+The information captured in audit log records differs from that in [Microsoft 365 usage reports](#user-last-activity-table). It's important to note that audit logs are not designed for assessing user engagement in Microsoft 365, and they should not be used to replace or augment information in Microsoft 365 usage reports. To learn more about audit logs, see [Export, configure, and view audit log records](/purview/audit-log-export-records#step-1-export-audit-log-search-results).

+Customers can assign users of SharePoint Online/OneDrive for Business to any _Satellite Geography_ supported by Multi-Geo (see Section 4.1.3). The following customer data is stored in the relevant _Satellite Geography_:

+After the move completes, you might see some of the following effects.

+- After the SharePoint Online content is moved, there's a time frame when videos aren't able to be played.

+In the course of moving your SharePoint Online data, we migrate your search index and search settings to a new location. Until we've **completed** the move of your SharePoint Online data, we continue to serve your users from the index in the original location. In the new location, search automatically starts crawling your content after your move completes. From this point and onwards, we serve your users from the migrated index. Changes to your content that occurred after the migration aren't included in the migrated index until crawling picks them up. Most customers don't notice that results are less fresh right after your move completes, but some customers might experience reduced freshness in the first 24-48 hours.

+As part of the migration, the _Primary Provisioned Geography_ changes and all new content are stored at rest in the new _Primary Provisioned Geography_. Existing content moves in the background with no impact to you for up to 90 days after the first change to the SharePoint Online data location in the admin center.

+When a user creates a SharePoint group-connected site in a multi-geo environment, their PDL is used to determine the _Macro Region Geography_ or _Local Region Geography_ location where the site and its associated Group mailbox are created. (If the user's PDL value isn't set, or is set to _Macro Region Geography_ or _Local Region Geography_ location that isn't configured as a _Satellite Geography_ location, then the site and mailbox are created in the _Primary Provisioned Geography_.)

+Microsoft 365 services other than Exchange, OneDrive, SharePoint, and Teams aren't available with Multi-Geo. However, Microsoft 365 Groups that are created by these services are configured with the PDL of the creator and their Exchange Group mailbox, SharePoint site are provisioned in the corresponding _Macro Region Geography_ or _Local Region Geography_.

+With the SharePoint geo storage quota setting, you can manage the storage quota for each _Geography_ location. When you allocate a storage quota for a _Geography_ location, it becomes the maximum amount of storage available for that _Geography_ location, and is deducted from the available _Tenant_ storage quota. The remaining available _Tenant_ storage quota is then shared across the configured _Geography_ locations for which a specific storage quota hasn't been allocated.

+The SharePoint storage quota for any _Geography_ location can be allocated by the SharePoint Online administrator by connecting to the _Primary Provisioned Geography_. _Geography_ administrators for _Satellite Geography_ locations can view the storage quota but can't allocate it.

+To allocate the storage quota for a _Geography_ location, use the [Microsoft SharePoint Online Management Shell](https://www.microsoft.com/download/details.aspx?id=35588) and connect to the _Primary Provisioned Geography_ location.

+The OneDrive service uses Azure Blob Storage to store content. The Storage blob associated with the user's OneDrive is moved from the source to destination _Geography_ location within 40 days of destination OneDrive being available to the user. The access to the user's OneDrive is restored as soon as the destination OneDrive is available.

+During OneDrive _Geography_ move window (about 2-6 hours) the user's OneDrive is set to read-only. The user can still access their files via the OneDrive sync app or their OneDrive site in SharePoint Online. After OneDrive _Geography_ move is complete, the user is automatically connected to their OneDrive at the destination _Geography_ location when they navigate to OneDrive in the Microsoft 365 app launcher. The sync app automatically begins syncing from the new location.

+- File permissions and sharing don't change as a result of the move.

+Be sure to send your users an email when the move completes, informing them that they can resume working in OneDrive.

+You can schedule OneDrive site moves in advance (described later in this article). We recommend that you start with a small number of users to validate your workflows and communication strategies. Once you're comfortable with the process, you can schedule moves as follows:

+- The maximum size of a OneDrive that can be moved is 5 terabytes (5 TB).

+You will see a list of your _Geography_ locations and whether content can be moved between is denoted as "Compatible". If the command returns "Incompatible", please retry validating the status later.

+If a OneDrive contains a subsite, for example, it can't be moved. You can use the `Start-SPOUserAndContentMove` cmdlet with the `-ValidationOnly` parameter to validate if the OneDrive is able to be moved:

+ This returns Success if the OneDrive is ready to be moved or Fail if there's a legal hold or subsite that would prevent the move. Once you have validated that the OneDrive is ready to move, you can start the move.

+|NotStarted|The move is pending|

+|Success|The move completed successfully.|

+Users of OneDrive should notice minimal disruption if their OneDrive is moved to a different _Geography_ location. Aside from a brief read-only state during the move, existing links and permissions continue to work as expected once the move is completed.

+While the move is in progress, the user's OneDrive is set to read-only. Once the move is completed, the user is directed to their OneDrive in the new _Geography_ location when they navigate to OneDrive the Microsoft 365 app launcher or a web browser.

+Users with permissions to OneDrive content continue to have access to the content during the move and after it's complete.

+The OneDrive sync app automatically detects and seamlessly transfers syncing to the new OneDrive location once the OneDrive _Geography_ move is complete. The user doesn't need to sign-in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.) If a user updates a file while the OneDrive _Geography_ move is in progress, the sync app notifies them that file uploads are pending while the move is underway.

+Upon OneDrive _Geography_ move completion, the existing shared links for the files that were moved automatically redirect to the new _Geography_ location.

+Upon OneDrive _Geography_ move completion, users have access to their OneDrive files on the Teams app. Additionally, files shared via Teams chat from their OneDrive before the _Geography_ move continue to work after move is complete.

+Followed sites and groups show up in the user's OneDrive regardless of their _Geography_ location. Sites and groups hosted in another _Geography_ location will open in a separate tab.

+Users are sent to the Delve _Geography_ corresponding to their PDL only after their OneDrive has been moved to the new _Geography_.

+There's a read-only window during the SharePoint site _Geography_ move of approximately 4-6 hours, depending on site contents.

+- Validate whether the site can be moved before scheduling or performing the move.

+- Communicate with impacted users before the sites move.

