If you are responsible for creating Entra Conditional Access policies, you may have noticed that Microsoft has put the “Require approved client app” control on the soon-to-be-extinct list. Instead, the newer “Require app protection policy” control should be used.
Microsoft stated that the older control will stop being enforced in March 2026, so it will be as if it does not exist (more information can be found here: Migrate approved client app to application protection policy in Conditional Access - Microsoft Entra ID | Microsoft Learn). This knowledge base article focuses on migrating from one control to the other. The migration path has you selecting both controls (illustrated above) and requires one of the selected controls. This provides a simple and smooth migration path.
Knowing that the older control will soon be eliminated, you may want to configure new Conditional Access policies with only the “Require app protection policy” control. This article focuses on the idiosyncrasies of using the newer control with iOS devices enrolled in Intune, which offers benefits over the older control – but also requires additional planning and configuration.
The “Require app protection policy” control requires that a given app has an Intune app protection policy applied to the app. The app protection policies provide control over how data is accessed and shared with other apps on mobile devices (iOS or Android). Additionally, they can apply restrictions or monitor activities within the app. Some benefits of app protection policies are:
- They can disallow copying and pasting of data into an app that is not managed and does not have its own app protection policy (personally owned apps)
- Restrict access to corporate data
- Prevent backing up of data
- Require a pin or biometrics to access the app
- Device enrollment is not required to protect corporate data
Using the “Require app protection” control is simple and seamless on Android devices. For iOS devices, however, using this control requires some additional configuration work to ensure users clear the Conditional Access policy. It is not sufficient to simply create the policy to satisfy the Conditional Access policy. If the proper steps are not followed, users will receive the message shown below when trying to access data.
For the example above, a Conditional Access policy was configured with the following settings:
- Name: Block ActiveSync Access
- Users: All users
- Target resources: Office 365 Exchange Online
- Conditions: Device platforms à Android and iOS
- Grant: Require app protection policy
A general app protection policy has been configured that applies to all iOS managed apps. Despite this, users receive the misleading message shown above that suggests that an app protection policy has not been assigned.
To prevent this from happening, here are the steps that must be performed for iOS devices.
The first requirement is that Apple volume purchase program (VPP) apps must be used to satisfy the Conditional Access policy. Although app protection policies are applied to iOS store apps, only managed apps with app protection policies satisfy the Conditional Access policy and only VPP apps can be managed. This means iOS store apps cannot be installed on the device. If an iOS version of the app is installed at the time of device enrollment, a VPP app will not be pushed down via Intune. The user will not be notified and the user will fail the Conditional Access policy. The fix is to uninstall the iOS store version of the app and allow Intune to reinstall if the app is required. The user can also install the app via the Company Portal if the app is assigned.
The next requirement is that an app configuration policy needs to be created for each app that will be subjected to the Conditional Access policy. The app configuration policy needs to include the following configuration keys:
Once these steps are completed, iOS users will successfully pass a Conditional Access policy with the “Require app protection policy” control. This will ensure that users will only be allowed to use apps that have corresponding app protection policies that, in turn, allow organizations to control how users are accessing organization data and what they are doing with it.