Issue – Attachments are getting uploaded to Safari Browser
I created an app protection policy and applied it to Edge, Outlook, OneDrive and Word for iOS.
Main policies related to transfer of data:
Send org data to other apps – Policy managed apps
Receive data from other apps – All apps
Restrict cut, copy, and paste between other apps – Policy managed apps with paste in
I can successfully transfer my data to the Edge browser, but I don't want to allow the data transfer to Safari or any browser.
Note – The normal cut, copy, paste was working fine; they were not getting copied.
The main concern was with the attachments. They are getting uploaded via Safari browser, which was not expected as Safari was not a managed app.
How it happened?
1. Created some files in OneDrive for test.
2. Opened a website in Safari browser for uploading test attachments.
3. Browsed through locations and selected OneDrive as a source.
4. Clicked on OneDrive test file and it got uploaded.
Summary – As per policy, the data was not getting copied but the attachments are getting uploaded to unmanaged apps.
Tested device – iPad running on OS version 14.2
Want to know why this happened and the way to fix this issue.
Answer ( 1 )
I think the following are the two configurations you might need to look into to block app to app data transfer, especially corporate data.
This is related to Intune MAM data transfer policies
Send Org data to other apps – Specify what apps can receive data from this app:
All apps: Allow the transfer to any app. The receiving app will have the ability to read and edit the data.
None: Do not allow data transfer to any app, including other policy-managed apps. If the user performs a managed open-in function and transfers a document, the data will be encrypted and unreadable.
Policy managed apps: Allow transfer only to other policy-managed apps.
Note: Users may be able to transfer content via Open-in or Share extensions to unmanaged apps on unenrolled devices or enrolled devices that allow sharing to unmanaged apps. Transferred data is encrypted by Intune and unreadable by unmanaged apps.
Policy managed apps with OS sharing: Only allow data transfer to other policy managed apps, as well as file transfers to other MDM managed apps on enrolled devices.
Note: The Policy managed apps with OS sharing value is applicable to MDM enrolled devices only. If this setting is targeted to a user on an unenrolled device, the behavior of the Policy managed apps value applies. Users will be able to transfer unencrypted content via Open-in or Share extensions to any application allowed by the iOS MDM allowOpenFromManagedtoUnmanaged setting, assuming the sending app has the IntuneMAMUPN configured; for more information, see How to manage data transfer between iOS apps in Microsoft Intune. See https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf for more information on this iOS/iPadOS MDM setting.
Policy managed apps with Open-In/Share filtering: Allow transfer only to other policy managed apps, and filter OS Open-in/Share dialogs to only display policy managed apps. To configure the filtering of the Open-In/Share dialog, it requires both the app(s) acting as the file/document source and the app(s) that can open this file/document to have the Intune SDK for iOS version 8.1.1 or above.
Note: Users may be able to transfer content via Open-in or Share extensions to unmanaged apps if Intune private data type is supported by the app. Transferred data is encrypted by Intune and unreadable by unmanaged apps.
In addition, when set to Policy managed apps or None, the Spotlight search (enables searching data within apps) and Siri shortcuts iOS features are blocked.
This policy can also apply to iOS/iPadOS Universal Links. General web links are managed by the Open app links in Intune Managed Browser policy setting.
There are some exempt apps and services to which Intune may allow data transfer by default. In addition, you can create your own exemptions if you need to allow data to transfer to an app that doesn’t support Intune APP. See data transfer exemptions for more information.
Select apps to exempt
This option is available when you select Policy managed apps for the previous option.
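
The "Send org data to other apps" values listed in the answer above can be checked against an exported policy. This is an added example, not part of the original post or Microsoft's code: the sample policy is constructed to mirror the one in the question, the field names follow the Microsoft Graph iosManagedAppProtection resource, and the two boolean flags and the mapping to portal labels are assumptions to verify against your own export.

```python
# Added example. SAMPLE_POLICY is constructed; the two boolean flags and the
# label mapping are assumptions, not values taken from the page.
SAMPLE_POLICY = {
    "displayName": "iOS APP - constructed sample",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "disableProtectionOfManagedOutboundOpenInData": False,
    "filterOpenInToOnlyManagedApps": False,
}

def send_org_data_option(policy):
    """Map exported fields to the portal's 'Send org data to other apps' value."""
    level = policy["allowedOutboundDataTransferDestinations"]
    if level == "allApps":
        return "All apps"
    if level == "none":
        return "None"
    if level != "managedApps":
        raise ValueError(f"unexpected transfer level: {level!r}")
    if policy.get("disableProtectionOfManagedOutboundOpenInData"):
        return "Policy managed apps with OS sharing"
    if policy.get("filterOpenInToOnlyManagedApps"):
        return "Policy managed apps with Open-In/Share filtering"
    return "Policy managed apps"

def audit(policy):
    """Return the portal option plus findings drawn from the notes quoted above."""
    option = send_org_data_option(policy)
    findings = []
    if option == "All apps":
        findings.append(("send", "any receiving app can read and edit org data"))
    elif option == "Policy managed apps":
        findings.append(("send", "Open-in/Share extensions may still reach "
                                 "unmanaged apps; transferred data is encrypted"))
    elif option == "Policy managed apps with OS sharing":
        findings.append(("send", "unencrypted transfer to apps allowed by the "
                                 "iOS MDM allowOpenFromManagedtoUnmanaged setting"))
    if policy.get("allowedOutboundClipboardSharingLevel") == "allApps":
        findings.append(("clipboard", "cut, copy and paste to any app is allowed"))
    return option, findings

if __name__ == "__main__":
    option, findings = audit(SAMPLE_POLICY)
    print("Send org data to other apps:", option)
    for setting, text in findings:
        print(f"  [{setting}] {text}")
```
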