+- File permissions and sharing don't change because of the move.

+Be sure to send your sites' users an email when the move completes, informing them that they can resume working on their sites.

+- The maximum size of a SharePoint site that can be moved is 5 terabytes (5 TB).

+We don't support moving sites with:

+This returns _Success_ if the site is ready to be moved or _Fail_ if any of blocked conditions are present.

+Once you update the PDL, you can start the site move:

+You can determine the status of a site move in our out of the _Geography_ that you're connected to by using the following cmdlets:

+|Ready to Trigger|The move is pending.|

+|Scheduled|The move is in queue but is yet to start.|

+|Success|The move completed successfully.|

+Site users should notice minimal disruption when their site is moved to a different _Geography_ location. Aside from a brief read-only state during the move, existing links and permissions continue to work as expected once the move is completed.

+Users with permissions to site continue to have access to the site during the move and after it's complete.

+If a user updates a file while the move is in progress, the sync app notifies them that file uploads are pending while the move is underway.

+When the SharePoint site _Geography_ move completes, the existing shared links for the files that were moved automatically redirect to the new _Geography_ location.

+When the SharePoint site _Geography_ move completes, users have access to their Microsoft 365 group site files on the Teams app. Additionally, files shared via Teams chat from their site before the _Geography_ move continue to work after move is complete.

+SharePoint site _Geography_ move doesn't support moving sites backing Private and Shared Channels from one _Geography_ to another, when using the `Start-SPOUnifiedGroupMove` command. Sites backing Private and Shared Channels remain in the original _Geography_. To move those sites individually, admins can initiate direct moves using the `Start-SPOSiteContentMove` command.

+If you're moving a site with apps, you must reinstantiate the app in the site's new _Geography_ location as the app and its connections may not be available in the destination _Geography_ location.

+In most cases, Power Automate Flows continue to work after a SharePoint site _Geography_ move. We recommend that you test them once the move completes.

+This article is for Global or SharePoint administrators who created a Multi-Geo _Satellite Geography_ location **before** SharePoint Multi-Geo capabilities became generally available on March 27, 2019, and who have not enabled SharePoint Multi-Geo in their _Satellite Geography_ location(s).

+> If you have added a new _Geography_ location **after March 27th, 2019**, you don't need to perform these instructions, as your new _Geography_ location will already be enabled for OneDrive and SharePoint Multi-Geo.

+These instructions allow you to enable SharePoint in your _Satellite Geography_ location, so your Multi-Geo satellite users can take advantage of both OneDrive and SharePoint Multi-Geo capabilities in Microsoft 365.

+This operation usually takes about an hour while we perform various publish backs in the service and restamp your _Tenant_. After at least 1 hour, please perform a Get-SPOMultiGeoExperience. This shows you whether this _Geography_ location is in SPO mode.

+> Certain caches in the service update every 24 hours, so it is possible that for a period of up to 24 hours, your _Satellite Geography_ may intermittently behave as if it was still in ODB mode. This doesn't cause any technical issues.

+You can find the actual data location in Microsoft 365 admin center. As a _Tenant_ administrator you can find the actual data location, for committed data, by navigating to **Admin->Settings->Org Settings->Organization Profile->Data Location**. If you don't have a _Tenant_ created, you can have a _Tenant_ created when signing up for a Microsoft 365 trial.

+|Quarantine management|Restore a file from the quarantine with Threat ID. Available in Defender for Endpoint version 101.23092.0012 or higher.|`mdatp threat quarantine restore threat-id --id [threat-id] --destination-path [destination-folder]`|

+|Quarantine management|Restore a file from the quarantine with Threat Original Path. Available in Defender for Endpoint version 101.23092.0012 or higher.|`mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder]`|

+### Using JAMF Pro

+To uninstall Microsoft Defender for Endpoint on macOS using JAMF Pro upload the **offboarding profile**.

+The **offboarding profile** should be uploaded without any modifications, and with Preference Domain name set to **com.microsoft.wdav.atp.offboarding**:

+ :::image type="content" source="../../media/defender-endpoint/jamf-pro-offboarding.png" alt-text="Screenshot of the JAMF offboarding screen" lightbox="../../media/defender-endpoint/jamf-pro-offboarding.png":::

+Updates are released monthly using a gradual release process. This process helps to enable early failure detection to identify issues as they occur and address them quickly before a larger rollout.

+- Learn more about how to use solutions such as WSUS and MECM to manage the distribution and application of updates at [Manage Microsoft Defender Antivirus updates and apply baselines - Windows security](microsoft-defender-antivirus-updates.md#product-updates).

+|Beta Channel - Prerelease|Test updates before others|Devices set to this channel are the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only.|

+|Current Channel (Preview)|Get Current Channel updates **earlier** during gradual release|Devices set to this channel are offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments.|

+|(default)||If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. This means Microsoft assigns a channel to the device. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which isn't suitable for devices in a production or critical environment.|

+### Update channels for security intelligence updates

+You can also assign a machine to a channel to define the cadence in which it receives SIUs (formerly referred to as signature, definition, or daily updates). Unlike the monthly process, there's no Beta channel and this gradual release cycle occurs multiple times a day.

+|(default)||If you disable or don't configure this policy, the device remains in Current Channel (Default): Stay up to date automatically during the gradual release cycle. This means Microsoft assigns a channel to the device. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which isn't suitable for devices in a production or critical environment.|

+>[!NOTE]

+>Attack disruption can act on devices independent of a device's Microsoft Defender Antivirus operating state. The operating state can be in Active, Passive, or EDR Block Mode.

+ Title: Evaluate and pilot Microsoft Defender XDR security, an XDR solution that unifies threat data so you can take action.

+description: What is XDR security? How can you evaluate a Microsoft XDR in Microsoft Defender XDR? Use this blog series to plan your Microsoft Defender XDR trial lab or pilot environment and test and pilot a security solution designed to protect devices, identity, data, and applications. Take that XDR seccurity test to production.

+# Evaluate and pilot Microsoft Defender XDR security

+This series is designed to step you through the entire process of setting up a trial XDR environment, *end-to-end*, so you can evaluate the features and capabilities of Microsoft Defender XDR and even promote the evaluation environment straight to production when you're ready.

