Attribute | Description | Backed up | Restorable |
allowedAndroidDeviceManufacturers | Semicolon-separated list of device manufacturers allowed, as a string, for the managed app to work. | Yes | Yes |
allowedAndroidDeviceModels | List of device models allowed, as a string, for the managed app to work. | Yes | Yes |
allowedDataIngestionLocations | Data storage locations where a user may store managed data. Inherited from managedAppProtection | Yes | Yes |
allowedDataStorageLocations | Data storage locations where a user may store managed data. Inherited from managedAppProtection | Yes | Yes |
allowedInboundDataTransferSources | Sources from which data is allowed to be transferred. Inherited from managedAppProtection | Yes | Yes |
allowedIosDeviceModels | Semicolon-separated list of device models allowed, as a string, for the managed app to work. (iOS only) | Yes | Yes |
allowedOutboundClipboardSharingExceptionLength | Number of characters that may be cut or copied from Org data and accounts to any application. | Yes | Yes |
allowedOutboundClipboardSharingLevel | The level to which the clipboard may be shared between apps on the managed device. Inherited from managedAppProtection. | Yes | Yes |
allowedOutboundDataTransferDestinations | Destinations to which data is allowed to be transferred. Inherited from managedAppProtection. | Yes | Yes |
allowWidgetContentSync | Indicates if content sync for widgets is allowed for iOS on app protection policies. | Yes | Yes |
appActionIfAccountIsClockedOut | Defines a managed app behavior, either block or warn, if the user is clocked out (non-working time). | Yes | Yes |
appActionIfAndroidDeviceManufacturerNotAllowed | Defines a managed app behavior, either block or wipe, if the specified device manufacturer is not allowed. | Yes | Yes |
appActionIfAndroidDeviceModelNotAllowed | Defines a managed app behavior, either block or wipe, if the specified device model is not allowed. | Yes | Yes |
appActionIfAndroidSafetyNetAppsVerificationFailed | Defines a managed app behavior, either warn or block, if the specified Android App Verification requirement fails. | Yes | Yes |
appActionIfAndroidSafetyNetDeviceAttestationFailed | Defines a managed app behavior, either warn or block, if the specified Android SafetyNet Attestation requirement fails. | Yes | Yes |
appActionIfDeviceComplianceRequired | Defines a managed app behavior, either block or wipe, when the device is either rooted or jailbroken (if DeviceComplianceRequired is set to true). | Yes | Yes |
appActionIfDeviceLockNotSet | Defines a managed app behavior, either warn, block or wipe, if the screen lock is required on Android device but is not set. | Yes | Yes |
appActionIfDevicePasscodeComplexityLessThanHigh | If the device does not have a passcode of high complexity or higher, trigger the stored action. Possible values are: block, wipe, warn, blockWhenSettingIsSupported. | Yes | Yes |
appActionIfDevicePasscodeComplexityLessThanLow | If the device does not have a passcode of low complexity or higher, trigger the stored action. | Yes | Yes |
appActionIfDevicePasscodeComplexityLessThanMedium | If the device does not have a passcode of medium complexity or higher, trigger the stored action. | Yes | Yes |
appActionIfIosDeviceModelNotAllowed | Defines a managed app behavior, either block or wipe, if the specified device model is not allowed. (iOS only) | Yes | Yes |
appActionIfMaximumPinRetriesExceeded | Defines a managed app behavior, either block or wipe, based on maximum number of incorrect pin retry attempts. Inherited from managedAppProtection. | Yes | Yes |
appActionIfUnableToAuthenticateUser | Specifies what action to take in the case where the user is unable to check in because their authentication token is invalid, because the user has been deleted or disabled. | Yes | Yes |
appDataEncryptionType | Type of encryption which should be used for data in a managed app. (iOS only) | Yes | Yes |
biometricAuthenticationBlocked | Indicates whether use of the biometric authentication is allowed in place of a pin if PinRequired is set to True. | Yes | Yes |
blockAfterCompanyPortalUpdateDeferralInDays | Maximum number of days the Company Portal update can be deferred on the device before app access will be blocked. | Yes | Yes |
blockDataIngestionIntoOrganizationDocuments | Indicates whether a user can bring data into org documents. Inherited from managedAppProtection | Yes | Yes |
connectToVpnOnLaunch | Indicates whether the app should connect to the configured VPN on launch. | Yes | Yes |
contactSyncBlocked | Indicates whether contacts can be synced to the user's device. Inherited from managedAppProtection | Yes | Yes |
createdDateTime | The date and time the policy was created. Inherited from managedAppPolicy | Yes | Yes |
customBrowserDisplayName | Friendly name of the preferred custom browser to open weblink on Android. | Yes | Yes |
customBrowserPackageId | Unique identifier of the preferred custom browser to open weblink on Android. | Yes | Yes |
customBrowserProtocol | A custom browser protocol to open internet links on iOS. (iOS only) | Yes | Yes |
customDialerAppDisplayName | Friendly name of a custom dialer app to click-to-open a phone number on Android. | Yes | Yes |
customDialerAppPackageId | PackageId of a custom dialer app to click-to-open a phone number on Android. | Yes | Yes |
