In this post I provide information on how Microsoft Mobile Application Management (MAM) policies configured in the Azure portal can be used to protect your corporate data while being accessed from personal iOS or Android mobile devices without the need to enroll those devices in a Mobile Device Management (MDM) solution such as Microsoft Intune.
I provide concepts, "gotchas", requirements and illustrate using the Azure portal to configure a MAM policy, associate it to mobile apps, and deploy it to a group with two user members. One user has an iPhone enrolled in Intune, and the other one has an iPad not enrolled in any MDM solution. The MAM policy effectively applies to apps in both devices.
Although you can apply MAM policy settings using the Intune admin console if you have Intune (standalone or integrated with System Center Configuration Manager -SCCM), Microsoft recommends to use the Azure portal admin console instead because of the following reasons:
Data can be protected by restricting copy/paste operations, data transfer outside of the work context (i.e from a MAM protected app to a non-protected app), prompt for PIN or corp credentials when accessing the app, and have all URLs open using the Intune Managed Browser (iOS and Android versions available). Azure AD authenticates users when they open a protected application and provide their work credentials. You can also wipe corporate data without uninstalling the app or deleting personal data.
For apps that support multi-identity, MAM policies apply only when apps are used in the work context and not when using a personal account. Microsoft Office mobile apps support multi-identity.
MAM policies don't support Windows devices but you can protect your corporate data on them using Windows Information Protection (WIP) with Microsoft Intune or SCCM.
If you have Line of Business (LOB) apps already written and don't want to modify the code (or don't have the source code), you can use the Intune App Wrapping Tool to make your existing mobile app compatible with MAM policies. However, this tool does not support apps in the Apple App Store or Google Play Store. You can download the tool's iOS and Android versions from GitHub.
Look at this article for information on how to use the tool to wrap iOS apps, and this one for information on how to wrap Android apps. The tool does not provide all the management features that the SDK does. You can see a comparison of the features here.
![]()
In the "Intune mobile application management", "Settings" blade, under "App Management", click on "App policy".
![]()
Click on "Add a policy" in the "App policy" blade.
![]()
Name your policy, select the platform (iOS or Android) and click on "Select required apps". In this case I'm targetting my iOS devices.
![]()
Select the apps that the policy should target.
![]()
In the "Add a policy" blade, click on "Configure required settings".
![]()
The settings are divided in two sections: "Data relocation" and "Access".
Check this link for information about each setting.
Once you have configured the settings, you are ready to deploy the policy to users.
![]()
Select the Azure AD group to which you want to deploy the policy and click on "Select". In this case, I'm deploying it to my "All Users" group.
![]()
![]()
and a PIN is required to access the app, as configured in the policy.
As configured in the policy, the user, when using her work account, is restricted from copying/pasting data in the protected apps.
When the user's work account signs out, she gets the following "Wipe Alert" notification: "Your organization has removed its data associated with this app. To continue, restart the app. (607)".
![]()
and a PIN is required to access the app, as configured in the policy.
As configured in the policy, the user, when using his work account, is restricted from copying/pasting data in the protected apps.
When the user's work account signs out, he gets the following "Wipe Alert" notification: "Your organization has removed its data associated with this app. To continue, restart the app. (607)".
![]()
![]()
Click on "Select" user and select a user.
![]()
Protecting app data using MAM policies with Intune
I provide concepts, "gotchas", requirements and illustrate using the Azure portal to configure a MAM policy, associate it to mobile apps, and deploy it to a group with two user members. One user has an iPhone enrolled in Intune, and the other one has an iPad not enrolled in any MDM solution. The MAM policy effectively applies to apps in both devices.