+If you're new to thinking about XDR security, you can scan the 7 linked articles in this series to get a feel for how comprehensive the solution is.

+## What is XDR and Microsoft Defender XDR?

+XDR security is a step forward in cyber security because it takes the threat data from systems that were once isolated and unifies them so that you can see patterns and act on them faster.

+For example, Microsoft XDR unifies endpoint (endpoint detection and response or EDR), email, app, and identity security in one place.

+Microsoft Defender XDR is an **eXtended detection and response (XDR) solution** that automatically collects, correlates, and analyzes signal, threat, and alert data from *across* your Microsoft 365 environment, including *endpoint, email, applications, and identities*. It leverages **artificial intelligence (AI) and automation to *automatically* stop attacks**, and remediate affected assets to a safe state.

+## Microsoft recommendations for evaluating Microsoft Defender XDR security

+- (GA) **Assigning severity to incidents**, **assigning an incident to a group**, and the ***go hunt*** option from the attack story graph are now generally available. Guides to learn how to [assign or change incident severity](manage-incidents.md#assign-or-change-incident-severity) and [assign an incident to a group](manage-incidents.md#assign-an-incident) are in the [Manage incidents](manage-incidents.md) page. Learn how you can use the *go hunt* option by exploring [attack story](investigate-incidents.md#attack-story).

+> The features described in this article are currently in Public Preview, aren't available in all organizations, and are subject to change.

+ :::image type="content" source="../../media/air-automatic-feedback-no-threats-found-email.png" alt-text="An example notification email for No threats found." lightbox="../../media/air-automatic-feedback-no-threats-found-email.png":::

+ :::image type="content" source="../../media/air-automatic-feedback-spam-email.png" alt-text="An example notification email for spam found." lightbox="../../media/air-automatic-feedback-spam-email.png":::

+ - **Phishing**: The investigation creates no pending actions, but the user still receives a notification email that the message was found to be phishing. The notification email looks like this:

+ :::image type="content" source="../../media/air-automatic-feedback-phishing-or-malware-email.png" alt-text="An example notification email for phishing or malware found." lightbox="../../media/air-automatic-feedback-phishing-or-malware-email.png":::

+ Title: "Understand app protection access requirements using Microsoft Intune"

+audience: ITPro

+description: Understand app protection access requirements using Microsoft Intune.

+ms.localizationpriority: high

+- highpri

+keywords:

+# Understand app protection access requirements

+The **Access requirements** settings allow you to configure the PIN and credential requirements that users must meet to access apps in a work context. As the admin, you can control whether to use a PIN for app access, require work or school account credentials for access, and how often to recheck access requirements.

+> [!NOTE]

+> The **Access requirement** settings only apply to iOS/iPadOS and Android app protection policies.

+## Access requirements for app protection policies

+For iOS/iPadOS and Android app protection policies, the available app access settings are similar between iOS/iPadOS and Android. Differences include details for biometrics and PIN reset.

+### iOS access requirement settings

+You'll see that iOS/iPadOS offer slightly different app protection functionality.

+### Android access requirement settings

+Android offers similar functionality to iOS/iPadOS functionality.

+ Title: "Understand app protection conditional launch using Microsoft Intune"

+audience: ITPro

+description: Understand app protection conditional launch using Microsoft Intune.

+ms.localizationpriority: high

+- highpri

+keywords:

+# Understand app protection conditional launch

+The **Conditional launch** settings allow you to select the sign-in security requirements for your access protection policy. App protection policies offer both app and device conditions.

+You must select a setting and enter the value that users must meet to sign in to your company app. Then select the Action you want to take if users don't meet your requirements. In some cases, multiple actions can be configured for a single setting. Learn more about conditional launch actions.

+Conditional launch settings offer similarities between iOS/iPadOS and Android.

+## Conditional launch for iOS/iPadOS and Android app protection policy

+iOS/iPadOS app conditional settings allow the similar settings configuration as Android, however you can also set a **Min SDK version** for iOS/iPadOS.

+| App condition setting | iOS/iPadOS | Android |

+|::|::|::|

+| Max PIN attempts | Γ£ö | Γ£ö |

+| Office grace period | Γ£ö | Γ£ö |

+| Min app version | Γ£ö | Γ£ö |

+| Max SDK version | Γ£ö | Γ£û |

+| Disabled account | Γ£ö | Γ£ö |

+In addition, Android device condition settings offer several more setting configuration options compared to iOS/iPadOS.

+| Device condition setting | iOS/iPadOS | Android |

+|::|::|::|

+| Jailbroken/rooted devices | Γ£ö | Γ£ö |

+| Min OS version | Γ£ö | Γ£ö |

+| Max OS version | Γ£ö | Γ£ö |

+| Min patch version | Γ£ö | Γ£ö |

+| Device model(s) | Γ£ö | Γ£û |

+| Device manufacturer(s) | Γ£û | Γ£ö |

+| SafetyNet device attestation | Γ£û | Γ£ö |

+| Require threat scan on apps | Γ£û | Γ£ö |

+| Required SafetyNet evaluation type | Γ£û | Γ£ö |

+| Require device lock | Γ£û | Γ£ö |

+| Min Company Portal version | Γ£û | Γ£ö |

+| Max Company Portal version age (days) | Γ£û | Γ£ö |

+| Samsung Knox device attestation | Γ£û | Γ£ö |

+| Max allowed device threat level | Γ£ö | Γ£ö |

+| Primary MTD service | Γ£ö | Γ£ö |

+ Title: "Understand app data protection using Microsoft Intune"

+audience: ITPro

+description: Understand app data protection using Microsoft Intune.

+ms.localizationpriority: high

+- highpri

+keywords:

+# Understand app data protection

+The **Data Protection** settings in Intune determine how users interact with org data and context in policy-managed apps. As the admin, you can control the movement of data into and out of the context of org protection. The org context is defined by documents, services, and sites accessed by the specified org account (Microsoft Entra ID) owned by the end-user. The app protection policy settings help control external data received into the org context and org data sent out of the org context.

+> [!NOTE]

+> The term *policy-managed apps* refers to apps that are configured with app protection policies.

