.png)
Attribute | Description | Backed up | Restorable |
| allowedDataIngestionLocations | Data storage locations where a user may store managed data. Inherited from managedAppProtection | Yes | Yes |
| allowedDataStorageLocations | Data storage locations where a user may store managed data. Inherited from managedAppProtection | Yes | Yes |
| allowedInboundDataTransferSources | Sources from which data is allowed to be transferred. Inherited from managedAppProtection | Yes | Yes |
| allowedIosDeviceModels | Semicolon-separated list of device models allowed, as a string, for the managed app to work. (iOS only) | Yes | Yes |
| allowedOutboundClipboardSharingExceptionLength | Number of characters that may be cut or copied from Org data and accounts to any application. | Yes | Yes |
| allowedOutboundClipboardSharingLevel | The level to which the clipboard may be shared between apps on the managed device. Inherited from managedAppProtection. | Yes | Yes |
| allowedOutboundDataTransferDestinations | Destinations to which data is allowed to be transferred. Inherited from managedAppProtection. | Yes | Yes |
| allowWidgetContentSync | Indicates if content sync for widgets is allowed for iOS on app protection policies. | Yes | Yes |
| appActionIfAccountIsClockedOut | Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time). | Yes | Yes |
| appActionIfDeviceComplianceRequired | Defines a managed app behavior, either block or wipe, when the device is either rooted or jailbroken( if DeviceComplianceRequired is set to true). | Yes | Yes |
| appActionIfIosDeviceModelNotAllowed | Defines a managed app behavior, either block or wipe, if the specified device model is not allowed. (iOS only) | Yes | Yes |
| appActionIfMaximumPinRetriesExceeded | Defines a managed app behavior, either block or wipe, based on maximum number of incorrect pin retry attempts. Inherited from managedAppProtection. | Yes | Yes |
| appActionIfUnableToAuthenticateUser | Specifies what action to take in the case where the user is unable to check in because their authentication token is invalidbecause the user has been deleted or disabled. | Yes | Yes |
| appDataEncryptionType | Type of encryption which should be used for data in a managed app. (iOS only) | Yes | Yes |
| appGroupType | Public apps selection: group or individual . Inherited from targetedManagedAppProtection | Yes | Yes |
| blockDataIngestionIntoOrganizationDocuments | Indicates whether a user can bring data into org documents. Inherited from managedAppProtection | Yes | Yes |
| contactSyncBlocked | Indicates whether contacts can be synced to the user's device. Inherited from managedAppProtection | Yes | Yes |
| createdDateTime | The date and time the policy was created. Inherited from managedAppPolicy | Yes | Yes |
| customBrowserProtocol | A custom browser protocol to open internet links on iOS. (iOS only) | Yes | Yes |
| customDialerAppProtocol | Protocol of a custom dialer app to click-to-open a phone number on iOS. | Yes | Yes |
| dataBackupBlocked | Indicates whether the backup of a managed app's data is blocked. Inherited from managedAppProtection | Yes | Yes |
| deployedAppCount | Number of apps to which the current policy is deployed. | Yes | Yes |
| description | Description of the policy. Inherited from managedAppPolicy | Yes | Yes |
| deviceComplianceRequired | Indicates whether device compliance is required. Inherited from managedAppProtection | Yes | Yes |
| deviceLockRequired | Defines if any kind of lock must be required on Android devices. | Yes | Yes |
| dialerRestrictionLevel | Lists the classes of dialer apps that are allowed to click-to-open a phone number. Inherited from managedAppProtection. | Yes | Yes |
| disableAppPinIfDevicePinIsSet | Indicates whether use of the app pin is required if the device pin is set. Inherited from managedAppProtection | Yes | Yes |
| disableProtectionOfManagedOutboundOpenInData | Disables protection of data transferred to other apps through IOS OpenIn option. (iOS Only) | Yes | Yes |
| displayName | Policy display name. Inherited from managedAppPolicy | Yes | Yes |
| exemptedAppProtocols | Lists iOS apps that will be exempt from the policy and will be able to receive data from managed apps. (iOS only) | Yes | Yes |
| exemptedUniversalLinks | Lists custom URLs that are allowed to invoke an unmanaged app. | Yes | Yes |
| faceIdBlocked | Indicates whether the use of the FaceID is allowed in place of a pin if pinRequired is set to True. | Yes | Yes |
| filterOpenInToOnlyManagedApps | Defines if open-in operation is supported from the managed app to the file-sharing locations selected. (iOS only) | Yes | Yes |
| fingerprintBlocked | Indicates whether use of the fingerprint reader is allowed in place of a pin if PinRequired is set to True. Inherited from managedAppProtection | Yes | Yes |
| gracePeriodToBlockAppsDuringOffClockHours | Specifies the grace period before app access is blocked during off clock hours. Inherited from managedAppProtection | Yes | Yes |
| id | Key of the entity. Inherited from managedAppPolicy | Yes | No |
| lastModifiedDateTime | Last time the policy was modified. Inherited from managedAppPolicy | Yes | Yes |
| managedBrowser | Indicates in which managed browser(s) internet links should be opened. | Yes | Yes |
| managedBrowserToOpenLinksRequired | Indicates whether internet links should be opened in the managed browser app or any custom browser specified by CustomBrowserProtocol (for iOS) or CustomBrowserPackageId / CustomBrowserDisplayName (for Android) Inherited from managedAppProtection | Yes | Yes |