Concepts
MDM allows Information Technology (IT) to manage and protect mobile devices. Corporate users may need to access your corporate applications and data from their own personal devices (Bring Your Own Device or BYOD scenario) but may not want IT to manage their devices. IT still needs to protect corporate data.Although you can apply MAM policy settings using the Intune admin console if you have Intune (standalone or integrated with System Center Configuration Manager -SCCM), Microsoft recommends to use the Azure portal admin console instead because of the following reasons:
- MAM policy settings in the Azure portal can be applied to devices managed by Intune, managed by a 3rd party MDM solution or not managed by MDM
- The Azure portal is the new console to apply MAM policy settings, and new settings may be added to the Azure portal only and not to Intune
Data can be protected by restricting copy/paste operations, data transfer outside of the work context (i.e from a MAM protected app to a non-protected app), prompt for PIN or corp credentials when accessing the app, and have all URLs open using the Intune Managed Browser (iOS and Android versions available). Azure AD authenticates users when they open a protected application and provide their work credentials. You can also wipe corporate data without uninstalling the app or deleting personal data.
For apps that support multi-identity, MAM policies apply only when apps are used in the work context and not when using a personal account. Microsoft Office mobile apps support multi-identity.
MAM policies don't support Windows devices but you can protect your corporate data on them using Windows Information Protection (WIP) with Microsoft Intune or SCCM.
"Gotchas"
- If both, Intune and Azure MAM policies are configured, the Azure policy settings take precedence and are applied to the apps (a known issue is that reporting in Intune or SCCM incorrectly report that Intune policies are applied)
- MAM policies must be deployed to user groups setup in Azure AD and not in Intune
- The Azure portal can't deploy apps (if you need this, you can enroll the device in Intune or any other MDM that supports it)
- MAM policies should not be used in conjunction with a 3rd party MAM or secured container solution
Requirements
- Intune subscription for each user (the user's device doesn't need to be enrolled in Intune, but it's OK if it is)
- Office 365 subscription
- Azure AD
- Supported mobile applications
Supported Applications
A supported mobile app should incorporate the Microsoft Intune App SDK in order to understand MAM policies applied to it. Apps that connect to the Office 365 services are supported as they have the SDK built-in (not apps that connect to on-premises Exchange or SharePoint). Apps written incorporating the SDK are called Intune-enlightened apps. In this list you can see which Intune-enlightened apps support t MAM without enrollment. Note that Microsoft just announced MAM without enrollment support to the SDK Cordova plugin and Xamarin component.If you have Line of Business (LOB) apps already written and don't want to modify the code (or don't have the source code), you can use the Intune App Wrapping Tool to make your existing mobile app compatible with MAM policies. However, this tool does not support apps in the Apple App Store or Google Play Store. You can download the tool's iOS and Android versions from GitHub.
Look at this article for information on how to use the tool to wrap iOS apps, and this one for information on how to wrap Android apps. The tool does not provide all the management features that the SDK does. You can see a comparison of the features here.
Creating Application Policy
Login to https://portal.azure.com, click on "More services", and select "Intune" in the "Monitoring + Management" section.
 |
| Data Relocation |
 |
| Access |
Once you have configured the settings, you are ready to deploy the policy to users.
Deploying Application Policy
Select your policy under "App policy", select "User groups" and click on "Add user group".
User Experience on Device not Managed by MDM
This is a user member of the "All Users" Azure AD group who's using an iPad not managed by any MDM solution. When the user signs in to use a protected app using her work account (Azure AD account), she gets the following notification: "Your organization is now protecting its data in this app. You need to restart the app to continue".
 |
| PIN Setup |
 |
| Prompting for PIN |
When the user's work account signs out, she gets the following "Wipe Alert" notification: "Your organization has removed its data associated with this app. To continue, restart the app. (607)".
User Experience on Device Managed by Intune
This is a user member of the "All Users" Azure AD group who's using an iPhone enrolled in Microsoft Intune. When the user signs in to use a protected app using his work account (Azure AD account), he gets the following notification: "Your organization is now protecting its data in this app. You need to restart the app to continue". |
| PIN Setup |
 |
| Prompting for PIN |
When the user's work account signs out, he gets the following "Wipe Alert" notification: "Your organization has removed its data associated with this app. To continue, restart the app. (607)".
Monitoring Application Policies
In the "Intune mobile application management", "Settings" blade, click on "Users" under "App reporting by user".
More Information
Microsoft two-minute demoProtecting app data using MAM policies with Intune
ConfigMgr