+Data protection is available for policy-managed apps that support the [iOS/iPadOS](/mem/intune/apps/app-protection-policy-settings-ios#data-protection), [Android](/mem/intune/apps/app-protection-policy-settings-android#data-protection), and [Windows](/mem/intune/apps/app-protection-policy-settings-windows#data-protection) platforms. Each platform offers a different set of settings related to data protection.

+The **Data Protection** settings within app protection policies provides the following categories for each platform:

+| Data Protection | Categories |

+|||

+| iOS/iPadOS | [Data Transfer](#data-transfer-for-iosipados-app-protection-policy), [Encryption](#encryption-for-iosipados-app-protection-policy), [Functionality](#functionality-for-iosipados-and-android-app-protection-policy) |

+| Android | [Data Transfer](#data-transfer-for-android-app-protection-policy), [Encryption](#encryption-for-android-app-protection-policy), [Functionality](#functionality-for-iosipados-and-android-app-protection-policy) |

+| Windows | [Data Transfer](#data-transfer-for-windows-app-protection-policy), [Functionality](#functionality-for-windows-app-protection-policy) |

+## Data Transfer

+### Data Transfer for iOS/iPadOS app protection policy

+The **Data Transfer** section of the **Data Protection** settings for a iOS/iPadOS specific app protection policy has settings that are specific to the iOS/iPadOS platform. These settings determine how end-users interact with org data in the iOS/iPadOS apps on a device. You select settings to allow or block iTunes and iCloud backups, determine how apps can send and receive org data, restrict end-user initiated data movement between apps, and prevent third-party keyboards.

+### Data Transfer for Android app protection policy

+The **Data Transfer** section of the **Data Protection** settings for an Android specific app protection policy has settings that are also specific to the Android platform. In addition to the commonly offered app protection settings, Android app protection provides additional settings, such as allowing screen capture and Google Assistant.

+### Data Transfer for Windows app protection policy

+The **Data Transfer** section of the **Data Protection** settings for a Windows specific app protection policy has settings that are specific to the Windows platform. These DLP settings provide three main options for Android apps. These settings involve how data is received, sent, and moved between apps.

+## Encryption

+Encryption is available for iOS/iPadOS and Android as part of an app protection policy. The **Encryption** section under the **Data Transfer** section, is also part of the **Data Protection** settings.

+> [!IMPORTANT]

+> You must choose **Require** to enable encryption of work or school data in an app.

+### Encryption for iOS/iPadOS app protection policy

+ Intune enforces iOS/iPadOS device encryption to protect app data while the device is locked. Applications may optionally encrypt app data using Intune APP SDK encryption. Intune APP SDK uses iOS/iPadOS cryptography methods to apply 128-bit AES encryption to app data.

+When you enable this setting, the user may be required to set up and use a PIN to access their device. If there's no device PIN and encryption is required, the user is prompted to set a PIN with the message "Your organization has required you to first enable a device PIN to access this app."

+> [!NOTE]

+> Go to the official Apple documentation to see which iOS encryption modules are FIPS 140-2 compliant or pending FIPS 140-2 compliance.

+### Encryption for Android app protection policy

+Intune uses a wolfSSL, 256-bit AES encryption scheme along with the Android Keystore system to securely encrypt app data. Data is encrypted synchronously during file I/O tasks. Content on the device storage is always encrypted. New files will be encrypted with 256-bit keys. Existing 128-bit encrypted files will undergo a migration attempt to 256-bit keys, but the process is not guaranteed. Files encrypted with 128-bit keys will remain readable.

+> [!NOTE]

+> The encryption method is FIPS 140-2 compliant.

+## Functionality

+The **Functionality** section is the last section in the **Data Protection** settings of an app protection policy. This section provides additional data protection settings.

+> [!TIP]

+> Apps may provide additional configuration capability with app configuration policies. For more information, see the app developer's documentation.

+### Functionality for iOS/iPadOS and Android app protection policy

+For iOS/iPadOS and Android app protection policies, you can choose to block policy managed apps from saving data to the device's native apps (like Contacts, Calendar and widgets), or to prevent the use of add-ins within the policy managed apps. If you choose **Allow**, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.

+Additionally, you can allow or block printing org data, restrict web content transfer with other apps, and determine how org data notifications are handled. When you restrict transferring web content, consider allowing web content to open only in Microsoft Edge.

+> [!NOTE]

+> Android and iOS/iPadOS offer sightly different options when restricting transferring web content using app protection policies. For iOS/iPadOS, you can enter a specific protocol for a single unmanaged browser. For Android, You can enter an unmanaged browser ID, or an unmanaged browser name.

+You'll see that iOS/iPadOS offer slightly different app protection functionality:

+Android offers similar functionality to iOS/iPadOS functionality:

+Additionally, Android allows you to select a connection to Microsoft Tunnel VPN when the app specified by your app protection policy is launched.

+### Functionality for Windows app protection policy

+For Windows app protection policies, you can choose to allow or block printing org data.

+> [!IMPORTANT]

+> Windows app protection policies allow only Microsoft Edge as the managed app specified in the policy.

+ Title: "Use the app protection framework with Microsoft Intune"

+audience: ITPro

+description: Use the app protection framework with Microsoft Intune.

+ms.localizationpriority: high

+- highpri

+keywords:

+# Use the app protection framework

+Your organization's data protection requirements may differ from other organizations. For this reason, you can tailor the app protection that you deploy from Intune based on your organization's specific needs. You can use the App protection policy (APP) data protection framework to apply app protection across your organization. The APP data protection framework is organized into three distinct configuration levels, with each consecutive level building off the previous level.

+| Protection level | Description |

+|||

+| Enterprise basic data protection<br>(Level 1) | This is an entry level configuration that provides similar data protection control in Exchange Online mailbox policies and introduces you and your IT admins APP. Microsoft recommends this configuration as the minimum data protection configuration for an enterprise device. |

+| Enterprise enhanced data protection<br>(Level 2) | This protection level, which builds on the previous level, is applicable to most mobile users accessing work or school data. Microsoft recommends this configuration for devices where users access sensitive or confidential information. |

+| Enterprise high data protection<br>(Level 3) | This protection level, which also builds on the previous level, is desirable for users that are accessing high risk data. Microsoft recommends this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. |

+> [!IMPORTANT]

+> Because each protection level builds on the previous, you should consider implementing them in order.

