
Making the Most of App Protection Policies in Intune: New Functionality Section and Settings

As an IT professional, one of the tools I find myself recommending to every client is App Protection Policies in the Intune Admin Center. This tool is one of the most effective and straightforward ways to protect company data while still giving users the flexibility they expect when working across devices. Over the years, I’ve written about App Protection Policies multiple times, but Microsoft has recently added a new Functionality section that makes them even more powerful. This update, along with a handful of new settings, is worth taking a closer look at.

If you’re not familiar with App Protection Policies, you can read Microsoft’s full documentation here: https://learn.microsoft.com/en-us/intune/intune-service/apps/app-protection-policy

At a high level, these policies let organizations define what users can and cannot do with organizational data on their devices. For example, you can control whether company data can be saved locally, whether it can be copied into personal apps, or whether features like printing or screen capturing are allowed. Think of them as a guardrail keeping sensitive data protected without necessarily requiring full device management.

Why I Recommend App Protection Policies

From my perspective, App Protection Policies strike an ideal balance. Many organizations want to support Bring Your Own Device (BYOD) scenarios, but don’t want to require full enrollment or impose heavy-handed controls on personal phones. With App Protection Policies, you can let users install apps like Outlook or Teams on their personal devices while still ensuring corporate data is safe.

Controls like restricting cut/copy/paste, blocking backup to personal storage locations, or preventing unapproved apps from accessing organizational data are relatively easy to configure. Even better, users can continue to work the way they want, without IT having to compromise security standards. That’s why I’m such a strong advocate for deploying them.

The New Functionality Section

Microsoft recently introduced a dedicated Functionality section within App Protection Policies. At first glance, this may seem like a simple reorganization, but it really improves manageability by grouping certain settings that govern how apps behave when handling company data.

Some existing features like Sync Policy Managed App Data with Native Apps or Add-ins were moved into this section. This particular setting controls whether company data in apps like Outlook can sync to native device features like contacts or calendars. Many organizations choose to allow this because users expect their work calendar and contacts to show up on their phone’s native apps. Still, the ability to block it is a powerful option for organizations that need stricter controls.

Other existing controls such as Printing Org Data and Restrict Web Content Transfer to Other Apps now also live here. While printing from a mobile device isn’t always recommended from a security perspective, many companies do allow it. Having these settings grouped together makes them easier to find, understand, and manage.

Four New Settings You Should Know About

Along with this reorganization, Microsoft has also added four new settings that make App Protection Policies even more flexible.

1. Org Data Notifications

This setting lets you control what organizational data appears in notifications. You can block notifications entirely, block only the data portion, or allow all notifications. Most organizations will choose to allow notifications since apps like Outlook or Teams are far less useful without them. Still, the option to block them is valuable for high-security scenarios.

2. Genmoji

Apple’s new “Genmoji” feature can now be controlled inside policy-managed apps. You can block or allow it. Personally, I recommend blocking it in most cases. While it’s a fun consumer feature, it introduces potential for non-work-related content to enter the workspace, which isn’t usually a priority for IT.

3. Screen Capture

This is one of the most impactful additions. Screen capture has long been a pain point on iOS devices. In the past, IT admins had to create additional configuration policies to control it, which added complexity. Now, it’s simply an Allow or Block option directly in the App Protection Policy. For sensitive industries, blocking screen capture is the best choice, but for organizations that rely on screenshots as part of workflows, the option to allow it is equally important.

4. Writing Tools

Finally, Microsoft has added the ability to allow or block writing tools in policy-managed applications. This matters most for devices like iPads or Surface tablets where stylus input is common. Most organizations will allow it, since blocking it could hinder productivity. But again, the flexibility to choose is what makes this feature useful.

Why These Updates Matter

While each of these changes might seem small in isolation, together they significantly improve how admins can fine-tune App Protection Policies. Grouping related items into the new Functionality section reduces confusion and makes policies easier to manage. Meanwhile, the new controls, especially Screen Capture and Org Data Notifications, close important gaps that admins have been asking Microsoft to address for years.

For me, these updates reinforce why App Protection Policies remain one of the easiest and most impactful security measures available in Intune. They’re not just about locking things down; they’re about empowering organizations to strike the right balance between security and usability.

Final Thoughts

If you haven’t revisited your App Protection Policies recently, now is the perfect time. Review the new Functionality section, evaluate the four new settings, and decide what makes sense for your organization.

As always, I encourage clients to start with the most restrictive policies they can reasonably enforce, then relax controls only where it improves user experience without introducing unnecessary risk. The beauty of App Protection Policies is that they give you the flexibility to find that sweet spot. Microsoft continues to invest in this space, and these latest updates make an already great feature even better. If you’re looking for a straightforward way to protect company data on personal devices, App Protection Policies are absolutely worth your time.
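The "start restrictive, relax only with a reason" approach can be checked mechanically. The following is an added example, not code from the author or Microsoft: it audits a policy's Functionality settings against a most-restrictive baseline and a register of approved exceptions. The dict layout, value strings and exception records are assumptions constructed for illustration, keyed by the portal labels used in this article rather than any Graph API schema.

```python
# Added example: names follow the portal labels in this article; the dict
# layout, value strings and exception records are constructed, not an
# Intune or Microsoft Graph export schema.

# Values for each setting, ordered from most to least restrictive.
LEVELS = {
    "Org Data Notifications": ["Block", "Block org data", "Allow"],
    "Genmoji": ["Block", "Allow"],
    "Screen Capture": ["Block", "Allow"],
    "Writing Tools": ["Block", "Allow"],
    "Printing Org Data": ["Block", "Allow"],
}

# Constructed sample policy: "Printing Org Data" is deliberately missing.
SAMPLE_POLICY = {
    "Org Data Notifications": "Allow",
    "Genmoji": "Block",
    "Screen Capture": "Allow",
    "Writing Tools": "Allow",
}

# Constructed exception register: least restrictive value approved per setting.
SAMPLE_EXCEPTIONS = {
    "Org Data Notifications": {"max": "Block org data", "reason": "lock-screen alerts"},
    "Writing Tools": {"max": "Allow", "reason": "productivity"},
}

def audit(policy, exceptions):
    """Return (setting, value, finding) for each setting that is missing,
    invalid, or relaxed further than the exception register approves."""
    findings = []
    for setting, levels in LEVELS.items():
        value = policy.get(setting)
        if value is None:
            findings.append((setting, None, "not configured"))
        elif value not in levels:
            findings.append((setting, value, "unknown value"))
        elif levels.index(value) > 0:  # relaxed from the most restrictive value
            approved = exceptions.get(setting)
            if approved is None:
                findings.append((setting, value, "relaxed without justification"))
            elif levels.index(value) > levels.index(approved["max"]):
                findings.append((setting, value, "relaxed beyond approved level"))
    return findings

if __name__ == "__main__":
    for setting, value, finding in audit(SAMPLE_POLICY, SAMPLE_EXCEPTIONS):
        print(f"{setting}: {value!r} -> {finding}")
```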

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
