

Intune App Protection Policies (MAM): Complete Guide

Learn how to protect organizational data using Intune App Protection Policies (Mobile Application Management) on both enrolled and unenrolled devices, including BYOD scenarios.

By Ali Alame
Tags: intune, mam, app-protection-policies, byod, mobile-security, data-protection, microsoft-365

Intune App Protection Policies (APP), also known as Mobile Application Management (MAM), protect your organization's data at the application level on both company-owned and personal devices. These policies ensure corporate data remains safe and contained within managed apps, regardless of whether the device itself is enrolled in Intune.

What Are App Protection Policies?

App protection policies are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule enforced when users attempt to access or move "corporate" data, or a set of actions that are prohibited or monitored when users are inside the app.

Key Benefits

  • Protect Data Without Device Enrollment: Secure corporate data on personal devices without full device management
  • BYOD Support: Enable bring-your-own-device scenarios while maintaining security
  • App-Level Protection: Control data access, sharing, and storage at the application level; only org data is touched, so a wipe removes work data and leaves the user's personal data alone
  • Cross-Platform Support: Works on iOS/iPadOS, Android, and Windows
  • Conditional Access Integration: Combine with Conditional Access so that only apps carrying a policy can reach Microsoft 365 data

MAM Configurations

Intune supports two MAM configurations:

1. MAM Without Device Management (MAM Only)

This configuration allows your organization's apps to be managed by Intune without enrolling the devices. This is commonly referred to as MAM without device enrollment (MAM-WE): Intune governs the app and its org data while the device itself stays unenrolled.

Benefits:

  • No device enrollment required
  • Users maintain privacy on personal devices
  • IT controls only organization data
  • Works alongside third-party MDM solutions (the device may be enrolled with another MDM while Intune controls only the app data)

Limitations:

  • Cannot deploy apps to devices (users install them from the public app store)
  • Cannot provision certificate profiles
  • Cannot provision Wi-Fi and VPN settings
  • Cannot run device-level actions such as a full remote wipe; only a selective wipe of the app's org data is available

For more information, see MAM configurations.

2. MAM With Device Management (MAM + MDM)

This configuration allows both your organization's apps and devices to be managed. This is commonly referred to as MAM + MDM.

Benefits:

  • Full device management capabilities
  • App deployment to devices
  • Certificate provisioning
  • Wi-Fi and VPN configuration
  • Enhanced security controls

For details, see MAM with device management.

Creating App Protection Policies

Step 1: Access App Protection Policies

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Apps > App protection policies
  3. Select Create policy

Step 2: Select Platform

Choose the platform:

  • iOS/iPadOS
  • Android

Note: Windows MAM is available for Windows 10 and Windows 11 with specific requirements. See Data Protection for Windows MAM.

Step 3: Configure Basics

  1. Name: Enter a descriptive name for the policy
  2. Description: Optional description
  3. Target to apps on all device types:
    • Yes: Apply the policy regardless of the device's enrollment state
    • No: Pick device types (for example Unmanaged only, or Intune managed devices), which lets you run a stricter policy on unenrolled BYOD devices than on enrolled ones

Step 4: Configure Data Protection Settings

Configure how data is protected within managed apps:

Data Transfer Settings

  • Backup org data to iTunes and iCloud backups: Block or allow
  • Send org data to other apps:
    • Policy managed apps
    • All apps
    • None
  • Save copies of org data: Block or allow
  • Allow user to save copies to selected services: Choose services like OneDrive, SharePoint

Access Requirements

  • PIN for access: Require PIN to open managed apps
  • PIN type: Numeric or alphanumeric
  • PIN length: Minimum PIN length
  • Biometric instead of PIN: Allow fingerprint or face recognition
  • Timeout: Require PIN after period of inactivity

Conditional Launch

  • Max PIN attempts: Failed PIN attempts allowed before the chosen action fires (reset PIN or wipe org data)
  • Offline grace period: How long the app may run without checking in before the chosen action; set in minutes for Block access (default 12 hours) and in days for Wipe data (default 90 days)
  • Jailbroken/rooted devices: Block access or wipe org data (there is no warn option for this check)

For complete settings reference, see:

Step 5: Assign Apps

  1. On the Apps step, choose Target policy to: Selected apps, All apps, All Microsoft apps, or Core Microsoft apps
  2. With Selected apps, pick the apps to protect:
    • Core Microsoft Apps (includes Outlook, Teams, etc.)
    • Custom apps (line-of-business apps)
  3. Select Next

Note: Apps must be integrated with the Intune App SDK or wrapped using the Intune App Wrapping Tool.

For a list of supported apps, see Microsoft Intune protected apps.

Step 6: Assign Users

  1. Select Assignments
  2. Choose + Select groups to include
  3. Select user groups
  4. Optionally exclude specific groups
  5. Select OK

Step 7: Review and Create

  1. Review all settings
  2. Select Create to save the policy

For step-by-step guidance, see How to create and assign app protection policies.
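The seven steps above map onto a handful of Microsoft Graph calls. The PowerShell script below is an added example, not code from the original post or from Microsoft: it creates an iOS/iPadOS policy with the settings discussed (PIN with simple-PIN blocking, blocked backup, data transfer to policy-managed apps only, conditional launch timers), targets three core Microsoft apps, and assigns it to one user group, scoped to unmanaged devices only. It assumes the Microsoft.Graph.Authentication module and an account holding the DeviceManagementApps.ReadWrite.All permission; the group ID is a placeholder, and the bundle IDs should be checked against the protected-apps list before use.

```powershell
# Added example: create, target and assign an iOS/iPadOS app protection policy via Graph.
# Not from the original post. Property names follow the Graph v1.0 iosManagedAppProtection
# resource; $GroupId and the bundle IDs are assumptions to verify for your tenant.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$GroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of the pilot user group
$Base    = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

# Steps 3 and 4: basics, data protection, access requirements, conditional launch
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "APP-iOS-BYOD-Enhanced"
    description                             = "BYOD: PIN required, no backup, org data stays in managed apps"
    # "Target to apps on all device types: No" -> unmanaged (unenrolled) devices only
    targetedAppManagementLevels             = "unmanaged"
    # Data transfer
    dataBackupBlocked                       = $true               # Backup org data to iTunes/iCloud: Block
    allowedOutboundDataTransferDestinations = "managedApps"       # Send org data to other apps: Policy managed apps
    allowedInboundDataTransferSources       = "allApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true               # Save copies of org data: Block ...
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")  # ... except these services
    printBlocked                            = $true
    managedBrowserToOpenLinksRequired       = $true
    managedBrowser                          = "microsoftEdge"
    appDataEncryptionType                   = "whenDeviceLocked"
    # Access requirements
    pinRequired                             = $true
    pinCharacterSet                         = "numeric"
    minimumPinLength                        = 6
    simplePinBlocked                        = $true               # reject 1234, 1111, ...
    fingerprintBlocked                      = $false              # biometric instead of PIN: allowed
    faceIdBlocked                           = $false
    periodOnlineBeforeAccessCheck           = "PT30M"             # recheck PIN after 30 min of inactivity
    # Conditional launch
    maximumPinRetries                       = 5                   # then the max-PIN-attempts action fires
    periodOfflineBeforeAccessCheck          = "PT12H"             # offline grace period: block after 12 h
    periodOfflineBeforeWipeIsEnforced       = "P90D"              # offline grace period: wipe after 90 days
    minimumRequiredOsVersion                = "16.0"
}

$created  = Invoke-MgGraphRequest -Method POST -Uri $Base `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"
$PolicyId = $created.id
Write-Host "Created policy $PolicyId"

# Step 5: target apps by iOS bundle ID (check the IDs against the protected-apps list)
$bundleIds = @(
    "com.microsoft.Office.Outlook",   # Outlook
    "com.microsoft.skype.teams",      # Teams
    "com.microsoft.skydrive"          # OneDrive
)
$targetApps = @{
    apps = @($bundleIds | ForEach-Object {
        @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } }
    })
}
Invoke-MgGraphRequest -Method POST -Uri "$Base/$PolicyId/targetApps" `
    -Body ($targetApps | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Step 6: assign to a user group (app protection policies are always assigned to users, not devices)
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$Base/$PolicyId/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Step 7: read the policy back and confirm it is assigned and has apps targeted
Invoke-MgGraphRequest -Method GET -Uri "$Base/$PolicyId" -OutputType PSObject |
    Select-Object displayName, isAssigned, deployedAppCount
```

An Android policy follows the same pattern against the androidManagedAppProtections endpoint, with androidMobileAppIdentifier/packageId in place of the iOS bundle IDs and the Android-specific settings (screen capture, device lock) added to the body. Keeping the policy in version control as this script, rather than as clicks in the portal, is what makes a later "who changed the offline grace period" question answerable.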

App Protection Policy Settings

Data Protection Settings

Data Transfer:

  • Control how data moves between apps
  • Restrict copy/paste operations
  • Control screen capture
  • Manage data sharing to other apps

Data Loss Prevention:

  • Prevent saving to personal storage
  • Control backup to cloud services
  • Restrict printing
  • Control contact sync

Access Requirements

Authentication:

  • PIN requirements
  • Biometric authentication
  • Work or school account credentials for access (multi-factor authentication itself is enforced through Conditional Access, not by the app protection policy)
  • Conditional launch settings

Device Requirements:

  • Minimum OS version
  • Jailbreak/root detection
  • Device lock and encryption requirements

Conditional Launch

Configure actions when conditions aren't met:

  • Block access: Prevent app usage
  • Wipe data: Remove organization data (a selective wipe; personal data on the device is untouched)
  • Reset PIN: Force the user to set a new app PIN (the alternative to wipe for too many PIN attempts)
  • Warn: Display warning message

Integration with Conditional Access

App protection policies can integrate with Conditional Access to ensure only protected apps can access organizational resources.

App-Based Conditional Access

Create Conditional Access policies that:

  • Require app protection policies
  • Block access from unmanaged apps
  • Enforce MAM policies for specific apps

For guidance, see App-based Conditional Access with Intune.
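The Conditional Access side of this integration is a single grant control. The script below is an added example, not from the original post or from Microsoft: it creates a Conditional Access policy through Graph that allows Office 365 from iOS and Android only when the client app carries an Intune app protection policy, starting in report-only mode so the sign-in logs show who would be blocked before enforcement. The two group IDs are placeholders, and the account needs the Policy.ReadWrite.ConditionalAccess, Policy.Read.All and Application.Read.All permissions.

```powershell
# Added example: Conditional Access policy that grants Office 365 on iOS/Android only to apps
# carrying an Intune app protection policy. Not from the original post; group IDs are placeholders.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All" -NoWelcome

$PilotGroupId      = "11111111-1111-1111-1111-111111111111"   # placeholder: users targeted by the APP
$BreakGlassGroupId = "22222222-2222-2222-2222-222222222222"   # placeholder: emergency-access accounts

$caPolicy = @{
    displayName = "CA-Mobile-RequireAppProtectionPolicy-O365"
    # Report-only first: Entra sign-in logs show the would-be outcome without blocking anyone
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        # compliantApplication is the Graph name for "Require app protection policy" in the portal
        builtInControls = @("compliantApplication")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 6) -ContentType "application/json"
Write-Host "Created CA policy $($created.id) in report-only mode"
```

Once the report-only results show no unexpected failures, change state to "enabled" (a PATCH on the same policy). Use "Require app protection policy" rather than the older "Require approved client app" control; only the former actually checks that a policy is applied to the app, and it works with third-party apps integrated with the Intune App SDK. Keep the break-glass exclusion: a mistake here locks admins out of Outlook and Teams on their phones too.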

Monitoring App Protection Policies

Policy Status

Monitor app protection policy status:

  1. Go to Apps > App protection policies
  2. Select a policy
  3. Review User status and Device status
  4. For the tenant-wide view, go to Apps > Monitor > App protection status, which shows per user and per app whether the policy was applied and when the app last checked in

Reports

View detailed reports:

  • App protection user report: User-level compliance
  • App protection app report: App-level usage
  • App protection policy report: Policy-level status

For monitoring guidance, see How to monitor app protection policies.
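The portal reports above are fine for a single user; for a periodic review you want the raw check-in data. The script below is an added example, not from the original post or from Microsoft: it pages through every managed app registration in Graph, compares the policies intended for each app with the policies actually applied, flags rooted or jailbroken devices, and marks registrations that have not synced in a while. It assumes the Microsoft.Graph.Authentication module, the DeviceManagementApps.Read.All permission, that $expand on the two policy navigation properties is honoured by the endpoint, and a 30-day staleness threshold you should tune.

```powershell
# Added example: audit app protection check-ins through Graph (not from the original post).
# Requires Microsoft.Graph.Authentication and DeviceManagementApps.Read.All. The $expand and the
# staleness window are assumptions.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All" -NoWelcome

$StaleDays = 30   # assumption: registrations silent longer than this are worth a look

# Page through every app registration; $expand pulls the policy names in the same call
$uri  = "https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations?`$expand=appliedPolicies,intendedPolicies"
$regs = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $regs += $page.value
    $uri   = $page.'@odata.nextLink'
} while ($uri)

$report = foreach ($r in $regs) {
    $intended = @($r.intendedPolicies | ForEach-Object { $_.displayName })
    $applied  = @($r.appliedPolicies  | ForEach-Object { $_.displayName })
    $missing  = @($intended | Where-Object { $_ -notin $applied })
    $flags    = @($r.flaggedReasons | Where-Object { $_ -ne 'none' })   # e.g. rootedDevice
    $lastSync = [datetime]$r.lastSyncDateTime
    # appIdentifier carries a bundleId on iOS and a packageId on Android
    $app = if ($r.appIdentifier.bundleId) { $r.appIdentifier.bundleId } else { $r.appIdentifier.packageId }
    [pscustomobject]@{
        UserId        = $r.userId
        App           = $app
        Platform      = $r.deviceType
        OSVersion     = $r.platformVersion
        AppVersion    = $r.applicationVersion
        LastSync      = $lastSync
        Stale         = $lastSync -lt (Get-Date).AddDays(-$StaleDays)
        Flagged       = ($flags -join ',')
        MissingPolicy = ($missing -join ',')   # intended by assignment, not yet applied by the app
    }
}

# Registrations that need attention first: rooted/jailbroken devices, or policy not applied
$report | Where-Object { $_.Flagged -or $_.MissingPolicy } |
    Sort-Object LastSync -Descending | Format-Table -AutoSize

# Full export for the periodic review
$report | Export-Csv -Path ".\app-protection-checkins.csv" -NoTypeInformation
```

A registration whose intended policies never become applied is the usual signature of the "policies not applying" problems in the troubleshooting section (wrong account signed in, missing broker app, app not yet checked in). A stale registration on a device that also shows up as rooted is the one to act on first, since the selective wipe can only be delivered when the app next checks in.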

Best Practices

1. Start with Core Microsoft Apps

Begin by protecting core Microsoft apps:

  • Microsoft Outlook
  • Microsoft Teams
  • Microsoft Word, Excel, PowerPoint
  • OneDrive for Business

2. Use Data Protection Framework

Follow Microsoft's data protection framework:

  • Level 1 - Enterprise Basic Data Protection
  • Level 2 - Enterprise Enhanced Data Protection
  • Level 3 - Enterprise High Data Protection

For details, see Data protection framework using app protection policies.

3. Configure Appropriate PIN Requirements

Balance security with usability:

  • Require PIN for access, and block simple PINs (1234, 1111)
  • Set a reasonable minimum PIN length (4 digits for basic protection, 6 or more for enhanced)
  • Allow biometric authentication; the PIN remains the fallback
  • Configure appropriate timeout periods (how long before the app rechecks the PIN)

4. Test Before Broad Deployment

  • Deploy to pilot groups first
  • Test on both enrolled and unenrolled devices
  • Verify app functionality
  • Gather user feedback

5. Monitor and Adjust

  • Review policy status regularly
  • Address user issues promptly
  • Adjust settings based on feedback
  • Update policies as requirements change

Common Scenarios

Scenario 1: BYOD Personal Devices

Configuration:

  • Use MAM without device enrollment
  • Protect core Microsoft apps
  • Require PIN for access
  • Block data backup to personal storage
  • Allow data sharing to policy-managed apps only

Scenario 2: Corporate-Owned Devices

Configuration:

  • Use MAM + MDM
  • Deploy apps to devices
  • Enforce stricter policies
  • Require device compliance
  • Integrate with Conditional Access

Scenario 3: High-Security Environment

Configuration:

  • Require strong PIN (alphanumeric, 8+ characters)
  • Block all data transfer except to managed apps
  • Require device encryption
  • Block jailbroken/rooted devices
  • Enforce app-based Conditional Access

Troubleshooting

Common Issues

  1. Policies Not Applying

    • Verify the user has an Intune license (required even for MAM without enrollment)
    • Check user group assignments (app protection policies are assigned to user groups, not device groups)
    • Ensure the app supports app protection policies and the user signed in with the work or school account, not a personal one
    • On Android, confirm the Company Portal app is installed (it acts as the broker); on iOS, Microsoft Authenticator is required when app-based Conditional Access is in use
    • Review policy assignment status
  2. Apps Not Working as Expected

    • Check app protection policy settings
    • Verify app is in targeted apps list
    • Review conditional launch settings
    • Test with different policy configurations
  3. User Access Issues

    • Verify user authentication
    • Check PIN requirements
    • Review conditional launch settings
    • Ensure device meets requirements

For troubleshooting guidance, see Frequently asked questions about MAM and app protection.

Conclusion

Intune App Protection Policies provide powerful data protection capabilities for both enrolled and unenrolled devices. By following these best practices:

✅ Choose the right MAM configuration for your scenario
✅ Start with core Microsoft apps
✅ Configure appropriate data protection settings
✅ Integrate with Conditional Access
✅ Monitor and adjust policies regularly

You can protect your organizational data while enabling flexible device usage scenarios, including BYOD, without compromising security.

Remember: App protection policies work at the application level, providing data protection regardless of device enrollment status. This makes them ideal for BYOD scenarios where users want to use personal devices while maintaining organizational data security.