Conditional Launch

Conditional launch is the set of Intune app protection policy settings that block app sign-in based on device or app state — even before the app fully loads. Conditions include: maximum app version (block sign-in on outdated apps), maximum OS version, device must not be jailbroken / rooted, device must not have been offline for X days, device must not have unmanaged threat intelligence indicators, device must not exceed risk threshold from Defender for Endpoint. When a condition is violated, the app refuses to sign in or wipes corporate data. The most useful gate for BYOD scenarios where the device isn't fully managed but you still need device-state assurance before granting app access.