Sunday, 17 September 2017

Block Android Screen Capture with ConfigMgr 1706

Version 1706 of System Center Configuration Manager (Current Branch) was recently released, and one of the new features made one of my customers very happy.

See details of the new 1706 features here

This customer uses the hybrid solution of ConfigMgr and Intune to manage their fleet of Android devices. They use MAM policies to protect against corporate data leakage and they were "almost" 100% happy with the solution.

They felt that they were a little exposed, as users could still capture a screen containing sensitive data using a simple button combination (Home and Power in the case of many Android devices). Now, with ConfigMgr 1706, we can disable the ability to capture the screen. Even cooler, we can configure this on a per-managed-app basis.

I've just tested this in advance of configuring it in the customer's environment. It works so well that I wanted to share the experience.

Navigate to Software Library > Application Management > Application Management Policies

Right-click and choose Create Application Management Policy (or alternatively edit an existing policy).

Enter a name and description for the policy.

Choose Android as the platform and General as the policy type.

We are presented with the MAM options for Android. See Block screen capture. It is enabled by default.

Finish the wizard to create the MAM policy.

For this test I want to block screen capture for Adobe Reader (this is an Intune managed app). The app is added to ConfigMgr as normal.

When deploying the app we are asked which MAM policy should apply. I've chosen my test policy containing the "Block screen capture" setting.

So, what does that look like on a device? I'm using a Samsung Galaxy Tab3 (Android version 4.4.2). I've opened a PDF file using Adobe Reader. See what happens when I try to capture the screen.

"Couldn't save screenshot. Content is protected by DRM".

It's these little hidden gems that make me happy. 

Hope this helps, until next time....