customDialerAppProtocol | Protocol of a custom dialer app to click-to-open a phone number on iOS. | Yes | Yes |
customSettings | A set of string key and string value pairs to be sent to the affected users. | Yes | Yes |
dataBackupBlocked | Indicates whether the backup of a managed app's data is blocked. Inherited from managedAppProtection | Yes | Yes |
deployedAppCount | Number of apps to which the current policy is deployed. | Yes | Yes |
description | Description of the policy. Inherited from managedAppPolicy | Yes | Yes |
deviceComplianceRequired | Indicates whether device compliance is required. Inherited from managedAppProtection | Yes | Yes |
deviceLockRequired | Defines if any kind of lock must be required on Android devices. | Yes | Yes |
dialerRestrictionLevel | Lists the classes of dialer apps that are allowed to click-to-open a phone number. Inherited from managedAppProtection. | Yes | Yes |
disableAppEncryptionIfDeviceEncryptionIsEnabled | When this setting is enabled, app level encryption is disabled if device level encryption is enabled. | Yes | Yes |
disableAppPinIfDevicePinIsSet | Indicates whether use of the app pin is required if the device pin is set. Inherited from managedAppProtection | Yes | Yes |
disableProtectionOfManagedOutboundOpenInData | Disables protection of data transferred to other apps through iOS OpenIn option. (iOS only) | Yes | Yes |
displayName | Policy display name. Inherited from managedAppPolicy | Yes | Yes |
encryptAppData | Indicates whether application data for managed apps should be encrypted. | Yes | Yes |
exemptedAppPackages | Lists the app packages that are exempt from the policy and will be able to receive data from managed apps. | Yes | Yes |
exemptedAppProtocols | Lists iOS apps that will be exempt from the policy and will be able to receive data from managed apps. (iOS only) | Yes | Yes |
faceIdBlocked | Indicates whether the use of the FaceID is allowed in place of a pin if pinRequired is set to True. (iOS only) | Yes | Yes |
filterOpenInToOnlyManagedApps | Defines if open-in operation is supported from the managed app to the file-sharing locations selected. (iOS only) | Yes | Yes |
fingerprintAndBiometricEnabled | If null, this setting will be ignored. If false, both fingerprint and biometrics will be disabled. If true, both fingerprint and biometrics will be enabled. | Yes | Yes |
fingerprintBlocked | Indicates whether use of the fingerprint reader is allowed in place of a pin if PinRequired is set to True. Inherited from managedAppProtection | Yes | Yes |
gracePeriodToBlockAppsDuringOffClockHours | Specifies the grace period before app access is blocked during off clock hours. Inherited from managedAppProtection | Yes | Yes |
id | Key of the entity. Inherited from managedAppPolicy | Yes | No |
lastModifiedDateTime | Last time the policy was modified. Inherited from managedAppPolicy | Yes | Yes |
managedBrowser | Indicates in which managed browser(s) internet links should be opened. | Yes | Yes |
managedBrowserToOpenLinksRequired | Indicates whether internet links should be opened in the managed browser app or any custom browser specified by CustomBrowserProtocol (for iOS) or CustomBrowserPackageId / CustomBrowserDisplayName (for Android). Inherited from managedAppProtection | Yes | Yes |
maximumAllowedDeviceThreatLevel | Maximum allowed device threat level, as reported by the MTD app. Inherited from managedAppProtection. | Yes | Yes |
maximumPinRetries | Maximum number of incorrect pin retry attempts before the managed app is either blocked or wiped. Inherited from managedAppProtection | Yes | Yes |
maximumRequiredOsVersion | Versions higher than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
maximumWarningOsVersion | Versions higher than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
maximumWipeOsVersion | Versions higher than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
messagingRedirectAppDisplayName | Defines the app that is allowed when a redirection is enforced by protectedMessagingRedirectAppType. | Yes | Yes |
messagingRedirectAppPackageId | Defines the app package ID that is allowed when a redirection is enforced by protectedMessagingRedirectAppType. | Yes | Yes |
messagingRedirectAppUrlScheme | Defines the app URL redirect schemes which are allowed to be used when a redirection is enforced by protectedMessagingRedirectAppType. | Yes | Yes |
minimumPinLength | Minimum pin length required for an app-level pin if PinRequired is set to True. Inherited from managedAppProtection | Yes | Yes |
minimumRequiredAppVersion | Versions lower than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
minimumRequiredCompanyPortalVersion | Minimum version of the Company portal that must be installed on the device or app. | Yes | Yes |
minimumRequiredOsVersion | Versions lower than the specified version will block the managed app from accessing company data. Inherited from managedAppProtection | Yes | Yes |
minimumRequiredPatchVersion | Oldest required Android security patch level a user can have to gain secure access to the app. | Yes | Yes |
minimumRequiredSdkVersion | Versions lower than the specified version will block the managed app from accessing company data. (iOS only) | Yes | Yes |
minimumWarningAppVersion | Versions lower than the specified version will result in a warning message on the managed app. Inherited from managedAppProtection | Yes | Yes |
