiming to use the enrolled device type for the management part. For a bring your own device (BYOD) with enrollment, the join type in Azure Active Directory (AAD) will be Azure registered.

Important notes: In this scenario the groups that we used for assignments only contain users, not devices. We are also going for “Devices enrolled with Intune” for the management part, as mentioned before. The following table lists the various options for assigning apps to users and devices:

| Option | Devices enrolled with Intune | Devices not enrolled with Intune |
|---|---|---|
| Assign to users | Yes | Yes |
| Assign to devices | Yes | No |
| Assign wrapped apps or apps that incorporate the Intune SDK (for app protection policies) | Yes | Yes |
| Assign apps as Available | Yes | Yes |
| Assign apps as Required | Yes | No |
| Uninstall apps | Yes | No |
| Receive app updates from Intune | Yes | No |
| End users install available apps from the Company Portal app | Yes | No |
| End users install available apps from the web-based Company Portal | Yes | Yes |

Now download the Company Portal and log in to it from the Android mobile device.

  • Go to the Play Store on the Android device:
  • Click Accept (if asked):

Note: Remember that the Company Portal can also be downloaded to iOS and Windows devices. Again, we are using an Android device for testing. Remember it's also required that a Microsoft account is used to log in to Microsoft Store for Business to be able to download the Company Portal.

  • Start the Company Portal on the Android device and sign in with a corporate user:
  • Type in the password for the user:
  • After sign in click Continue for the enrollment part:
  • Read the privacy statement from the company then click Continue:
  • Click Next:
  • Click Allow and Next:
  • Click Allow and Next:
  • Click Activate:
  • The Android device is now being Azure Active Directory registered:
  • You're all set – click Done:
  • Now on the APPS tab we see our two applications:
  • Verify the device state in Azure Active Directory:

Now let's configure the app protection policies.

  • Under Client apps – click App Protection policies:
  • Click Create policy – fill out the Name, Description, Platform and App type:

Note: As mentioned earlier, in this scenario we are making an app protection policy for Microsoft Word only. We also selected all app types – see the available types:

  • Under Data protection we disable the Screen capture function and keep the default settings – click OK:
  • No custom settings are made under Access requirements – click OK:
  • Also under Conditional launch we used the default settings – click OK and Create:
  • The last thing that needs to be done is to assign the policy to a group:

Note: Now Microsoft Word is app protected and data loss is less likely.

When trying to access corporate data from the Android device through Microsoft Word, you are now required to set up a PIN code etc. – the app protection policy works.

Note: Remember, as Intune service admin or global admin, the management possibilities from the Intune or Azure portals:
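To confirm the result without clicking through the portal, the policy can be exported as JSON and checked against the settings chosen above. The following is an added example, not part of the original walkthrough: it assumes the export uses the property names of Microsoft Graph's androidManagedAppProtection resource with apps and assignments expanded, and the two sample policies and the group ID are constructed.

```python
import json

WORD_PACKAGE_ID = "com.microsoft.office.word"  # Android package ID of Microsoft Word

# Constructed sample: two policies in the shape of Graph's
# androidManagedAppProtection resource (apps and assignments expanded).
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Word - protected",
   "screenCaptureBlocked": true, "pinRequired": true,
   "apps": [{"mobileAppIdentifier": {"packageId": "com.microsoft.office.word"}}],
   "assignments": [{"target": {"groupId": "00000000-0000-0000-0000-000000000001"}}]},
  {"displayName": "Word - draft",
   "screenCaptureBlocked": false, "pinRequired": true,
   "apps": [{"mobileAppIdentifier": {"packageId": "com.microsoft.office.word"}}],
   "assignments": []}
]}
""")


def audit_policy(policy, package_id=WORD_PACKAGE_ID):
    """Return a list of findings; an empty list means the policy matches the walkthrough."""
    findings = []
    targeted = {
        (app.get("mobileAppIdentifier") or {}).get("packageId")
        for app in policy.get("apps") or []
    }
    if package_id not in targeted:
        findings.append(f"{package_id} is not targeted by this policy")
    if policy.get("screenCaptureBlocked") is not True:
        findings.append("screen capture is not blocked")
    if policy.get("pinRequired") is not True:
        findings.append("PIN is not required for access")
    group_ids = [
        (a.get("target") or {}).get("groupId") for a in policy.get("assignments") or []
    ]
    if not any(group_ids):
        findings.append("policy is not assigned to any group, so it protects no users")
    return findings


def audit_export(export):
    """Map each policy's display name to its findings."""
    return {p.get("displayName", "<unnamed>"): audit_policy(p) for p in export.get("value", [])}


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name, "->", "OK" if not findings else "; ".join(findings))
```

The unassigned draft policy is the case to watch for: a policy that was created but never assigned to a group appears in the portal yet protects no users.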

Happy deployment.
