Quick tip: Blocking screen capture with app protection policies on iOS devices

This week a relatively short blog post. Not because it’s challenging to get up and running again in this new year, but mainly to highlight a change in behavior on iOS devices. That change is all about app protection policies on iOS devices. For apps that have updated to v19.7.6 or later of the Intune App SDK for Xcode 15, or v20.2.1 or later for Xcode 16, the default screen capture behavior changes. Before that update, blocking screen capture was not an option with app protection policies on iOS devices. That has now changed. Starting with that update, blocking screen capture is available in app protection policies and is enabled by default when Send Org data to other apps is configured to anything other than “All apps“. This post goes into more detail about this change in behavior and the configuration to counter the default behavior, and ends with the user experience.

Note: The behavior changed with v19.7.6 or later for Xcode 15, and v20.2.1 or later for Xcode 16, of the SDK. At this moment it’s already implemented for the main Microsoft apps, such as Outlook, Teams, and OneDrive.

Allowing screen captures via app configuration policies

When looking at the new behavior with app protection policies on iOS devices, it’s good to know that there is an alternative. Screen captures will be blocked by default, but, if needed, it’s possible to still allow screen captures. So, if it’s still required to allow screen captures in managed apps, an app configuration policy can be used to configure that behavior for managed apps. That behavior is controlled by the com.microsoft.intune.mam.screencapturecontrol key. Set that key to Disabled to allow screen capture on iOS devices. The following eight steps walk through the configuration of that specific configuration key by using an app configuration profile for managed apps.

  1. Open the Microsoft Intune admin center portal and navigate to Apps > App configuration policies
  2. On the Apps | App configuration policies blade, click Add > Managed apps
  3. On the Basics page, provide the following information and click Next
  • Name: Specify a unique name to distinguish the app configuration policy from other app configuration policies
  • Description: (Optional) Specify a description to further explain the usage of the app configuration policy
  • Device enrollment type: (Grayed out) Managed apps
  • Targeted app: Select All apps as value
  4. On the Settings Catalog page, skip the Microsoft Edge settings and click Next
  5. On the Settings page, as shown below in Figure 1, provide at least the following configuration and click Next
  • Navigate to General configuration settings and add a line with the following information
    • Specify com.microsoft.intune.mam.screencapturecontrol as the key and Disabled as the value
  6. On the Scope tags page, configure the applicable scope tags and click Next
  7. On the Assignments page, configure the assignment by selecting the applicable group and click Next
  8. On the Review + create page, review the configuration and click Create
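The same managed-apps app configuration policy can be created through Microsoft Graph instead of the portal, which is convenient when the counter configuration has to be rolled out to several tenants before the apps with the new default arrive. The following script is an added example and not code from the blog post or from Microsoft; it builds the request body for the Graph beta targetedManagedAppConfiguration resource (the property names appGroupType, customSettings and the iosMobileAppIdentifier shape are taken from that API and are assumptions here, as is the Outlook bundle id used as a sample). It only sends the body when a GRAPH_TOKEN environment variable is present, so it runs offline.

```python
"""Build (and optionally post) a managed-apps app configuration policy that sets
com.microsoft.intune.mam.screencapturecontrol = Disabled, i.e. allows screen capture.
Added example, not the blog post's or Microsoft's own code."""
import json
import os
import urllib.request

SCREENCAPTURE_KEY = "com.microsoft.intune.mam.screencapturecontrol"
# Assumption: Graph beta endpoint for app configuration policies for managed apps.
GRAPH_URL = ("https://graph.microsoft.com/beta/deviceAppManagement/"
             "targetedManagedAppConfigurations")


def build_screencapture_policy(name, description="", bundle_ids=None):
    """Return the POST body for a policy that allows screen capture again.

    The post only documents the value "Disabled" (screen capture control disabled,
    so captures are allowed), so that is the only value this helper emits.
    With no bundle_ids the policy targets "All apps" like the portal walkthrough;
    with bundle_ids it targets the listed iOS apps (assumption: selectedPublicApps).
    """
    body = {
        "@odata.type": "#microsoft.graph.targetedManagedAppConfiguration",
        "displayName": name,
        "description": description,
        "customSettings": [{"name": SCREENCAPTURE_KEY, "value": "Disabled"}],
    }
    if bundle_ids:
        body["appGroupType"] = "selectedPublicApps"
        body["apps"] = [
            {
                "@odata.type": "#microsoft.graph.managedMobileApp",
                "mobileAppIdentifier": {
                    "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                    "bundleId": bundle_id,
                },
            }
            for bundle_id in bundle_ids
        ]
    else:
        body["appGroupType"] = "allApps"
    return body


def screencapture_setting(body):
    """Return the value of the screen capture key in a policy body, or None.

    Useful when auditing exported policies: a missing key means the SDK default
    (blocked) applies, "Disabled" means captures are allowed.
    """
    for setting in body.get("customSettings", []):
        if setting.get("name", "").lower() == SCREENCAPTURE_KEY:
            return setting.get("value")
    return None


def post_policy(body, token):
    """POST the policy body with a bearer token and return the created object."""
    request = urllib.request.Request(
        GRAPH_URL,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    policy = build_screencapture_policy(
        "iOS - allow screen capture in managed apps",
        description="Counter configuration for the new Intune App SDK default",
    )
    print(json.dumps(policy, indent=2))
    token = os.environ.get("GRAPH_TOKEN")  # only post when a token is supplied
    if token:
        created = post_policy(policy, token)
        print("created policy", created.get("id"))
```

Assignments are a separate call in Graph (the assign action on the created policy), so after creation the policy still has to be assigned to the applicable group, exactly as in step 7 of the portal walkthrough.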

Note: Keep in mind that this configuration is specific to an app configuration profile for managed apps.

Experiencing screen captures in app protection policies

The behavior is pretty easy and straightforward to experience. When there are apps in use that rely on the latest Intune App SDK, and are configured with app protection policies that have Send Org data to other apps configured to anything other than “All apps“, that’s the starting point for experiencing the behavior. By default, the user will now be blocked from making screen captures in their managed apps, as shown on the right in Figure 2. That is an example of the behavior of the Outlook app. With the change in behavior, the block will be experienced as a black screen when the user actually tries to perform a screen capture.

After applying the mentioned configuration key and value, the user will be allowed to make screen captures again. That experience is exactly the same as what it used to be before. So, a screen capture of that behavior would not make a lot of sense.
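The three conditions described above (SDK version on the right release line, Send Org data to other apps not set to “All apps“, and no counter configuration) decide what a user sees. The function below is an added example, not code from the blog post or from Microsoft, that encodes those rules so a helpdesk can predict the outcome from the values shown in the Intune App Protection Status report. The version thresholds are the two from the post; the assumption that SDK lines newer than 20.x keep the new default, and that lines older than 19.x never had it, is mine.

```python
"""Predict whether screen capture is blocked in a managed iOS app, following the
rules described in the post. Added example, not the post's or Microsoft's code."""

SCREENCAPTURE_KEY = "com.microsoft.intune.mam.screencapturecontrol"

# Two independent SDK release lines: the Xcode 15 line (19.x) gets the new default
# from 19.7.6, the Xcode 16 line (20.x) from 20.2.1. Note that 20.1.0 is "higher"
# than 19.7.6 but still predates the change on its own line.
NEW_DEFAULT_FROM = {19: (19, 7, 6), 20: (20, 2, 1)}


def parse_version(text):
    """'19.7.6' -> (19, 7, 6); tuples compare element-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def sdk_has_new_default(sdk_version):
    """True if this Intune App SDK version blocks screen capture by default."""
    version = parse_version(sdk_version)
    major = version[0]
    if major in NEW_DEFAULT_FROM:
        return version >= NEW_DEFAULT_FROM[major]
    # Assumption: later release lines keep the new default, earlier ones never had it.
    return major > 20


def screen_capture_blocked(sdk_version, send_org_data, app_config=None):
    """Combine the SDK version, the app protection policy's 'Send Org data to other
    apps' value and the managed-app app configuration keys (dict, may be None)."""
    if not sdk_has_new_default(sdk_version):
        return False                      # old SDK: never blocked by the policy
    if send_org_data == "All apps":
        return False                      # the block only applies to other values
    value = (app_config or {}).get(SCREENCAPTURE_KEY)
    if value is not None and value.lower() == "disabled":
        return False                      # counter configuration from the post
    return True


if __name__ == "__main__":
    # Constructed sample rows, as they might appear in a status report export.
    samples = [
        ("19.7.6", "Policy managed apps", None),
        ("20.1.0", "Policy managed apps", None),
        ("20.2.1", "All apps", None),
        ("20.2.1", "Policy managed apps", {SCREENCAPTURE_KEY: "Disabled"}),
    ]
    for sdk, send_org, config in samples:
        print(sdk, send_org, config, "->",
              "blocked" if screen_capture_blocked(sdk, send_org, config) else "allowed")
```

The SDK version comes from the app build the user has installed, not from the iOS version, which is why a fully updated iOS device can still report an SDK below 19.7.6 until the app itself is updated.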

Note: During tests with allowing screen captures again, it wasn’t always straightforward to get the change applied. Make sure to thoroughly test the required behavior and the implementation flow. The easiest is to have the counter configuration in place before getting apps with the new default behavior.

More information

For more information about app protection policies on iOS devices, refer to the following docs.


30 thoughts on “Quick tip: Blocking screen capture with app protection policies on iOS devices”

  1. It’s pretty cool that Microsoft has added this, though it would have been really nice if it wasn’t turned on by default for Intune deployments already rolled out. I had a lot of upset users that had gotten used to being able to take screenshots when they needed to, and then it was just turned off.

  2. We have set the app config policy so this should be working again, but still we have a lot of users that are complaining that this is still not working. But I can see that the user gets the policy under monitor for the app config policy. So this is strange. I have applied the policy to users, not devices, maybe that’s the reason? Has anyone else seen this?

  3. I have a question. I have created this App Config to block SS and assigned it to an iOS Device group, however how do I check the status, since on Intune there is no Status page to review the policy update?
    Also I was a little confused about whether I should target this App Config Policy to a user group or a device group, since we have enrolled BYOD devices.

    Kindly suggest.

  4. If I select core Microsoft apps in the configuration setting instead of Targeted app: Select All apps as value, with the com.microsoft.intune.mam.screencapturecontrol key and Disabled set as the value, will it allow screen captures?

  5. Hi Peter, great article. Just to confirm, if we create the App configuration profile you recommend, this can only be deployed to MDM devices and not MAM-only devices. If we need screen capture working on MAM only, I assume we need to change the Send Org data to other apps setting to All Apps?

    • Hi Mike,
      Not sure what you mean exactly. The specified configuration is focussed on MAM only devices. When Send Org data to other apps is configured to anything other than “All apps“ the mentioned behavior will change. In that case you can use the app configuration to adjust the screen capture behavior. Configuring that setting to “All apps“ enables users to copy the information to any other (personal) app. That’s probably not what you want.
      Regards, Peter

      • Thanks for coming back to me. I originally thought ‘Allowing screen captures via app configuration policies’ could only be applied to MDM enrolled devices and not BYOD devices that only use App Protection Policies, however I tested and the setting you recommended works. Thanks again for a great article.

  6. If cx has chosen Send all organisational data to policy managed apps and applied an app configuration policy with the key value disable, wanting to restore screen capture, will it work?

  7. Hello,
    Thank you for your post. I have a question. Is it possible to enable so that you can screen capture and only share between managed application? For example, I take a screenshot during a Teams meeting and attach it in an email in Outlook or Onedrive app. But block save screenshot to photo gallery or another private app like Gmail.app ?

  8. Hi Peter
    First always enjoy reading your blog so thank you for keeping this up.
    I have an issue here.
    Following setting: Send org data to other apps “All Apps”
    For some reason some users seem to still not be able to take screenshots in Edge, at least I replicated the issue in Edge.
    I have not made a change to this policy since September 2023, but for some reason I need to apply the settings you mention now, any thoughts on why this is happening?

    • Hi Jimmy,
      If that’s the case, you might want to contact Microsoft. The docs clearly state that “if you have configured Send Org data to other apps setting to a value other than All apps, screen capture block is applied […]
      Regards, Peter

  9. Good Morning,

    Thanks for the article. I did have one further question. Would the above steps for allowing screen captures via app configuration policies also work for apps on Android devices? I am looking for a way to allow a specific Intune app on Android devices to be able to take a screen capture.

  10. Hi Peter, thanks for all your great content. You’ve helped me enormously over the years.
    My company uses App Protection Policies and iOS screenshots have been a security gap for years, until now.
    I’m thinking about implementing a minimum iOS SDK version of 19.7.6 in the policy (using just “warning” for now) to push users to update this so that this feature works for all our users, but I’m not clear on if the iOS SDK is tied directly to the iOS version or does it update separately?
    My Intune App Protection Status report shows devices that have a fully updated iOS version but the SDK is lower than 19.7.6, and older devices with older iOS versions that have a much newer SDK version, it doesn’t make any sense. What does the user have to update to get an SDK version above 19.7.6, do you know? The apps or the iOS, or both?
    Maybe I’m overthinking this but I had assumed that if the user had an updated iOS then they would have an updated SDK, but the Intune report doesn’t reflect that. Any thoughts?

  11. So this key is great for iOS: com.microsoft.intune.mam.screencapturecontrol = Disabled

    But is there an equivalent for Android?

  12. Hi Peter. Over the many millennia that I’ve been an SMS/SCCM/MECM/? admin, I have REALLY appreciated all you do to support the community. And now Intune as well! Hallelujah! Anyhow…big fan. Now to my question:

    We support employee iOS devices that are enrolled in Intune. We’re using an app called iManage Work 10 For Intune which is what Microsoft classifies as a “Partner productivity app”. This means it supports the core and advanced Intune App Protection Policy settings. Presently we have the following deployed (all are assigned to a pilot group in AAD):

    • Device Configuration Policy: Block viewing corporate documents in unmanaged apps (Yes)
    • App Configuration Policy targeting Managed devices (iOS/iPadOS) and specifically the iManage Work 10 For Intune app. This policy configures settings unique to the app (with the exception of Intune MAMUPN, IntuneMAMOID, and Intune MAMDeviceID which are Intune SDK settings to help apply the policy to the right user/device.)
    • App Protection Policy targeting Microsoft Apps and iManage app

    The way I read your article and Microsoft’s documentation is that I need to add a new App Configuration policy that targets Managed apps (instead of Managed devices like the one we already have), target it to the apps for which we want to allow screen capture, and add the setting as you’ve described. This new policy should trump anything else that might be prohibiting screen capture, correct? Or could there also be a setting in our app protection policy that impacts it?

    Thanks in advance!

  13. I have a weird problem that the app protection doesn’t work on some of the apps that it SHOULD work on. For example, my app protection policies all set Send Org Data as “Policy Managed Apps” only. Additionally, at the bottom of Data Protection, Screen Capture is set to Block. And even though I check using about://intunehelp to verify the policy is applying to ALL apps (it is), Edge, Outlook, SharePoint, and Teams all allow screenshots anyway. The apps are fully up-to-date, and I can see from the intunehelp status that all are using a valid Intune SDK.

    Any thoughts on why this might be the case?
