Skip to content



Parameter Attribute DataType Description Allowed Values
DisplayName Key String Display name of the iOS App Protection Policy
Description Write String Description of the iOS App Protection Policy
PeriodOfflineBeforeAccessCheck Write String N/A
PeriodOnlineBeforeAccessCheck Write String N/A
AllowedInboundDataTransferSources Write String N/A
AllowedOutboundDataTransferDestinations Write String N/A
OrganizationalCredentialsRequired Write Boolean N/A
AllowedOutboundClipboardSharingLevel Write String N/A
DataBackupBlocked Write Boolean N/A
DeviceComplianceRequired Write Boolean N/A
ManagedBrowserToOpenLinksRequired Write Boolean N/A
SaveAsBlocked Write Boolean N/A
PeriodOfflineBeforeWipeIsEnforced Write String N/A
PinRequired Write Boolean N/A
MaximumPinRetries Write UInt32 N/A
SimplePinBlocked Write Boolean N/A
MinimumPinLength Write UInt32 N/A
PinCharacterSet Write String N/A
AllowedDataStorageLocations Write StringArray[] N/A
ContactSyncBlocked Write Boolean N/A
PrintBlocked Write Boolean N/A
FingerprintBlocked Write Boolean N/A
AppDataEncryptionType Write String N/A
Apps Write StringArray[] List of Ids representing the iOS apps controlled by this protection policy.
Assignments Write StringArray[] List of IDs of the groups assigned to this iOS Protection Policy.
ExcludedGroups Write StringArray[] List of IDs of the groups that are excluded from this iOS Protection Policy.
Ensure Write String Present ensures the policy exists, absent ensures it is removed. Present, Absent
Credential Write PSCredential Credentials of the Intune Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write String Secret of the Azure Active Directory tenant used for authentication.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.


This resource configures an Intune device configuration profile for an iOS Device.


Example 1

This example creates a new App ProtectionPolicy for iOS.

Configuration Example
        [Parameter(Mandatory = $true)]
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
        IntuneAppProtectionPolicyiOS 'MyCustomiOSPolicy'
            AllowedDataStorageLocations             = @("sharePoint")
            AllowedInboundDataTransferSources       = "managedApps"
            AllowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
            AllowedOutboundDataTransferDestinations = "managedApps"
            AppDataEncryptionType                   = "whenDeviceLocked"
            Apps                                    = @("","com.pervasent.boardpapers.ios","")
            Assignments                             = @("6ee86c9f-2b3c-471d-ad38-ff4673ed723e")
            ContactSyncBlocked                      = $False
            DataBackupBlocked                       = $False
            Description                             = ""
            DeviceComplianceRequired                = $True
            DisplayName                             = "My DSC iOS App Protection Policy"
            ExcludedGroups                          = @("3eacc231-d77b-4efb-bb5f-310f68bd6198")
            FingerprintBlocked                      = $False
            ManagedBrowserToOpenLinksRequired       = $True
            MaximumPinRetries                       = 5
            MinimumPinLength                        = 4
            OrganizationalCredentialsRequired       = $False
            PeriodOfflineBeforeAccessCheck          = "PT12H"
            PeriodOfflineBeforeWipeIsEnforced       = "P90D"
            PeriodOnlineBeforeAccessCheck           = "PT30M"
            PinCharacterSet                         = "alphanumericAndSymbol"
            PinRequired                             = $True
            PrintBlocked                            = $False
            SaveAsBlocked                           = $True
            SimplePinBlocked                        = $False
            Ensure                                  = 'Present'
            Credential                              = $credsGlobalAdmin