| managedUniversalLinks | Lists custom URLs that are allowed to invoke a managed app. | Yes | Yes |
| maximumAllowedDeviceThreatLevel | Maximum allowed device threat level, as reported by the MTD app Inherited from managedAppProtection. | Yes | Yes |
| maximumPinRetries | Maximum number of incorrect pin retry attempts before the managed app is either blocked or wiped. Inherited from managedAppProtection | Yes | Yes |
| maximumRequiredOsVersion | Versions higher than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| maximumWarningOsVersion | Versions higher than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| maximumWipeOsVersion | Versions higher than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| messagingRedirectAppUrlScheme | Defines the app URL redirect schemes which are allowed to be used when a redirection is enforced by protectedMessagingRedirectAppTyp. | Yes | Yes |
| minimumPinLength | Minimum pin length required for an app-level pin if PinRequired is set to True. Inherited from managedAppProtection | Yes | Yes |
| minimumRequiredAppVersion | Versions lower than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| minimumRequiredOsVersion | Versions lower than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
| minimumRequiredSdkVersion | Versions lower than the specified version will block the managed app from accessing company data. (iOS only) | Yes | Yes |
| minimumWarningAppVersion | Versions lower than the specified version will result in a warning message on the managed app. Inherited from managedAppProtection | Yes | Yes |
| minimumWarningOsVersion | Versions lower than the specified version will result in a warning message on the managed app. Inherited from managedAppProtection | Yes | Yes |
| minimumWarningSdkVersion | Versions lower than the specified version will result in warning message on the managed app when accessing company data. (iOS only) | Yes | Yes |
| minimumWipeAppVersion | Versions lower than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection | Yes | Yes |
| minimumWipeOsVersion | Versions lower than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection | Yes | Yes |
| minimumWipeSdkVersion | Versions lower than the specified version will block the managed app from accessing company data. | Yes | Yes |
| mobileThreatDefensePartnerPriority | Indicates how to prioritise which mobile threat defense partner is enabled for a given platform, when more than one is enabled. | Yes | Yes |
| mobileThreatDefenseRemediationAction | Determines what action to take if the mobile threat defense threat threshold isn't met. | Yes | Yes |
| notificationRestriction | Specifies the level of restriction for app notifications. Inherited from managedAppProtection. | Yes | Yes |
| organizationalCredentialsRequired | Indicates whether organisational credentials are required for app use. Inherited from managedAppProtection | Yes | Yes |
| periodBeforePinReset | Specifies the time period before the all-level pin must be reset if PinRequired is set to True. Inherited from managedAppProtection | Yes | Yes |
| periodOfflineBeforeAccessCheck | Specifies the time period after which access is checked when the device is not connected to the internet. Inherited from managedAppProtection | Yes | Yes |
| periodOfflineBeforeWipeIsEnforced | Specifies the time period an app is allowed to remain disconnected from the internet before all managed data is wiped. Inherited from managedAppProtection | Yes | Yes |
| periodOnlineBeforeAccessCheck | Specifies the time period after which access is checked when the device is connected to the internet. Inherited from managedAppProtection | Yes | Yes |
| pinCharacterSet | Character set which may be used for an app-level pin if PinRequired is set to True. Inherited from managedAppProtection. | Yes | Yes |
| pinRequired | Indicates whether an app-level pin is required. Inherited from managedAppProtection | Yes | Yes |
| pinRequiredInsteadOfBiometricTimeout | Timeout in minutes for an app pin when required instead of a non-biometric passcode. Inherited from managedAppProtection | Yes | Yes |
| previousPinBlockCount | Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection | Yes | Yes |
| printBlocked | Indicates whether printing is allowed from managed apps. Inherited from managedAppProtection | Yes | Yes |
| protectedMessagingRedirectAppType | Defines how app messaging redirection is protected by an app protection policy. Inherited from managedAppProtection. | Yes | Yes |
| protectInboundDataFromUnknownSources | Protects incoming data from unknown sources. (iOS only) | Yes | Yes |
| roleScopeTagIds | List of scope tags for this entity instance. Inherited from managedAppPolicy | Yes | Yes |
| saveAsBlocked | Indicates whether users may use the "Save As" menu item to save a copy of protected files. Inherited from managedAppProtection | Yes | Yes |
| simplePinBlocked | Indicates whether simplePin is blocked. Inherited from managedAppProtection | Yes | Yes |
| targetedAppManagementLevels | The intended app management levels for this policy. Inherited from targetedManagedAppProtection. | Yes | Yes |
| thirdPartyKeyboardsBlocked | Defines if third party keyboards are allowed while accessing a managed app. (iOS only) | Yes | Yes |
| version | Version of the entity. Inherited from managedAppPolicy | Yes | Yes |
1622 - Microsoft Intune supported attributes: iOS app protection policy Print
Modified on: Wed, 6 Aug, 2025 at 2:44 PM
Did you find it helpful? Yes No
Send feedbackSorry we couldn't be helpful. Help us improve this article with your feedback.
 1.png)