
Intune Customer Success

Using filters and APP conditional launch to control the OS version with Microsoft Intune

Feb 24, 2025

By: Wayne Bennett – Sr. Program Manager | Microsoft Intune

 

Microsoft Intune app protection policies (APP) enable organizations to protect corporate data. APPs include conditional launch actions, which control access to corporate data if the required device or app conditions aren’t met.

Although we’ve documented the steps to selectively wipe app data using conditional launch, this blog expands on the existing information to provide details on how to use filters to require multiple minimum operating system (OS) versions.

 

Background

The increase of security improvements and the introduction of new functionality has resulted in more frequent OS updates. Thus, you may want to ensure devices accessing corporate resources have the latest updates installed. In Intune, for enrolled devices, you can use compliance policies to enforce a minimum OS version. Or, regardless of enrollment, you can use a single policy type to enforce minimum OS requirements by configuring APP conditional launch requirements. Then, users won’t be able to access protected resources if the minimum OS requirements aren’t met.

 

How conditional launch and filters work together

In an APP, you can configure only one minimum OS version in the conditional launch settings, but you can create multiple APPs with different minimum OS values. However, because APPs are assigned to user groups, a user with multiple devices running different OS versions could face conflicting OS requirements when accessing protected resources.

To allow multiple APPs with different OS requirements to be targeted to the same user, you can create filters which target the APP to a specific OS version.

There are two types of filters for Intune: Managed devices and Managed apps. APP only supports Managed apps filters.

 

Creating filters

To use filters with APPs, you must create a filter for each specific OS version you want to target:

  1. Navigate to the Microsoft Intune admin center.

  2. Select Tenant administration > Filters > Create > Managed apps.

     

  3. On the Basics page, enter a name for the filter which makes it easily identifiable and select the platform you want to target, in this example, iOS/iPadOS.

     

  4. On the Rules page, create a filter for the major OS release you wish to target, for example, Property=osVersion (OS version), Operator=StartsWith, Value=18.

    Optional: You can use the Preview button to check the device, user, and app which match the specified filter.

     

  5. On the Review and create page, save the filter by selecting Create.

Repeat these steps to create additional filters for each platform and major OS version you want to target, such as iOS 16 and 17.

Create and target APP with a filter

  1. Navigate to the Microsoft Intune admin center.

  2. Select Apps > App protection policies > Create policy, then choose the platform you want to target with the APP, such as iOS/iPadOS.

     

  3. On the Basics page, enter a name for the policy which makes it easily identifiable.

     

  4. Complete the Apps, Data protection and Access requirements pages with the iOS, Android or Windows app protection policy settings which meet the requirements for your organization. Within the Device conditions section on the Conditional launch page (or Health Checks page for Windows APP), configure the OS minor or patch release you wish to set as the minimum version.

    For example:
    • Setting=Min OS version
    • Value=18.2.1
    • Action=Block access/Wipe data/Warn (as per the action required for your organization).

       

  5. On the Assignments page, use the previously created filter to scope the policy assignment to the correct major OS version.

     

  6. On the Review and create page, save the policy by selecting Create.

    In the example shown, the filter will target devices running iOS 18 and the APP conditional launch settings will require 18.2.1, ensuring that the APP does not apply to devices running on other major versions of iOS.

    Create additional APPs for each OS version, for instance:
    • Second policy for iOS 16:
      • Conditional launch, Device conditions, Min OS version=16.7.10; filter, OS version, StartsWith=16.
    • Third policy for iOS 17:
      • Conditional launch, Device conditions, Min OS version=17.7.2; filter, OS version, StartsWith=17.
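
The following sketch is an added example, not Microsoft's code or Intune's evaluation logic. It models the three filter and Min OS version pairs from this post so you can check a list of OS versions for devices that fall below the minimum, match no filter at all, or match more than one. The policy names, the sample versions, and the numeric component-wise version comparison are assumptions; filters are assumed to be assigned in include mode.

```python
# Constructed model of the three policies in this post (names are hypothetical):
# policy name -> (filter StartsWith value, conditional launch Min OS version).
POLICIES = {
    "APP-iOS16": ("16", "16.7.10"),
    "APP-iOS17": ("17", "17.7.2"),
    "APP-iOS18": ("18", "18.2.1"),
}

def version_tuple(version):
    """Split '18.2.1' into (18, 2, 1); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in version.split("."))

def meets_minimum(os_version, minimum):
    """Compare numerically per component, padding with zeros (18.2 -> 18.2.0)."""
    a, b = version_tuple(os_version), version_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b

def evaluate(os_version, policies=POLICIES):
    """Return (policy name or None, outcome) for one device OS version."""
    matches = sorted(name for name, (prefix, _) in policies.items()
                     if os_version.startswith(prefix))
    if not matches:
        # No filter matched: none of the modelled policies applies.
        return (None, "no-policy")
    if len(matches) > 1:
        # Overlapping prefixes recreate the conflict the filters should prevent.
        return (",".join(matches), "conflict")
    name = matches[0]
    ok = meets_minimum(os_version, policies[name][1])
    return (name, "allow" if ok else "conditional-launch-action")

def coverage_report(os_versions, policies=POLICIES):
    """Map each OS version string to its evaluate() result."""
    return {version: evaluate(version, policies) for version in os_versions}

if __name__ == "__main__":
    # Constructed sample inventory of iOS version strings.
    sample = ["18.2.1", "18.10", "18.2", "17.7.1", "16.7.10", "15.8.3", "19.0"]
    for version, result in coverage_report(sample).items():
        print(version, result)
```

In this model, 15.8.3 and 19.0 come back as `no-policy`: with only the three filters above, devices on major versions outside 16 to 18 are not covered by any of these APPs and need their own filter and policy.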

Conclusion

Using the examples in this blog, you can create multiple APPs that require different minimum OS versions. You can then filter the assignment of these APPs to only apply to each major OS version. As the OS vendors release new minor OS updates or patches, you can also update each APP with the new minimum OS ensuring your organization remains secure.

Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.

Updated Feb 24, 2025
Version 2.0