Step 4: App Configuration Policies for Microsoft Edge for Business

App configuration policies (ACP) customize Microsoft Edge for Business behavior and features on each platform. In the Secure Enterprise Browser plan, ACPs work alongside App Protection Policies (Step 2) and Conditional Access (Step 1) to deliver a layered, Zero Trust browser experience on managed and BYOD devices.

This step defines three progressive ACP configurations per platform, Level 1 (Basic), Level 2 (Enhanced), and Level 3 (High), so you can standardize user experience, lock down risky surfaces, and align restrictions to data sensitivity and user risk. These policies complement data-protection controls (APP) rather than replace them.

Note

App configuration policies customize browser features and behavior. They complement app protection policies that focus on data protection.

App configuration policies for Windows

Windows app configuration policies provide browser customization through managed app settings.

Prerequisites:

  • Windows 11
  • Microsoft Edge installed
  • Intune enrollment or MAM managed
  • User Entra ID account

Level 1 - Basic browser configuration for Windows

Level 1 configuration provides foundational browser security controls while maintaining user productivity.

  1. Go to the Microsoft Intune admin center.
  2. Select Apps > Manage apps > Configuration > Create > Managed apps.
  3. On the Basics tab, enter:
    • Name: Edge Windows ACP Level 1 Basic
    • Description: Enhanced browser customization for Microsoft Edge Windows with comprehensive basic controls addressing ACP gap analysis
  4. In Target policy to, select Selected apps.
    • Choose + Select public apps.
    • In the Select apps to target panel, search for and select Microsoft Edge Windows, then select Select.
  5. Select Next.
  6. On the Settings step, expand General configuration settings.
  7. Configure each setting using the Name and Value specified:
Name Value Documentation
HomepageLocation https://portal.company.com Configure the home page URL
ShowHomeButton Enabled Show Home button on toolbar
NewTabPageLocation https://portal.company.com Configure the new tab page URL
RestoreOnStartup Open the new tab page (5) Action to take on startup
HTTPSOnlyMode Enabled Configure Automatic HTTPS
DefaultPopupsSetting Do not allow popups (2) Default pop-up window setting
PasswordManagerEnabled Disabled Enable saving passwords to the password manager
AutofillAddressEnabled Disabled Enable AutoFill for addresses
AutofillCreditCardEnabled Disabled Enable Autofill for payment instructions
TrackingPrevention Balanced (2) Block tracking of users' web-browsing activity
DefaultSearchProviderEnabled Enabled Enable the default search provider
DefaultSearchProviderName Microsoft Bing Default search provider name
DefaultSearchProviderSearchURL https://www.bing.com/search?q={searchTerms} Default search provider search URL
SearchSuggestEnabled Disabled Enable search suggestions
NetworkPredictionOptions Don't predict (2) Enable network prediction
ImportAutofillFormData Disabled Allow importing of autofill form data
ImportSavedPasswords Disabled Allow importing of saved passwords
ImportBrowsingHistory Disabled Allow importing of browsing history
ImportCookies Disabled Allow importing cookies
ImportExtensions Disabled Allow importing of extension
ExtensionInstallBlocklist ["external_component", "external_pref", "external_registry"] Control which extensions cannot be installed
ExtensionAllowedTypes ["extension", "theme"] Configure allowed extension types
ExtensionInstallSources [https://corp.contoso.com/*] Configure extension and user script install sources
DefaultDownloadDirectory ${user_home}/Downloads/Edge Set download directory
PromptForDownloadLocation Enabled Ask where to save downloaded files
DownloadRestrictions Block malicious downloads and dangerous file types Allow download restrictions
HubsSidebarEnabled Disabled Show Hubs Sidebar
ShowMicrosoftRewards Disabled Show Microsoft Rewards experiences
EdgeShoppingAssistantEnabled Disabled Shopping in Microsoft Edge Enabled
EdgeWorkspacesEnabled Enabled Edge Workspaces
FavoritesBarEnabled Enabled Show favorites bar
AllowDeletingBrowserHistory Enabled Enable deleting browser and download history
  8. Select Next.
  9. For Assignments, assign to SEB-Level1-Users group.
  10. Select Next to review the settings. Then choose Create.

Level 2 - Enhanced browser configuration for Windows

Level 2 configuration adds enhanced security controls and restrictions for sensitive environments.

  1. Go to the Microsoft Intune admin center.
  2. Select Apps > Manage apps > Configuration > Create > Managed apps.
  3. On the Basics tab, enter:
    • Name: Edge Windows ACP Level 2 Enhanced
    • Description: Advanced browser customization with enhanced security controls and comprehensive feature management
  4. In Target policy to, select Selected apps.
    • Choose + Select public apps.
    • In the Select apps to target panel, search for and select Microsoft Edge Windows, then select Select.
  5. Select Next.
  6. On the Settings step, expand General configuration settings.
  7. Configure each setting using the Name and Value specified:
Name Value Documentation
HomepageLocation https://portal.company.com Configure the home page URL
ShowHomeButton Enabled Show Home button on toolbar
NewTabPageLocation https://portal.company.com Configure the new tab page URL
RestoreOnStartup Open the new tab page (5) Action to take on startup
HTTPSOnlyMode Enabled Configure Automatic HTTPS
DefaultPopupsSetting Do not allow popups (2) Default pop-up window setting
PasswordManagerEnabled Disabled Enable saving passwords to the password manager
AutofillAddressEnabled Disabled Enable AutoFill for addresses
AutofillCreditCardEnabled Disabled Enable Autofill for payment instructions
TrackingPrevention Balanced (2) Block tracking of users' web-browsing activity
DefaultSearchProviderEnabled Enabled Enable the default search provider
DefaultSearchProviderName Microsoft Bing Default search provider name
DefaultSearchProviderSearchURL https://www.bing.com/search?q={searchTerms} Default search provider search URL
SearchSuggestEnabled Disabled Enable search suggestions
NetworkPredictionOptions Don't predict (2) Enable network prediction
ImportAutofillFormData Disabled Allow importing of autofill form data
ImportSavedPasswords Disabled Allow importing of saved passwords
ImportBrowsingHistory Disabled Allow importing of browsing history
ImportCookies Disabled Allow importing cookies
ImportExtensions Disabled Allow importing of extension
ExtensionInstallBlocklist ["external_component", "external_pref", "external_registry"] Control which extensions cannot be installed
ExtensionAllowedTypes ["extension", "theme"] Configure allowed extension types
ExtensionInstallSources [https://corp.contoso.com/*] Configure extension and user script install sources
DefaultDownloadDirectory ${user_home}/Downloads/Edge Set download directory
PromptForDownloadLocation Enabled Ask where to save downloaded files
DownloadRestrictions Block malicious downloads and dangerous file types Allow download restrictions
HubsSidebarEnabled Disabled Show Hubs Sidebar
ShowMicrosoftRewards Disabled Show Microsoft Rewards experiences
EdgeShoppingAssistantEnabled Disabled Shopping in Microsoft Edge Enabled
EdgeWorkspacesEnabled Enabled Edge Workspaces
FavoritesBarEnabled Enabled Show favorites bar
AllowDeletingBrowserHistory Enabled Enable deleting browser and download history
SmartScreenForTrustedDownloadsEnabled Enabled Force Microsoft Defender SmartScreen checks on downloads from trusted sources
InsecureContentAllowedForUrls [] Allow insecure content on specified sites
InsecureContentBlockedForUrls ["*"] Block insecure content on specified sites
ExtensionInstallAllowlist [] Allow specific extensions to be installed
ExtensionInstallForcelist [] Control which extensions are installed silently
ExtensionSettings {"*":{"installation_mode":"blocked"}} Configure extension management settings
NativeMessagingAllowlist [] Control which native messaging hosts users can use
NativeMessagingBlocklist ["*"] Configure native messaging block list
AutoSelectCertificateForUrls ["*.company.com"] Automatically select client certificates for these sites
WebRtcUdpPortRange 10000:11000 Restrict the range of local UDP ports used by WebRTC
DefaultImagesSetting Allow images (1) Default images setting
DefaultJavaScriptSetting Allow JavaScript (1) Default JavaScript setting
ClearBrowsingDataOnExit Enabled Clear browsing data when Microsoft Edge closes
SyncDisabled Enabled Disable synchronization of data using Microsoft sync services
PrintingEnabled Enabled Enable printing
InPrivateModeAvailability InPrivate mode available (0) InPrivate mode availability
ForceSync Disabled Force synchronization of browser data and do not show the sync consent prompt
SleepingTabsEnabled Enabled Configure sleeping tabs
LocalProvidersEnabled Disabled Allow suggestions from local providers
VideoCaptureAllowed Disabled Allow or block video capture
DefaultNotificationsSetting Block (2) Default notification setting
DefaultGeolocationSetting Don't allow sites to track users' physical location (2) Default geolocation setting
WebUsbAllowDevicesForUrls [] Allow WebUSB on specific sites
WebUsbBlockedForUrls [{"urls": ["*"], "devices": [{"vendor_id": "*", "product_id": "*"}]}] Block WebUSB on specific sites
WebRtcLocalhostIpHandling Disable non-proxied UDP (default_public_interface_only) Restrict exposure of local IP address by WebRTC
  8. Select Next.
  9. For Assignments, assign to SEB-Level2-Users group.
  10. Select Next to review the settings. Then choose Create.

Level 3 - High security configuration for Windows

Level 3 configuration enforces maximum security with zero-trust controls and comprehensive data-loss prevention.

  1. Go to the Microsoft Intune admin center.

  2. Select Apps > Manage apps > Configuration > Create > Managed apps.

  3. On the Basics tab, enter:

    • Name: Edge Windows ACP Level 3 High
    • Description: High browser customization with complete enterprise controls, zero-trust configuration, and comprehensive security isolation
  4. In Target policy to, select Selected apps.

    • Choose + Select public apps.
    • In the Select apps to target panel, search for and select Microsoft Edge Windows, then select Select.
  5. Select Next.

  6. On the Settings step, expand General configuration settings.

  7. Configure each setting using the Name and Value specified:

    Name Value Documentation
    HomepageLocation https://portal.company.com Configure the home page URL
    ShowHomeButton Enabled Show Home button on toolbar
    NewTabPageLocation https://portal.company.com Configure the new tab page URL
    RestoreOnStartup Open the new tab page (5) Action to take on startup
    HTTPSOnlyMode Enabled Configure Automatic HTTPS
    DefaultPopupsSetting Do not allow popups (2) Default pop-up window setting
    PasswordManagerEnabled Disabled Enable saving passwords to the password manager
    AutofillAddressEnabled Disabled Enable AutoFill for addresses
    AutofillCreditCardEnabled Disabled Enable Autofill for payment instructions
    TrackingPrevention Balanced (2) Block tracking of users' web-browsing activity
    DefaultSearchProviderEnabled Enabled Enable the default search provider
    DefaultSearchProviderName Microsoft Bing Default search provider name
    DefaultSearchProviderSearchURL https://www.bing.com/search?q={searchTerms} Default search provider search URL
    SearchSuggestEnabled Disabled Enable search suggestions
    ImportAutofillFormData Disabled Allow importing of autofill form data
    ImportSavedPasswords Disabled Allow importing of saved passwords
    ImportBrowsingHistory Disabled Allow importing of browsing history
    ImportCookies Disabled Allow importing cookies
    ImportExtensions Disabled Allow importing of extension
    ExtensionInstallBlocklist ["external_component", "external_pref", "external_registry"] Control which extensions cannot be installed
    ExtensionAllowedTypes ["extension", "theme"] Configure allowed extension types
    ExtensionInstallSources [https://corp.contoso.com/*] Configure extension and user script install sources
    DefaultDownloadDirectory ${user_home}/Downloads/Edge Set download directory
    PromptForDownloadLocation Enabled Ask where to save downloaded files
    HubsSidebarEnabled Disabled Show Hubs Sidebar
    ShowMicrosoftRewards Disabled Show Microsoft Rewards experiences
    EdgeShoppingAssistantEnabled Disabled Shopping in Microsoft Edge Enabled
    EdgeWorkspacesEnabled Enabled Edge Workspaces
    FavoritesBarEnabled Enabled Show favorites bar
    AllowDeletingBrowserHistory Enabled Enable deleting browser and download history
    SmartScreenForTrustedDownloadsEnabled Enabled Force Microsoft Defender SmartScreen checks on downloads from trusted sources
    InsecureContentAllowedForUrls [] Allow insecure content on specified sites
    InsecureContentBlockedForUrls ["*"] Block insecure content on specified sites
    ExtensionInstallAllowlist [] Allow specific extensions to be installed
    ExtensionInstallForcelist [] Control which extensions are installed silently
    ExtensionSettings {"*":{"installation_mode":"blocked"}} Configure extension management settings
    NativeMessagingAllowlist [] Control which native messaging hosts users can use
    NativeMessagingBlocklist ["*"] Configure native messaging block list
    AutoSelectCertificateForUrls ["*.company.com"] Automatically select client certificates for these sites
    WebRtcUdpPortRange 10000:11000 Restrict the range of local UDP ports used by WebRTC
    DefaultImagesSetting Allow images (1) Default images setting
    DefaultJavaScriptSetting Allow JavaScript (1) Default JavaScript setting
    SyncDisabled Enabled Disable synchronization of data using Microsoft sync services
    ForceSync Disabled Force synchronization of browser data and do not show the sync consent prompt
    SleepingTabsEnabled Enabled Configure sleeping tabs
    LocalProvidersEnabled Disabled Allow suggestions from local providers
    DefaultNotificationsSetting Block (2) Default notification setting
    DefaultGeolocationSetting Don't allow sites to track users' physical location (2) Default geolocation setting
    WebUsbAllowDevicesForUrls [] Allow WebUSB on specific sites
    WebUsbBlockedForUrls [{"urls":["*"],"devices":[{"vendor_id":"*","product_id":"*"}]}] Block WebUSB on specific sites
    WebRtcLocalhostIpHandling Disable non-proxied UDP (default_public_interface_only) Restrict exposure of local IP address by WebRTC
    URLAllowlist ["*.company.com", "*.microsoft.com", "*.office.com"] Define a list of allowed URLs
    URLBlocklist ["*"] Block access to a list of URLs
    CookiesAllowedForUrls ["*.company.com"] Allow cookies on specific sites
    CookiesBlockedForUrls ["*"] Block cookies on specific sites
    CookiesSessionOnlyForUrls ["*"] Limit cookies from specific websites to current session
    DownloadRestrictions Block all downloads (4) Download restrictions
    ScreenCaptureAllowed Disabled Allow or deny screen capture
    PrintingEnabled Disabled Enable printing
    DefaultClipboardSetting Block clipboard (2) Default clipboard site permission
    VideoCaptureAllowed Disabled Allow or block video capture
    InPrivateModeAvailability InPrivate mode forced (2) Configure InPrivate mode availability
    ClearBrowsingDataOnExit Enabled Clear browsing data when Microsoft Edge closes
    SavingBrowserHistoryDisabled Enabled Disable saving browser history
    DeveloperToolsAvailability Disallowed (2) Control where developer tools can be used
    NetworkPredictionOptions Don't predict (2) Enable network prediction
    EdgeCollectionsEnabled Disabled Enable the Collections feature
  8. Select Next.

  9. For Assignments, assign to SEB-Level3-Users group.

  10. Select Next to review the settings. Then choose Create.

Validation (All Windows Levels)

Policy Application

  • In the Intune admin center, verify the Settings Catalog, Security Baseline, APP, and ACP policy deployment status for the targeted Windows devices.

Endpoint Verification

  • On the client device, open Microsoft Edge and navigate to edge://policy.
  • Confirm that all configured policy keys appear with expected values and don't show an Error state.

URL and Feature Enforcement

  • Level 1: Confirm core security controls are active, including SmartScreen, tracking prevention, and basic restriction settings.
  • Level 2: Validate enhanced restrictions such as extension blocking, data sync restrictions, and clear-on-exit behaviors.
  • Level 3: Attempt to browse to non-allowlisted URLs and verify they're blocked or isolated (for example, Application Guard).

Update Policies

  • In edge://policy, search for Update to ensure the configured update behavior (for example, daily checks, suppressed hours, version pinning) matches the assigned security level.

Isolation Controls (Level 3 Only)

  • Verify that high-risk or unapproved URLs trigger the expected isolation behavior, such as forced application isolation or a secure browsing container.

App Configuration Policies for Android

Android app configuration policies customize Microsoft Edge for Business behavior on mobile devices. These policies define browser defaults, restrict risky features, and enforce privacy protections in alignment with enterprise security frameworks.

Prerequisites:

  • Android 10.0+ (8.0+ for userless devices)
  • Microsoft Edge for Android installed
  • Company Portal or Intune app installed
  • Microsoft Intune license assigned to the user
  • Device MAM-enabled or MDM-enrolled through Intune
  • User signed in with Microsoft Entra ID account

Level 1 – Basic Mobile Browser Configuration for Android

Level 1 configuration provides foundational browser security controls while maintaining user productivity.

  1. Go to the Microsoft Intune admin center.
  2. Select Apps > Manage apps > Configuration > Create > Managed apps.
  3. On the Basics tab, enter:
    • Name: Edge Android ACP Level 1 Basic
    • Description: Basic browser configuration for Microsoft Edge Android with essential security settings and fundamental mobile controls
  4. In Target policy to, select Selected apps.
    • Choose + Select public apps.
    • In the Select apps to target panel, search for and select Microsoft Edge (Android), then select Select.
  5. Select Next.
  6. On the Settings step, expand General configuration settings.
  7. Configure each setting using the Name and Value specified:
Name Value Documentation
com.microsoft.intune.mam.managedbrowser.PasswordSSO true Microsoft Entra password single sign-on
com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled true Microsoft Defender SmartScreen
EdgeMyApps true Enable EdgeMyApps
EdgeDefaultHTTPS true Enforce default HTTPS
EdgeDisableShareUsageData true Disable sharing usage data
EdgeImportPasswordsDisabled false Disable password import
EdgeNewTabPageLayout 0 Configure new tab page layout
EdgeEnableKioskMode false Enable kiosk mode
EdgeShowAddressBarInKioskMode true Show address bar in kiosk mode
SmartScreenEnabled true Enable SmartScreen
SearchSuggestEnabled false Enable search suggestions
TranslateEnabled true Enable translate
HideFirstRunExperience true Hide first run experience
SSLErrorOverrideAllowed true Allow SSL error override
DefaultBrowserSettingEnabled true Enable as default browser
EdgeCopilotEnabled true Enable Edge Copilot
EdgeSharedDeviceSupportEnabled true Enable shared device support
ExperimentationAndConfigurationServiceControl 1 Experimentation and configuration service control
DefaultPopupsSetting 2 Default pop-ups setting
DefaultCookiesSetting 1 Default cookies setting
BiometricAuthenticationBeforeFilling false Biometric authentication before filling
PasswordManagerEnabled false Enable password manager
EdgeBrandLogo true Enable Edge brand logo
EdgeBrandColor #0078d4 Set Edge brand color
DefaultSearchProviderEnabled true Enable default search provider
DefaultSearchProviderName "Preferred Company Search" Default search provider name
DefaultSearchProviderSearchURL "https://search.company.com?q={searchTerms}" Default search provider search URL
DefaultSearchProviderSuggestURL "https://search.company.com/suggest?q={searchTerms}" Default search provider suggest URL
DefaultSearchProviderKeyword "company" Default search provider keyword
ProxySettings {"ProxyServer": "IP:Port", "ProxyBypassList": "*.company.com", "ProxyMode": "direct"} Configure proxy settings
  8. Under Microsoft Tunnel for Mobile Application Management settings:
Name Value
Tunnel enabled Not configured
Connection name Not configured
Microsoft Tunnel site Not configured
Per-App VPN (Android only) No Per-App VPN
Automatic configuration script Not configured
Address Not configured
Port Number Not configured
Root Certificate Not configured
  9. Expand Edge configuration settings and configure:
Name Value
Application proxy redirection Disable
Homepage shortcut URL https://www.company.com
Managed bookmarks Company Portal | https://portal.company.com
Allowed URLs Leave empty (Level 3 uses Allowed URLs)
Blocked URLs Leave empty (Level 2 uses Blocked URLs)
Redirect restricted sites to personal context Disable
  10. Select Next.
  11. In Assignments, assign to SEB-Level1-Users group.
  12. Select Next to review the settings. Then choose Create.

Level 2 – Enhanced Mobile Browser Configuration for Android

Level 2 configuration adds enhanced security controls and restrictions for sensitive environments.

  1. Go to the Microsoft Intune admin center.
  2. Select Apps > Manage apps > Configuration > Create > Managed apps.
  3. On the Basics tab, enter:
    • Name: Edge Android ACP Level 2 Enhanced
    • Description: Enhanced browser configuration for Microsoft Edge Android with more security controls and data protection features
  4. In Target policy to, select Selected apps.
    • Choose + Select public apps.
    • In the Select apps to target panel, search for and select Microsoft Edge (Android), then select Select.
  5. Select Next.
  6. On the Settings step, expand General configuration settings.
  7. Configure each setting using the Name and Value specified:
Name Value Documentation
com.microsoft.intune.mam.managedbrowser.PasswordSSO true Microsoft Entra password single sign-on
com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled true Microsoft Defender SmartScreen
EdgeMyApps true Enable EdgeMyApps
EdgeDefaultHTTPS true Enforce default HTTPS
EdgeDisableShareUsageData true Disable sharing usage data
EdgeImportPasswordsDisabled true Disable password import
EdgeNewTabPageLayout 1 Configure new tab page layout
EdgeEnableKioskMode false Enable kiosk mode
EdgeShowAddressBarInKioskMode true Show address bar in kiosk mode
SmartScreenEnabled true Enable SmartScreen
SearchSuggestEnabled false Enable search suggestions
TranslateEnabled true Enable translate
HideFirstRunExperience true Hide first run experience
SSLErrorOverrideAllowed false Allow SSL error override
DefaultBrowserSettingEnabled false Set as default browser
EdgeCopilotEnabled false Enable Edge Copilot
EdgeSharedDeviceSupportEnabled true Enable shared device support
ExperimentationAndConfigurationServiceControl 0 Experimentation and configuration service control
EdgeSyncDisabled true Disable browser sync
SavingBrowserHistoryDisabled false Disable browser history saving
DefaultPopupsSetting 2 Default pop-ups setting
DefaultCookiesSetting 2 Default cookies setting
BiometricAuthenticationBeforeFilling true Biometric authentication before filling
PasswordManagerEnabled false Enable password manager
EdgeBrandLogo true Enable Edge brand logo
EdgeBrandColor #0078d4 Set Edge brand color
DefaultSearchProviderEnabled true Enable default search provider
DefaultSearchProviderName "Preferred Company Search" Default search provider name
DefaultSearchProviderSearchURL "https://search.company.com?q={searchTerms}" Default search provider search URL
DefaultSearchProviderSuggestURL "https://search.company.com/suggest?q={searchTerms}" Default search provider suggest URL
DefaultSearchProviderKeyword "company" Default search provider keyword
ProxySettings {"ProxyServer": "IP:Port", "ProxyBypassList": "*.company.com", "ProxyMode": "direct"} Configure proxy settings
EdgeDisabledFeatures password|autofill|copilot|collections|readaloud Disable features
  8. Expand Edge configuration settings and configure:
Setting Value
Allowed URLs Leave empty (Level 2 uses blocked URLs instead – when blocked URLs are configured, allowed URLs field becomes unavailable)
Blocked URLs *.facebook.com, *.twitter.com, *.instagram.com, *.tiktok.com
Redirect restricted sites to personal context Enable
  9. Select Next.
  10. In Assignments, assign to SEB-Level2-Users group.
  11. Select Next to review the settings. Then choose Create.

Level 3 – High Security Mobile Configuration for Android

Level 3 configuration enforces maximum security with zero-trust controls and comprehensive data-loss prevention.

  1. Go to the Microsoft Intune admin center.
  2. Select Apps > Manage apps > Configuration > Create > Managed apps.
  3. On the Basics tab, enter:
    • Name: Edge Android ACP Level 3 High
    • Description: High security browser configuration for Microsoft Edge Android with maximum restrictions, strict isolation, and comprehensive privacy controls
  4. In Target policy to, select Selected apps.
    • Choose + Select public apps.
    • In the Select apps to target panel, search for and select Microsoft Edge (Android), then select Select.
  5. Select Next.
  6. On the Settings step, expand General configuration settings.
  7. Configure each setting using the Name and Value specified:
Name Value Documentation
com.microsoft.intune.mam.managedbrowser.PasswordSSO false Microsoft Entra password single sign-on
com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled true SmartScreen enabled
EdgeMyApps false Enable EdgeMyApps
EdgeDefaultHTTPS true Enforce default HTTPS
EdgeDisableShareUsageData true Disable sharing usage data
EdgeImportPasswordsDisabled true Disable importing passwords
EdgeNewTabPageLayout 2 Configure new tab page layout
EdgeEnableKioskMode true Enable kiosk mode
EdgeShowAddressBarInKioskMode false Show address bar in kiosk mode
SmartScreenEnabled true SmartScreen enabled
SearchSuggestEnabled false Disable search suggestions
EdgeSyncDisabled true Disable browser sync
InPrivateModeAvailability 1 Disable InPrivate mode
SavingBrowserHistoryDisabled true Disable browser history saving
DefaultPopupsSetting 2 Default pop-ups setting
TranslateEnabled false Disable translate
HideFirstRunExperience true Hide first run experience
SSLErrorOverrideAllowed false SSL error override allowed
EdgeSharedDeviceSupportEnabled false Disable shared device support
AutofillCreditCardEnabled false Disable autofill for payment instructions
DownloadRestrictions 2 Download restrictions
ExperimentationAndConfigurationServiceControl 0 Experimentation and configuration service control
DefaultBrowserSettingEnabled false Set as default browser
EdgeCopilotEnabled false Enable Edge Copilot
DefaultCookiesSetting 4 Default cookies setting
DefaultJavaScriptSetting 2 Default JavaScript setting
DefaultGeolocationSetting 2 Default geolocation setting
BiometricAuthenticationBeforeFilling true Biometric authentication before filling
PasswordManagerEnabled false Enable password manager
EdgeDisabledFeatures inprivate|autofill|password|translator|readaloud|drop|coupons|extensions|copilot|collections|myapps Disable features
EdgeBrandLogo true Enable Edge brand logo
EdgeBrandColor #0078d4 Set Edge brand color
DefaultSearchProviderEnabled true Enable default search provider
DefaultSearchProviderName "Preferred Company Search" Default search provider name
DefaultSearchProviderSearchURL "https://search.company.com?q={searchTerms}" Default search provider search URL
DefaultSearchProviderSuggestURL "https://search.company.com/suggest?q={searchTerms}" Default search provider suggest URL
DefaultSearchProviderKeyword "company" Default search provider keyword
ProxySettings {"ProxyServer": "IP:Port", "ProxyBypassList": "*.company.com", "ProxyMode": "fixed_servers"} Configure proxy settings
EdgeBlockSignInEnabled true Block sign-in enabled
  8. Expand Edge configuration settings and configure:
Setting Value
Allowed URLs *.company.com, *.microsoft.com, login.microsoftonline.com
Blocked URLs Leave empty (Level 3 uses allowed URLs – when allowed URLs are configured, blocked URLs field becomes unavailable)
  9. Select Next.
  10. In Assignments, assign to SEB-Level3-Users group.
  11. Select Next to review the settings. Then choose Create.

Validation (All Android Levels)

Policy Application

  • In the Intune admin center, verify the ACP deployment status for assigned Android devices.

Browser Configuration

  • On an Android device, open Microsoft Edge and go to edge://policy to confirm the expected configuration values are present and not marked as errors.
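The edge://policy check in this step, and the matching Endpoint Verification step for Windows, can be scripted once the policy list has been saved as JSON. The following is an added example, not Microsoft's code: the JSON layout (a `policies` object mapping each name to a `value` and an optional `error`), the sample export, and all function names are assumptions, and the two baselines are excerpts of the Level 2 tables on this page.

```python
import json
import re

# Excerpts of this page's Level 2 tables: policy name -> text of the "Value" column.
WINDOWS_LEVEL2 = {
    "PasswordManagerEnabled": "Disabled",
    "DefaultPopupsSetting": "Do not allow popups (2)",
    "SmartScreenForTrustedDownloadsEnabled": "Enabled",
    "InsecureContentBlockedForUrls": '["*"]',
    "ExtensionSettings": '{"*":{"installation_mode":"blocked"}}',
    "WebRtcUdpPortRange": "10000:11000",
}
ANDROID_LEVEL2 = {
    "EdgeDefaultHTTPS": "true",
    "SSLErrorOverrideAllowed": "false",
    "DefaultCookiesSetting": "2",
    "EdgeDisabledFeatures": "password|autofill|copilot|collections|readaloud",
}

# Constructed sample, not real device output. Assumed layout: somewhere in the
# document a "policies" object maps each name to {"value": ..., "error": ...}.
SAMPLE_EXPORT = json.loads("""
{"policyValues": {"edge": {"policies": {
  "PasswordManagerEnabled": {"value": true},
  "DefaultPopupsSetting": {"value": 2},
  "SmartScreenForTrustedDownloadsEnabled": {"value": true},
  "InsecureContentBlockedForUrls": {"value": ["*"]},
  "ExtensionSettings": {"value": {"*": {"installation_mode": "blocked"}},
                        "error": "Schema validation error"},
  "EdgeDefaultHTTPS": {"value": true},
  "SSLErrorOverrideAllowed": {"value": false},
  "DefaultCookiesSetting": {"value": 1},
  "EdgeDisabledFeatures": {"value": "password|autofill|copilot|collections|readaloud"}
}}}}
""")


def normalize(value):
    """Reduce an Intune table value or a reported value to a comparable form."""
    if isinstance(value, (bool, int, list, dict)):
        return value
    text = str(value).strip()
    lowered = text.lower()
    if lowered in ("enabled", "true"):
        return True
    if lowered in ("disabled", "false"):
        return False
    match = re.search(r"\((\d+)\)\s*$", text)  # "Do not allow popups (2)" -> 2
    if match:
        return int(match.group(1))
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if text.startswith(("[", "{")):
        try:
            return json.loads(text)
        except ValueError:
            pass  # not JSON after all; compare as plain text
    return text


def canon(value):
    """Canonical JSON text, so True and 1 (or reordered keys) compare correctly."""
    return json.dumps(normalize(value), sort_keys=True)


def collect_reported(node, found=None):
    """Gather every {name: {"value": ...}} entry under any "policies" key."""
    found = {} if found is None else found
    if isinstance(node, dict):
        for key, child in node.items():
            if key == "policies" and isinstance(child, dict):
                for name, entry in child.items():
                    if isinstance(entry, dict) and "value" in entry:
                        found[name] = entry
            else:
                collect_reported(child, found)
    elif isinstance(node, list):
        for child in node:
            collect_reported(child, found)
    return found


def audit(export, baseline):
    """Return sorted (policy, problem) pairs: missing, error state, or wrong value."""
    reported = collect_reported(export)
    findings = []
    for name, wanted in baseline.items():
        entry = reported.get(name)
        if entry is None:
            findings.append((name, "missing"))
        elif entry.get("error"):
            findings.append((name, "error: " + str(entry["error"])))
        elif canon(entry["value"]) != canon(wanted):
            findings.append(
                (name, f"mismatch: want {canon(wanted)}, got {canon(entry['value'])}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, baseline in (("Windows L2", WINDOWS_LEVEL2), ("Android L2", ANDROID_LEVEL2)):
        for name, problem in audit(SAMPLE_EXPORT, baseline):
            print(f"{label}: {name}: {problem}")
```

An empty result from `audit` means every baseline key was reported with the expected value and no error; extend the baseline dictionaries with the remaining rows of the level being validated.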

URL Filtering

  • Level 1: Confirm allowed URLs operate as expected.
  • Level 2: Confirm blocked URLs (such as social media domains) are restricted.
  • Level 3: Confirm only allowlisted corporate URLs are accessible.

Feature Restrictions

  • Validate restricted features based on the assigned security level, such as InPrivate mode, autofill, password import, extensions, and Copilot visibility.

Homepage and Bookmarks

  • Confirm the managed homepage and managed bookmarks appear correctly in Microsoft Edge.

Security Settings

  • Verify that SmartScreen, HTTPS enforcement, and data-sharing restrictions operate according to the applied policy.

VPN Integration (If Configured)

  • For deployments using Microsoft Tunnel, ensure per-app VPN settings connect and route traffic as defined in the ACP.

App Configuration Policies for iOS/iPadOS

iOS app configuration policies define and enforce browser behavior for Microsoft Edge for Business on iPhone and iPad devices. These policies provide progressive control over privacy, security, and data protection while aligning with Zero Trust principles.

Prerequisites:

  • iOS/iPadOS 17+
  • Microsoft Edge for iOS installed
  • Company Portal or Intune app installed
  • Microsoft Intune license assigned to the user
  • Device MAM-enabled or MDM-enrolled through Intune
  • User signed in with Microsoft Entra ID account

Important

In iOS App Configuration Policies, Allowed URLs and Blocked URLs are mutually exclusive. When you configure one, the other becomes unavailable.

Level 1 – Basic mobile browser configuration for iOS

Level 1 configuration provides foundational browser security controls while maintaining user productivity.

  1. Go to the Microsoft Intune admin center.
  2. Select Apps > Manage apps > Configuration > Create > Managed apps.
  3. On the Basics tab, enter:
    • Name: Edge iOS ACP Level 1 Basic
    • Description: Basic browser configuration for Microsoft Edge iOS with essential security settings and fundamental mobile controls
  4. In Target policy to, select Selected apps.
    • Choose + Select public apps.
    • In the Select apps to target panel, search for and select Microsoft Edge.
    • Choose Microsoft Edge (iOS/iPadOS), then Select.
  5. Select Next.
  6. On the Settings step, expand General configuration settings.
  7. Configure each setting using the Name and Value specified:
Name Value Documentation
com.microsoft.intune.mam.managedbrowser.PasswordSSO true Password single sign-on
com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled true SmartScreen enabled
EdgeMyApps true Enable EdgeMyApps
EdgeDefaultHTTPS true Default HTTPS enforced
EdgeDisableShareUsageData true Disable sharing usage data
EdgeImportPasswordsDisabled false Disable password import
EdgeProxyPacUrl Proxy PAC URL
BiometricAuthenticationBeforeFilling false Biometric authentication before filling
PasswordManagerEnabled false Disable password manager
SmartScreenEnabled true SmartScreen enabled
SearchSuggestEnabled false Disable search suggestions
TranslateEnabled true Translate enabled
HideFirstRunExperience true Hide first run experience
SSLErrorOverrideAllowed true SSL error override allowed
DefaultBrowserSettingEnabled true Default browser setting enabled
ExperimentationAndConfigurationServiceControl 1 Experimentation and configuration service control
DefaultPopupsSetting 2 Disable pop-ups
EdgeBrandLogo true Organizational branding – logo
EdgeBrandColor #0078d4 Organizational branding – color
DefaultSearchProviderEnabled true Default search provider enabled
DefaultSearchProviderName Preferred Company Search Default search provider name
DefaultSearchProviderSearchURL https://search.company.com?q={searchTerms} Default search provider search URL
DefaultSearchProviderSuggestURL https://search.company.com/suggest?q={searchTerms} Default search provider suggest URL
DefaultSearchProviderKeyword company Default search provider keyword
EdgeNetworkStackPref 0 Edge network stack preference
  8. Expand Edge configuration settings and configure:
Setting Value
Application proxy redirection Disable
Homepage shortcut URL https://www.company.com
Managed bookmarks Company Portal | https://portal.company.com
Allowed URLs Leave empty (Level 3 uses Allowed URLs)
Blocked URLs Leave empty (Level 2 uses Blocked URLs)
Redirect restricted sites to personal context Disable
  9. Select Next.
  10. In Assignments, assign to SEB-Level1-Users group.
  11. Select Next to review the settings. Then choose Create when you're done.

Level 2 – Enhanced mobile browser configuration for iOS

Level 2 configuration adds enhanced security controls and restrictions for sensitive environments.

  1. Go to the Microsoft Intune admin center.
  2. Select Apps > Manage apps > Configuration > Create > Managed apps.
  3. On the Basics tab, enter:
    • Name: Edge iOS ACP Level 2 Enhanced
    • Description: Enhanced browser configuration for Microsoft Edge iOS with more security controls and data protection features
  4. In Target policy to, select Selected apps.
    • Choose + Select public apps.
    • In the Select apps to target panel, search for and select Microsoft Edge.
    • Choose Microsoft Edge (iOS/iPadOS), then Select.
  5. Select Next.
  6. On the Settings step, expand General configuration settings.
  7. Configure each setting using the Name and Value specified:
Name Value Documentation
com.microsoft.intune.mam.managedbrowser.PasswordSSO true Password single sign-on
com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled true SmartScreen enabled
EdgeMyApps true Enable EdgeMyApps
EdgeDefaultHTTPS true Default HTTPS enforced
EdgeDisableShareUsageData true Disable sharing usage data
EdgeImportPasswordsDisabled true Disable password import
EdgeProxyPacUrl Proxy PAC URL
BiometricAuthenticationBeforeFilling true Biometric authentication before filling
PasswordManagerEnabled false Disable password manager
SmartScreenEnabled true SmartScreen enabled
SearchSuggestEnabled false Disable search suggestions
TranslateEnabled true Translate enabled
HideFirstRunExperience true Hide first run experience
SSLErrorOverrideAllowed false SSL error override allowed
EdgeNetworkStackPref 0 Network stack preference
DefaultBrowserSettingEnabled false Default browser setting enabled
EdgeCopilotEnabled false Disable Edge Copilot
EdgeSharedDeviceSupportEnabled true Enable shared device support
ExperimentationAndConfigurationServiceControl 0 Experimentation and configuration service control
EdgeSyncDisabled true Disable browser sync
SavingBrowserHistoryDisabled false Disable browser history saving
DefaultPopupsSetting 2 Disable pop-ups
EdgeBrandLogo true Organizational branding – logo
EdgeBrandColor #0078d4 Organizational branding – color
DefaultSearchProviderEnabled true Default search provider enabled
DefaultSearchProviderName Preferred Company Search Default search provider name
DefaultSearchProviderSearchURL https://search.company.com?q={searchTerms} Default search provider search URL
DefaultSearchProviderSuggestURL https://search.company.com/suggest?q={searchTerms} Default search provider suggest URL
DefaultSearchProviderKeyword company Default search provider keyword
EdgeDisabledFeatures password|autofill|copilot|collections|readaloud Disable features
EdgeBlockSignInEnabled false Block sign-in enabled
  8. Expand Edge configuration settings and configure:
Setting Value
Allowed URLs Leave empty (Level 2 uses blocked URLs instead – when blocked URLs are configured, allowed URLs field becomes unavailable)
Blocked URLs *.facebook.com, *.twitter.com, *.instagram.com, *.tiktok.com
Redirect restricted sites to personal context Enable
  9. Select Next.
  10. In Assignments, assign to SEB-Level2-Users group.
  11. Select Next to review the settings. Then choose Create when you're done.

Level 3 – High security mobile configuration for iOS

Level 3 configuration enforces maximum security with zero-trust controls and comprehensive data-loss prevention.

  1. Go to the Microsoft Intune admin center.
  2. Select Apps > Manage apps > Configuration > Create > Managed apps.
  3. On the Basics tab, enter:
    • Name: Edge iOS ACP Level 3 High
    • Description: High security browser configuration for Microsoft Edge iOS with maximum restrictions, strict isolation, and comprehensive privacy controls
  4. In Target policy to, select Selected apps.
    • Choose + Select public apps.
    • In the Select apps to target panel, search for and select Microsoft Edge (iOS/iPadOS), then select Select.
  5. Select Next.
  6. On the Settings step, expand General configuration settings.
  7. Configure each setting using the Name and Value specified:
Name Value Documentation
com.microsoft.intune.mam.managedbrowser.PasswordSSO false Password single sign-on
com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled true SmartScreen enabled
EdgeMyApps false Enable EdgeMyApps
EdgeDefaultHTTPS true Default HTTPS enforced
EdgeDisableShareUsageData true Disable sharing usage data
EdgeImportPasswordsDisabled true Disable password import
EdgeProxyPacUrl Proxy PAC URL
BiometricAuthenticationBeforeFilling true Biometric authentication before filling
PasswordManagerEnabled false Disable password manager
SmartScreenEnabled true SmartScreen enabled
SearchSuggestEnabled false Disable search suggestions
TranslateEnabled false Translate enabled
HideFirstRunExperience true Hide first run experience
SSLErrorOverrideAllowed false SSL error override allowed
EdgeNetworkStackPref 0 Network stack preference
DefaultBrowserSettingEnabled false Default browser setting enabled
EdgeCopilotEnabled false Disable Edge Copilot
EdgeSharedDeviceSupportEnabled false Disable shared device support
ExperimentationAndConfigurationServiceControl 0 Experimentation and configuration service control
EdgeSyncDisabled true Disable browser sync
SavingBrowserHistoryDisabled true Disable browser history saving
DefaultPopupsSetting 2 Disable pop-ups
EdgeBrandLogo true Organizational branding – logo
EdgeBrandColor #0078d4 Organizational branding – color
DefaultSearchProviderEnabled true Default search provider enabled
DefaultSearchProviderName Preferred Company Search Default search provider name
DefaultSearchProviderSearchURL https://search.company.com?q={searchTerms} Default search provider search URL
DefaultSearchProviderSuggestURL https://search.company.com/suggest?q={searchTerms} Default search provider suggest URL
DefaultSearchProviderKeyword company Default search provider keyword
EdgeDisabledFeatures inprivate|autofill|password|translator|readaloud|drop|coupons|extensions|copilot|collections|myapps|share Disable features
EdgeBlockSignInEnabled true Block sign-in enabled
  8. Expand Edge configuration settings and configure:
Setting Value
Allowed URLs *.company.com, *.microsoft.com, login.microsoftonline.com
Blocked URLs Leave empty (Level 3 uses allowed URLs – when allowed URLs are configured, blocked URLs field becomes unavailable)
  9. Per-App VPN (optional): Integrate with Microsoft Tunnel if necessary for isolated secure traffic routing.
  10. Select Next.
  11. In Assignments, assign to SEB-Level3-Users group.
  12. Select Next to review the settings. Then choose Create when you're done.

Validation (All iOS Levels)

Policy Application

  • In the Intune admin center, verify the assigned App Protection and App Configuration policies have successfully deployed to the targeted iOS devices.

App Configuration Verification

  • On the device, open Microsoft Edge and navigate to Settings.
  • Confirm that managed configuration values—such as homepage, search provider, password manager, and disabled features—match the applied ACP settings.

URL Filtering

  • Level 1: Confirm that allowed URLs operate as expected.
  • Level 2: Verify that blocked URL categories (for example, social media domains) can't be accessed.
  • Level 3: Confirm that only the configured corporate allowlisted URLs are accessible.

Feature Restrictions

  • Validate restricted features based on the assigned level, including:
    • Level 1: SmartScreen, pop-up blocking, and basic security controls.
    • Level 2: Sync disabled, password import blocked, biometric authentication for filling enabled, InPrivate browsing controlled.
    • Level 3: InPrivate disabled, history saving disabled, shared device mode disabled, and advanced restrictions (such as Collections, Extensions, Drop, Copilot) enforced.

Homepage and Bookmarks

  • Confirm that the managed homepage and any configured managed bookmarks appear correctly in Microsoft Edge.

Policy Dependency Check

  • Ensure the user is signed in to Edge using their work or school (Entra ID) account, as App Configuration settings only apply within the managed work profile context.
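
A drift check for the App Configuration Verification step above, as an added example that is not part of the original page or of Microsoft's tooling: it compares an exported policy's name/value settings against a subset of the Level 3 table and flags the Allowed/Blocked URL conflict described in the Important note. The export shape (a list of name/value pairs plus separate URL lists), the function names, and the sample data are assumptions constructed for illustration.

```python
# Security-relevant subset of the page's Level 3 "General configuration settings".
LEVEL3_BASELINE = {
    "com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled": "true",
    "SSLErrorOverrideAllowed": "false",
    "EdgeSyncDisabled": "true",
    "EdgeBlockSignInEnabled": "true",
    "EdgeDisabledFeatures": "inprivate|autofill|password|translator|readaloud|drop|"
                            "coupons|extensions|copilot|collections|myapps|share",
}
PIPE_LISTS = {"EdgeDisabledFeatures"}  # pipe-separated values, compared as sets

def normalize(name, value):
    """Trim and case-fold a value; pipe-separated lists become sets."""
    text = str(value).strip().lower()
    if name in PIPE_LISTS:
        return frozenset(p.strip() for p in text.split("|") if p.strip())
    return text

def find_drift(custom_settings, allowed_urls, blocked_urls, baseline=LEVEL3_BASELINE):
    """Return sorted findings ([] = no drift) for a list of {"name", "value"} pairs."""
    seen = {pair["name"].strip(): pair["value"] for pair in custom_settings}
    findings = []
    for name, expected in baseline.items():
        if name not in seen:
            findings.append(f"{name}: missing (expected {expected})")
            continue
        want, got = normalize(name, expected), normalize(name, seen[name])
        if isinstance(want, frozenset):
            if want - got:  # extra disabled features are stricter, so not drift
                findings.append(f"{name}: not disabled: {'|'.join(sorted(want - got))}")
        elif want != got:
            findings.append(f"{name}: {seen[name]} (expected {expected})")
    if allowed_urls and blocked_urls:  # the page's Important note
        findings.append("URL lists: Allowed URLs and Blocked URLs are both set")
    elif not allowed_urls:
        findings.append("URL lists: Allowed URLs is empty (Level 3 uses an allowlist)")
    return sorted(findings)

# Constructed sample export (not real tenant data) with deliberate drift.
SAMPLE_SETTINGS = [{"name": n, "value": v} for n, v in [
    ("com.microsoft.intune.mam.managedbrowser.SmartScreenEnabled", "TRUE"),
    ("SSLErrorOverrideAllowed", "true"),
    ("EdgeBlockSignInEnabled", "true"),
    ("EdgeDisabledFeatures", "share|copilot|password|autofill|translator|"
                             "readaloud|drop|coupons|collections|myapps"),
]]
SAMPLE_ALLOWED = ["*.company.com", "*.microsoft.com", "login.microsoftonline.com"]
print("\n".join(find_drift(SAMPLE_SETTINGS, SAMPLE_ALLOWED, [])))
```

Comparing EdgeDisabledFeatures as a set keeps a reordered list from reading as drift while still catching a feature such as inprivate or extensions that was dropped from the value.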

Next steps

Go to Step 2 to create an app protection policy.

Continue to Step 5 to configure Settings Catalog policies for enrolled Windows and macOS devices.