Restrict Windows App Access to Read or Send Messages for Data Protection using Intune

This post explains how to restrict Windows app access to read or send messages for data protection using Intune. The Let Apps Access Messaging policy controls whether Windows apps can access and interact with the device’s messaging functionality, specifically the ability to read or send messages (text or MMS).

With Microsoft Intune, the Let Apps Access Messaging policy can be deployed to managed Windows devices to enforce organizational security and privacy standards. Organizations configure this policy based on their security needs, data handling requirements, and compliance obligations.

With this policy, admins can prevent unauthorized or personal applications from accessing, reading, or sending sensitive corporate data via text/MMS messages, which could lead to data leakage. Admins can also ensure a uniform, high-security baseline across all corporate devices.

This policy is valuable for Administrators, End-Users, and the Organization as a whole, primarily by enforcing granular control over data privacy and device security. This policy reduces the device’s attack surface by blocking a potential vector for malware to exfiltrate data or be controlled via messages.


The Let Apps Access Messaging policy’s applicability is centered on Windows client operating systems and specifically targets Universal Windows Platform (UWP) apps that have the technical capability to access the device’s messaging features (text/MMS).

How to Configure Policy with Intune Portal

You can start the policy configuration from the Microsoft Intune portal. Sign in to the Microsoft Intune admin center, then go to Devices > Configuration > + Create > + New Policy, as shown in the screenshot below.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.1

Selecting Platform and Profile

Selecting the platform and profile is the next step in policy creation. It is a necessary step and you cannot skip it. Here I configure the policy for the Windows 10 and later platform and the Settings catalog profile. Then click the Create button.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.2

Adding Basic Tab

The Basic tab is where you add basic details such as the Name and Description of the Intune policy. It is a necessary step that records the purpose of the policy. Name is mandatory and Description is optional. After adding these details, click the Next button.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.3

Configuration Settings Tab for Selecting Settings

On the Configuration settings tab, the + Add settings hyperlink gives access to specific settings. Clicking this hyperlink opens the Settings picker. Here, I select the setting by browsing by category: I choose Privacy, and then the Let Apps Access Messaging setting.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.4

Select Value

The policy setting offers three primary control mechanisms: a default setting for all apps, a per-app override using the Package Family Name (PFN), and the core enforcement options.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.5

Adding Scope Tags

The Scope Tags section helps you restrict the visibility of the policy. It is not a mandatory step, so you can skip it. Here, I don’t add scope tags for DO Absolute Max Cache Size Policy. Click the Next button.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.6

Selecting Group from the Assignment Tab

To assign the policy to specific groups, use the Assignment tab. Here I click the + Add groups option under Included groups, choose a group from the list of groups, and click the Select button. I then click the Select button again to continue.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.7

Review + Create Tab

Before completing the policy creation, review each tab to avoid misconfiguration or policy failure. After verifying all the details, click the Create button. Once the policy is created, you will get a success message.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.8

Monitoring Status

The Monitoring Status page shows whether the policy has succeeded or not. To apply the policy quickly, sync the device from the Company Portal. Then open the Intune Portal and go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.9

Client Side Verification through Event Viewer

Event Viewer lets you verify the policy status on the client side. On the client device, go to Start > Event Viewer. In the left pane, navigate to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

  • You will get the successful result on Event ID 813

MDM PolicyManager: Set policy int, Policy: (LetAppsAccessMessaging), Area: (Privacy),
EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User:
(Device), Int: (0x2), Enrollment Type: (0x6), Scope: (0x0).

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.10
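
To check the same Event ID 813 entry without opening Event Viewer, the following added example (not from the original post) reads the Admin log with Get-WinEvent and decodes the Int value into the enforcement option chosen in the Select Value step. The helper name ConvertFrom-PolicyManagerMessage is hypothetical, and the 0/1/2 value mapping is an assumption taken from the Policy CSP documentation, not from this page.

```powershell
# Added example. ConvertFrom-PolicyManagerMessage is a hypothetical helper name.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Integer values of the LetAppsAccess* Privacy policies (assumption: Policy CSP docs).
$ValueMeaning = @{ 0 = 'User in control'; 1 = 'Force allow'; 2 = 'Force deny' }

function ConvertFrom-PolicyManagerMessage {
    param([string]$Message)
    # Event text may wrap across lines; collapse whitespace before matching.
    $flat = $Message -replace '\s+', ' '
    $pattern = 'Policy: \((?<Policy>[^)]+)\), Area: \((?<Area>[^)]+)\).*?Int: \((?<Int>0x[0-9A-Fa-f]+)\)'
    if ($flat -match $pattern) {
        $value = [Convert]::ToInt32($Matches['Int'], 16)   # base 16 accepts the 0x prefix
        $meaning = if ($ValueMeaning.ContainsKey($value)) { $ValueMeaning[$value] } else { 'Unknown' }
        [pscustomobject]@{
            Area    = $Matches['Area']
            Policy  = $Matches['Policy']
            Value   = $value
            Meaning = $meaning
        }
    }
}

# Message text copied from the Event ID 813 entry shown in this post (offline fallback).
$sample = 'MDM PolicyManager: Set policy int, Policy: (LetAppsAccessMessaging), Area: (Privacy), ' +
          'EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: ' +
          '(Device), Int: (0x2), Enrollment Type: (0x6), Scope: (0x0).'

# On a managed client read the live log; anywhere else fall back to the sample.
$messages = try {
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 813 } -ErrorAction Stop |
        ForEach-Object { $_.Message }
} catch {
    $sample
}

# Keep only the policy from this post; other Event ID 813 entries are ignored.
$messages | ForEach-Object { ConvertFrom-PolicyManagerMessage -Message $_ } |
    Where-Object { $_.Policy -eq 'LetAppsAccessMessaging' } |
    Format-Table -AutoSize
```

For the event shown above, the output row reads Privacy, LetAppsAccessMessaging, 2, Force deny.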

Removing the Assigned Group from Let Apps Access Messaging Settings

If you want to remove the assigned group from the policy, you can do so from the Intune Portal. Open the policy in the Intune Portal, edit the Assignments tab, and remove the group from the policy.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.11

How to Delete Let Apps Access Messaging

You can delete the policy from the Configuration section of the Intune Portal. Deleting it removes the policy completely from the client devices.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.12

Windows CSP Details

The Windows CSP details give more information about Let Apps Access Messaging. This policy is applicable to different versions. The table below shows the policy details.

Name                 Value
Name                 LetAppsAccessMessaging
Friendly Name        Let Windows apps access messaging
Element Name         Default for all apps.
Location             Computer Configuration
Path                 Windows Components > App Privacy
Registry Key Name    Software\Policies\Microsoft\Windows\AppPrivacy
ADMX File Name       AppPrivacy.admx
Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Table.1
Restrict Windows App Access to Read or Send Messages for Data Protection using Intune – Fig.13


Author

Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM,  Windows, Cloud PC,  Entra, Microsoft Security, Career, etc.
