# Step 3 -aMAM- Add App Protection Policy

SCA supports the core Intune App Protection Policy settings and is capable of supporting advanced App Protection Policy and App Configuration Policy settings.

{% hint style="success" %}
For more information about App Protection policies, you can check out Microsoft Docs.\
[App protection policies overview | Microsoft Docs](https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy)
{% endhint %}

2.1 - Create an App Protection Policy in Microsoft Intune.

2.2 - Add `de.provectus.securecontacts.droid` as a custom app to your App Protection Policies.

2.3 - Configure the setting *Send org data to other apps* with at least the restrictive option, e.g. *Policy managed apps*, in the *Data protection* pane for App Protection Policies.

<figure><img src="https://3880789596-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4v109br9tFl1Rxk2qP0x%2Fuploads%2FRLJT833Z25eZYSVowHce%2Fimage.png?alt=media&#x26;token=5ea1dcd0-f430-466f-ada8-cac56d4a5aa5" alt=""><figcaption></figcaption></figure>

2.4 - For the setting “Select apps to exempt”, we recommend adding the following Name/Value pairs for testing.

<table data-header-hidden><thead><tr><th width="286"></th><th></th></tr></thead><tbody><tr><td><strong>Name</strong></td><td><strong>Value</strong></td></tr><tr><td>phonecall</td><td><code>tel</code></td></tr><tr><td>sms</td><td><code>smsto</code></td></tr><tr><td>email</td><td><code>mailto</code></td></tr><tr><td>PermissionController</td><td><code>com.google.android.permissioncontroller</code></td></tr><tr><td>Optional:</td><td></td></tr><tr><td>CallSimulator</td><td><code>com.android.server.telecom</code></td></tr><tr><td>LocalContactsSync</td><td><code>com.google.android.dialer</code></td></tr></tbody></table>

{% hint style="danger" %}
App Protection Policy blocks all communication. \
\
**SCA needs these mandatory settings to work:**\
\
phonecall - App requires this to open your phone-app\
sms - App requires this to open your message-app\
email - App requires this to open your mail-app\
PermissionController - App requires this to add permissions in Android\
\
**optional:**\
CallSimulator - Required for testing with Call Simulator\
LocalContactsSync - Required to sync contacts to work-profile\
\
Proceed with any other settings in this policy according to your best practice for App Protection Policies and assign the test group to this policy.
{% endhint %}
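
The following check is an added example, not code from the vendor or from Microsoft: it audits an exported policy against steps 2.2 to 2.4. It assumes the policy was exported as JSON from Microsoft Graph (`androidManagedAppProtection` resource, with `$expand=apps`); the function name and the sample policy are constructed for illustration.

```python
import json

# Values from the steps above. Field names follow the Microsoft Graph
# androidManagedAppProtection resource (assumption: export with $expand=apps).
SCA_PACKAGE = "de.provectus.securecontacts.droid"
MANDATORY = {"phonecall": "tel", "sms": "smsto", "email": "mailto",
             "PermissionController": "com.google.android.permissioncontroller"}
OPTIONAL = {"CallSimulator": "com.android.server.telecom",
            "LocalContactsSync": "com.google.android.dialer"}
RESTRICTIVE = {"managedApps", "none"}  # "allApps" is the unrestricted level


def audit_policy(policy: dict) -> list[str]:
    """Return findings for one exported App Protection Policy (empty = OK)."""
    findings = []
    targeted = {a.get("mobileAppIdentifier", {}).get("packageId")
                for a in policy.get("apps", [])}
    if SCA_PACKAGE not in targeted:
        findings.append(f"app not targeted: {SCA_PACKAGE}")
    level = policy.get("allowedOutboundDataTransferDestinations")
    if level not in RESTRICTIVE:
        findings.append(f"outbound transfer not restricted: {level}")
    exempt = {e["value"] for e in policy.get("exemptedAppPackages", [])
              if e.get("value")}
    for name, value in MANDATORY.items():
        if value not in exempt:
            findings.append(f"missing mandatory exemption: {name}={value}")
    # Exemptions let org data reach apps outside the policy, so list every
    # optional or unlisted one for review before production rollout.
    for value in sorted(exempt - set(MANDATORY.values())):
        kind = "optional" if value in OPTIONAL.values() else "unlisted"
        findings.append(f"review {kind} exemption: {value}")
    return findings


# Constructed sample export, not taken from a real tenant.
SAMPLE = json.loads("""{
  "displayName": "SCA test policy",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "apps": [{"mobileAppIdentifier": {
      "@odata.type": "#microsoft.graph.androidMobileAppIdentifier",
      "packageId": "de.provectus.securecontacts.droid"}}],
  "exemptedAppPackages": [
    {"name": "phonecall", "value": "tel"},
    {"name": "sms", "value": "smsto"},
    {"name": "PermissionController", "value": "com.google.android.permissioncontroller"},
    {"name": "CallSimulator", "value": "com.android.server.telecom"}]
}""")

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE)))
```
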

After you have created the App Protection Policies and configured them in Endpoint Manager,\
the next step is to enforce this policy with Conditional Access.

{% hint style="success" %}
If you have any questions regarding the implementation of App Protection Policies, \
do not hesitate to [contact us](https://secure-contacts.com/en/kontakt-beratung/) for support.
{% endhint %}
