Tenant setup 10 — Mobile app protection
Last time we set up auto-install of M365 apps on Windows. Today we secure the mobile O365 apps and the data inside them — without enrolling personal phones into MDM.
This article is part of the series. Full series + screenshots in one document: download PDF. (PDF is currently in Czech.)
Last time I walked you through auto-installing O365 apps on Windows. Today we'll look at protecting mobile O365 apps and the data inside them. The first question that probably comes to mind: why bother with phones? And the second: are we doing this on PCs too?
The first answer is simple: almost everyone carries a mobile phone, and not every company hands out a corporate one. That brings the personal-device problem: you cannot manage the device fully, but you still have to protect the corporate data and accounts on it. Several options exist. One is an enrollment profile that creates a separate "work profile" on the device and blocks copying between the work and personal sides. It is a good solution, but it is Android-only and it still requires enrolling the device. So instead we will create an App Protection Policy, which applies to the Microsoft apps themselves rather than to the device and lets us granularly control what users can and cannot do with corporate data inside those apps.
To create the policy: in the Intune admin center go to Apps → App protection policies and click Create policy → iOS/iPadOS. Name the policy, click Next and target All Microsoft Apps. The settings here are on the lighter side, and if you are rolling this out to existing users, start gentle: Backup org data to iCloud → Block; Send org data to other apps → Policy managed apps; Encrypt org data → Require. Under Access requirements require a numeric PIN of at least 4 digits and allow biometrics in place of it. Under Conditional launch the Offline grace period has two rows: leave the block action as it is and set the wipe action to 180 days, so an app that has not checked in for half a year removes its org data as a safety net. This is a selective wipe of the app's corporate data, not a device wipe. Assign the policy to user groups; members do not have to be on iOS, because the policy only takes effect when a member signs into a policy-managed app with the work account on an iOS device.
The Android policy follows the same pattern: Create policy → Android, name it, target All Microsoft Apps, then Encrypt org data → Require, Screen capture → Block, and Restrict cut, copy and paste between other apps → Policy managed apps. Use the same PIN and biometric settings, the same 180-day offline wipe, and assign it to the same user groups.
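Once the two policies exist, the thing to check periodically is that nobody has quietly relaxed them or left one unassigned. The script below is an added example, not code from the original article or from Microsoft: it audits policy documents in the shape Microsoft Graph returns from `GET /deviceAppManagement/iosManagedAppProtections` and `GET /deviceAppManagement/androidManagedAppProtections` against the iOS and Android baseline described in the two paragraphs above. The three policy documents embedded in it are constructed by hand for the example, not pulled from a real tenant, and the mapping of the portal's iOS "Encrypt org data: Require" to an `appDataEncryptionType` other than `useDeviceSettings` is my assumption.

```python
"""Audit Intune app protection policies against the baseline from this article.

Added example, not the article's or Microsoft's code. Input documents follow the
Microsoft Graph iosManagedAppProtection / androidManagedAppProtection resources;
the samples at the bottom are constructed for illustration only.
"""
import re

# Graph returns time spans as ISO 8601 durations, e.g. P180D or PT720M.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")

MAX_OFFLINE_DAYS_BEFORE_WIPE = 180   # the safety net chosen in the article
MIN_PIN_LENGTH = 4                   # "4+ digits"


def iso_duration_to_days(value):
    """Convert a Graph duration (P180D, PT720M, P1DT12H) to a number of days."""
    m = _DURATION.match(value or "")
    if not m:
        raise ValueError("unsupported duration: %r" % (value,))
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return days + hours / 24 + minutes / 1440


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    otype = policy.get("@odata.type", "")

    # Common settings (managedAppProtection base type).
    if not policy.get("isAssigned", False):
        findings.append("policy is not assigned to any group, so it protects nothing")
    if not policy.get("dataBackupBlocked"):
        findings.append("dataBackupBlocked is false: org data can land in iCloud/Google backups")
    if policy.get("allowedOutboundDataTransferDestinations") != "managedApps":
        findings.append("allowedOutboundDataTransferDestinations should be 'managedApps'")
    if not policy.get("pinRequired"):
        findings.append("pinRequired is false")
    elif policy.get("minimumPinLength", 0) < MIN_PIN_LENGTH:
        findings.append("minimumPinLength is below %d" % MIN_PIN_LENGTH)
    wipe = policy.get("periodOfflineBeforeWipeIsEnforced")
    if wipe is None or iso_duration_to_days(wipe) > MAX_OFFLINE_DAYS_BEFORE_WIPE:
        findings.append("offline wipe missing or later than %d days" % MAX_OFFLINE_DAYS_BEFORE_WIPE)

    # Platform-specific settings.
    if otype.endswith("iosManagedAppProtection"):
        # Assumption: "Encrypt org data: Require" is any value other than useDeviceSettings.
        if policy.get("appDataEncryptionType", "useDeviceSettings") == "useDeviceSettings":
            findings.append("appDataEncryptionType leaves encryption to the device")
    elif otype.endswith("androidManagedAppProtection"):
        if not policy.get("encryptAppData"):
            findings.append("encryptAppData is false")
        if not policy.get("screenCaptureBlocked"):
            findings.append("screenCaptureBlocked is false")
        if policy.get("allowedOutboundClipboardSharingLevel") not in (
                "managedApps", "managedAppsWithPasteIn", "blocked"):
            findings.append("clipboard can be pasted into unmanaged apps")
    else:
        findings.append("unknown policy type %r" % otype)
    return findings


# Constructed sample documents (not from a real tenant).
WEAK_IOS = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "iOS MAM (draft)", "isAssigned": False,
    "dataBackupBlocked": False, "allowedOutboundDataTransferDestinations": "allApps",
    "pinRequired": True, "minimumPinLength": 4, "pinCharacterSet": "numeric",
    "fingerprintBlocked": False, "periodOfflineBeforeWipeIsEnforced": "P90D",
    "appDataEncryptionType": "useDeviceSettings",
}
HARDENED_IOS = dict(WEAK_IOS, displayName="iOS MAM", isAssigned=True,
                    dataBackupBlocked=True,
                    allowedOutboundDataTransferDestinations="managedApps",
                    periodOfflineBeforeWipeIsEnforced="P180D",
                    appDataEncryptionType="whenDeviceLocked")
HARDENED_ANDROID = {
    "@odata.type": "#microsoft.graph.androidManagedAppProtection",
    "displayName": "Android MAM", "isAssigned": True,
    "dataBackupBlocked": True, "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "pinRequired": True, "minimumPinLength": 4, "pinCharacterSet": "numeric",
    "fingerprintBlocked": False, "periodOfflineBeforeWipeIsEnforced": "P180D",
    "encryptAppData": True, "screenCaptureBlocked": True,
}

if __name__ == "__main__":
    for p in (WEAK_IOS, HARDENED_IOS, HARDENED_ANDROID):
        print(p["displayName"], "->", audit_policy(p) or "OK")
```

In a real run you would replace the sample dictionaries with the `value` array from the two Graph calls (which need `DeviceManagementApps.Read.All`) and fail the job on any finding; the weak sample above reports four findings, the two hardened ones none.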