minimumWarningCompanyPortalVersion | Minimum version of the Company Portal that must be installed on the device. | Yes | Yes |
minimumWarningOsVersion | Versions lower than the specified version will result in a warning message on the managed app. Inherited from managedAppProtection | Yes | Yes |
minimumWarningPatchVersion | Oldest recommended Android security patch level a user can have for secure access to the app. | Yes | Yes |
minimumWarningSdkVersion | Versions lower than the specified version will result in warning message on the managed app when accessing company data. (iOS only) | Yes | Yes |
minimumWipeAppVersion | Versions lower than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection | Yes | Yes |
minimumWipeCompanyPortalVersion | Minimum version of the Company Portal that must be installed on the device otherwise the company data on the app will be wiped. | Yes | Yes |
minimumWipeOsVersion | Versions lower than or equal to the specified version will wipe the managed app and the associated company data. Inherited from managedAppProtection | Yes | Yes |
minimumWipePatchVersion | Android security patch level lower than or equal to the specified value will wipe the managed app and the associated company data. | Yes | Yes |
minimumWipeSdkVersion | Versions lower than the specified version will block the managed app from accessing company data. | Yes | Yes |
mobileThreatDefensePartnerPriority | Indicates how to prioritise which mobile threat defense partner is enabled for a given platform, when more than one is enabled. | Yes | Yes |
mobileThreatDefenseRemediationAction | Determines what action to take if the mobile threat defense threat threshold isn't met. | Yes | Yes |
notificationRestriction | Specifies the level of restriction for app notifications. Inherited from managedAppProtection. | Yes | Yes |
organizationalCredentialsRequired | Indicates whether organisational credentials are required for app use. Inherited from managedAppProtection | Yes | Yes |
periodBeforePinReset | Specifies the time period before the app-level pin must be reset if PinRequired is set to True. Inherited from managedAppProtection | Yes | Yes |
periodOfflineBeforeAccessCheck | Specifies the time period after which access is checked when the device is not connected to the internet. Inherited from managedAppProtection | Yes | Yes |
periodOfflineBeforeWipeIsEnforced | Specifies the time period an app is allowed to remain disconnected from the internet before all managed data is wiped. Inherited from managedAppProtection | Yes | Yes |
periodOnlineBeforeAccessCheck | Specifies the time period after which access is checked when the device is connected to the internet. Inherited from managedAppProtection | Yes | Yes |
pinCharacterSet | Character set which may be used for an app-level pin if PinRequired is set to True. Inherited from managedAppProtection. | Yes | Yes |
pinRequired | Indicates whether an app-level pin is required. Inherited from managedAppProtection | Yes | Yes |
pinRequiredInsteadOfBiometricTimeout | Timeout in minutes for an app pin when required instead of a non-biometric passcode. Inherited from managedAppProtection | Yes | Yes |
previousPinBlockCount | Requires a pin to be unique from the number specified in this property. Inherited from managedAppProtection | Yes | Yes |
printBlocked | Indicates whether printing is allowed from managed apps. Inherited from managedAppProtection | Yes | Yes |
protectedMessagingRedirectAppType | Defines how app messaging redirection is protected by an app protection policy. Inherited from managedAppProtection. | Yes | Yes |
protectInboundDataFromUnknownSources | Protects incoming data from unknown sources. (iOS only) | Yes | Yes |
requireClass3Biometrics | Requires the user to apply Class 3 biometrics on their Android device. | Yes | Yes |
requiredAndroidSafetyNetAppsVerificationType | Defines the Android SafetyNet Apps Verification requirement for a managed app to work. | Yes | Yes |
requiredAndroidSafetyNetDeviceAttestationType | Defines the Android SafetyNet Device Attestation requirement for a managed app to work. | Yes | Yes |
requiredAndroidSafetyNetEvaluationType | Defines the Android SafetyNet evaluation type requirement for a managed app to work. | Yes | Yes |
requirePinAfterBiometricChange | Specifies that a PIN prompt will override biometric prompts if Class 3 biometrics are updated on the device. | Yes | Yes |
roleScopeTagIds | List of scope tags for this entity instance. Inherited from managedAppPolicy | Yes | Yes |
saveAsBlocked | Indicates whether users may use the "Save As" menu item to save a copy of protected files. Inherited from managedAppProtection | Yes | Yes |
screenCaptureBlocked | Indicates whether a managed user can take screen captures of managed apps. | Yes | Yes |
simplePinBlocked | Indicates whether simplePin is blocked. Inherited from managedAppProtection | Yes | Yes |
thirdPartyKeyboardsBlocked | Defines if third party keyboards are allowed while accessing a managed app. (iOS only) | Yes | Yes |
version | Version of the entity. Inherited from managedAppPolicy | Yes | Yes |
warnAfterCompanyPortalUpdateDeferralInDays | Maximum number of days a Company Portal update can be deferred on the device before the user receives a warning. | Yes | Yes |
wipeAfterCompanyPortalUpdateDeferralInDays | Maximum number of days a Company Portal update can be deferred on the device before company data on the app is wiped. | Yes | Yes |