Conditional launch in App Protection Policy - Best Practice
Conditional launch in Intune allows you to define specific requirements for the deployment of apps or policies on managed devices. By setting conditions based on factors like device properties, user groups, or compliance status, you can ensure that apps and policies are only deployed to devices that meet the specified criteria. This helps customize and control the deployment process, ensuring the right resources are delivered to the right devices in your organization.
Conditional Launch List of Actions:
Managed apps can check certain parameters at startup and then perform a defined action (e.g. wipe or block access). The list below gives the commonly used checks and their actions.
Max PIN attempts: 6, Wipe data
After six unsuccessful login attempts, a wipe of the respective app is performed. The user can then set up the app fresh (full Azure AD login required, usually with MFA).
Offline grace period: 720 min., Block access
If the managed apps have had no contact with the Internet for more than 720 minutes, access is temporarily blocked until a connection is re-established. This ensures that the apps are not used offline for a long time (for example, a requested wipe can only be received once the app reconnects).
Offline period: 60 days, Wipe data
After an offline period of 60 days, a wipe of the apps is finally triggered.
Jailbroken/rooted devices: Wipe data
If a jailbroken or rooted device is detected, the company data is deleted.
Min. OS version: 8.0 (Android), 12.4.8 (iOS/iPadOS), Wipe data
If an older Android or iOS/iPadOS version is used, a wipe is performed on the corresponding application until the device is updated and meets the requirements again.
Min. OS version: 8.0 (Android), 12.4.8 (iOS/iPadOS), Block access
If an older Android or iOS/iPadOS version is used, access is blocked.
Min. OS version: 9.0 (Android), 13.6 (iOS/iPadOS), Warn
If an older Android or iOS/iPadOS version is used, the user is warned to update their device so that it meets the requirements again.
Min. patch version (Android): 2019-11-01, Warn
This setting generates a warning message if the security patch level is not newer than the specified date. The date can be adjusted at any time. It is also possible to block access instead.
SafetyNet device attestation (Android): Basic integrity, Warn
The SafetyNet Attestation API is an interface for retrieving the trustworthiness of a device. The API checks the hardware and software environment and compares it with reference values. In this configuration basic integrity is queried and a warning message is displayed if the check fails.
Require threat scan on apps (Android): Warn
This condition checks whether the Android feature "Verify Apps" is enabled and displays a warning message if it is not. Google Play Protect is used to protect against malicious apps. This check is problematic for devices without Google Play Services.
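The checks above are evaluated together at app start, and a device can fail several of them at once. The following Python script is an added example (not code from the article and not Intune's implementation) that models that evaluation: it takes the thresholds from the list above, folds the three OS-version tiers into one ladder, treats the two offline timers as one ladder, and reports the most severe action that applies. The device states, the field names and the check names are constructed for this example.

```python
"""Added example: a simplified model of a tiered conditional-launch list.

This is not Intune's implementation and not code from the article; it only
shows how thresholds such as the ones listed above combine at app start.
Device states below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds taken from the list above (assumed to be the whole policy).
MAX_PIN_ATTEMPTS = 6
OFFLINE_BLOCK_MINUTES = 720
OFFLINE_WIPE_DAYS = 60
MINUTES_PER_DAY = 24 * 60
MIN_OS = {  # tier -> minimum version; failing a tier triggers that action
    "android": {"wipe": "8.0", "block": "8.0", "warn": "9.0"},
    "ios": {"wipe": "12.4.8", "block": "12.4.8", "warn": "13.6"},
}
MIN_PATCH_DATE = date(2019, 11, 1)  # Android only

SEVERITY = {"allow": 0, "warn": 1, "block": 2, "wipe": 3}


def parse_version(v: str) -> tuple:
    """'12.4.8' -> (12, 4, 8); tuple ordering matches version ordering."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class DeviceState:
    platform: str                       # "android" or "ios"
    os_version: str
    failed_pin_attempts: int = 0
    minutes_offline: int = 0
    jailbroken: bool = False            # jailbroken (iOS) or rooted (Android)
    patch_date: Optional[date] = None   # Android security patch level
    basic_integrity: bool = True        # SafetyNet basic integrity result
    verify_apps_enabled: bool = True    # Google Play Protect / Verify Apps


def evaluate(dev: DeviceState) -> list:
    """Return (check, action) pairs that fire, most severe first."""
    hits = []
    if dev.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
        hits.append(("max_pin_attempts", "wipe"))
    # The two offline timers form one ladder: the wipe threshold wins.
    if dev.minutes_offline >= OFFLINE_WIPE_DAYS * MINUTES_PER_DAY:
        hits.append(("offline_period", "wipe"))
    elif dev.minutes_offline > OFFLINE_BLOCK_MINUTES:
        hits.append(("offline_grace_period", "block"))
    if dev.jailbroken:
        hits.append(("jailbroken_rooted", "wipe"))
    # OS version tiers: report only the most severe tier that fails.
    current = parse_version(dev.os_version)
    for action in ("wipe", "block", "warn"):
        if current < parse_version(MIN_OS[dev.platform][action]):
            hits.append(("min_os_version", action))
            break
    if dev.platform == "android":
        # A device that reports no patch level is treated as passing here.
        if dev.patch_date is not None and dev.patch_date < MIN_PATCH_DATE:
            hits.append(("min_patch_version", "warn"))
        if not dev.basic_integrity:
            hits.append(("safetynet_basic_integrity", "warn"))
        if not dev.verify_apps_enabled:
            hits.append(("threat_scan_on_apps", "warn"))
    hits.sort(key=lambda h: SEVERITY[h[1]], reverse=True)
    return hits


def decide(dev: DeviceState) -> str:
    """Single outcome for the launch: the most severe action, or 'allow'."""
    hits = evaluate(dev)
    return hits[0][1] if hits else "allow"


if __name__ == "__main__":
    samples = {
        "iOS 12.3": DeviceState("ios", "12.3"),
        "iOS 13.2": DeviceState("ios", "13.2"),
        "Android 9.0, 13 h offline": DeviceState("android", "9.0", minutes_offline=13 * 60),
        "Android 11, rooted": DeviceState("android", "11.0", jailbroken=True),
        "Android 10, old patch": DeviceState("android", "10.0", patch_date=date(2019, 10, 1)),
    }
    for name, dev in samples.items():
        print(f"{name:28s} -> {decide(dev):5s} {evaluate(dev)}")
```

Two properties of the model are worth checking against a real policy: the wipe threshold for a setting must never be higher than its block or warn threshold (otherwise the milder action can never be reached), and a device that fails several checks gets only the most severe action, which is why the 720-minute block and the 60-day wipe behave as one ladder rather than two independent timers.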
Best Practices of Conditional Launch:
Great article. However, it should be noted that there is a known issue for ~3 years now where users will receive a 607 error code, which then causes an authentication loop. E.g. a user hasn't used the O365 app for more than 720 minutes or for 90 days, but goes to open an attachment from Outlook -> O365 app; they receive the error about data removal. https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-known-issue-occasionally-occurring-with-ios-mam-and/ba-p/2617909 https://learn.microsoft.com/en-us/troubleshoot/mem/intune/known-issues#users-are-signed-out-of-managed-ios-office-apps While these conditions are always configured based off of company policies, this known issue is only resolved by either clearing the login credentials or deleting and reinstalling the app. Settings > [app] > Reset [app] > Delete Login Credentials