MEM – Why you should be blocking 3rd party keyboards

In this post, we’ll discuss why organisations should be blocking 3rd party keyboards for Android and iOS devices via Microsoft Intune.

Introduction

Have you ever read the 3rd party privacy policy on iOS devices? Maybe you should; here are the highlights:

So, in short, 3rd party keyboard developers can access your bank accounts, credit card details, essentially anything that you type. The worrying part is that even if the 3rd party keyboard is disabled whilst you type in sensitive information, that data is cached and potentially uploaded once the 3rd party keyboard is re-enabled.

Mitigation

To mitigate this, we will make use of App Protection Policies (APP), otherwise known as Mobile Application Management (MAM), on both corporate and BYO devices. Separate APPs can be targeted to different device states, e.g. APP1 is applicable to BYOD only and APP2 is targeted to corporate devices. This is helpful when users have BOTH a corporate and a BYO device. Here’s an example of how APPs can differentiate based on how the device is managed:

  • Managed = Enrolled, MDM
  • Unmanaged = MAM, BYOD

It’s possible to have multiple APPs based on the management type; for example, for managed devices the restrictions might be slightly lighter depending on your corporate policies.

Android

To block 3rd party keyboards via APP for Android, log into the MEMAC portal, browse to Apps, then App protection policies, and either Create Policy or amend an existing policy (Note: I would recommend testing on a separate policy before amending existing policies). Once in the policy, navigate to Data Protection and set Approved Keyboards to Require:

Then select which keyboards you wish to approve; for the most part, the defaults are sufficient:

iOS

To block 3rd party keyboards via APP for iOS, log into the MEMAC portal, browse to Apps, then App protection policies, and either Create Policy or amend an existing policy (Note: I would recommend testing on a separate policy before amending existing policies). Once in the policy, navigate to Data Protection and set Third party keyboards to Block:

Note on blocking iOS third party keyboards: ‘When this setting is enabled, the user receives a one-time message stating that the use of third-party keyboards is blocked. This message appears the first time a user interacts with organizational data that requires the use of a keyboard. Only the standard iOS/iPadOS keyboard is available while using managed applications, and all other keyboard options are disabled. This setting will affect both the organization and personal accounts of multi-identity applications. This setting does not affect the use of third-party keyboards in unmanaged applications.’ – MS Article Reference
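
To confirm that every policy, managed and unmanaged, actually carries the two settings described above, the following added example (not part of the original post and not Microsoft's code) audits an exported list of app protection policies. The property names (`thirdPartyKeyboardsBlocked`, `keyboardsRestricted`, `approvedKeyboards`, `targetedAppManagementLevels`) are assumptions based on the Microsoft Graph beta schema, and the policy data is constructed for illustration.

```python
import json

# Constructed sample data, shaped like a Microsoft Graph (beta) export of
# iOS and Android app protection policies. Property names are assumptions
# taken from the Graph beta schema; check them against your own export.
SAMPLE_EXPORT = json.loads("""[
 {"@odata.type": "#microsoft.graph.iosManagedAppProtection",
  "displayName": "APP1 iOS BYOD", "targetedAppManagementLevels": "unmanaged",
  "thirdPartyKeyboardsBlocked": true},
 {"@odata.type": "#microsoft.graph.iosManagedAppProtection",
  "displayName": "APP2 iOS Corporate", "targetedAppManagementLevels": "mdm",
  "thirdPartyKeyboardsBlocked": false},
 {"@odata.type": "#microsoft.graph.androidManagedAppProtection",
  "displayName": "APP1 Android BYOD", "targetedAppManagementLevels": "unmanaged",
  "keyboardsRestricted": true,
  "approvedKeyboards": [{"name": "com.example.keyboard", "value": "Example Keyboard"}]},
 {"@odata.type": "#microsoft.graph.androidManagedAppProtection",
  "displayName": "APP2 Android Corporate", "targetedAppManagementLevels": "mdm",
  "keyboardsRestricted": true, "approvedKeyboards": []}
]""")


def keyboard_gap(policy):
    """Return why a policy still allows 3rd party keyboards, or None if it does not."""
    kind = policy.get("@odata.type", "")
    if kind.endswith("iosManagedAppProtection"):
        # Portal setting: Data Protection > Third party keyboards = Block
        if policy.get("thirdPartyKeyboardsBlocked") is not True:
            return "Third party keyboards is not set to Block"
    elif kind.endswith("androidManagedAppProtection"):
        # Portal setting: Data Protection > Approved keyboards = Require
        if policy.get("keyboardsRestricted") is not True:
            return "Approved keyboards is not set to Require"
        if not policy.get("approvedKeyboards"):
            return "Approved keyboards is Require but no keyboards are listed"
    return None  # compliant, or not an iOS/Android app protection policy


def audit(policies):
    """List (policy name, targeted management type, reason) for every gap found."""
    findings = []
    for policy in policies:
        reason = keyboard_gap(policy)
        if reason:
            target = policy.get("targetedAppManagementLevels", "unspecified")
            findings.append((policy.get("displayName", "<unnamed>"), target, reason))
    return findings


if __name__ == "__main__":
    for name, target, reason in audit(SAMPLE_EXPORT):
        print(f"{name} [{target}]: {reason}")
```

Reporting the targeted management type alongside each finding shows whether the gap sits on the managed (MDM) or unmanaged (BYOD) policy, which matters when a user has both kinds of device.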