Hi Community,
This will be the 1st of 3 guides on how to set up MAM (Mobile Application Management) in Intune. I will be starting with MAM for iOS.
We’ll explore how to protect company data on unmanaged iOS and iPadOS devices using Microsoft Intune. For simplicity, I’ll refer to iOS throughout this post, but the information applies to both iOS and iPadOS. We’ll establish guardrails to ensure company information remains secure while still allowing personal access to organizational data for productivity.
We’ll use Mobile Application Management (MAM) for unmanaged devices, often referred to as personal or BYOD (Bring Your Own Device) devices. These are devices whose settings your IT staff has no control over.
What Is MAM (Mobile Application Management)?
Mobile Application Management (MAM) is a type of security management focused on controlling and securing mobile applications used within an organization. It involves provisioning, configuring, and managing mobile apps on both company-provided and personal devices.
Key features of MAM include:
- App Configuration: Setting up app-specific policies and configurations.
- Data Protection: Ensuring that sensitive organizational data within apps is secure and not leaked.
- Access Control: Managing who can access specific apps and data.
- App Updates: Keeping apps up-to-date with the latest features and security patches.
MAM is particularly useful for organizations that need to secure data on personal devices without requiring full device management. This allows employees to use their own devices for work while ensuring that corporate data remains protected.
By combining App Protection policies with Conditional Access policies you can create a secured application environment for your users without having to manage the complete device. With MAM configured you don’t need to “fully” enroll the device in Intune.
Implementing MAM has these benefits:
- Enhanced Data Security – Provides a layer of security for organization data on unmanaged devices by setting policies to control how company data is accessed and shared within apps.
- Increased Flexibility – Give your users access to company data in apps such as Outlook, Excel etc. without having to enroll their devices under management.
App Protection Policies
Microsoft has defined 3 levels of App Protection Policies to configure your policies:
- Level 1 enterprise basic data protection:
Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the school or work data. However, unlike Exchange Online device access policies, the below App Protection Policy settings apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios. The policies in level 1 enforce a reasonable data access level while minimizing the impact to users and mirror the default data protection and access requirements settings when creating an App Protection Policy within Microsoft Intune.
- Level 2 enterprise enhanced data protection:
Level 2 is the data protection configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. These recommendations don’t assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. This configuration expands upon the configuration in Level 1 by restricting data transfer scenarios and requiring a minimum operating system version.
- Level 3 enterprise high data protection:
Level 3 is the data protection configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described. This configuration expands upon the configuration in Level 2 by restricting additional data transfer scenarios, increasing the complexity of the PIN configuration, and adding mobile threat detection.
As the above table indicates, all changes to the App Protection Policies should first be performed in a preproduction environment to understand the implications of the policy settings. Once testing is complete, the changes can be moved into production and applied to a subset of production users, generally the IT department and other applicable groups. Finally, the rollout can be completed to the rest of the mobile user community. Rollout to production may take longer depending on the scale of impact of the change. If there’s no user impact, the change should roll out quickly, whereas if the change results in user impact, the rollout may need to go slower because the changes need to be communicated to the user population.
To ensure that only apps supporting App Protection Policies can access work or school account data, Microsoft Entra Conditional Access policies are required.
I have already created the 3 levels of security in JSON files, you can download them here:
Just unzip the JSON files and you can import them into Intune.
The full Microsoft article is here.

How To Setup MAM
I will begin with the creation of the Conditional Access policy, then continue with the App Protection policy, and conclude with the user experience.
Conditional Access policy
Go to the Intune Portal – Endpoint Security – Conditional access – Policies – Create new Policy (yes, you can go via the Azure or Entra portals, but I will stick with the Intune Portal).
Microsoft has some guidelines for naming your Conditional Access policies, which you can find here. You can use them if you want; they are not mandatory.
Name your policy, according to the guidelines above, or just give it a name that is clear to you. E.g. MAM for iOS.

Select the group or user that best fits your needs.
Select Target resources such as “Cloud Apps” or specifically “Office 365.” You can also select All cloud apps to broaden your scope; to keep it simple I will select All cloud apps.
Set the Conditions targeting the Device Platform, as this will tell us the platform the user is signing in from.
Under Client apps, select both Browser and Mobile apps and desktop clients.
Now, go to Access Controls and specify the requirements to get access. I have chosen Grant access by Requiring app protection policies to be in place.
Switch the policy to On and click Create. Now you have configured the Conditional Access policy. Let’s go to the App Protection policy.
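As an added check (my own example, not code from this blog or from Microsoft), the function below takes a policy in the Microsoft Graph conditionalAccessPolicy shape, as returned by GET /identity/conditionalAccess/policies, and reports which of the settings from the steps above are missing; the group id is a placeholder, and `compliantApplication` is Graph's name for the “Require app protection policy” grant control.

```python
"""Check a Conditional Access policy against the 'MAM for iOS' guide.
Added example, not the blog's or Microsoft's code; the dicts use the
Microsoft Graph conditionalAccessPolicy shape (GET
/identity/conditionalAccess/policies) and the group id is a placeholder."""

REQUIRED_CLIENT_APPS = {"browser", "mobileAppsAndDesktopClients"}


def check_mam_ca_policy(policy: dict) -> list[str]:
    """Return findings; empty means the policy is enabled, scoped to users,
    covers iOS and both client app types, and grants access only with
    'Require app protection policy' (Graph name: compliantApplication)."""
    findings = []
    cond = policy.get("conditions") or {}
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, expected 'enabled'")
    users = cond.get("users") or {}
    if not (users.get("includeUsers") or users.get("includeGroups")):
        findings.append("no users or groups are targeted")
    if not (cond.get("applications") or {}).get("includeApplications"):
        findings.append("no target resources (cloud apps) are included")
    platforms = set((cond.get("platforms") or {}).get("includePlatforms") or [])
    if not platforms & {"iOS", "all"}:
        findings.append("iOS is not in conditions.platforms.includePlatforms")
    client_apps = set(cond.get("clientAppTypes") or [])
    missing = REQUIRED_CLIENT_APPS - client_apps
    if "all" not in client_apps and missing:
        findings.append("clientAppTypes missing: " + ", ".join(sorted(missing)))
    grant = policy.get("grantControls") or {}
    if "compliantApplication" not in (grant.get("builtInControls") or []):
        findings.append("grant control compliantApplication (require app "
                        "protection policy) is not set")
    return findings


# Constructed policy mirroring the guide's portal steps (placeholder group id).
GUIDE_POLICY = {
    "displayName": "MAM for iOS", "state": "enabled",
    "conditions": {
        "users": {"includeGroups": ["00000000-0000-0000-0000-000000000000"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["iOS"]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
    "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}}

# Constructed weak variant: left in report-only mode and browser sign-ins uncovered.
WEAK_POLICY = {**GUIDE_POLICY, "state": "enabledForReportingButNotEnforced",
               "conditions": {**GUIDE_POLICY["conditions"],
                              "clientAppTypes": ["mobileAppsAndDesktopClients"]}}
```

Run `check_mam_ca_policy` over each policy exported from your tenant; the guide's policy yields no findings, while the weak variant reports the report-only state and the missing browser client app type.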
Configure the App Protection policy – MAM Policy
If you have imported the JSON files for the MAM policies into your Intune environment, the MAM policies are already there. You can always create your own MAM policies of course; I will continue this guide with the ones I have configured according to the Microsoft framework.
I will use the Level 2 MAM policy in this guide.
In the Intune portal go to Apps – App protection, here the 3 app protection policies are in place.
The settings in this MAM policy correspond to the settings that Microsoft offers in the Data Framework.

For me these MAM settings are OK; you can always change them to your needs. I consider this Microsoft best practice. If you are happy with the MAM settings, assign this policy to a group of your choice; in my case this is the pilot user group.
In this MAM policy you can see that the targeted public apps are the core Microsoft apps.
The core Microsoft apps are these:
- Microsoft Edge
- Excel
- Office
- OneDrive
- OneNote
- Outlook
- PowerPoint
- SharePoint
- Teams
- To Do
- Word
The policies should include other Microsoft apps based on business need, additional third-party public apps used within the organization that have integrated the Intune SDK, as well as line-of-business apps that have integrated the Intune SDK (or have been wrapped) if this suits your business needs. As you can see, these MAM policies are not carved in stone and should be altered to your specific needs.
User Experience
In this “demo” I already have MFA enabled for the user; I would suggest that you also do this if it is not yet in place.
I will use the Outlook app to demonstrate the end user's experience on the device, together with a copy/paste use case.
First we will download Outlook from the App Store.
Open the Outlook app and tap add account.
If the account has been found, tap Add account; otherwise fill in the details for your email account.
Once the account is added, tap Maybe later or Add another account.
Now you will get the message stating “Your organization is now protecting its data in this app. You need to restart the app to continue.” This is when the MAM policy kicks in. The Outlook app will restart.
Choose a PIN to protect the Outlook app from being opened by an unauthorized user. This is an extra layer of security to prevent Outlook being opened on a stolen device where somebody has managed to get past the home screen, which you also have (or should have) a PIN code on.

Enable notification if you want.
Now to test the copy/paste restriction, just select some text from an email and copy it.
Now paste it into e.g. the Notes app. You will see the restriction that you cannot paste more than 10 characters.

Now for the 2nd use case I will add a personal mail account to the Outlook app. After we have added the personal account we will retire the device and see what happens. Because these are personal devices they most likely have a personal mail account configured next to the business account. If the personal account is not configured in Outlook all is fine; I would never suggest configuring it, but hey, these are personal devices. You can also create an extra Conditional Access policy to force the use of the Outlook app for your business mail accounts.

As you can see, I have an extra mail account in the Outlook app.

Now let’s say my consultancy project with this customer is ending and they want to remove the company data from my phone. Normally for an enrolled device you would go to the device in the Intune portal and do a retire. (this is a screenshot from a macOS device but the action is the same)
However, because this is a personal device and it is NOT enrolled in Intune, it will not show up in the Intune device list.
The device will show up in the Office 365 portal under Devices – Active devices – App managed.
From here you can select the device and choose Remove company data.

After you click the Remove data button a device wipe is triggered; this device wipe can be monitored from the Intune portal. Go to the Intune portal – Apps – App selective wipe. From here you can also create the wipe requests.
After a few minutes the company data on the device has been removed without touching the personal data in the app. As you can see, the company mail account is gone but my personal mail account is still there. You will get a notification message for this, but it happened so fast that I couldn’t screenshot it.
For more information regarding the wipe requests check out this Microsoft article.

I hope you find this article helpful, and as always, if you feel there is something in error or you want to add some stuff from your own experience, don’t hesitate to contact me!
Great article!
Question- If my users already have downloaded and are using the Outlook Mobile app (Without MAM) when I Set this up, what would the experience be like for them? Would it prompt them for installing company portal as well or would you have to uninstall/reinstall the app?
Hi, thank you. I still need to test this but did not have time yet. But what I think the behavior will be is that the user will get the pop-up to install the Company Portal app and after that my guess is that everything will go as described in the guide. If you test this, please let me know the outcome if you want.
Beautiful documentation!
Unfortunately, I cannot import the .json files, not manually directly via Intune and also not via the GitHub software that was linked.
I don’t get any error messages either.
Does anyone have an idea?
Hi Jonas, thank you for the comment. If you want we can do a quick remote session to get this cleared out? Let me know.
Hi Joery, I think I could arrange that.
What would be the preferred way?
I suggest to do a teams call? What do you think?
I now know the error when I try to import your .json file or even the template from MS: Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies (Request ID: ee0416ce-4d73-42a4-809e-253029be2d44). Status code: BadRequest. Response message: A type named ‘microsoft.graph.iosManagedAppProtection’ could not be resolved by the model. When a model is available, each type name must resolve to a valid type. Exception: Der Remoteserver hat einen Fehler zurückgegeben: (400) Ungültige Anforderung.
How can i reach you to send you the invite?
Thank you so much so far!
Jonas, just send me an email and we can arrange something over Teams.
Hello,
How do you exclude enrolled devices from Mam policies?
I want to exclude company-owned iPads from MAM policies, however I have not been able to make it work so far.
I have tried with the filters under Tenant administration, which didn't work. Also tried to create an app configuration policy for Outlook to test, and it did not work when adding IntuneMAMUPN there and choosing managed device.
Hi, you should use filters in the app protection policy to exclude corporate devices. You can create the filter like this: (device.deviceOwnership -eq "Corporate") and (device.model -contains "iPad")
But as I understand it, inclusion targeted at a user group and exclusion targeted at a device group will not work, so in that case, if the MAM policy is assigned based on a user group and you suggest creating a filter on a device group, will it work?
Hi, that should work.
I’ve set the App Protection Policies like you outlined in this guide. Just about everything seems to be working – thanks for that. I do have one problem though: The Defender App in iOS now cannot log in anymore. I get a screen that says (translated from German):
The change from here to there is not possible.
You are trying to open a resource with a client app that is not available with App Protection Policies.
Is Defender not compatible with App Protection Policies? And if yes, why Microsoft? Just why…
Hi, I would not suggest putting the Defender app on personal devices; it is and remains a personal device. Personally I would not like it if my company forced the Defender app on my personal device. If you want Defender on your devices you should enroll them and not use MAM.
After adding the MAM policy for conditional access, I tried adding an iPad, but never received the message that the organization is controlling the app. The device does not show in devices in the O365 portal. Only the device for my Android devices that uses Company Portal shows there. Any thoughts on what I’m doing wrong?
Did you create and assign the app protection policy?
Does the conditional access policy need to be in place to enforce MAM? Would just creating a App protection policy and targeting right users be enough?
No, you need the CA policy.
Thanks, Joery! Why don’t the official Microsoft docs mention the CA policy requirement? Or do they mention it somewhere and I overlooked it?
Great work! This setup has really saved a lot of time!
I just wanted to clarify a few things regarding the deployment:
How are you currently assigning the Conditional Access (CA) policy and the App Protection (MAM) policy?
If the CA policy is assigned to all users, how does it impact users who enroll Android devices (i.e., fully managed or work profile)?
Similarly, is the App Protection policy also targeted to all users, or is there a filtering mechanism in place?
Appreciate your guidance.
Hi Joery,
Great article, everything is clear and concise, love it.
I have however run into a problem, maybe I just need to be patient, I’m not sure.
I created the Conditional Access Policy as outlined and added the test user group to it, I then created the App protection policy and again added my Test user group to it.
It took a good 45 minutes until my Outlook reacted by not working, so I uninstalled it and reinstalled it. This time it told me it needs to register the device, so I was happy thinking it’s working; however, once it had registered the device I then get a message stating:
Access Denied
This app must be protect with an Intune policy before you can access company data, please contact your IT helpdesk for more information.
I have checked the requirements and the phone fulfills them, I can’t see what is causing this issue.
Any help would be greatly appreciated
Hi, is the Outlook app targeted by the app protection policy?
What are the license requirements?