How to Create Application Configuration Policies for Managed Apps in Intune

Hello everyone, we are back with another interesting topic: how to create Application Configuration Policies for Managed Apps in Intune. Our previous blog discussed creating application configuration policies for the Outlook app on managed devices.

Intune allows admins to configure Application Configuration policies in two ways. One is for Managed Devices; these policies are applied to devices managed by Intune. The other is for Managed Applications; these policies can also be targeted to devices managed by third-party MDM solutions.

Application Configuration policies can be used to customize the application behavior as per your organizational requirements. These application configuration policies configured for Managed Apps are delivered to devices using the Mobile Application Management channel.

When we create Application Configuration policies for managed apps and assign them to users, Intune doesn’t consider the device enrollment state or how the application is delivered to the device, because the policies are delivered via the MAM channel. The applications must be integrated with the Intune SDK or wrapped with the Intune App Wrapping Tool to support the Application Configuration policies.

NOTE! When App Configuration Policies are deployed along with App Protection Policies, the managed apps check in every 30 minutes; otherwise, the application configuration policies check in every 720 minutes.

Create Application Configuration Policies

Intune allows admins to configure Application Configuration policies for managed apps for both Android and iOS applications in a single policy. These policies can be created for the below applications.

| Type of apps | Applications included |
|---|---|
| All Managed Applications | All the Public apps which support App Protection Policies or apps that are integrated with Intune SDK |
| All Microsoft apps | When we select this option, it includes all the Microsoft apps |
| All Core Apps | Core apps include Edge, Excel, Office, OneDrive, OneNote, Outlook, PowerPoint, SharePoint, Teams, To Do, and Word. |

How to Create Application Configuration Policies for Managed Apps in Intune Table: 1

Now let’s see how we can create Application configuration for managed apps in the below steps.

How to Create Application Configuration Policies for Managed Apps in Intune Fig: 1

Now on the Basics page, enter the name and Description for the policy. You can see Device enrolment type is set as Managed apps. Now we need to select the Target apps, and Target apps can be all managed apps or selected apps. I have selected the Outlook app for Android and iOS for our testing. You can also add custom apps. Click on Next.

How to Create Application Configuration Policies for Managed Apps in Intune Fig: 2

Now on the Settings page, you will be presented with General Configuration Settings and Microsoft Tunnel for Mobile Application Management settings. These two sections are common for most applications, and there would be additional settings like Outlook configuration settings and S/MIME.

General Configuration Settings

Now let’s see what options are available in General Configuration Settings. Here we need to define the key/value pairs. The keys and their valid values can be obtained from the application developer; the Intune SDK lets developers expose key/value pairs for application configuration. Configure the values based on the keys and values the application supports.
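As an added illustration (not part of the original article and not Microsoft's code), the Python script below checks a policy's key/value pairs against an expected baseline and flags missing keys, wrong values, and keys defined twice with conflicting values. The key names, the baseline, and the sample export are constructed for the example, and the `customSettings` name/value layout of the export is an assumption about how the policy was exported.

```python
import json

# Constructed sample export: key/value pairs as a list of name/value objects.
# The "contoso.lob.*" key names are hypothetical; real keys come from the
# application developer's documentation.
SAMPLE_EXPORT = json.loads("""
{
  "displayName": "LOB app - MAM config (constructed sample)",
  "customSettings": [
    {"name": "contoso.lob.BlockExternalImages", "value": "True"},
    {"name": "contoso.lob.AllowWearableSync",   "value": "true"},
    {"name": "contoso.lob.RequireBiometrics",   "value": "true"},
    {"name": "contoso.lob.RequireBiometrics",   "value": "false"}
  ]
}
""")

# Hypothetical baseline: the value the organization expects for each key.
BASELINE = {
    "contoso.lob.BlockExternalImages": "true",
    "contoso.lob.AllowWearableSync": "false",
    "contoso.lob.RequireBiometrics": "true",
    "contoso.lob.SmimeEncryptAll": "true",
}

def audit_policy(policy, baseline):
    """Return (kind, key, value) findings for a policy versus a baseline."""
    seen = {}
    for pair in policy.get("customSettings", []):
        seen.setdefault(pair["name"].strip(), []).append(str(pair["value"]).strip())
    findings = []
    for key, expected in baseline.items():
        values = seen.get(key)
        if values is None:
            findings.append(("missing", key, None))        # key never configured
        elif len({v.lower() for v in values}) > 1:
            findings.append(("conflict", key, values))     # same key, different values
        elif values[0].lower() != expected.lower():        # case-insensitive compare
            findings.append(("mismatch", key, values[0]))
    for key, values in seen.items():
        if key not in baseline:
            findings.append(("unreviewed", key, values))   # key outside the baseline
    return findings

if __name__ == "__main__":
    for kind, key, value in audit_policy(SAMPLE_EXPORT, BASELINE):
        print(f"{kind:10} {key} -> {value}")
```

Values are compared case-insensitively because the sample uses boolean-style strings; for case-sensitive values, compare them exactly instead.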

Microsoft Tunnel for Mobile Application Management Settings

Microsoft Tunnel for MAM extends the usage of Tunnel VPN gateway solutions for Android and iOS devices. If we deploy the configurations, users can securely access on-premises corporate data and apps from their devices without enrolling in Intune. This feature is available as an add-on to Intune, and additional billing will be added to your organization.

Outlook Configuration Settings

The Managed app application configuration policies support settings that can restrict or enable the default features of the Outlook app based on your organization’s requirements. Let’s see the restrictions that can be configured. These configurations are specific to the Outlook app.

  • Focused Inbox: Focused Inbox separates important and regular emails by creating two tabs in the Outlook app: Focused and Others. All important emails reside in the Focused tab. When OFF is selected, the Focused tab in the inbox is removed.
  • Require Biometrics to Access app: When we set the value as Yes, users are forced to use Touch ID, Face ID, or fingerprint before accessing the app. We can allow or block users from overriding the configuration. Avoid using this setting if you enabled the PIN requirement in App Protection Policies.
  • Save Contacts: When selected ON, the Outlook app lets users save contacts to the local address book. We can choose to allow users to change the settings by selecting YES.
  • Suggested Replies: When set ON, users will get suggested replies while replying to an email. We can choose to allow users to change the settings by selecting YES.
  • Block External images: If you want to block downloading of images that are embedded in an email and hosted on the Internet, select ON.
  • Organize mail by Thread: Outlook app organizes emails as conversations. Select OFF to show the emails as individual mail instead of conversations.
  • Sync calendar: Select the value ON if you want to allow the Outlook calendar to sync with Native Calendar.
How to Create Application Configuration Policies for Managed Apps in Intune Fig: 3

Data Protection Configuration: These configuration settings help organizations protect the application data.

  • Org Data on Wearable: When we set the value as YES, the application data will sync on wearables.
  • Calendar Notification: When the value is set to YES, Outlook allows calendar notifications to display full details when the App Protection Policy setting “Org data notifications” is set to “Block Org Data.”
  • Allow Calendar Sync: When set to YES, this setting allows organizations to sync their Outlook calendar to the native calendar.
How to Create Application Configuration Policies for Managed Apps in Intune Fig: 4

Sync contact fields to native contacts app configuration: Intune provides granular control over which contact fields can be synced to the native contacts app. When we set the value to Yes, that particular field will be synced to the contacts app; otherwise, it will not sync.

How to Create Application Configuration Policies for Managed Apps in Intune Fig: 5

S/MIME

Intune also allows us to configure Secure/Multipurpose Internet Mail Extensions (S/MIME), allowing users to send and receive digitally signed and encrypted emails. Let’s see the available settings that can be configured.

  • Enable S/MIME: Select Yes to enable S/MIME while composing an email. Admins can choose to allow users to change the setting by selecting YES.
  • Encrypt all emails: Select Yes to encrypt all emails. This will convert the data to cipher text that can only be read by the intended recipients.
  • Sign all emails: When YES is selected, a digital signature is applied to all emails to verify their authenticity and ensure that the email has not been tampered with on its way from the sender.
  • LDAP URL: Define the LDAP hostname where the clients can get the public encryption key for email recipients.
How to Create Application Configuration Policies for Managed Apps in Intune Fig: 6

Now, click Next, and on the Assignments page, assign the configuration policy to a user group (device groups are not supported). Click on Next, review the settings, and create the policy.

How to Create Application Configuration Policies for Managed Apps in Intune Fig: 7

We have taken the Outlook app and Word for configurations in our above discussion. If we had selected the Edge browser, we would get a few additional configuration settings for the Edge browser, like adding Bookmarks, blocking websites, etc. These settings are specific to the Edge browser.

How to Create Application Configuration Policies for Managed Apps in Intune Fig: 8

Intune provides application-specific configurations, as shown for Edge and Outlook, which can be used to change the application’s default behavior as per your requirements. If you have custom apps/Line of Business apps, we can apply the configurations per the application’s documentation.

User Experience

Let’s see how the user sees the app’s behavior after applying the Application Configuration policies on both the Outlook app and Edge browser.

How to Create Application Configuration Policies for Managed Apps in Intune Fig: 9

After setting up the Outlook app, I was prompted to encrypt the data and click Apply now. After completing the sync, the Focused Inbox is removed. Users can enable the Focused Inbox again from Outlook app settings. Let’s see the behavior on the Edge browser.

How to Create Application Configuration Policies for Managed Apps in Intune Fig: 10

As soon as I signed in to Edge browser, I was presented with the Home Page shortcut icon below the address bar, which you can observe in the second screenshot of the above image. The Bookmarks we configured can be observed under Favourites >> Organization Favorites. This way, we can deploy Bookmarks to help users access important organizational sites without any user intervention.

Conclusion

Well, that’s all for this article. I hope you found it informative and helpful. If you have any questions or comments, feel free to leave them below. Thanks for reading! We will be back with another interesting topic. Until next time! Have a good learning.

Author

About Author: Narendra Kumar Malepati (Naren) has 11+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and MacOS.

2 thoughts on “How to Create Application Configuration Policies for Managed Apps in Intune”

  1. I’m working with a client to enable the Contact Sync for Outlook and we applied the policies to our pilot group yesterday (18 hours ago), and the option to enable “Save contacts” is still not enabled (default Outlook setting). However, if a user removes the email profile from Outlook and adds it back, these policies then take effect immediately and the contacts are successfully syncing.

    I’m questioning the timing of when this policy will enable this for the users. Microsoft says that if we have an App Protection Policy applied to the same users (and we do), then it should only take 30 minutes. Maybe we’re just not waiting long enough, but I’m curious if these policies actually do retroactively apply to email accounts already setup in Outlook and under an App Protection Policy.
