Let’s talk about something that doesn’t usually come up during your morning coffee chat—but probably should if you’re handling sensitive client data on mobile devices.
Law firms, accounting offices, healthcare providers—anyone dealing with confidential information—need to take mobile device security seriously.
The problem? Most employees don’t want to carry two phones (one for work, one for personal use). And most firms don’t want to manage personal devices. So how do you protect sensitive client information on devices you don’t own?
This is where Microsoft Intune’s App Protection Policies come in. They let you separate work data from personal data—without locking down the entire phone. That means your team can use their own devices (BYOD-style), and you can still control what happens with your firm’s data.
And if you’re working in a firm that lives and breathes confidentiality, this isn’t just useful—it’s essential.
In this guide, we’re walking through how to set up App Protection Policies in Microsoft Intune step-by-step. No buzzwords. No IT-speak. Just real advice from a cybersecurity team that works with law firms and regulated businesses every day.
Let’s get into it.
What Exactly Is an App Protection Policy?
App Protection Policies (APPs) are rules you set up in Intune to make sure your organization’s data stays safe—even on devices you don’t manage.
For example, let’s say one of your paralegals checks Outlook on their personal iPhone. With App Protection Policies, you can:
- Prevent them from copying and pasting client emails into personal apps
- Wipe corporate data from the device if they leave the firm
- Require a PIN to open work apps
And all of this happens without touching their personal photos, texts, or apps. Think of it like putting your firm’s data in a secure container that rides along with the app—not the device.
Why Should Law Firms (And Similar Businesses) Care?
Because data leaks don’t just cost money—they destroy trust.
One accidental copy-paste from Outlook into Notes, and boom—you’ve just put confidential client info at risk. The legal industry is under increasing pressure to keep data secure, and regulators are cracking down harder every year.
App Protection Policies are a way to keep your firm secure without making your team’s lives miserable. You’re not asking them to carry two phones.
You’re not invading their privacy. You’re simply saying, “If you want to access client data from your phone, it has to follow our rules.”
This is about balance: security and flexibility.
How Do I Set Up App Protection Policies in Microsoft Intune?
Let’s break this down into real steps. No fluff.
1. Log Into Microsoft Intune Admin Center
Go to: https://intune.microsoft.com
Use your admin credentials. You’ll land on the Microsoft Endpoint Manager dashboard.
📝 Tip: Make sure you have the right Intune licenses assigned before setting policies. Microsoft 365 Business Premium includes this.
2. Navigate to App Protection Policies
Once you’re in the Intune dashboard:
- Select Apps
- Then choose App protection policies
From here, you’ll see a list (probably empty if you’re just starting). Click + Create Policy.
3. Choose Platform
You’ll need to select a platform. Your options are:
- iOS/iPadOS
- Android
- Windows (preview)
Start with the platform most commonly used by your team. You can always duplicate the policy for other platforms later.
4. Define the Policy Settings
Here’s where the magic happens.
You’ll go through a series of tabs:
a) Name & Description
Something clear like “iOS App Protection – Legal Team”
b) Target Apps
Choose the apps where you want this policy applied. Microsoft apps like Outlook, OneDrive, and Teams are common picks.
You can also include approved third-party apps that support Intune policies.
c) Data Protection
These settings control what users can and can’t do with work data. Some key ones:
-
Prevent copy/paste: Yes (but maybe allow paste into the app)
-
Restrict save-as: Yes
-
Encrypt app data: Always
d) Access Requirements
Set how users access these apps:
-
Require PIN for access: Yes
-
Fingerprint or Face ID: Optional but recommended
-
Recheck access after idle: Yes (set time limit)
e) Conditional Launch
What happens if a device doesn’t meet the policy?
You can block access or wipe data from the app.
5. Assign the Policy
Now you assign the policy to a group of users. Ideally, you’ve already created user groups in Azure AD like:
- Legal Team
- HR Team
- All Staff
Choose the appropriate group and click Next, then Create.
You’re done!
The policy will now apply the next time users open those apps.
Common Mistakes to Avoid
Even with a step-by-step guide, things can still go sideways. Here are a few things we see firms mess up:
Assigning Policies to Devices Instead of Users
App Protection Policies are user-based, not device-based. Assign them to users—not devices.
Skipping Conditional Access
Without Conditional Access policies, users might bypass protections by logging into unmanaged browsers. Pair APPs with Conditional Access to block that.
Not Communicating With Staff
Don’t roll out new policies without telling your team. Be transparent: explain what the policy does (and doesn’t do). Reassure them their data isn’t touched.
FAQs
Will this wipe a user’s data if they leave the firm?
Nope. It only wipes the corporate data inside the managed apps.
What if a staff member uses Gmail or another personal app for work email?
You should block that. Only allow approved apps (like Outlook) for work accounts. That’s part of the policy.
Do we need Company Portal installed?
Yes, users will typically need the Microsoft Company Portal app to register their device—even if it’s not being fully managed.
Can I enforce different rules for partners vs paralegals?
Absolutely. Just create separate policies and assign them to different groups.
Real Talk: Why AKAVEIL Recommends This
At AKAVEIL Technologies, we help law firms and professional services secure their data without turning their teams into IT experts. And honestly, App Protection Policies are one of the smartest, easiest ways to do that.
You don’t have to lock down entire devices. You don’t need to micromanage every click. You just protect the data where it lives—inside the apps your team uses every day.
We can help you set this up, test it, train your team, and keep everything secure behind the scenes.
Because at the end of the day, you should be focused on clients—not worrying if someone just emailed a brief from their Gmail account.
Conclusion
App Protection Policies in Microsoft Intune are a smart way to protect your firm’s data, even when your team is using personal devices.
They give you the power to control access, prevent leaks, and wipe sensitive info—without overreaching into your employees’ stuff.
It’s flexible security that works in the real world. So, now that you know what App Protection Policies can do and how to set them up…
What’s holding your firm back from putting these protections in place?
