Last Updated on January 23, 2025 by Oktay Sari
It’s been a while since I did a blog on Mobile Application Management (MAM) policies, the unsung heroes of modern IT security. They quietly ensure that corporate data stays safe, even on personal devices. However, when it comes to data transfer exceptions, those tricky settings that allow unmanaged apps to interact with managed app data, things can get complicated fast. Microsoft’s warnings about the risks are no joke: misconfigurations here can turn your secure setup into a leaky bucket. But why is that, and what risks are there?
In this blog, I’ll talk about hands-on experience with URL Protocols and Data Transfer Exceptions and why you might want to consider adding applications to the exception list.
I invite you to share your thoughts on this topic. Since the documentation is not really clear on what happens behind the scenes, we can all learn from each other's experience. I'm also hoping that Microsoft can shed some light on this. I certainly have not covered all the angles yet, so consider this blog a work in progress. In the meantime, I'll try to get to the bottom of this and update this post when I have news to share...
Whether you’re managing iOS or Android devices, in this blog you’ll learn:
- How to handle data transfer exceptions.
- A step-by-step guide (and script!) to discover URL protocols for iOS apps.
- Tips from the field
So, grab your coffee, and let’s get to work.
App Protection Policy (APP)
You can create exceptions in the Intune App Protection Policy (APP) data transfer settings. These exceptions let you handpick which unmanaged apps are allowed to exchange data with managed apps.
When you set the Intune App Protection Policy setting “Allow app to transfer data to other apps” to “Policy managed apps”, you ensure that data can only be shared with other Intune-managed apps. However, if you need to allow data transfer to certain apps that don’t support Intune APP, you can create exceptions using the “Select apps to exempt” option.
According to the documentation: “Exemptions allow applications managed by Intune to invoke unmanaged applications based on URL protocol (iOS/iPadOS) or package name (Android).”
When reading this, I’m thinking “OK, I’m good: applications managed by Intune can invoke unmanaged applications based on URL protocol”, not the other way around. But here comes the kicker:
I can’t really explain what this means. I’ve configured my MAM policies and tried my best to leak data to these exempted applications (which I’ll talk about a little later), but did not succeed. What I’m seeing is that an application can be invoked from a link. For example, a link in a corporate e-mail (in MAM-protected Outlook) requesting a payment for a late-night party you had with some of your colleagues: when the recipient clicks the “pay me” link, it should open the banking app.
Request: if you have information you can share, please do so and let’s learn together.
By default, Intune includes essential native apps in this list of exceptions to ensure functionality. These default entries are: skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services. What you see here are the URL protocols for these apps.
The iOS Challenge: Discovering URL Protocols
Creating exceptions for iOS apps requires knowing their URL schemes (a.k.a. URL protocols). These act like aliases that apps use to call each other. But how do you find them? Unfortunately, Apple doesn’t make this easy, and Microsoft doesn’t provide a built-in method.
That’s where scripting magic comes in. I’ve created a handy script to extract these protocols directly from an app’s .ipa file. More on that later…
The Risky Business of Data Transfer Exceptions
Data transfer exceptions are still somewhat of a mystery to me. Do they allow unmanaged apps to access data from managed apps? I’m not sure, and I wonder why Microsoft warns about this. Is it really a potential Pandora’s box for data leaks, or are we making a mountain out of a molehill?
Microsoft’s Top Warnings:
- Unmanaged apps are wildcards: They’re not governed by your MAM policies, so any data they access could go anywhere.
- You’re the gatekeeper: Microsoft explicitly states that you’re responsible for reviewing and approving exceptions.
- Add exceptions sparingly: Stick to apps that are essential and have minimal data leak risks.
The same is true for universal links. You can’t miss the warning there.
Check out Microsoft’s detailed guidance on data transfer exemptions for iOS.
Other App Protection Policy settings
To make things just a little more complex to understand: according to Microsoft, modifying or adding exceptions to the data transfer policy does not impact other App Protection Policy settings, such as cut, copy, and paste restrictions. After seeing all the red-labeled warnings this might come as a surprise… So I ask again: what data leak risk is there exactly? I really hope someone can explain in detail what’s going on… I think I might fly in Rudy Ooms for a deep dive on the bits and bytes.
Proceed with Caution…
Before diving headfirst into creating exceptions and tweaking policies, let’s hit pause for a moment. Adjusting data transfer exceptions can seemingly have serious implications for your organization’s security. Here are a few words of advice before you proceed:
- Understand the Risks: Adding exceptions means allowing unmanaged apps to access data from managed apps. This could lead to unintended data leaks if the exceptions aren’t carefully chosen.
- Test in a Controlled Environment: Never roll out changes to production without thorough testing. Set up a test environment to validate your policies and ensure that no unexpected behaviors occur.
- Double Check: Make sure that you can’t share an entire file via the open-in menu.
- Review the Exceptions Regularly: Exceptions should not be “set it and forget it.” Periodically review them to ensure they’re still needed and don’t pose a risk.
- Communicate with Stakeholders: Ensure that everyone involved, from IT to end-users, understands the implications of these exceptions. Transparency helps mitigate risks and ensures policies align with organizational goals.
- Document Everything: Keep a detailed log of all changes, including why an exception was added and who approved it. This will save you a lot of headaches during audits or troubleshooting.
Bottom Line: You’re walking a fine line between functionality and security. Make sure you’re always erring on the side of caution and documenting every step along the way.
How data leaks could happen
These are just educated guesses based on common sense, security practices, how apps typically work, and the risks that come with unmanaged apps. Microsoft doesn’t spell out exactly how data might leak when you exempt an app, but these examples highlight real-world vulnerabilities and ways things can go wrong when unmanaged apps get access to managed corporate data. I can’t confirm… or deny…
- Unsecured Network Transfers: If the exempted app sends or receives data over an unsecured connection (e.g., HTTP instead of HTTPS), sensitive corporate data could be intercepted during transmission.
- Cloud Syncing with Personal Accounts: Many apps, especially productivity tools, offer cloud syncing options tied to personal accounts (e.g., Google Drive, iCloud, or Dropbox). If an exempted app syncs work data to an unmanaged personal account, it bypasses your corporate controls and becomes a potential leak.
- Third-Party Integrations: Some apps connect to third-party services or plugins that aren’t vetted by your organization. By exempting an app, you might unintentionally allow these integrations to access corporate data, creating a backdoor for data leakage.
- Data Retention on Device: Some apps store data locally on the device without encryption. If the app is exempted, this data becomes vulnerable to unauthorized access, especially if the device is compromised or lost.
- Malicious Apps Masquerading as Legitimate: If you exempt an app without thorough vetting, you risk allowing a malicious app (or an app that could be exploited) access to corporate data, potentially exposing it to attackers.
- Social Engineering or User Error: Users might unintentionally share data through exempted apps, especially if those apps lack clear prompts or warnings about transferring sensitive information.
In short, exempting an app can open up numerous ways for unintended data sharing or leakage. This might be why Microsoft emphasizes thorough testing and only exempting apps you trust and that are critical to your organization. Actual risks might depend on the specific apps and configurations within your environment. Testing in a controlled environment and evaluating the app’s behavior are key to confirming these scenarios.
The URL Protocol extraction Script
This script digs into an .ipa file to find all URL schemes listed in the app’s Info.plist file. It’s perfect for admins who need a quick, reliable way to discover URL protocols.
Note: This script will be maintained on my GitHub repository.
The Script:
#!/bin/bash
# -------------------------------------------------------------------------------------------------------------------------------
# Script to extract and identify URL protocols from iOS app .ipa files
# -------------------------------------------------------------------------------------------------------------------------------
#
# This script extracts all URL schemes (CFBundleURLSchemes) from the Info.plist file of an iOS app .ipa file. It outputs:
# 1. A complete list of all CFBundleURLSchemes found.
# 2. The most likely URL protocols based on relaxed filtering rules.
#
# DISCLAIMER:
# This script is provided "as is" without warranties or guarantees of any kind. While it has been created to fulfill specific functions
# and has worked effectively for my personal requirements, its performance may vary in different environments or use-cases.
# Users are advised to use this script at their own discretion and risk.
# No responsibility will be assumed for any direct, indirect, incidental, or consequential damages that may arise from its use.
#
# IMPORTANT:
# The accuracy of identifying URL protocols depends on the filtering rules applied in the script. Always review the complete list of
# CFBundleURLSchemes output to ensure no critical entries are missed. This script works on extracted Info.plist files and assumes the
# .ipa file is valid and contains the required structures.
#
# -------------------------------------------------------------------------------------------------------------------------------
# AUTHOR: Oktay Sari
# https://allthingscloud.blog
# https://github.com/oktay-sari/
#
# NOTE:
# This script is by no means perfect.
# If you think you have a good idea to further enhance this script, then please reach out.
#
# SCRIPT VERSION/HISTORY:
# 18-01-2025 - Oktay Sari - Initial version for URL scheme extraction
# 19-01-2025 - Oktay Sari - Added clear distinction between full list and most likely protocols
# 22-01-2025 - Oktay Sari - Enhanced filtering logic to include single-dot URL protocols
# 22-01-2025 - Oktay Sari - script version 1.0
#
# ROADMAP/WISHLIST:
# - Further refine filtering rules for edge cases
# - Add support for batch processing of multiple .ipa files
# - Add logging to a file for detailed review
#
# Requirements:
# - A valid .ipa file to analyze
# - unzip and xmllint on the PATH; plutil (macOS) when the Info.plist inside the .ipa is a binary plist
# -------------------------------------------------------------------------------------------------------------------------------

# Check if an argument (file path) is provided
if [ -z "$1" ]; then
    echo "⛔ Please provide the path to the .ipa file."
    exit 1
fi

# Verify the provided file exists
if [ ! -f "$1" ]; then
    echo "⛔ File $1 does not exist."
    exit 1
fi

# Create a unique temporary directory and make sure it is removed on every exit path
TEMP_DIR=$(mktemp -d)
IPA_FILE="$1"
trap 'rm -rf "$TEMP_DIR"' EXIT

# Unzip the IPA file into the temporary directory
echo "Extracting $IPA_FILE..."
unzip -q "$IPA_FILE" -d "$TEMP_DIR" || { echo "⛔ Failed to unzip the file."; exit 1; }

# Locate the Info.plist file inside the extracted app bundle
APP_FOLDER=$(find "$TEMP_DIR/Payload" -name "*.app" -type d | head -n 1)
PLIST_FILE="$APP_FOLDER/Info.plist"
if [ ! -f "$PLIST_FILE" ]; then
    echo "⛔ Info.plist not found in the app bundle."
    exit 1
fi

# App Store builds usually ship Info.plist as a binary plist (starts with "bplist"),
# which xmllint cannot parse. Convert it to XML first when plutil is available.
if head -c 6 "$PLIST_FILE" | grep -q 'bplist'; then
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o "$TEMP_DIR/Info.xml.plist" "$PLIST_FILE" || { echo "⛔ Failed to convert binary Info.plist to XML."; exit 1; }
        PLIST_FILE="$TEMP_DIR/Info.xml.plist"
    else
        echo "⛔ Info.plist is a binary plist and plutil is not available to convert it."
        exit 1
    fi
fi

# Extract all CFBundleURLSchemes, one per line.
# The <string> elements are selected and their tags stripped afterwards, because
# xmllint prints matching nodes back to back without a separator.
ALL_SCHEMES=$(xmllint --xpath "//key[text()='CFBundleURLSchemes']/following-sibling::array[1]/string" "$PLIST_FILE" 2>/dev/null \
    | grep -o '<string>[^<]*</string>' | sed 's/<[^>]*>//g')
if [ -z "$ALL_SCHEMES" ]; then
    echo "⛔ No URL schemes found."
    exit 0
fi

# Print all URL schemes as is
echo "URL Schemes found:"
echo "------------"
echo "These are all the CFBundleURLSchemes values in the Info.plist file:"
echo "$ALL_SCHEMES"

# Separator line
echo "------------"
echo "These are most likely the URL protocols you look for:"

# Filter and print likely URL protocols: letters, digits and dashes, with at most one dot
LIKELY_SCHEMES=$(echo "$ALL_SCHEMES" | grep -E '^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)?$')
if [ -z "$LIKELY_SCHEMES" ]; then
    echo "⚠️ No clear URL protocols identified. Please review the full list above for potential candidates."
else
    echo "$LIKELY_SCHEMES"
    echo "------------"
    echo "✅ Note: Review the full list above to ensure no important URL protocols are missed."
fi

# The temporary directory is cleaned up by the EXIT trap above
How to Use the URL Protocol extraction script:
- Save the script as extract-url-protocol.sh.
- Make it executable: chmod +x extract-url-protocol.sh
- Run it with an .ipa file: ./extract-url-protocol.sh <path_to_ipa>
Getting the IPA Files
So, what exactly is an IPA file? Think of it as the iOS equivalent of an APK on Android. An IPA (iOS App Store Package) is essentially a container for an iOS app’s files and metadata. Within this package lies the treasure we’re hunting for: the Info.plist file, which contains the URL schemes we need.
Here’s how to get an IPA file and locate the Info.plist:
1. Downloading IPA Files
- From the App Store: If you have an older iOS device with iTunes installed (pre-version 12.7), you can download apps to your computer and extract the IPA from there.
- From iMazing: This is by far the easiest method in modern setups:
  - Connect your iOS device to your computer.
  - Open iMazing and navigate to the Apps section.
  - Select the app you want, choose download, and then choose Export IPA from the options. iMazing will package and save the IPA file to the location you select.
Getting the IPA file might take a little effort, but it’s a crucial step for uncovering those URL protocols. With iMazing, the process is straightforward and doesn’t require developer tools, jailbreaking or whatever.
Alternative Methods for Discovering URL Schemes
Not a fan of scripting? No worries. Here are other ways to find URL protocols for iOS apps:
- Inspect the Info.plist Manually:
- Rename the .ipa file to .zip and unzip it.
- Inside the extracted folder, navigate to the Payload directory.
- Locate the .app folder (it will have the app’s name).
- Inside the .app folder, find the Info.plist file. This is where the URL schemes live.
- Look for the CFBundleURLTypes key.
- Use Terminal Commands:
  - Extract schemes directly with commands like xmllint or plutil. Note that xmllint needs an XML plist, while plutil also reads the binary plists found in most App Store IPAs.
  - Command example with xmllint (the string() wrapper returns only the first scheme; drop it to list every match):
    xmllint --xpath "string(//key[text()='CFBundleURLTypes']/following-sibling::array/dict/array/string)" <path_to_Info.plist>
  - Or use plutil:
    plutil -p <path_to_Info.plist> | grep -A2 CFBundleURLTypes
- Check Official Documentation:
- Developers often list URL schemes in their API docs.
- Ask the Developer:
- Reach out to the app’s development team.
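The extraction the script and the manual Info.plist inspection above describe, as an added example in Python that is not the blog's script or any Intune code: the standard library's plistlib reads both XML and binary Info.plist files (the case xmllint cannot handle), the script's "most likely protocol" filter is applied, and the result is joined into the semicolon-separated form the exemption list uses. The Info.plist, the app and its schemes are constructed for the example.

```python
import plistlib
import re

# Same rule as the blog's shell script for the "most likely" protocols:
# letters, digits and dashes, with at most one dot in the scheme.
LIKELY_PROTOCOL = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)?$")

# Constructed Info.plist for a fictional banking app (not a real app).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>examplebank</string>
        <string>examplebank-ideal</string>
      </array>
    </dict>
    <dict>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>com.example.bankapp.oauth</string>
        <string>examplebank</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""
# The same plist in Apple's binary format, as most App Store IPAs ship it;
# xmllint cannot read this form, plistlib can.
SAMPLE_BINARY_PLIST = plistlib.dumps(plistlib.loads(SAMPLE_INFO_PLIST), fmt=plistlib.FMT_BINARY)


def extract_url_schemes(plist_bytes):
    """Every CFBundleURLSchemes value from an Info.plist, in order, deduplicated."""
    info = plistlib.loads(plist_bytes)  # auto-detects XML vs binary plist
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            if scheme not in schemes:
                schemes.append(scheme)
    return schemes

def likely_protocols(schemes):
    """The script's filter; always review the full list for anything it drops."""
    return [s for s in schemes if LIKELY_PROTOCOL.match(s)]

def exemption_value(schemes):
    """Semicolon-separated form used in the exemption list (cf. skype;app-settings;calshow)."""
    return ";".join(schemes)
```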
What About Android?
Android doesn’t use URL schemes for this, but the exemption works the same way: instead of a URL protocol you need the app’s package name (often called the app or bundle ID). To find the package name of an app, simply visit the app’s page on the Google Play Store; the package name is included in the URL of the page. For instance, the package name for the Microsoft OneDrive app is com.microsoft.skydrive. 🙂
Best Practices for Managing Exceptions
- Minimize Exceptions:
- Only exempt apps essential to your organization.
- Evaluate Risks:
- Assess each app’s potential to leak data.
- Test Thoroughly:
- Validate configurations in non-production environments.
- Educate End Users:
- Train employees on how managed apps work and the importance of data security.
Conclusion
Managing MAM policies isn’t just about checking boxes; it’s about balancing security and usability. Whether you’re working with iOS or Android, understanding data transfer exceptions is critical. With the provided script, alternative methods, and best practices, I hope you’re now equipped to manage these challenges.
Have feedback, or want to share your tips? Drop a comment below or reach out on GitHub.
Useful URL Protocols
Some useful URL Protocols for banking apps (mostly Netherlands). These are only examples. Always make sure to check them yourself because they might change.
- ABN AMRO: abnamro.nl
- KNAB: knab-app;knabapp
- Rabobank: Rabobank
- ASN: nl-asnbank-ideal
- Yoursafe: mylink;bitsafe-app;yoursafe-app
- Triodos: triodosmobilebanking
- ING: ideal-ing-ng;ing-nl
- Van Lanschot: vl-dailybanking
- SNS Bank: nl-snsbank-banking;Nl-snsbank-ideal
- Revolut: revolut
- Regiobank: nl-regiobank-banking;nl-regiobank-ideal
- Nationale Nederlanden: nnretailapp
- N26: number26
- Bunq: bunq
- Tikkie: tikkie
Related Resources:
- https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies-exception
- https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-protection-policies/troubleshoot-data-transfer-exemptions
- https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#data-transfer-exemptions
There is also a website to get your bundle IDs very easily. Check it out here: https://iosbundleidfinder.vercel.app/
Thank you for sharing this, Yoennis. However, there is a difference between an app Bundle ID and the app URL Protocol. There are probably only a handful of applications that have the same URL Protocol and App Bundle ID.
Another method to get the bundle ID of an iOS app:
1. Search for the app you want to get the Bundle ID of in a browser. For example, you want to find out the bundle ID of WhatsApp Messenger for iOS.
2. Search on Google by typing the name of the app you want to find and go to the App Store link of the app → https://apps.apple.com/gb/app/whatsapp-messenger/id310633997
3. Copy the number after the ID in the URL.
4. Now open a new browser tab or window and copy this URL: https://itunes.apple.com/lookup?id=YourAppID&country&=YourCountry For example: https://itunes.apple.com/lookup?id=310633997&country=nl
5. When entering the URL, you…