+## Steps before applying the app protection framework

+Once you have followed the [prerequisites](apps-protect-overview.md#prerequisites) and understood the different app data protection settings available for each support platform, you can use the following process to add app protection policies.

+Process to add app data protection:

+1. **Determine which platforms you must support at your organization** - For more information about app platforms, see [Supported platforms](apps-protect-overview.md#supported-platforms).

+2. **Add one or more protected apps to Intune** - For more information, see [Intune protected apps](/mem/intune/apps/apps-supported-intune-apps). These apps have been enhanced to support Intune app protection policies. If you are uncertain, start with a Core Microsoft App. For more information, see [Apps to include in the App Protection Policies](/mem/intune/apps/app-protection-framework) and [Microsoft apps](/mem/intune/apps/apps-supported-intune-apps#microsoft-apps).

+3. **Determine the level of app protection your organization requires**:

+ 1. [Minimum data protection](apps-protect-step-1.md)

+ 2. [Enhanced data protection](apps-protect-step-2.md)

+ 3. [High data protection](apps-protect-step-3.md)

+> [!TIP]

+> For more information about protected apps, suppported platforms, app store links, supported app configuration, and supported protection, see [Microsoft apps](/mem/intune/apps/apps-supported-intune-apps#microsoft-apps).

+## Steps to apply the app protection framework

+This solution steps you through the process of creating app protection policies in Microsoft Intune for specific apps and assigning those policies to members of your organization. Once you've completed the above [prerequisites](apps-protect-overview.md#prerequisites), you're ready to create app protection policies for your organization in Intune. Using configuration and protection policies as part of your app management efforts allows members of your organization to safely use apps. By managing apps at your organization, you help to protect and secure your organizationΓÇÖs data.

+Follow these steps to add the recommended settings when adding app protection policies in Intune:

+1. [Apply minimum data protection](apps-protect-step-1.md)

+2. [Apply enhanced data protection](apps-protect-step-2.md)

+3. [Apply high data protection](apps-protect-step-3.md)

+4. [Understand app protection delivery](apps-protect-step-4.md)

+5. [Verify and monitor app protection](apps-protect-step-5.md)

+6. [Use app protection actions](apps-protect-step-6.md)

+[:::image type="content" source="../medi)

+After you completed the above steps, you are ready to deploy, manage, and monitor the managed apps your organization uses.

+ Title: "Understand app protection health checks using Microsoft Intune"

+audience: ITPro

+description: Understand app protection health checks using Microsoft Intune.

+ms.localizationpriority: high

+- highpri

+keywords:

+# Understand app protection health checks

+Much like **Conditional Launch** settings for iOS/iPadOS and Android app protection policies, **Health checks** for Windows app protection policies allow you to also configure conditional launch capabilities. To do this, you must set the health check conditions for your app protection policy. Select a **Setting** and enter the **Value** that users must meet to access your org data. Then select the **Action** you want to take if users do not meet your conditionals. In some cases, multiple actions can be configured for a single setting.

+## Health checks for Windows app protection policy

+Windows app condition settings allow similar settings configuration to the other supported platforms, however you cannot set a **Max PIN attempts**.

+| App condition setting | Windows | iOS/iPadOS | Android |

+|::|::|::|::|

+| Max PIN attempts | Γ£û | Γ£ö | Γ£ö |

+| Office grace period | Γ£ö | Γ£ö | Γ£ö |

+| Min app version | Γ£ö | Γ£ö | Γ£ö |

+| Max SDK version | Γ£ö | Γ£ö | Γ£û |

+| Disabled account | Γ£ö | Γ£ö | Γ£ö |

+Windows device condition settings are also available for Windows app protection settings.

+ Title: "Secure and protect apps using Microsoft Intune"

+audience: ITPro

+description: Secure and protect apps using Microsoft Intune.

+ms.localizationpriority: high

+- highpri

+keywords:

+# Secure and protect apps using Microsoft Intune

+Once you've [set up and deployed the capabilities of Intune](/microsoft-365/solutions/apps-guide-overview#deploying-intune), [added the apps you want to manage to Intune](/microsoft-365/solutions/apps-add-overview), and [configured the apps that you manage in Intune](/microsoft-365/solutions/apps-config-overview), you can begin the process of creating app protection policies. App protection policies (APP) are rules that ensure your organization's data remains safe and contained in a managed app. These policies enforce how your end-users access and move "corporate" data, as well as how you control actions that are prohibited or monitored when end-users are using the app. This enforcement allows you to control how data is accessed and shared by apps on mobile devices at your organization.

+The content provided in this solution will help you understand the different aspects of app protection for each of the supported platforms. In addition, this solution will step you through creating your app protection policies based on our recommended settings for basic, enhanced, and high level app protection.

+Managed apps are apps that you have assigned to users via a unified endpoint management provider, such as Intune. Managed apps support app protection policies, as well as app configuration policies. These apps use mobile application management (MAM) that is provided by the unified endpoint management provider. MAM enables organizations to manage and protect their data within an application. A managed app in Intune is a [protected app](/mem/intune/apps/apps-supported-intune-apps) that has Intune app protection policies applied to it and is assigned and managed by Intune. A managed app has either integrated the Intune App SDK or has been wrapped using the Intune Wrapping Tool to support App Protection Policies (APP) and/or app configuration policies. You can use MAM policies to configure and protect apps on unmanaged devices, which are your end-user's personal devices that aren't MDM enrolled in Intune.

+> [!TIP]

+> For information about when you should consider deploying MAM policies, see [Migration guide: Set up or move to Microsoft Intune](/mem/intune/fundamentals/deployment-guide-intune-setup).

+Using app protection policies provides the benefit of protecting your organization's data at the app level. For end-users, productivity isn't affected and app protection policies don't apply when end-users are using the app in a personal context. There are several situations where you commonly should use app protection policies. For instance, if your end-users are using their personal device, you may want to use an app protection policy to control the access to the app by using a PIN. You may want to enforce data sharing restrictions that your organization's data isn't shared with nonmanaged apps. Also, you may want to prevent end-users from saving organization data to personal locations. For more information, see [Benefits of using App protection policies](/mem/intune/apps/app-protection-policy#benefits-of-using-app-protection-policies).

