Hi Community,
This is the second of three guides on how to set up MAM (Mobile Application Management) in Intune. This second part covers Android.
We'll explore how to protect company data on unmanaged Android devices using Microsoft Intune. We'll establish guardrails that keep company information secure while still letting users reach organizational data from a personal device for productivity.
We'll use Mobile Application Management (MAM) for unmanaged devices, often referred to as personal or BYOD (Bring Your Own Device) devices: devices whose settings your IT staff does not control.
What Is MAM (Mobile Application Management)?
Mobile Application Management (MAM) is a type of security management focused on controlling and securing mobile applications used within an organization. It involves provisioning, configuring, and managing mobile apps on both company-provided and personal devices.
Key features of MAM include:
- App Configuration: Setting up app-specific policies and configurations.
- Data Protection: Ensuring that sensitive organizational data within apps is secure and not leaked.
- Access Control: Managing who can access specific apps and data.
- App Updates: Keeping apps up-to-date with the latest features and security patches.
MAM is particularly useful for organizations that need to secure data on personal devices without requiring full device management. This allows employees to use their own devices for work while ensuring that corporate data remains protected.
By combining App Protection policies with Conditional Access policies you can create a secured application environment for your users without managing the complete device. With MAM configured you don't need to fully enroll the device in Intune.
Implementing MAM has these benefits:
- Enhanced Data Security – Provides a layer of security for organization data on unmanaged devices by setting policies to control how company data is accessed and shared within apps.
- Increased Flexibility – Give your users access to company data in apps such as Outlook, Excel etc. without having to enroll their devices under management.
App Protection Policies
Microsoft's App Protection Policy data protection framework defines three levels you can use to configure your policies:
- Level 1 enterprise basic data protection:
Level 1 is the minimum data protection configuration for an enterprise mobile device. This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the work or school data. However, unlike Exchange Online device access policies, the App Protection Policy settings at this level apply to all the apps selected in the policy, thereby ensuring data access is protected beyond mobile messaging scenarios. The policies in Level 1 enforce a reasonable data access level while minimizing the impact to users, and they mirror the default data protection and access requirement settings when creating an App Protection Policy within Microsoft Intune.
- Level 2 enterprise enhanced data protection:
Level 2 is the data protection configuration recommended as a standard for devices where users access more sensitive information. These devices are a natural target in enterprises today. These recommendations don’t assume a large staff of highly skilled security practitioners, and therefore should be accessible to most enterprise organizations. This configuration expands upon the configuration in Level 1 by restricting data transfer scenarios and requiring a minimum operating system version.
- Level 3 enterprise high data protection:
Level 3 is the data protection configuration recommended as a standard for organizations with large and sophisticated security organizations, or for specific users and groups who will be uniquely targeted by adversaries. Such organizations are typically targeted by well-funded and sophisticated adversaries, and as such merit the additional constraints and controls described. This configuration expands upon the configuration in Level 2 by restricting additional data transfer scenarios, increasing the complexity of the PIN configuration, and adding mobile threat detection.
Whichever level you adopt, Microsoft's guidance is that all changes to App Protection Policies should first be performed in a preproduction environment to understand the implications of the policy settings. Once testing is complete, the changes can be moved into production and applied to a subset of production users, generally the IT department and other applicable groups. Finally, the rollout can be completed to the rest of the mobile user community. Rolling out to production may take longer depending on the scale of impact of the change: if there is no user impact the change can roll out quickly, whereas a change with user impact may need a slower rollout so the changes can be communicated to the user population.
To ensure that only apps supporting App Protection Polices access work or school account data, Microsoft Entra Conditional Access policies are required.
I have already created the three levels as JSON files; you can download them here:
Unzip the archive and import the JSON files into Intune.
The full Microsoft article is here.

How To Setup MAM
I will begin with the creation of the Conditional Access policy, then continue with the App Protection policy, and conclude with the user experience.
Conditional Access policy
Go to the Intune portal – Endpoint security – Conditional access – Policies – Create new policy. (You can also do this from the Azure or Entra portals, but I will stay in the Intune portal.)
Microsoft has naming guidelines for Conditional Access policies, which you can find here. Using them is optional.
Name your policy, according to the guidelines above, or just give it a name that is clear to you. E.g. MAM for Android.
Under Users, select the group or users that best fit your needs; start with a pilot group.
Under Target resources, select cloud apps such as Office 365, or select All cloud apps to broaden your scope. To keep it simple I will select All cloud apps. Be aware that with the grant control used below, a client on the targeted platform that does not support app protection policies will be blocked from those resources, which is one more reason to test with a pilot group first.
Under Conditions, set Device platforms to include Android. This scopes the policy to the platform the user is signing in from.
Under Client apps, select both Browser and Mobile apps and desktop clients.
Now go to Access controls and specify the requirements for getting access. I have chosen Grant access with Require app protection policy.
Switch the policy to on and click create. Now you have configured the Conditional Access policy. Let’s go to the App Protection Policy.
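The same Conditional Access policy as the portal steps above, created with Microsoft Graph PowerShell. This is an added example and not part of the original post or Microsoft's documentation; it assumes the Microsoft.Graph module is installed and that `$pilotGroupId` is replaced with the object ID of your own pilot group. The policy is created in report-only mode first so you can check sign-in logs before enforcing it; change `state` to `enabled` to match the "switch the policy to on" step.

```powershell
# Added example (not from the original post): create the "MAM for Android" Conditional
# Access policy from the steps above via Microsoft Graph instead of the portal.
# Assumptions: Microsoft.Graph PowerShell module installed; $pilotGroupId is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of your pilot group

$policy = @{
    displayName = "MAM for Android"
    # Report-only first; set to "enabled" once the pilot is happy (the "switch the policy to on" step)
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }           # Users: pilot group
        applications   = @{ includeApplications = @("All") }             # Target resources: All cloud apps
        platforms      = @{ includePlatforms = @("android") }            # Conditions: Device platforms = Android
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")     # Client apps: both types selected above
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantApplication")                       # Grant: Require app protection policy
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read the policy back to confirm the platform condition and grant control landed as intended
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
"{0}: state={1} platforms={2} grant={3}" -f $check.displayName, $check.state,
    ($check.conditions.platforms.includePlatforms -join ","), ($check.grantControls.builtInControls -join ",")
```

If the same users also carry enrolled, compliant corporate devices (the situation raised in the comments below), add a device filter to `conditions` so the policy only applies to unmanaged devices: `devices = @{ deviceFilter = @{ mode = "exclude"; rule = 'device.isCompliant -eq True' } }`. That is the filter-for-devices replacement for the older device state condition.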
Configure the App Protection policy – MAM Policy
If you have imported the JSON files for the MAM policies into your Intune environment, the MAM policies are already there. You can of course create your own MAM policies, but I will continue this guide from the ones I configured according to the Microsoft framework.
I will use the Level 2 MAM policy in this guide.
In the Intune portal go to Apps – App protection; the three app protection policies are listed here.
The settings in this MAM policy correspond to the settings Microsoft offers in the data protection framework.

For me these MAM settings are fine; you can always change them to your needs. I consider them Microsoft best practice. If you are happy with the settings, assign the policy to a group of your choice; in my case this is the pilot user group.
In this MAM policy you can see that the targeted public apps are the core Microsoft apps.
The core Microsoft apps are these:
- Microsoft Edge
- Excel
- Office
- OneDrive
- OneNote
- Outlook
- PowerPoint
- SharePoint
- Teams
- To Do
- Word
The policies should also include other Microsoft apps based on business need, third-party public apps used within the organization that have integrated the Intune SDK, and line-of-business apps that have integrated the Intune SDK (or have been wrapped) where that suits your business. As you can see, these MAM policies are not carved in stone and should be altered to your specific needs.
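An added example of building the Android app protection policy from this section with Microsoft Graph PowerShell: it creates the policy, targets the core Microsoft apps listed above by their Android package IDs, and assigns it to the pilot group. This is not the author's JSON export or Microsoft's code; the settings are representative Level 2-style values chosen for illustration (check each against the framework article before using them), `$pilotGroupId` is a placeholder, and the 10-character clipboard exception is my assumption about what produced the "no more than 10 characters" behaviour described in the user experience section below.

```powershell
# Added example (not from the original post): create an Android app protection policy with
# Level 2-style settings, target the core Microsoft apps, and assign it to the pilot group.
# Assumptions: Microsoft.Graph module installed; $pilotGroupId is a placeholder; setting
# values are illustrative and should be checked against Microsoft's framework article.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of your pilot group
$graph        = "https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections"

# Android package IDs of the core Microsoft apps from the list above
$corePackages = @(
    "com.microsoft.emmx",                  # Microsoft Edge
    "com.microsoft.office.excel",          # Excel
    "com.microsoft.office.officehubrow",   # Office (Microsoft 365)
    "com.microsoft.skydrive",              # OneDrive
    "com.microsoft.office.onenote",        # OneNote
    "com.microsoft.office.outlook",        # Outlook
    "com.microsoft.office.powerpoint",     # PowerPoint
    "com.microsoft.sharepoint",            # SharePoint
    "com.microsoft.teams",                 # Teams
    "com.microsoft.todos",                 # To Do
    "com.microsoft.office.word"            # Word
)

$policy = @{
    "@odata.type"                                   = "#microsoft.graph.androidManagedAppProtection"
    displayName                                     = "MAM - Android - Level 2 (pilot)"
    # Access requirements: PIN to open the app, no simple PINs, limited retries before wipe
    pinRequired                                     = $true
    pinCharacterSet                                 = "numeric"
    minimumPinLength                                = 4
    simplePinBlocked                                = $true
    maximumPinRetries                               = 5
    periodOnlineBeforeAccessCheck                   = "PT30M"
    periodOfflineBeforeAccessCheck                  = "PT12H"
    periodOfflineBeforeWipeIsEnforced               = "P90D"
    # Data protection: keep org data inside policy-managed apps
    dataBackupBlocked                               = $true
    saveAsBlocked                                   = $true
    allowedDataStorageLocations                     = @("oneDriveForBusiness", "sharePoint")
    allowedOutboundDataTransferDestinations         = "managedApps"
    allowedInboundDataTransferSources               = "allApps"
    allowedOutboundClipboardSharingLevel            = "managedAppsWithPasteIn"
    allowedOutboundClipboardSharingExceptionLength  = 10     # assumption: source of the 10-character paste limit
    screenCaptureBlocked                            = $true
    # Conditional launch: illustrative minimum OS version
    minimumRequiredOsVersion                        = "10.0"
}

$created = Invoke-MgGraphRequest -Method POST -Uri $graph `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Target the public apps (the "targeted public apps" shown in the policy)
$apps = @{
    apps = @($corePackages | ForEach-Object {
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.androidMobileAppIdentifier"; packageId = $_ } }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the policy to the pilot group
$assignment = @{
    assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } })
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

"Created policy $($created.id) targeting $($corePackages.Count) apps, assigned to group $pilotGroupId"
```

Compare the result with one of the imported JSON policies in the portal under Apps – App protection; any setting that differs from the framework level you chose should be corrected in the hashtable rather than by hand in the portal, so the policy stays reproducible.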
User Experience
In this demo I already have MFA enabled for the user; I would suggest you do the same if it is not yet in place.
I will use the Outlook app to demonstrate the end user's experience on the device, together with a copy/paste use case.
First we will download Outlook from the Google Play store.
Open the Outlook app and tap add account.
If the account has been found, tap Add account; otherwise fill in the details for your email account. You will then be prompted to install the Company Portal app. Tap Go to store.
Choose Google Play Store. The Company Portal app only acts as the broker for sign-in and app protection policy; your device will NOT be enrolled.
Tap Install
On a Samsung device you will now be prompted that Samsung Knox is required. This has nothing to do with Knox enrollment; it is just the Knox privacy notice that Company Portal asks you to accept. Tap OK.
Tap Agree
When the checks are complete, tap continue.
Choose a PIN to protect the Outlook app from being opened by an unauthorized user. This is an extra layer of security so that Outlook cannot be opened on a stolen device where somebody has managed to get past the lock screen, which you also have (or should have) protected with a PIN.
Now to test the copy/paste restriction, select some text from an email and copy it.
Paste it into, for example, the Messages app. You will see the restriction: you cannot paste more than 10 characters. This limit comes from the policy's cut and copy character limit; without that exception, pasting org data into an unmanaged app would be blocked entirely.
For the second use case I will add a personal mail account to the Outlook app. After adding the personal account we will retire the device and see what happens. Because these are personal devices, they most likely have a personal mail account configured next to the business account. If no personal account is configured in Outlook, all is fine; I would never suggest mixing them, but these are personal devices. You can also create an extra Conditional Access policy to force the use of the Outlook app for your business mail accounts.

As you can see I have an extra mail account in the Outlook app.
Now let's say my consultancy project with this customer is ending and they want to remove the company data from my phone. Normally, for an enrolled device, you would go to the device in the Intune portal and retire it. (This is a screenshot from a macOS device, but the action is the same.)
However, because this is a personal device that is NOT enrolled in Intune, it will not show up in the Intune device list.
The device will show in the Office 365 portal under devices – active devices – app managed.
From here you can select the device and choose Remove company data.
After you click the Remove company data button a selective wipe is triggered. You can monitor it from the Intune portal under Apps – App selective wipe, where you can also create wipe requests yourself.
After a few minutes the company data on the device has been removed without touching the personal data in the app. As you can see the company mail account is gone, but my personal mail account is still there.
For more information regarding the wipe requests check out this Microsoft article.

I hope you find this article helpful, and as always, if you feel something is in error or you want to add something from your own experience, don't hesitate to contact me!
Hi,
As we stick with Security defaults at the moment, will it work without a conditional access policy requiring MAM configured ?
Thanks for this great article !
BR
Tom
Hi Tom, I don't use the security defaults. The CA policies are mandatory for MAM to work with app protection policies.
Great post! I really appreciate the detailed steps for achieving MAM in Intune on Android. The explanations are clear, and the tips you shared will definitely help streamline the process. Looking forward to Part 2!
This blog post is incredibly insightful! I love the step-by-step breakdown on achieving MAM in Intune for Android. The tips about app protection policies were particularly helpful. Can’t wait for Part 2!
Thank you!
Great insights in this post! I especially appreciated the step-by-step approach to implementing MAM in Intune. Looking forward to Part 2 for more tips!
I'm having an error with corporate devices because I have a user with 2 devices, one BYOD and one corporate. How do I exclude this type of device in Conditional Access?
In the Conditions – Device state of your MAM CA policy you should exclude devices that are marked compliant. This will make the policy apply only to BYOD devices.
But I checked to grant only if devices are compliant, MFA and app protection; I was trying to use filter for devices.
Great insights in this post! I particularly liked the step-by-step approach for configuring MAM in Intune. Looking forward to Part 2 for more advanced tips!