Set app protection settings for Android or iOS devices

Create an app management policy

  1. Sign in to Microsoft 365 Business with global admin credentials.

  2. In the admin center, on the Device policies card, choose Add policy.

  3. On the Add policy pane, enter a unique name for this policy.

  4. Under Policy type, choose Application Management for Android or Application Management for iOS depending on which set of policies you want to create.

  5. Expand Protect work files when devices are lost or stolen and Manage how users access Office files on mobile devices, then configure the settings as you would like. Manage how users access Office files on mobile devices is Off by default, but it is recommended that you turn it On and accept the default values. See Available settings for more information.

    You can always use the Reset default settings link to return to the default setting.

  6. Next, decide Who will get these settings? If you don't want to use the default All Users security group, choose Change, choose the security groups that will get these settings, and then choose Select.

  7. Finally, choose Done to save the policy, and assign it to devices.

Edit an app management policy

  1. On the Policies card, choose Edit policy.

  2. On the Edit policy pane, choose the policy you want to change.

  3. Choose Edit next to each setting to change the values in the policy. When you change a value, it is automatically saved into the policy.

  4. When you are finished, close the Edit policy pane.

Delete an app management policy

  1. On the Policies card, choose Delete policy.

  2. On the Delete policy pane, choose the policies you want to delete, choose Select, and then choose Confirm to delete the policy or policies you chose.

Available settings

The following tables give detailed information about the available settings to protect work files on devices and the settings that control how users access Office files from their mobile devices.

See How do protection features in Microsoft 365 Business map to Intune settings for more information.

Settings that protect work files

The following settings are available to protect work files if a user's device is lost or stolen:

| Setting | Description |
| --- | --- |
| Delete work files from an inactive device after this many days | If a device is not used for the number of days that you specify here, any work files stored on the device will automatically be deleted. |
| Force users to save all work files to OneDrive for Business | If this setting is On, the only available save location for work files will be OneDrive for Business. |
| Encrypt work files | Keep this setting On so that work files are protected by encryption. Even if the device is lost or stolen, no one will be able to read your company data. |

Settings that control how users access Office files on mobile devices

The following settings are available to manage how users access Office work files:

| Setting | Description |
| --- | --- |
| Require a PIN or fingerprint to access Office apps | If this setting is On, users have to provide another form of authentication, in addition to their username and password, before they can use Office apps on their mobile device. |
| Reset PIN when login fails this many times | To prevent an unauthorized user from randomly guessing a PIN, the PIN will reset after the number of wrong entries that you specify. |
| Require users to sign in again after Office apps have been idle for | This setting determines how long a user can be idle before they are prompted to sign in again. |
| Deny access to work files on jailbroken or rooted devices | Clever users may have a device that is jailbroken or rooted. This means that the user can modify the operating system, which can make the device more susceptible to malware. These devices are blocked when this setting is On. |
| Allow users to copy content from Office apps into personal apps | This is allowed by default. If the setting is On, the user can copy information from a work file to a personal file. If the setting is Off, the user cannot copy information from a work account into a personal app or personal account. |
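
To confirm that a saved policy still matches what was configured in the admin center, the policy can be exported and checked offline. The following is an added example, not part of the original article or of Microsoft's tooling: it audits a policy object shaped like the Microsoft Graph androidManagedAppProtection resource. The mapping from this page's settings to Graph properties, the baseline thresholds, and the sample policy are assumptions.

```python
import re
from datetime import timedelta

# Graph serializes durations as ISO 8601, e.g. "P90D" or "PT30M".
_ISO = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(value):
    m = _ISO.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

# Assumed baseline; thresholds are illustrative, not values from this page.
BASELINE = {"wipe": timedelta(days=90), "idle": timedelta(minutes=30), "retries": 5}

def audit_policy(policy):
    """Return this page's setting names that deviate from the assumed baseline."""
    weak = []
    def too_long(key, limit):
        try:
            return parse_duration(policy.get(key)) > limit
        except ValueError:
            return True  # missing or unparseable counts as a finding
    if too_long("periodOfflineBeforeWipeIsEnforced", BASELINE["wipe"]):
        weak.append("Delete work files from an inactive device after this many days")
    if not policy.get("saveAsBlocked"):
        weak.append("Force users to save all work files to OneDrive for Business")
    if not policy.get("encryptAppData"):
        weak.append("Encrypt work files")
    if not policy.get("pinRequired"):
        weak.append("Require a PIN or fingerprint to access Office apps")
    if not 0 < policy.get("maximumPinRetries", 0) <= BASELINE["retries"]:
        weak.append("Reset PIN when login fails this many times")
    if too_long("periodOnlineBeforeAccessCheck", BASELINE["idle"]):
        weak.append("Require users to sign in again after Office apps have been idle for")
    if not policy.get("deviceComplianceRequired"):
        weak.append("Deny access to work files on jailbroken or rooted devices")
    return weak

# Constructed sample policy (not real tenant data).
SAMPLE = {
    "periodOfflineBeforeWipeIsEnforced": "P120D", "saveAsBlocked": True,
    "encryptAppData": True, "pinRequired": True, "maximumPinRetries": 10,
    "periodOnlineBeforeAccessCheck": "PT30M", "deviceComplianceRequired": False,
}
```

Calling `audit_policy(SAMPLE)` lists the settings to revisit in the Edit policy pane; an empty list means the policy meets the assumed baseline.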

Related Topics

Microsoft 365 Business documentation and resources
Get started with Microsoft 365 Business
Manage Microsoft 365 Business
Validate MAM settings on Android devices
Validate MAM settings on iOS devices