+> [!IMPORTANT]

+> You can use Intune to help enforce a [Zero Trust](/security/zero-trust/zero-trust-overview) security strategy for your organization. Zero Trust is an approach to use when designing and implementing a set of security principles. For more information, see [Zero Trust with Microsoft Intune](/mem/intune/fundamentals/zero-trust-with-microsoft-intune) and [Zero Trust identity and device access configurations](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview).

+Organizations can use app protection policies with and without Mobile Device Management (MDM) at the same time. For example, consider an end-user (employee or organization member) that uses both a phone issued by the company, and their own personal tablet. The organization issued phone is enrolled in MDM and protected by app protection policies, while the personal device is protected by app protection policies only.

+## Supported platforms

+There are three primary platforms that are supported when creating an app protection policy in Intune.

+| Platform | Description |

+|||

+| iOS/iPadOS | You can apply app protection policies to iOS/iPadOS apps that have been developed to support Intune app protection capabilities. You can apply app protection to groups of users that sign into iOS/iPadOS devices. Specifically, you can apply app protection based on data protection, access requirements, and conditional launch settings within an app protection policy for iOS/iPadOS. For more information, see [iOS app protection policy settings in Microsoft Intune](/mem/intune/apps/app-protection-policy-settings-ios). |

+| Android | You can apply app protection policies to Android apps that have been developed to support Intune app protection capabilities. You can apply app protection to groups of users that sign into Android devices. Specifically, you can apply app protection based on data protection, access requirements, and conditional launch settings within an app protection policy for Android. For more information, see [Android app protection policy settings in Microsoft Intune](/mem/intune/apps/app-protection-policy-settings-android). |

+| Windows | Currently, you can apply app protection policies to Microsoft Edge for Windows devices. Using Microsoft Edge, you can control how your organization's data is accessed. You can apply app protection to groups of users that sign in to Windows devices. Specifically, you can apply app protection based on data protection and health checks settings within an app protection policy for Windows. Data protection settings allow you to control how the movement of data into and out of your organization (org) context. The org context is defined by documents, services, and sites accessed by the specified org account. You can use app protection policy settings to help control external data received into the org context and org data sent out of the org context. These settings include receiving and sending org data. Also, you can implement Data Loss Prevention (DLP) controls, like cut, copy, paste, and save-as restrictions. Additionally, you can allow or block printing of org data. For more information, see [App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows). |

+For a more information about supported platforms, see [App management capabilities by platform](/mem/intune/apps/app-management#app-management-capabilities-by-platform).

+## Supported apps

+For iOS/iPadOS and Android platforms, you can apply app protection policies to any managed app that has been developed to support Intune app protection capabilities. The managed app has either integrated the [Intune App SDK](/mem/intune/developer/app-sdk) or has been wrapped using the [Intune App Wrapping Tool](/mem/intune/developer/apps-prepare-mobile-application-management#intune-app-wrapping-tool). For the Windows platform, you can enable data protection of corporate data on personal Windows devices using [Windows MAM](/mem/intune/apps/protect-mam-windows). Windows MAM is where you apply app protection policies to Microsoft Edge for Windows. Microsoft Edge, as well as most Microsoft applications, have been integrated to support Intune by using the Intune App SDK. For a list of apps that include SDK integration, see [Microsoft Intune protected apps](/mem/intune/apps/apps-supported-intune-apps).

+## Prerequisites

+Before you can protect apps with Microsoft Intune, you must follow a few prerequisites to set up Intune, as well as understand key app management configurations.

+> [!NOTE]

+> If you're new to Intune, start with the [Microsoft Intune free trial](/mem/intune/fundamentals/free-trial-sign-up). Trying out Intune is free for 30 days. When you complete the sign-up process, you'll have a new tenant that you can use to evaluate Intune. A tenant is a dedicated instance of [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) (Microsoft Entra ID) where your subscription to Intune is hosted. You can then configure the tenant, which involves many capabilities that you can use to protect your organization. One of those involves adding and configuring apps for Intune.

+Follow these steps if you haven't already set up Intune and added the apps you need to manage and protect:

+1. Set up and [deploy Intune](/microsoft-365/solutions/apps-guide-overview#deploying-intune&preserve-view=true)

+2. Understand [application protection](apps-protect-overview.md#app-protection)

+3. [Understand app types](/microsoft-365/solutions/apps-guide-overview#understand-app-types&preserve-view=true)

+4. [Add apps to Intune](/microsoft-365/solutions/apps-add-overview)

+> [!IMPORTANT]

+> To use Microsoft Intune beyond the free trial, you'll need to acquire a license from Microsoft. For more information about licenses that include Microsoft Intune, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses).

+>

+> Although many apps that you can deploy to the members of your organization are free, some apps may require either a license, subscription, or account for each user to use the app. For more information about app licenses, see [Understand app licenses used in Intune](/microsoft-365/solutions/apps-license-overview).

+## App protection

+App protection can be applied to supported managed apps on supported device platforms that are either enrolled with Microsoft Intune, enrolled in a third-party Mobile device management (MDM) solution, or aren't enrolled in any mobile device management solution.

+When creating an app protection policy, you choose the following details in the following order:

+1. The platform

+2. The app you want to protect

+3. The data protection settings for the app

+4. The access requirements for the app

+5. The conditional launch settings for the app

+In addition to the above list, you can also choose [scope tags](/mem/intune/fundamentals/scope-tags) and [app assignments](/mem/intune/apps/apps-deploy).

+> [!IMPORTANT]

+> The Intune Company Portal app is required on Android devices because it enables device users to receive app protection policies as a [Device Policy Controller](https://support.google.com/work/android/answer/6192678). It enables device users to receive app protection policies. For more information, see [How to configure the Intune Company Portal apps, Company Portal website, and Intune app](/mem/intune/apps/company-portal-app) and [Customize and configure the Company Portal](/microsoft-365/solutions/apps-config-step-1).

+### App protection categories by platform

+Different app protection settings are available for each supported platform. It's important to recognize that the iOS/iPadOS and Android platform have the same app protection categories. However, Windows is different. The Windows platform protects organization data by managing the flow of data through Microsoft Edge to your organization's storage locations.

+> [!TIP]

+> To see where app protection and compliance policies fit into the overall Intune architecture, see [High-level architecture for Microsoft Intune](/mem/intune/fundamentals/high-level-architecture).

