037: Conditional launch

Overview

Conditional Launch Settings for MAM in Microsoft Intune

Conditional Launch settings in Microsoft Intune's Mobile Application Management (MAM) policies help ensure that only compliant users can access corporate data via MAM protected apps. These settings validate various aspects of the app and device before allowing access to work or school account data.

The App Protection Policy Conditional Launch settings in Microsoft Intune for Android devices provide a way to enforce security requirements for accessing corporate applications. Here’s a detailed overview of the available options:

1. Max PIN Attempts

Description: Set the maximum number of incorrect PIN attempts before access is blocked.
Actions: You can choose to block access or wipe corporate data if the limit is exceeded.

2. Offline Grace Period

Description: Define how long a user can be offline before access to managed apps is restricted.
Actions: Options include blocking access or wiping corporate data after the grace period expires.

3. Jailbroken/Rooted Devices

Description: Determine whether access is allowed on devices that are jailbroken or rooted.
Actions: You can block access or wipe corporate data if a device is detected as compromised.

4. Minimum OS Version

Description: Specify the minimum Android OS version required for accessing managed apps.
Actions: If the device does not meet this requirement, you can block access or wipe data.

5. Maximum OS Version

Description: Set a maximum OS version for accessing managed apps.
Actions: Similar to the minimum version, you can block access or wipe data if the device exceeds this version.

6. Minimum App Version

Description: Specify the minimum version of the app required for access.
Actions: If the app version is outdated, you can block access or wipe data.

7. Device Manufacturer(s)

Description: Allow or block access based on specific device manufacturers.
Actions: You can set actions to block access or wipe data for non-compliant manufacturers.

8. Play Integrity Verdict

Description: Use Google Play Integrity API to assess the integrity of the app and device.
Actions: Depending on the verdict, you can block access or wipe data.

9. Require Threat Scan on Apps

Description: Ensure that apps are scanned for threats before access is granted.
Actions: You can block access or wipe data if a threat is detected.

10. Minimum Company Portal Version

Description: Specify the minimum version of the Intune Company Portal app required.
Actions: If the version is below the specified threshold, you can block access or wipe data.

11. Disabled Account

Description: Block access if the user’s account is disabled.
Actions: Automatically block access to managed apps.

Benefits

Enhanced Security: Ensures that only users meeting specific criteria can access sensitive data in procted apps, reducing the risk of data breaches.
Data Protection: Allows for selective wiping of corporate data atthe application level(e.g., jailbroken/rooted devices).
Compliance Enforcement: Helps organizations enforce compliance with security policies across MAM protected apps.
Flexibility: Offers a range of settings to tailor security measures to specific organizational needs.

Drawbacks

Complex Configuration: Setting up and managing these policies can be complex and may require significant administrative effort.
User Disruption: Users may experience disruptions if their devices or apps do not meet the compliance requirements, potentially impacting productivity.
Resource Intensive: Implementing and maintaining these policies can be resource-intensive, requiring dedicated IT staff.

Impact on End Users

Improved Security: Users benefit from enhanced security measures, protecting their personal and corporate data with almost no impact to end users.
Access Restrictions: Users may face access restrictions if their devices do not comply with the set policies, which could limit their ability to work.

Relation to Zero Trust

Zero Trust is a security model that assumes breaches are inevitable and focuses on verifying every request as though it originates from an open network. Conditional Launch settings in Intune support Zero Trust principles in several ways:

Verify Explicitly: Policies ensure that every device and user is verified before granting access.
Least Privilege Access: Policies enforce the principle of least privilege, ensuring users have only the access they need.
Assume Breach: Intune integrates with threat detection and response services to monitor and respond to potential threats in real-time.

Reference

App protection policy conditional launch improvements - blog: https://techcommunity.microsoft.com/t5/intune-customer-success/app-protection-policy-conditional-launch-improvements/ba-p/2209022
Wipe data using app protection policy conditional launch actions: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies-access-actions
Understand app protection conditional launch using Microsoft Intune: https://learn.microsoft.com/en-us/microsoft-365/solutions/apps-protect-conditional-launch?view=o365-worldwide

Overview​

Conditional Launch Settings for MAM in Microsoft Intune​

1. Max PIN Attempts​

2. Offline Grace Period​

3. Jailbroken/Rooted Devices​

4. Minimum OS Version​

5. Maximum OS Version​

6. Minimum App Version​

7. Device Manufacturer(s)​

8. Play Integrity Verdict​

9. Require Threat Scan on Apps​

10. Minimum Company Portal Version​

11. Disabled Account​

Benefits​

Drawbacks​

Impact on End Users​

Relation to Zero Trust​

Reference​