Last Updated on 25/02/2026 by Alex
Third-party keyboards are one of those security risks that often fly under the radar in enterprise mobile management. By default, nothing stops a user on a corporate enrolled or BYOD device from installing a keyboard app from the Play Store or App Store and using it across every application they interact with, including corporate ones.
The problem is significant. Many third-party keyboard apps, particularly on iOS, request “full access” during installation. As highlighted in Apple’s own privacy warning, granting full access allows the keyboard developer to transmit anything you type to their servers. Passwords, card numbers, sensitive business data, it doesn’t matter which app you’re typing in. Worse still, even if a user temporarily switches back to the native keyboard to enter something sensitive, that data can be cached by the third-party keyboard and uploaded later when it regains focus.
This isn’t a theoretical risk. It’s a documented behaviour, and for organisations handling sensitive data, it represents a genuine data leakage vector that is trivially easy to close.
In this post, we’ll walk through how to block third-party keyboards on both Android and iOS devices using Intune App Protection Policies (APP), which apply whether the device is corporate enrolled or a personal BYOD device, giving you consistent protection across your entire user base.
Introduction
Have you ever read the 3rd party privacy policy on iOS devices? Maybe you should, here’s the highlights:
So, in short, 3rd party keyboard developers can access your bank accounts, credit card details, essentially anything that you type, the worrying part is that even if the 3rd party keyboard is disabled whilst you type in sensitive information, that data is then cached and then potentially uploaded once the 3rd party keyboard is re-enabled.
Mitigation
To mitigate this, we will make use of App Protection Policies (APP) otherwise known as Mobile Application Management (MAM) on both corporate and BYO devices, separate APP’s can be targeted to different device states, e.g. APP1 is applicable to BYOD only and APP2 is targeted to Corporate devices, this is helpful when users have BOTH a corporate and a BYO devices. Here’s an example on how APP’s can differentiate based on how the device is managed:
- Managed = Enroled, MDM
- Unmanaged = MAM, BYOD
It’s possible, to have multiple APP’s based on the management type, for example for managed devices the restrictions might be slightly lighter depending on your corporate policies.
Android
To block 3rd party keyboards via APP for Android, log into the Intune Portal, browse to Apps, then App protection policies, either Create Policy or amend an existing policy (Note: I would recommend testing on a separate policy before amending existing policies), once in the policy, navigate to Data Protection and set Approved Keyboards to Require:
Then Select which keyboards you wish to approve, for the most part, the defaults are sufficient:
iOS
To block 3rd party keyboards via APP for iOS, log into the Intune Portal, browse to Apps, then App protection policies, either Create Policy or amend an existing policy (Note: I would recommend testing on a separate policy before amending existing policies), once in the policy, navigate to Data Protection, and set Third party keyboards to Block:
Note on blocking iOS third party keyboards: ‘When this setting is enabled, the user receives a one-time message stating that the use of third-party keyboards is blocked. This message appears the first time a user interacts with organizational data that requires the use of a keyboard. Only the standard iOS/iPadOS keyboard is available while using managed applications, and all other keyboard options are disabled. This setting will affect both the organization and personal accounts of multi-identity applications. This setting does not affect the use of third-party keyboards in unmanaged applications.’ – MS Article Reference