+When you create an app protection policy, you choose the platform, the app to target, as well as the specific settings from the app protection categories.

+### How app protection policies protect app data

+Your end-users (members of your organization) use mobile devices for both personal and work tasks. While making sure your end-users can be productive, you want to prevent your organization's data from moving to locations where you cannot secure it, for both intentional and unintentional situations. You'll also want to protect company data that is accessed from devices that aren't managed by you. You can use Intune app protection policies independent of any mobile device management (MDM) solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution. By implementing app-level protection policies, you can restrict access to company resources and keep data within the purview of your IT department.

+When apps are used without restrictions, company and personal data can get intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. The following table provides details about data, device, and app protection.

+| Data, device, and app protection | Description |

+|||

+| Apps without app protection policies | When apps are used without restrictions, company and personal data can get intermingled. Company data can end up in locations like personal storage or transferred to apps beyond your purview and result in data loss. |

+| Data protection with app protection policies | You can use App protection policies to prevent company data from saving to the local storage of the device. You can also restrict data movement to other apps that aren't protected by App protection policies. |

+| Data protection with app protection policies on managed devices | Provides both app and device management and protection. |

+| Data protection with app protection policies for devices without enrollment | App protection policies can help protect company data at the app level. However, there are limitations related to deploying apps, provisioning device certificate profiles, and provisioning device organization settings. You can avoid these limitations by enrolling and managing the devices in Intune. |

+For more information, see [How app protection policies protect app data](/mem/intune/apps/app-protection-policy#how-app-protection-policies-protect-app-data).

+## What's in this solution

+This solution helps you understand app data protection in Microsoft Intune. In addition, this solution provides recommended steps for creating app protection policies in Intune for specific apps and assigning those policies to members of your organization. Once you've completed the above [prerequisites](#prerequisites), you're ready to create app protection policies for your organization in Intune. Using configuration and protection policies as part of your app management efforts allows members of your organization to safely use apps. By managing apps at your organization, you help to protect and secure your organizationΓÇÖs data.

+To learn about app protection in Intune, see the following topics:

+- [Understand app data protection](apps-protect-data-protection.md)

+- [Understand app protection access requirements](apps-protect-access-requirements.md)

+- [Understand app protection conditional launch](apps-protect-conditional-launch.md)

+- [Understand app protection health checks](apps-protect-health-checks.md)

+To follow the recommended settings when adding app protection policies in Intune, see the following topics:

+1. [Apply minimum data protection](apps-protect-step-1.md)

+2. [Apply enhanced data protection](apps-protect-step-2.md)

+3. [Apply high data protection](apps-protect-step-3.md)

+4. [Understand app protection delivery](apps-protect-step-4.md)

+5. [Verify and monitor app protection](apps-protect-step-5.md)

+6. [Use app protection actions](apps-protect-step-6.md)

+[:::image type="content" source="../medi)

+After you've completed the above steps, you're ready to deploy, manage, and monitor the managed apps your organization uses.

+ Title: "Step 1. Apply minimum data protection"

+audience: ITPro

+description: Step 1. Apply minimum data protection.

+ms.localizationpriority: high

+- highpri

+keywords:

+# Step 1. Apply enterprise basic data protection

+Once you have followed the [prerequisites](apps-protect-overview.md#prerequisites), determined which platforms you must support at your organization, understood the different [app data protection categories available for each support platform](apps-protect-overview.md#app-protection-categories-by-platform), and completed the [steps needed before applying the app protection framework](apps-protect-framework.md#steps-before-applying-the-app-protection-framework), you're ready to add app protection policies.

+Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios.

+The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune.

+## Recommended app protection settings

+Use the following recommended app protection settings when creating and applying Intune app protection for Level 1 enterprise basic data protection.

+## Next step

+[:::image type="content" source="../medi)

+Continue with [Step 2](apps-protect-step-2.md) to apply enhanced data protection in Microsoft Intune.

+ Title: "Step 2. Apply enhanced data protection"

+audience: ITPro

+description: Step 2. Apply enhanced data protection

+ms.localizationpriority: high

+- highpri

+keywords:

+# Step 2. Apply enhanced data protection

+Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios.

+The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune.

+## Recommended app protection settings

+Use the following recommended app protection settings when creating and applying Intune app protection for Level 2 enterprise enhanced data protection.

+## Next step

+[:::image type="content" source="../medi)

+Continue with [Step 3](apps-protect-step-3.md) to apply high data protection in Microsoft Intune.

+ Title: "Step 3. Apply high data protection"

+audience: ITPro

+description: Step 3. Apply high data protection

+ms.localizationpriority: high

+- highpri

+keywords:

+# Step 3. Apply high data protection

+## Recommended app protection settings

+Use the following recommended app protection settings when creating and applying Intune app protection for Level 3 enterprise high data protection.

+## Next step

+[:::image type="content" source="../medi)

+Continue with [Step 4](apps-protect-step-4.md) to understand app protection delivery in Microsoft Intune.

+ Title: "Step 4. Understand app protection delivery"

+audience: ITPro

+description: Step 4. Understand app protection delivery.

+ms.localizationpriority: high

+- highpri

+keywords:

+# Step 4. Understand app protection delivery

+> [!IMPORTANT]

+> You can require that an Intune app protection policy is present for the client app before access is available to the selected applications. For more information, see [Require app protection policy](/entra/identity/conditional-access/concept-conditional-access-grant#require-app-protection-policy).

+Before an app protection policy can be used to protect an app on a device, the policy must be delivered and applied to the user at your organization. There are several timing reasons and remedies that impact app protection policy delivery.

+Common user state issues that impact the delivery of app protection policies:

+- **Issue**: Tenant not on-boarded.<br>

+ **Solution**: You must set up your tenant for Intune.

+- **Issue**: User isn't licensed.<br>

+ **Solution**: You must assign an Intune license to the user.

+- **Issue**: User isn't assigned app protection policies.<br>

+ **Solution**: You must assign app protection policy settings to the user.

+- **Issue**: User is assigned an app protection policy, but the related app isn't included in the policy.<br>

+ **Solution**: You must include the app that you want to protect in the app protection policy.

+- **Issue**: User successfully registered for Intune MAM, however they haven't had the app protection policy applied yet.<br>

+ **Solution**: Intune typically takes 30 minutes to register users.

