Application protection policies (APP) in Microsoft 365 are a core topic of the MS-101 Microsoft 365 Mobility and Security exam. They are a key part of any enterprise security approach because they secure corporate data at the application level rather than at the device level.
Understanding Application Protection Policies
Application protection policies safeguard your organization’s data inside an application, regardless of whether the device is enrolled in Microsoft Endpoint Manager. APP applies to both mobile apps and desktop clients.
There are two types of APP:
- Mobile Application Management (MAM) Policy: an app-level policy targeted at the signed-in user. It controls organizational data inside an application but does not touch the user’s personal apps or data.
- Mobile Device Management (MDM) Policy: Device-level policy aimed at protecting corporate data at the device level.
Implementing these policies requires thorough planning and an understanding of the protection features they provide.
Planning Application Protection Policies
The planning phase involves understanding the organization’s data protection needs and choosing the right policy (MAM or MDM).
Here are some considerations:
- Determine the apps to be protected.
- Identify the users who will be using these apps.
- Define data protection settings.
- Plan which apps can share data with each other.
- Determine how you will protect work data when the device is lost or stolen.
Implementing Application Protection Policies
After planning, the Application Protection Policies can be implemented. While the specific steps depend on the organization’s requirements, policy setup in the Microsoft 365 admin center generally involves the following steps:
- Navigate to the Microsoft 365 admin center, select “Endpoint security,” then select “App protection policies.”
- Select “Create a policy,” choose the platform (iOS/iPadOS or Android), and select “Configure.”
- Fill in the name and description of the policy.
- Add applications that need to be protected under “Public apps” (you can also add “Custom apps” if needed).
- Configure settings under “Data protection,” “Access requirements,” and “Conditional launch.”
- Review your settings and click “Create” to finalize the policy.
- Assign this policy to the relevant user groups.
Using these steps, organizations can define a policy that fits their requirements, choosing from a wide range of data protection settings such as Data relocation, Access requirements, and Conditional launch.
Testing and Refining Policies
Once implemented, it’s important to continually evaluate and adjust your application protection policies. Conduct periodic audits, monitor for security incidents, and adjust the policies accordingly. Tools like Microsoft’s “Policy set” and “Report” can be instrumental in this process.
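The portal steps above produce one policy object, and the periodic review described in this section is easiest to repeat against that object rather than against screenshots. The following Python is an added example, not code from this page or from Microsoft: it builds the request body that Microsoft Graph’s androidManagedAppProtection resource accepts for steps 3 to 6 (name, public apps, data protection, access requirements, conditional launch), builds the separate assignment body for step 7, and audits a body against the planning considerations (data relocation, access requirements, lost-device handling) so the same check can be run over policies fetched back from Graph. The Graph property names are those of the androidManagedAppProtection resource; the policy values, the Outlook package id used as the example app, the group id placeholder, and the baseline encoded in audit_policy are constructed for this example and should be adjusted to your own requirements.

```python
"""Build and audit an Intune app protection policy body (example, not Microsoft's code).

Property names follow Microsoft Graph's androidManagedAppProtection resource; the
values, the package id list and the group id below are constructed for this example.
"""
import json

# Graph collection that accepts the body from build_policy() via POST with a bearer
# token holding DeviceManagementApps.ReadWrite.All. This example never sends it.
POLICY_ENDPOINT = "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections"


def iso_duration(days: int = 0, hours: int = 0, minutes: int = 0) -> str:
    """Render an ISO 8601 duration (the form Graph uses for period* settings), e.g. PT12H or P90D."""
    date_part = f"{days}D" if days else ""
    time_part = (f"{hours}H" if hours else "") + (f"{minutes}M" if minutes else "")
    if not date_part and not time_part:
        return "PT0S"
    return "P" + date_part + (f"T{time_part}" if time_part else "")


def build_policy(name: str, package_ids: list[str]) -> dict:
    """Steps 3 to 6 of the portal procedure expressed as one Graph request body."""
    return {
        "@odata.type": "#microsoft.graph.androidManagedAppProtection",
        "displayName": name,
        "description": "Baseline protection for work data in the listed apps, enrolled or not.",
        # Public apps (step 4), identified by Android package id.
        "apps": [
            {
                "@odata.type": "#microsoft.graph.managedMobileApp",
                "mobileAppIdentifier": {
                    "@odata.type": "#microsoft.graph.androidMobileAppIdentifier",
                    "packageId": package_id,
                },
            }
            for package_id in package_ids
        ],
        # Data protection (step 5): data relocation. Work data may only move between
        # managed apps; pasting into a managed app from anywhere is still allowed.
        "allowedOutboundDataTransferDestinations": "managedApps",
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
        "saveAsBlocked": True,
        "dataBackupBlocked": True,
        "screenCaptureBlocked": True,
        "encryptAppData": True,
        # Access requirements (step 5): an app PIN separate from the device PIN.
        "pinRequired": True,
        "minimumPinLength": 6,
        "pinCharacterSet": "numeric",
        "disableAppPinIfDevicePinIsSet": False,
        # Conditional launch (step 5): retry limit and offline grace periods. The
        # wipe period is what protects work data on a lost or stolen device.
        "maximumPinRetries": 5,
        "periodOfflineBeforeAccessCheck": iso_duration(hours=12),
        "periodOfflineBeforeWipeIsEnforced": iso_duration(days=90),
    }


def build_assignment(group_ids: list[str]) -> dict:
    """Step 7: body for POST {POLICY_ENDPOINT}/{policy id}/assign, targeting Azure AD groups."""
    return {
        "assignments": [
            {
                "@odata.type": "#microsoft.graph.targetedManagedAppPolicyAssignment",
                "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "groupId": group_id,
                },
            }
            for group_id in group_ids
        ]
    }


def audit_policy(policy: dict) -> list[str]:
    """Periodic review: list where a policy body is weaker than the baseline above.

    An empty list means the policy passes. A missing transfer setting is treated as
    open ("allApps") so that an incomplete body is flagged rather than trusted.
    """
    findings = []
    if not policy.get("apps"):
        findings.append("no apps targeted: the policy protects nothing")
    if policy.get("allowedOutboundDataTransferDestinations", "allApps") == "allApps":
        findings.append("outbound transfer open to all apps: data relocation is not enforced")
    if policy.get("allowedOutboundClipboardSharingLevel", "allApps") == "allApps":
        findings.append("clipboard sharing open to all apps")
    if not policy.get("pinRequired"):
        findings.append("no app PIN required")
    if not policy.get("periodOfflineBeforeWipeIsEnforced"):
        findings.append("no offline wipe period: a lost device keeps work data indefinitely")
    if not policy.get("screenCaptureBlocked"):
        findings.append("screen capture not blocked")
    return findings


if __name__ == "__main__":
    policy = build_policy("Android - work data baseline", ["com.microsoft.office.outlook"])
    print(json.dumps(policy, indent=2))
    # Constructed placeholder; a real group id is the GUID of an Azure AD group.
    print(json.dumps(build_assignment(["<azure-ad-group-id>"]), indent=2))
    weak = dict(policy, allowedOutboundDataTransferDestinations="allApps", pinRequired=False)
    print("baseline findings:", audit_policy(policy))  # []
    print("weakened findings:", audit_policy(weak))
```

To create the policy for real, POST the first body to POLICY_ENDPOINT with a token that carries DeviceManagementApps.ReadWrite.All, then POST the assignment body to the new policy’s assign action. The audit function runs unchanged over bodies returned by a GET on the same collection, which is how settings that drifted after creation get caught during the periodic review.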
To conclude, planning and implementing application protection policies is a necessary skill for anyone preparing for the MS-101 Microsoft 365 Mobility and Security exam. This knowledge not only helps in passing the exam but also in practical application scenarios, effectively protecting the organization’s data at the app level.
Practice Test
True or False: Application protection policies in Microsoft 365 are implemented at the device level.
- Answer: False
Explanation: Application protection policies are implemented at the application level, and do not rely on device-level controls.
Which of the following tools is used to implement application protection policies in Microsoft 365?
- A. Microsoft Intune
- B. Microsoft Teams
- C. Microsoft SharePoint
- D. Microsoft Outlook
- Answer: A. Microsoft Intune
Explanation: Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM), and it is where application protection policies are implemented.
True or False: Application protection policies cannot control access to on-premises resources.
- Answer: False
Explanation: Application protection policies can be configured to restrict or allow access to on-premises resources based on certain conditions.
Multiple select: Which of the following features can be implemented as part of an application protection policy?
- A. Data encryption
- B. Restriction of copying and pasting of data
- C. Restricting access to VPN
- D. Both A and B
- Answer: D. Both A and B
Explanation: Application protection policies can implement features such as data encryption and restriction of copying and pasting of data, but they cannot restrict access to a VPN.
True or False: You can create different application protection policies for different groups.
- Answer: True
Explanation: Application protection policies in Microsoft 365 can be scoped to different user groups, providing flexibility and granularity in application security settings.
Which of the following is not a component of an application protection policy?
- A. Targeting
- B. Conditions
- C. Control Actions
- D. Antivirus Definition
- Answer: D. Antivirus Definition
Explanation: An application protection policy includes elements like scoping (targeting), conditions, and control actions. Antivirus definition isn’t part of an application protection policy.
True or False: Blocking screen capture and screen recording of company data is a setting that cannot be implemented under an application protection policy.
- Answer: False
Explanation: One of the protections offered under an application protection policy is blocking screen capture and screen recording on Android devices.
Multiple select: Which among the following pertains to an application protection policy?
- A. Enforcing multi-factor authentication
- B. Allowing data sharing with other apps
- C. Restricting network access
- D. Both A and B
- Answer: D. Both A and B
Explanation: An application protection policy controls features like multi-factor authentication enforcement and data sharing with other apps. Network access restriction is more in the purview of network policies.
Single-select: Which is essential before you can create and deploy an app protection policy?
- A. Setting up an Intune subscription
- B. Installing Microsoft Teams
- C. Creating a Microsoft Outlook Account
- D. Configuring a SharePoint site
- Answer: A. Setting up an Intune subscription
Explanation: Microsoft Intune is used to create and deploy app protection policies, hence an active Intune subscription is an essential prerequisite.
True or False: It is not possible to set conditions based on user location for an app protection policy.
- Answer: False
Explanation: App protection policies can include conditions based on various factors including user location, allowing for location-based restrictions or permissions.
Interview Questions
What is the purpose of application protection policies in Microsoft 365?
Application protection policies in Microsoft 365 are designed to safeguard corporate data at the application level. They provide controls to ensure data protection, restrict data sharing between apps, and manage data access on personal or company-owned devices.
Where can you create and manage Application Protection Policies?
Application Protection Policies can be created and managed in the Microsoft Endpoint Manager admin center.
What are the types of application protection policies available in Microsoft 365?
There are two types of application protection policies in Microsoft 365: Managed Application Policies and Windows Information Protection (WIP) policies.
What types of applications are covered by application protection policies in Microsoft 365?
Application protection policies in Microsoft 365 cover both managed apps (apps that have been integrated with Azure AD for identity and access management) and personal apps (apps that a user has installed for personal use).
What is the purpose of Managed Application Policies?
Managed Application Policies provide controls to enforce corporate data protection without intervening in the user’s personal data. They manage data transfer between apps and protect data upon app closure.
How does Windows Information Protection (WIP) fit into the Application Protection Policy picture?
Windows Information Protection (WIP) is a type of application protection policy that is specifically designed to protect against data leaks on Windows 10 devices. It can be used to control which apps have access to business data and define what they can do with that data.
Can you use both Managed Application Policies and WIP Policies simultaneously in your Microsoft 365 environment?
Yes, you can implement both Managed Application Policies and WIP Policies in your Microsoft 365 environment, depending on the specifics of your security and data protection needs.
What steps are required to implement application protection policies in Microsoft 365?
To implement application protection policies in Microsoft 365, you need to identify the applications that need protection, create and configure the policies in the Microsoft Endpoint Manager admin center, and assign the policies to relevant user groups.
How do Application Protection Policies protect data when an application is not in use?
Application Protection Policies can be configured to enforce encryption or require an additional access code whenever a managed app is closed or moved to the background, thereby securing the data at rest.
Can Application Protection Policies block the copy-paste function between applications?
Yes, Application Protection Policies can be used to restrict data sharing functions such as copy-pasting between managed and personal apps to prevent data leakage.
What is a Conditional Launch in Application Protection Policy?
Conditional Launch is a setting in Application Protection Policy that checks certain conditions of the device or app before the app launches. If the device or app fails any of these conditions, the defined action for that condition is enforced.
What is the purpose of Data relocation in Application Protection Policy?
The Data relocation setting in Application Protection Policy prevents sensitive information from being moved from a managed application to any non-managed application, thereby preventing it from leaking.
Can Application Protection Policies manage personal applications?
While Application Protection Policies can technically be applied to personal applications, it’s generally preferable to use them for managing corporate, managed apps, leaving personal apps unaffected.
How do you assign an Application Protection Policy to users in Microsoft 365?
You assign an Application Protection Policy to users in the Microsoft Endpoint Manager admin center by selecting groups of users who should receive the policies.
Do application protection policies require devices to be enrolled in Device Management?
No, application protection policies protect data at the application level and can be applied to apps on both enrolled and non-enrolled devices.