App Data Protection Design (Intune MAM)

💼 Management Summary

The app data protection (MAM, Mobile Application Management) design implements Intune App Protection Policies for iOS and Android to protect corporate data inside managed apps using copy/paste restrictions, encryption, conditional launch and data leak prevention, without full device enrollment (BYOD-friendly).

Recommendation: IMPLEMENT APP DATA PROTECTION
Risk without: High
Risk Score: 8/10
Implementation: 24h (tech: 8h)
Applies to:
✓ Intune
✓ MAM
✓ App protection

MAM provides data protection without device enrollment (the BYOD scenario where users do not want full MDM): corporate data is isolated inside managed apps (Outlook, Teams, OneDrive); data leak prevention (no copy/paste to personal apps); conditional launch (PIN required, jailbreak detection blocks the app); selective wipe (remove corporate data, keep personal data). Without MAM: corporate data sits in unmanaged apps (screenshots possible, saving to personal storage), no encryption enforcement, data leaks via copy/paste, and a lost device means data exposure.

Design

MAM design:

  1. App Protection Policies per platform (iOS, Android)
  2. Data protection: encryption at rest (app-level encryption), data transfer restrictions (only to managed apps), copy/paste blocked (or managed apps only), save-as restrictions (block saving to personal storage), screenshot prevention (block for iOS, warn for Android)
  3. Conditional launch: PIN/biometric required (app-level authentication), maximum offline period (30 days → wipe), jailbreak/root detection (block app launch), minimum OS version, maximum app version (force updates)
  4. Managed apps: Microsoft apps (Outlook, Teams, OneDrive, Edge, Office), third-party apps (Intune SDK integrated)

Requirements

  1. Intune licences (standalone or M365 E3/E5)
  2. App Protection Policies defined (iOS, Android)
  3. Managed apps list (Outlook, Teams, OneDrive at minimum)
  4. Conditional launch settings (PIN, jailbreak detection)
  5. User communication (MAM requirements, app setup)
  6. BYOD policy (if applicable)

Implementation

Create App Protection Policies: iOS policy (data transfer restricted, save-as blocked, PIN required, jailbreak blocked), Android policy (same settings); assign to all users or to specific groups; deploy the managed apps (Company Portal); test data isolation; train users.

Compliance and Auditing

MAM policies satisfy: BIO 11.02 (mobile device data protection), ISO 27001 A.6.2.1 (mobile device policy), GDPR Article 32 (data protection by design: encryption, access control and authentication), NIS2 (data leakage prevention).

Monitoring

Use the PowerShell script app-data-protection.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script app-data-protection.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

```powershell
<#
.SYNOPSIS
    App Data Protection (MAM) Design
.DESCRIPTION
    Implementation for App Data Protection (MAM) Design
.NOTES
    Filename: app-data-protection.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/platform/app-data-protection.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "App Data Protection (MAM) Design"
$BIOControl = "13.02"

function Connect-RequiredServices {
    # Connection logic based on API
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "app-data-protection"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check implementation
    # Based on: Design Document
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    Write-Host " Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}
```
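The following is an added example, not the page's app-data-protection.ps1, showing how the settings from the design section (data transfer to managed apps only, clipboard, save-as, app PIN, jailbreak/root block, 30-day offline wipe) can be verified against an App Protection Policy object as Microsoft Graph returns it; this is the kind of logic the script's Test-Compliance stub leaves open. It assumes the Microsoft.Graph PowerShell module, Graph v1.0 property names, and a constructed sample policy.

```powershell
# Added example (not the page's app-data-protection.ps1): check one Intune App Protection
# Policy object, as returned by Microsoft Graph v1.0, against the MAM baseline above.
function Test-MamPolicyBaseline {
    param([Parameter(Mandatory)][hashtable]$Policy)
    # Baseline from the design, keyed by Graph managedAppProtection property names;
    # deviceComplianceRequired is assumed here to be the jailbroken/rooted device block.
    $expected = @{
        allowedOutboundDataTransferDestinations = @('managedApps')
        allowedOutboundClipboardSharingLevel    = @('blocked', 'managedApps', 'managedAppsWithPasteIn')
        saveAsBlocked                           = @($true)
        pinRequired                             = @($true)
        deviceComplianceRequired                = @($true)
    }
    # screenCaptureBlocked exists only on the Android policy type.
    if ($Policy['@odata.type'] -eq '#microsoft.graph.androidManagedAppProtection') {
        $expected['screenCaptureBlocked'] = @($true)
    }
    $findings = @(foreach ($key in $expected.Keys) {
        if ($null -eq $Policy[$key] -or $expected[$key] -notcontains $Policy[$key]) {
            [PSCustomObject]@{ Setting = $key; Expected = ($expected[$key] -join '|'); Actual = $Policy[$key] }
        }
    })
    # Offline-wipe period is an ISO 8601 duration string ('P30D'); parse it rather than
    # comparing text. Missing or zero is treated as "no wipe enforced" (assumption).
    $wipeRaw = [string]$Policy['periodOfflineBeforeWipeIsEnforced']
    $wipeOk = $false
    if ($wipeRaw) {
        $wipe = [System.Xml.XmlConvert]::ToTimeSpan($wipeRaw)
        $wipeOk = ($wipe -gt [TimeSpan]::Zero) -and ($wipe -le [TimeSpan]::FromDays(30))
    }
    if (-not $wipeOk) {
        $findings += [PSCustomObject]@{ Setting = 'periodOfflineBeforeWipeIsEnforced'; Expected = '<= P30D'; Actual = $wipeRaw }
    }
    [PSCustomObject]@{ DisplayName = $Policy['displayName']; IsCompliant = ($findings.Count -eq 0); Findings = $findings }
}
# Constructed sample: an Android policy that still allows paste into any app and never wipes offline.
# Against a live tenant, run Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All' and feed each item of
# (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections').value
$sample = @{
    '@odata.type'                           = '#microsoft.graph.androidManagedAppProtection'
    displayName                             = 'MAM - Android (sample)'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'allApps'
    saveAsBlocked                           = $true
    pinRequired                             = $true
    deviceComplianceRequired                = $true
    screenCaptureBlocked                    = $true
    periodOfflineBeforeWipeIsEnforced       = 'PT0S'
}
(Test-MamPolicyBaseline -Policy $sample).Findings | Format-Table Setting, Expected, Actual
```

For the constructed sample the report lists two findings, the clipboard level and the offline wipe period, which is what the monitoring function should surface as non-compliant resources.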

Risk without implementation

High: corporate data in unmanaged apps = data leaks (copy/paste to personal apps, screenshots, saving to personal cloud storage), lost-device exposure (no encryption), BYOD risks. Compliance: GDPR Article 32, BIO 11.02. The risk is HIGH: mobile data protection.

Management Summary

App Data Protection (MAM): Intune App Protection Policies - data isolation (corporate vs personal), block copy/paste to personal apps, require an app PIN (secondary authentication), jailbreak/root detection (block compromised devices), selective wipe (remove corporate data only, preserve personal data), encryption. BYOD-friendly (no full device enrollment needed). Activation: Intune → App protection policies → iOS/Android. Free (Intune is included in M365). Required by GDPR Article 32, BIO 11.02. Implementation: 8-24 hours. CRITICAL BYOD security: data isolation without MDM.