Intune Lab: Block Printing of Corporate Data on iOS (Managed Apps)

Lab Goal

Prevent users from printing corporate data from managed iOS apps by configuring an App Protection Policy (MAM) in Microsoft Intune.


Lab Scenario

Your Microsoft 365 subscription has 1,000 iOS devices and includes Microsoft Intune. You must stop users from printing corporate content from apps like Outlook, Word, Excel, Teams, and other managed apps.

Correct solution: Configure an App Protection Policy (APP) for iOS.


Prerequisites

  • Intune admin access (or Endpoint Security / Policy role with APP permissions)
  • iOS users have supported apps installed (example: Outlook, Word, Teams)
  • Users sign into apps using their corporate account
  • Devices can be corporate-owned or BYOD (APP works for both)

Lab Plan

  1. Create an iOS App Protection Policy
  2. Configure data transfer restrictions to block printing
  3. Assign the policy to users
  4. Validate on an iPhone/iPad
  5. Troubleshoot common issues

Step 1: Create the iOS App Protection Policy

  1. Go to Intune admin center
  2. Navigate to:
    Apps → App protection policies
  3. Select: Create policy
  4. Choose:
    • Platform: iOS/iPadOS
    • Policy type: (Standard) App protection policy

Step 2: Select Target Apps (Managed Apps)

Choose the apps you want to protect, such as:

  • Microsoft Outlook
  • Microsoft Teams
  • Microsoft Word / Excel / PowerPoint
  • OneDrive (optional depending on your data flow needs)

Best practice: Start with Microsoft 365 apps only, then expand.


Step 3: Configure Printing and Data Sharing Restrictions

Go to Data protection settings in the policy and configure:

A) Block printing via the iOS Share sheet

Look for settings related to restricting data transfer to unmanaged apps or share actions.

Set the policy to prevent corporate data from being shared outside managed contexts.

Common setting to use:

  • Send org data to other apps = Policy-managed apps (or stricter)
  • Restrict cut, copy, and paste between other apps = Policy-managed apps

This prevents corporate data from being passed to unmanaged print workflows through the iOS share menu.

B) Optional: Add extra DLP controls (recommended)

  • Save copies of org data = Block (if you want to prevent saving to Files app)
  • Allow backup = Block (for BYOD)
  • Allow screen capture = Block (if needed)

Note: Exact setting labels can vary slightly as Microsoft updates the UI, but all controls are within the iOS App Protection Policy “Data protection” section.


Step 4: Configure Access Requirements (Recommended)

Go to Access requirements and set:

  • PIN for access = Required
  • Minimum PIN length = 6
  • Biometric instead of PIN = Allow (recommended)
  • Recheck access requirements = 30 minutes (or your standard)

This ensures protected data is not easily accessed and reinforces the policy.


Step 5: Configure Conditional Launch (Recommended)

Go to Conditional launch and configure:

  • Jailbroken/rooted devices = Block access
  • Minimum iOS version = Set to your org standard
  • Offline grace period = 24 hours (typical)

Step 6: Assign the Policy

  1. Open the policy
  2. Go to Assignments
  3. Target:
    • A pilot group first (recommended)
    • Then expand to larger user groups

Important: APP is applied to users, not device groups.


Step 7: Validate on an iPhone/iPad (Test Procedure)

On the test iPhone:

  1. Install Microsoft Outlook (or another targeted app)
  2. Sign in with the corporate user included in the assignment
  3. Open a corporate email with an attachment or text
  4. Try to print:
    • Use the Share button
    • Attempt Print

✅ Expected result:

  • Print option is blocked or unavailable for protected content
  • Corporate data cannot be routed to unmanaged print actions

Step 8: Monitoring and Verification

In Intune

  • Go to: Apps → Monitor → App protection status
  • Review:
    • User status
    • App status
    • Errors and last check-in

On device

In the app (Outlook/Teams):

  • Look for “Your organization is now protecting its data” type prompts
  • Confirm PIN prompt appears when launching the app (if configured)
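
An offline check of the Step 3 and Step 4 settings, added here as an example (not part of the original lab or of Microsoft's tooling): it audits one policy object in the JSON shape Microsoft Graph uses for the iosManagedAppProtection resource. The sample policy is constructed, the optional DLP controls are treated as required, and printBlocked is a Graph property that the steps above do not name.

```python
import json

# Constructed sample: one iosManagedAppProtection object in the shape returned
# by GET /deviceAppManagement/iosManagedAppProtections. Values are invented
# for this example, not taken from a real tenant.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "iOS APP - pilot (constructed)",
  "isAssigned": true,
  "allowedOutboundDataTransferDestinations": "allApps",
  "allowedOutboundClipboardSharingLevel": "managedApps",
  "printBlocked": false,
  "saveAsBlocked": true,
  "dataBackupBlocked": true,
  "pinRequired": true,
  "minimumPinLength": 4
}
""")

# Graph property -> (portal label, predicate that is True when compliant)
CHECKS = {
    "isAssigned": ("Policy assigned to a user group", lambda v: v is True),
    "allowedOutboundDataTransferDestinations": (
        "Send org data to other apps", lambda v: v in ("managedApps", "none")),
    "allowedOutboundClipboardSharingLevel": (
        "Restrict cut, copy, and paste between other apps",
        lambda v: v in ("managedApps", "blocked")),
    "printBlocked": ("Printing (Graph flag printBlocked)", lambda v: v is True),
    "saveAsBlocked": ("Save copies of org data", lambda v: v is True),
    "dataBackupBlocked": ("Allow backup", lambda v: v is True),
    "pinRequired": ("PIN for access", lambda v: v is True),
    "minimumPinLength": ("Minimum PIN length",
                         lambda v: isinstance(v, int) and v >= 6),
}

def audit_policy(policy):
    """Return (property, label, actual value) for every failed check.
    A missing property counts as a failure so partial exports are not trusted."""
    findings = []
    for prop, (label, ok) in CHECKS.items():
        value = policy.get(prop)
        if not ok(value):
            findings.append((prop, label, value))
    return findings

if __name__ == "__main__":
    for prop, label, value in audit_policy(SAMPLE_POLICY):
        print(f"FAIL {label}: {prop} = {value!r}")
```
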

Troubleshooting (Fast Fix Checklist)

Issue: Policy doesn’t apply

  • Confirm user is targeted
  • Confirm the app is included in the policy
  • Confirm user signed into the app with the corporate account
  • Wait for policy sync (or restart the app)

Issue: Printing still works

  • Ensure “Send org data to other apps” isn’t set to “All apps”
  • Make sure you’re testing with corporate data inside a managed app
  • Confirm you’re not testing a non-managed app

Issue: BYOD device not enrolled

That’s fine. APP does not require device enrollment.


Rollback Plan (Safe)

To revert:

  1. Remove the user from the assignment group, or
  2. Delete/disable the App Protection Policy
  3. Have the user close and reopen the apps

Lab Result

You successfully prevented printing of corporate data from managed iOS apps using an iOS App Protection Policy, which is the correct Intune control for app-level data handling restrictions.