+For specific timing for each of the above issues, see [Delivery timing summary](/mem/intune/apps/app-protection-policy-delivery#delivery-timing-summary).

+## Limiting app extensions

+You can limit Outlook add-ins and LinkedIn account connections as a method of protecting your organization's data. Outlook add-ins are available to integrate extended functionality for Outlook. These add-ins are available on the web. You can't directly manage these add-ins using Intune. However, you can remove specific roles for your end-users that will prevent them from installing and side-loading add-ins.

+Additionally, you can disable LinkedIn account connections for your entire organization, or you can enable LinkedIn account connections for selected user groups in your organization. These settings affect LinkedIn connections across Microsoft 365 apps on all platforms (web, mobile, and desktop).

+For more information, see [Protecting application extensions](/mem/intune/apps/app-protection-policy-extensions).

+## Next step

+[:::image type="content" source="../medi)

+Continue with [Step 5](apps-protect-step-5.md) to verify and monitor app protection in Microsoft Intune.

+ Title: "Step 5. Verify and monitor app protection"

+audience: ITPro

+description: Step 5. Verify and monitor app protection

+ms.localizationpriority: high

+- highpri

+keywords:

+# Step 5. Verify and monitor app protection

+You can verify and monitor the status of the app protection policies that you've applied to users from Intune. The **App protections status** report provides the name and email of the user, the app protection status, the app protection policy targeted to the related app for the user, and the timestamp of the last sync of the app with Microsoft Intune. Additionally, there are several other details provided in the **App protection status** report that can be used to filter the success of applied app protection policies.

+> [!NOTE]

+> App protection data is retained for a minimum of 90 days. Any app instances that have checked in to the Intune service within the past 90 days is included in the app protection status report.

+Before checking on successfully deployed app protection policies, check to make sure the user has installed the app. For more information, see the following reports:

+- [App Install Status report](/mem/intune/fundamentals/reports#app-install-status-report-operational)

+- [User Install Status for apps report](/mem/intune/fundamentals/reports#user-install-status-for-apps-report-operational)

+- [Managed Apps report](/mem/intune/fundamentals/reports#user-install-status-for-apps-report-operational)

+To verify an app protection policy, start by viewing the **App protection status** report in Intune (**Apps** > **Monitor** > **App protection status**). Next, export your data so you can filter and sort the results. You will need to filter the **App Protection Status** column to determine whether the related app is unprotected by not being targeted with a MAM policy. You will want to sort the list by **App**. Determine whether the end-user is licensed for app protection and Microsoft 365. If they are not licensed, assign an [Intune license](/mem/intune/fundamentals/licenses) and/or a [Microsoft 365 license](/mem/intune/fundamentals/licenses) to the user. If a user's app is listed as **Not checked in**, check if you've correctly configured the app protection policy for that app. In addition, look for issues based on **App version** and **Platform**. If you find a particular set of users that need an app protection policy for a specific app, verify the last sync of the app with Intune.

+> [!NOTE]

+> Ensure that the conditions of your app protection policy applies across all end-users that must have the policy.

+For more information, see [How to validate your app protection policy setup in Microsoft Intune](/mem/intune/apps/app-protection-policies-validate).

+## App protection logs

+You can enable and collect app protection logs by enabling Intune Diagnostics on the end-user's device. Each platform has a different process to enable and collect app logs. For more information, see [Review client app protection logs](/mem/intune/apps/app-protection-policy-settings-log).

+## Intune diagnostics

+The Intune Company Portal app has multiple options for gathering diagnostic information.

+The Company Portal includes UI that:

+- Enables end users to gather Company Portal logs.

+- Displays device and account metadata.

+- Includes per-app information about the current MAM policy.

+End users can also launch the Company Portal's diagnostic console through Microsoft Edge, by entering `about:intunehelp` in the address bar to assist in debugging.

+> [!IMPORTANT]

+> Diagnostics information for the device is only available when the Company Portal is installed on device.

+## Next step

+[:::image type="content" source="../medi)

+Continue with [Step 6](apps-protect-step-6.md) to use app protection actions in Microsoft Intune.

+ Title: "Step 6. Use app protection actions"

+audience: ITPro

+description: Step 6. Use app protection actions.

+ms.localizationpriority: high

+- highpri

+keywords:

+# Step 6. Use app protection actions

+In addition to applying conditional launch actions as part of your app protection policy, you can remove organizational or corporate app data by creating a device based wipe request or a user based wipe request. Applying this form of protection is done when either a member of your organization leaves, the devices is lost, or the device is stolen. This method only removes your organization data, not personal data on the device.

+## Device based wipe

+You can create a device based wipe request for an end-user. Sometimes end-users have multiple devices, such as a tablet and a phone. You can choose which device to wipe. In addition, you can see the state of the wipe request in Intune. For more information, see [Create a device based wipe request](/mem/intune/apps/apps-selective-wipe#create-a-device-based-wipe-request).

+## User based wipe

+You can also create a user based wipe request. This wipe request removes organizational data from all apps on all the user's devices that are managed by Intune. You can also see the state of the wipe request in Intune. For more information, see [Create a user based wipe request](/mem/intune/apps/apps-selective-wipe#create-a-user-based-wipe-request).

+## Additional actions

+In addition to the above actions, you can also do the following actions:

+- [Monitor your wipe requests](/mem/intune/apps/apps-selective-wipe#monitor-your-wipe-requests)

+- [Delete a device wipe request](/mem/intune/apps/apps-selective-wipe#delete-a-device-wipe-request)

+- [Delete a user wipe request](/mem/intune/apps/apps-selective-wipe#delete-a-user-wipe-request)

+## After securing and protecting apps in Intune

+Once you have reviewed and completed the steps provided in this solution, you're ready to configure, protect, assign, and monitor the managed apps your organization uses.

+For more information about how to proceed, see the following articles:

+- [App configuration policies for Microsoft Intune](/mem/intune/apps/app-configuration-policies-overview)

+- [App protection policies overview](/mem/intune/apps/app-protection-policy)

+- [Data protection framework using app protection policies](/mem/intune/apps/app-protection-framework)

+- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy)

+- [Monitor app information and assignments with Microsoft Intune](/mem/intune/apps/apps-monitor)