Validate app protection settings on Android devices

Check that the App protection settings are working on user devices

After you set app configurations for Android devices to protect the apps, you can follow these steps to validate that the settings you chose work.

First, make sure that the policy applies to the app in which you are going to validate it.

  1. In the Microsoft 365 Business admin center go to Policies > Edit policy.

  2. Choose Application policy for Android for the settings you created at setup, or another policy you created, and verify that it is enforced for Outlook for example.

    Shows all the apps for which this policy protects files.

Validate Require a PIN or a fingerprint to access Office apps

In the Edit policy pane, choose Edit next to Office documents access control, expand Manage how users access Office files on mobile devices, and make sure that Require a PIN or fingerprint to access Office apps is set to On.

Make sure that the Require a PIN or fingerprint to acces Office apps is set to On.
  1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business credentials.

  2. You will also be prompted to enter a PIN or use a fingerprint.

    Enter a PIN on your Android device to access Office apps.

Validate Reset PIN after number of failed attempts

In the Edit policy pane, choose Edit next to Office documents access control, expand Manage how users access Office files on mobile devices, and make sure that Reset PIN after number of failed attempts is set to some number - this is 5 by default.

  1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business credentials.

  2. Enter an incorrect PIN as many times as specified by the policy. You will see a prompt that states PIN Attempt Limit Reached to reset the PIN.

    After too many incorrect PIN attempts, you need to reset your PIN.
  3. Press Reset PIN. You will be prompted to sign in with the user's Microsoft 365 Business credentials, and then required to set a new PIN.

Validate Force users to save all work files to OneDrive for Business

In the Edit policy pane, choose Edit next to Protection against lost or stolen devices, expand Protect work files when devices are lost or stolen, and make sure that Force users to save all work files to OneDrive for Business is set to On.

Verify that Force users to save all work files to OneDrive for Business is set to On.
  1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business credentials, and enter a PIN if requested.

  2. Open an email that contains an attachment and tap the down arrow icon next to the attachment's information.

    Tap the down arrow next to an attachment to try to save it.

    You will see Cannot save to device on the bottom of the screen.

    Warning text that indicates cannot save a file locally to an Android.

    Note: Saving to OneDrive for Business is not enabled for Android at this time, so you can only see that saving locally is blocked.

Validate Require user to sign in again if Office apps have been idle for a specified time

In the Edit policy pane, choose Edit next to Office documents access control, expand Manage how users access Office files on mobile devices, and make sure that Require users to sign in again after Office apps have been idle for is set to some number of minutes - this is 30 minutes by default.

  1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business credentials, and enter a PIN if requested.

  2. You should now see Outlook’s inbox. Let the Android device idle untouched for at least 30 minutes (or some other amount of time, longer than what you specified in the policy). The device will likely dim.

  3. Re-access Outlook on the Android device.

  4. You will be prompted to enter your PIN before you can access Outlook again.

Validate Protect work files with encryption

In the Edit policy pane, choose Edit next to Protection against lost or stolen devices, expand Protect work files when devices are lost or stolen, and make sure that Protect work files with encryption is set to On, and Force users to save all work files to OneDrive for Business is set to Off.

  1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business credentials, and enter a PIN if requested.

  2. Open an email which contains a few image file attachments.

  3. Tap the down arrow icon next to the attachment’s info to save it.

    Tap the down arrow to save the figure file to the Android device.
  4. You may be prompted to allow Outlook to access photos, media, and files on your device. Tap Allow.

  5. At the bottom of the screen, choose to Save to Device and then open the Gallery app.

  6. You should see an encrypted photo (or more, if you saved multiple image file attachments) in the list. It may appear in the Pictures list as a gray square with a white exclamation point within a white circle in the center of the gray square.

    An encrypted image file in the Gallery app.

Related Topics

Microsoft 365 Business documentation and resources
Get started with Microsoft 365 Business
Manage Microsoft 365 Business

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×