Quick tip: Blocking screen capture with app protection policies on iOS devices

This week a relatively short blog post. Not because it’s challenging to get up-and-running in this new year, but mainly to highlight a change in behavior on iOS devices. That change in behavior is all about app protection policies on iOS devices. For apps that have updated to v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16 of the Intune App SDK, the default screen capture behavior will change. Before that update, blocking screen capture was not an option with app protection policies on iOS devices. That has now changed. Starting with that update, blocking screen capture is available in app protection policies and enabled by default when Send Org data to other apps is configured to anything other than “All apps”. This post goes into more detail about this change in behavior and the configuration to counter the default behavior, and ends with the user experience.

Note: The behavior changed with v19.7.6 or later for Xcode 15, and v20.2.1 or later for Xcode 16, of the SDK. At this moment it’s already implemented for the main Microsoft apps, such as Outlook, Teams, and OneDrive.

Allowing screen captures via app configuration policies

When looking at the new behavior with app protection policies on iOS devices, it’s good to know that there is an alternative. Screen captures will be blocked by default, but if it’s still required to allow screen captures in managed apps, an app configuration policy can be used to configure that behavior. That behavior is controlled with the com.microsoft.intune.mam.screencapturecontrol key. Set that key to Disabled to allow screen capture on iOS devices. The following eight steps walk through the configuration of that specific configuration key by using an app configuration profile for managed apps.

  1. Open the Microsoft Intune admin center portal and navigate to Apps > App configuration profiles
  2. On the Apps | App configuration policies blade, click Add > Managed apps
  3. On the Basics page, provide the following information and click Next
     • Name: Specify a unique name to distinguish the app configuration policy from other app configuration policies
     • Description: (Optional) Specify a description to further explain the usage of the app configuration policy
     • Device enrollment type: (Grayed out) Managed apps
     • Targeted app: Select All apps as value
  4. On the Settings Catalog page, skip the Microsoft Edge settings and click Next
  5. On the Settings page, as shown below in Figure 1, provide at least the following configuration and click Next
     • Navigate to General configuration settings and add a line with the following information
       • Specify the com.microsoft.intune.mam.screencapturecontrol key and set Disabled as the value
  6. On the Scope tags page, configure the applicable scope tags and click Next
  7. On the Assignments page, configure the assignment by selecting the applicable group and click Next
  8. On the Review + create page, review the configuration and click Create

Note: Keep in mind that this configuration is specific to an app configuration profile for managed apps.
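An added example (not from the original post): a Python audit over exported policies that shows, per policy and group, whether screen capture ends up blocked by the new default or re-allowed by the configuration key. The records are constructed; `allowedOutboundDataTransferDestinations` and `customSettings` follow the Microsoft Graph managed app policy resources, and the flat `groups` field is an assumed simplification of policy assignments.

```python
import json

KEY = "com.microsoft.intune.mam.screencapturecontrol"

# Constructed sample data. "groups" is an assumed simplification of the
# separate assignment objects that a real export would contain.
PROTECTION = json.loads("""[
 {"displayName": "iOS APP - corporate", "groups": ["sales", "finance"],
  "allowedOutboundDataTransferDestinations": "managedApps"},
 {"displayName": "iOS APP - kiosk", "groups": ["frontdesk"],
  "allowedOutboundDataTransferDestinations": "none"},
 {"displayName": "iOS APP - open", "groups": ["contractors"],
  "allowedOutboundDataTransferDestinations": "allApps"}
]""")
CONFIG = json.loads("""[
 {"displayName": "Allow screen capture", "groups": ["sales"],
  "customSettings": [{"name": "com.microsoft.intune.mam.screencapturecontrol",
                      "value": "Disabled"}]},
 {"displayName": "Allow screen capture (typo)", "groups": ["frontdesk"],
  "customSettings": [{"name": "com.microsoft.intune.mam.screencapturecontrol",
                      "value": "disable"}]}
]""")

def overrides_for(group, configs):
    """Values of the screen capture key in configs assigned to this group."""
    return [s["value"] for c in configs if group in c["groups"]
            for s in c.get("customSettings", []) if s["name"] == KEY]

def audit(protection, configs):
    """Map (policy, group) to the screen capture state described in the post."""
    report = {}
    for pol in protection:
        for group in pol["groups"]:
            values = overrides_for(group, configs)
            if pol["allowedOutboundDataTransferDestinations"] == "allApps":
                state = "allowed: default block does not apply"
            elif "Disabled" in values:
                state = "allowed: override key set to Disabled"
            elif values:
                # The post documents only the value Disabled for this key.
                state = "review: key present with value " + repr(values[0])
            else:
                state = "blocked: default"
            report[(pol["displayName"], group)] = state
    return report

if __name__ == "__main__":
    for (policy, group), state in audit(PROTECTION, CONFIG).items():
        print(f"{policy:22} {group:12} {state}")
```

Groups reported as allowed by override are the places where the data-loss control has been deliberately relaxed, so they are the ones to review periodically.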

Experiencing screen captures in app protection policies

The behavior is pretty easy and straightforward to experience. The starting point is having apps in use that rely on the latest Intune App SDK and that are configured with app protection policies that have Send Org data to other apps configured to anything other than “All apps”. By default, the user will now be blocked from making screen captures in their managed apps, as shown on the right in Figure 2. That is an example of the behavior of the Outlook app. With the change in behavior, the block will be experienced as a black screen when the user actually tries to perform a screen capture.

After applying the mentioned configuration key and value, the user will be allowed to make screen captures again. That experience is exactly the same as what it used to be before. So, a screen capture of that behavior would not make a lot of sense.

Note: During tests with allowing screen captures again, it wasn’t always even straightforward to get the change applied. Make sure to thoroughly test the required behavior and the implementation flow. The easiest is to have the counter configuration in place, before getting apps with the new default behavior.

More information

For more information about app protection policies on iOS devices, refer to the following docs.



16 thoughts on “Quick tip: Blocking screen capture with app protection policies on iOS devices”

  1. It’s pretty cool that Microsoft have added this, though it would have been really nice if it wasn’t turned on by default for Intune deployments already rolled out. I had a lot of upset users that had gotten used to being able to take screenshots when they needed to and then it was just turned off.
  2. We have set the app config policy so this should be working again, but still we have a lot of users that are complaining that this is still not working. But I can see that the user gets the policy under monitor for the app config policy. So this is strange. I have applied the policy to users, not devices, maybe that’s the reason? Has anyone else seen this?
  3. I have a question: I have created this App Config to block SS and assigned it to an iOS Device group, however how do I check the status, since on Intune there is no Status page to review the policy update.
    Also I was a little confused whether I shall target this App Config Policy to a user group or a device group, since we have enrolled BYOD devices.

    Kindly suggest.
  4. If I select core microsoft app in configuration setting instead of Targeted app: Select All apps as value with com.microsoft.intune.mam.screencapturecontrol key and Disabled set as the value it will Allow screen captures?

  5. Hi Peter, great article. Just to confirm, if we create the App configuration profile you recommend, this can only be deployed to MDM devices and not MAM only devices. If we need screen capture working on MAM Only I assume we need to change the Send Org data to other apps setting to All Apps?
    • Hi Mike,
      Not sure what you mean exactly. The specified configuration is focussed on MAM only devices. When Send Org data to other apps is configured to anything other than “All apps” the mentioned behavior will change. In that case you can use the app configuration to adjust the screen capture behavior. Configuring that setting to “All apps” enables users to copy the information to any other (personal) app. That’s probably not what you want.
      Regards, Peter
      • Thanks for coming back to me. I originally thought ‘Allowing screen captures via app configuration policies’ could only be applied to MDM enrolled devices and not BYOD devices that only use App Protection Policies, however I tested and the setting you recommended works. Thanks again for a great article.
  6. If cx has chosen = Send all organisational data to policy managed app and applied app configuration policy to key value disable. Want to restore screen capture, will it work?
  7. Hello,
    Thank you for your post. I have a question. Is it possible to enable it so that you can screen capture and only share between managed applications? For example, I take a screenshot during a Teams meeting and attach it in an email in Outlook or the OneDrive app. But block saving the screenshot to the photo gallery or another private app like Gmail.app?
