Dear All, This blog provides information on the default screen capture behavior to help you understand its effects on your users and the options available to adjust the default settings.
Microsoft has recently introduced support to block screen capture for apps protected by mobile application management (MAM). Previously, iOS/iPadOS did not have controls to restrict screen captures by application, user, or without device enrollment. Although screen capture blocking was available for managed devices, it posed a risk for organizations relying solely on MAM protection.
As part of a security initiative, Microsoft has changed the default behavior for MAM-protected apps. Now, according to your Intune app protection policy settings, if a user tries to capture or share the screen from a managed account in a MAM-protected app, a blank screen is captured instead of the actual screen image. For apps that have upgraded to v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16 of the SDK, the screen capture block is enforced if the Send Org data to other apps setting is configured to any value other than "All apps".
Note: In the forthcoming version (20.3.0) of the Intune App SDK and Intune App Wrapping Tool for iOS, functionality has been introduced to notify users when a screen capture action (such as recording or mirroring) is detected in a managed app. This notification is visible to users only if an app protection policy (APP) has been set up to block screen capture.
What impact does this have on you or your users?
If APP is set up to prevent screen capturing, users receive an alert stating that their organization has blocked screen capture actions when they try to take a screenshot, record the screen, mirror it, or share the screen.
How does this work?
This is managed through the existing Send Org data to other apps setting within the Data Protection section under App protection policy (APP). If both of the following conditions are met, screen capture is blocked:
The app, whether it's a Microsoft app, a third-party app, or your line-of-business (LOB) app, has been updated to use Intune App SDK v19.7.6 or later for Xcode 15 and v20.2.1 or later for Xcode 16.
The app is managed by APP, and the Send Org data to other apps setting is configured to "None", "Policy managed apps", "Policy managed apps with OS sharing", or "Policy managed apps with Open-in/Share Filter". In that case, screen sharing and screenshots are blocked.

With "Send organizational data to other apps" set to "All Apps," users won't be able to capture screens, take screenshots, or share their screens.

Enable users to capture screenshots
If the organization prefers not to alter the existing data sharing methods between applications and still wants to enable screen capture, you can apply the following app configurations and deploy the managed apps.
Step 1: Log in to Microsoft Intune, navigate to App Configuration under Apps, and tap on Create, then select Managed Apps.

Step 2: Enter a name and choose the applications for which you want to set up an exclusion. Under Target policy, you can select from Specific apps, all apps, all Microsoft apps, or core apps according to your requirements and click on Next. In my situation, I have chosen Microsoft Outlook.

Step 3: Navigate to the Settings page and, in the "General configuration settings" section, add the key "com.microsoft.intune.mam.screencapturecontrol" with the value set to "Disabled", then tap on Next.

Step 4: Apply the configuration policy to the users you wish to target with the override setting by selecting the group under Assignments.

Step 5: Check the configuration and press Create to finalize the app setup.
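
The same override can be scripted and read back for review through Microsoft Graph. This is an added example, not part of the original post: it assumes the Microsoft.Graph.Authentication module and the Graph v1.0 targetedManagedAppConfigurations resource with its targetApps and assign actions. The policy name and group ID are placeholders, and the Outlook for iOS bundle ID should be confirmed in your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: scripted equivalent of Steps 1-5 (not from the original post).
# Placeholders (assumptions): policy name and target group ID.
$PolicyName = 'iOS - Allow screen capture (Outlook)'
$GroupId    = '00000000-0000-0000-0000-000000000000'
$Base = 'https://graph.microsoft.com/v1.0/deviceAppManagement/targetedManagedAppConfigurations'

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

function Send-Json($Uri, $Payload) {
    # POST a hashtable as JSON; returns the parsed response (a hashtable).
    Invoke-MgGraphRequest -Method POST -Uri $Uri -ContentType 'application/json' `
        -Body ($Payload | ConvertTo-Json -Depth 10)
}

# Steps 2-3: create the policy carrying the override key from the post.
$policy = Send-Json $Base @{
    '@odata.type'  = '#microsoft.graph.targetedManagedAppConfiguration'
    displayName    = $PolicyName
    description    = 'Overrides the default MAM screen capture block'
    customSettings = @(
        @{ name = 'com.microsoft.intune.mam.screencapturecontrol'; value = 'Disabled' }
    )
}

# Step 2 (target app): scope the override to Outlook for iOS only,
# so every other managed app keeps the default block.
Send-Json "$Base/$($policy.id)/targetApps" @{
    apps = @(@{ mobileAppIdentifier = @{
        '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'
        bundleId      = 'com.microsoft.Office.Outlook'
    } })
} | Out-Null

# Step 4: assign to a single group rather than all users.
Send-Json "$Base/$($policy.id)/assign" @{
    assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
        groupId       = $GroupId
    } })
} | Out-Null

# Step 5 (check): read the policy back and fail loudly if the key is missing.
$check = Invoke-MgGraphRequest -Method GET -Uri "$Base/$($policy.id)"
$key = $check.customSettings |
    Where-Object { $_.name -eq 'com.microsoft.intune.mam.screencapturecontrol' }
if (-not $key -or $key.value -ne 'Disabled') { throw 'Override key not present on policy' }
"Created $($check.displayName) ($($check.id)); screencapturecontrol = $($key.value)"
```

Listing every targetedManagedAppConfigurations object and filtering on this key is a quick way to audit which groups and apps have been exempted from the screen capture block.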

Now let's observe how the policy impacts the End User.


Conclusion
In summary, Microsoft's latest update to prevent screen capture for MAM-protected apps on iOS devices highlights the company's dedication to improving data security. By blocking unauthorized screen captures, organizations can more effectively protect sensitive information and adhere to security policies. Administrators need to update their apps to the latest Intune App SDK versions and configure the appropriate settings in Microsoft Intune to meet their security needs. This proactive step not only protects organizational data but also emphasizes the significance of strong mobile application management in the current digital environment.