You can use Intune app protection policies independent of any mobile-device management (MDM) solution which means ,if you device is already enrolled to airwatch ,mobile iron,black berry ,these devices can still be managed with intune using Mobile application Management (MAM).
we are into MAM (MAM-WE) and no enrollment . So when we setup intune MAM protection policy ,we choose Require PIN in Access requirements with value 4 (user is prompted to set up this PIN the first time they run the app in a work or school context.)
As you can see below ,the access requirement settings, we have setup the PIN length with 4 ,and also allowed touch ID .So users can use touch ID to access the work apps without entering the PIN always.
After few months ,due to security reasons ,we have decided to change the PIN to 6 digit from 4 digit but before we change it in production,we need to ensure ,how does it impact the end-user and what are the guidelines to send to them.
So as part of testing ,I have created new intune app protection policy and applied to AD sec group (test users) with select minimum PIN length to 6.
When the policy is deployed to users ,it wont apply immediately . Take a look at this article explaining about App Protection Policy delivery timing https://docs.microsoft.com/en-us/intune/app-protection-policy-delivery
you can also use intune App Protection Report for iOS, Android to see what MAM policies are applied to user with apps as well and it also tell you ,the next available policy to the user .
When i deployed the policy to myself, i need to wait for 30 min and try to launch intune managed application (teams, outlook etc) .
when i did that ,i was expecting ,the app will fetch new policies from intune and prompt me to change the PIN length from 4 to 6 but it simply ask for touch ID and entered into teams application.
so i decided to try one more time,after few min of app inactivity ,i relaunch the app again ,this time ,i cancel the touch ID and see what happens next.
Click on Cancel when it prompt for touch ID
You will be promoted with following screen, Update PIN :Your organization has made changes that require you to update your PIN.
Click on Reset PIN
Key in 6 digit PIN and press enter
It will prompt again to re-enter PIN for confirmation and you are done.
When you apply this policy to all your users ,make sure you inform how does this policy impact them and if possible with simple steps as said above for good end-user experience.
Unless the touchID or users click cancel touchID ,PIN change policy will never appear to users.
Hope it helps !
4 Comments
How can you reset PIN for the APP? (Once user forgot)
Hi,
On the MAM protected app, user can see reset PIN option and it will take through the authentication and ask for new PIN.
Thanks,
Eswar
This doesn't work on old Android phones on Teams, and at the same time you can't block old Android versions to use the Teams app.
You can use mam protection policies to block the os version when launching app. What you mean old andriod versions? Are they running 4.0 or so?