iOS: No Application Protection Policies have been assigned



Hello everyone! In this blog let's see how to resolve the issue of app protection policy assignment on managed apps installed on ADE (Automated Device Enrollment, aka DEP) iOS devices.

App Protection Policy
App Protection Policies are part of the Intune MAM solution and are used to protect corporate data in managed applications on both managed and unmanaged devices. These policies control access to corporate data and prevent data leakage from managed applications on mobile devices.

Client Requirement
I was working with my client on an MDM restructuring project where we had to reframe their existing mobile device enrollment solution around the best practices that Microsoft offers for Intune. The client wanted to enroll all their purchased devices in Intune by integrating with Apple Business Manager. Hence, for all the devices they had already purchased, we used the Apple Configurator app to add the devices to ABM by following the Microsoft blog, and we also purchased business VPP apps from ABM to deploy on the iOS devices.

Current Scenario
In the current client environment, they already had app protection policies created for managed and unmanaged devices, deployed to all company users (the All Users group). Hence, for the DEP enrolled devices we also used the same app protection policy.
For our initial testing we created a new enrollment profile with the following settings:

Enroll with User affinity
Supervised: Yes
User authentication: Company Portal
Setup Assistant: Hide All

We assigned the profile to our testing device, created a dynamic device group and assigned the VPP apps as "Required" to that device group. The app protection policy and app configuration policy were both assigned to the "All Users" group. The app configuration policy was created for managed devices, targeting each individual Microsoft 365 app (Teams, Outlook, Excel, Lists, Planner etc.) with the configuration key IntuneMAMUPN.

Real Challenge
As soon as device enrollment completed, all the required VPP apps like Teams, Outlook, SharePoint, OneDrive etc. installed automatically within 10-15 mins on the iOS device. When I launched the Teams app and entered my Azure AD credentials, I immediately got a pop-up message saying "No application protection policies have been assigned."


The very first thought I had was that maybe the app protection policy was not targeted to the All Users group, or maybe I was not a member of the group 😟, but the assignment was correct, and I was also part of the assigned group.

I then launched Edge and entered about:intunehelp in the address bar to see which policies are applied to which apps. Interestingly, no policy assignment was found for the Teams app. I could see that Outlook had app protection and app configuration policy settings applied, but other apps like Teams, OneDrive, Lists and Planner were empty.

If you have a conditional access policy with the grant control "Require app protection policy", then an app that has no protection policy applied won't let you access it. I later checked the app protection policy monitoring report in Intune and, for the logged-in user, I didn't find a Teams app policy on the iOS device. Interestingly, the app configuration policy was also not found, and this led me to look into the app configuration policies that were created for all managed apps.

By default, when creating and assigning separate policies for managed devices and managed apps, every iOS device will apply the app protection policies that are assigned to managed apps. That behaviour is caused by the fact that the device will only be identified as a managed device when a specific configuration is in place: the user UPN setting.

The user UPN setting is used to make sure that the management type of the app is recognized as a managed device.

So, what's the cause of the issue? 😢

In the client's Intune environment, app configuration policies had been created for all managed apps with the UPN setting configured, but the target app type was iOS Store App. On the DEP enrolled iOS device, however, we had installed the iOS VPP App (Volume Purchase Program) version, and hence the app configuration policy with the UPN setting was not applied to the apps installed as required apps on the device. The user UPN setting is required on managed devices to identify the enrolled user account; due to the missing UPN, the device was not recognized as a managed device and hence the app protection policy failed to apply. (The unmanaged app protection policy was also not applied here because its target group was different.)

Solution
We created new app configuration policies for every managed app, selecting the target app as the iOS VPP app (the previous policies targeted the iOS Store app), and deployed them to the All Users group. On the next device sync we could see both the app configuration and the app protection policy applied to the apps, which allowed us to launch Teams, OneDrive, SharePoint etc. on the DEP device without any error message.
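The mismatch above (a UPN policy exists, but it points at the Store app id while the device runs the VPP app id) is easy to audit from the same data the Intune portal works with. The following Python script is an added example, not code from the original post or from Microsoft: it models apps and app configuration policies in the shape of the Microsoft Graph iosStoreApp / iosVppApp and iosMobileAppConfiguration resources (an assumption of this example; every sample object and id below is constructed, not exported from a tenant), reports the VPP apps that have no IntuneMAMUPN policy targeting their own id even though their Store twin with the same bundle id is covered, and builds the corrected policy body that targets the VPP app id.

```python
"""Audit iOS app configuration policies for the IntuneMAMUPN key.

Added example, not code from the original post. Object shapes follow the
Microsoft Graph resources mobileApps (iosStoreApp / iosVppApp) and
iosMobileAppConfiguration as assumed here; all sample data is constructed.
"""

UPN_KEY = "IntuneMAMUPN"
UPN_TOKEN = "{{userprincipalname}}"  # Intune substitutes the enrolled user's UPN
VPP_TYPE = "#microsoft.graph.iosVppApp"
STORE_TYPE = "#microsoft.graph.iosStoreApp"

# Constructed sample apps. Teams and Outlook each exist twice: the App Store
# entry the old policies pointed at, and the VPP entry actually deployed as
# Required to the DEP device group.
SAMPLE_APPS = [
    {"id": "app-teams-store", "@odata.type": STORE_TYPE,
     "displayName": "Microsoft Teams", "bundleId": "com.microsoft.skype.teams"},
    {"id": "app-teams-vpp", "@odata.type": VPP_TYPE,
     "displayName": "Microsoft Teams", "bundleId": "com.microsoft.skype.teams"},
    {"id": "app-outlook-store", "@odata.type": STORE_TYPE,
     "displayName": "Microsoft Outlook", "bundleId": "com.microsoft.Office.Outlook"},
    {"id": "app-outlook-vpp", "@odata.type": VPP_TYPE,
     "displayName": "Microsoft Outlook", "bundleId": "com.microsoft.Office.Outlook"},
]

# Constructed sample policies: Teams is only wired to the Store app id,
# Outlook to both ids, so only Outlook would show policy in about:intunehelp.
SAMPLE_POLICIES = [
    {"id": "cfg-teams", "displayName": "Teams - managed device UPN",
     "targetedMobileApps": ["app-teams-store"],
     "settings": [{"appConfigKey": UPN_KEY, "appConfigKeyType": "stringType",
                   "appConfigKeyValue": UPN_TOKEN}]},
    {"id": "cfg-outlook", "displayName": "Outlook - managed device UPN",
     "targetedMobileApps": ["app-outlook-store", "app-outlook-vpp"],
     "settings": [{"appConfigKey": UPN_KEY, "appConfigKeyType": "stringType",
                   "appConfigKeyValue": UPN_TOKEN}]},
]


def policy_sets_upn(policy):
    """True if the policy carries IntuneMAMUPN set to the UPN token."""
    return any(s.get("appConfigKey") == UPN_KEY and s.get("appConfigKeyValue") == UPN_TOKEN
               for s in policy.get("settings", []))


def apps_with_upn_policy(policies):
    """Set of mobile app ids targeted by at least one UPN-bearing policy."""
    covered = set()
    for policy in policies:
        if policy_sets_upn(policy):
            covered.update(policy.get("targetedMobileApps", []))
    return covered


def find_vpp_apps_missing_upn(apps, policies):
    """VPP apps with no UPN policy, noting whether only the Store twin is covered."""
    covered = apps_with_upn_policy(policies)
    covered_store_bundles = {a["bundleId"] for a in apps
                             if a["@odata.type"] == STORE_TYPE and a["id"] in covered}
    gaps = []
    for app in apps:
        if app["@odata.type"] != VPP_TYPE or app["id"] in covered:
            continue
        gaps.append({
            "id": app["id"],
            "displayName": app["displayName"],
            "bundleId": app["bundleId"],
            # The trap from the post: a policy exists, but only for the Store app id
            "store_twin_covered": app["bundleId"] in covered_store_bundles,
        })
    return gaps


def build_upn_policy(app):
    """Graph-shaped iosMobileAppConfiguration body targeting one app id.

    Assigning the policy to the user group is a separate call, not shown here.
    """
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": f"{app['displayName']} (VPP) - managed device UPN",
        "targetedMobileApps": [app["id"]],
        "settings": [{"appConfigKey": UPN_KEY, "appConfigKeyType": "stringType",
                      "appConfigKeyValue": UPN_TOKEN}],
    }


if __name__ == "__main__":
    for gap in find_vpp_apps_missing_upn(SAMPLE_APPS, SAMPLE_POLICIES):
        note = " (Store twin covered, VPP id not)" if gap["store_twin_covered"] else ""
        print(f"{gap['displayName']} {gap['id']}: no IntuneMAMUPN policy{note}")
```

Against live tenant data the two sample lists would be replaced by the results of `GET /deviceAppManagement/mobileApps` and `GET /deviceAppManagement/mobileAppConfigurations`; the `store_twin_covered` flag is the quick tell that a policy was created for the wrong app type rather than forgotten altogether.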

If you have any thoughts, then feel free to comment. Happy Learning! 😊
