Intune App Protection Policies for Android iOS Devices

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. You can get more details and end-user experience from the video given below. The latest post is available for MAM policies are available – Step by Step procedure to create App Protection policies for iOS/iPadOS in Intune.

How to Enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager? Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. There are two types of management options for Android devices with Intune.

The first one is the traditional way of MDM management, and the second way is the light management of apps installed on Android devices via Intune. The previous post discussed the Android MDM management options and end-user experience.

Video – End-user experience of Android Device MAM WE

Please check the video link

Patch My PC
Intune App Protection Policies

Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. This option has some advantages over full MDM management options.

For example, if a consultant’s device has already enrolled in a 3rd part EMM solution, but he wants to have access to the client’s corporate mail access on his mobile device for a very short period, then, The “MAM WE” is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM-enabled applications are protected with MAM policies.

Intune – Mobile Apps – Apps – Skype for Business – Properties: – In the following example, you can see that Skype for Business application for Android has deployed with a deployment type called “Available with or Without enrollment.” So without enrollment deployment type is for MAM WE management.

How to Enable Intune MAM without Enrollment along with Intune App Protection Policies How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager
How to Enable Intune MAM without Enrollment along with Intune App Protection Policies

The Intune “MAM WE” comes with a separate set of Conditional Access policies. This conditional access policy is different from MDM conditional access policy. So, you need to take little extra care when you deploy both CA policies to the same user groups. I would avoid using the same user group for both policies, or you could use the exclude groups options.

Adaptiva

I would avoid deploying MDM CA policy to user groups whenever possible rather. I would deploy the MDM CA policy to device groups. Otherwise, we should have a different MDM CA user group and a MAM WE CA user group with unique users in both groups, which will be tricky.

How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager
Intune App Protection Policies How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager

Each MAM-enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember, these types (MAM WE) of policies can’t be deployed to Device Groups. 

With an app protection policy, you will get an option to restrict corporate data relocation and App data encryption options. It’s very critical that you should create app protection policies and deploy them to MAM WE user groups.

Intune App Protection Policies -How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager
Intune App Protection Policies -How to Enable Intune MAM without Enrollment along with Azure AD Conditional Access | Endpoint Manager

 End-User Experience – How to Enable Intune MAM without Enrollment

The video here will provide you with the Intune MAM WE real-time end-user experience. How to Enable Intune MAM without Enrollment and Azure AD Conditional Access | Endpoint Manager?

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

13 thoughts on “Intune App Protection Policies for Android iOS Devices”

  1. Can you enforce MFA for MAM WE without also imposing it to MDM users? For example, if we want to enable MAM for specific apps such that users who are no enrolled with Intune can access these apps but require MFA for extra protection, where users that are enrolled are not required MFA – is this possible?

    Reply
  2. Nice blog!

    How can the applications be deployed on to the user device without enrollment? We are considering using Mobile Center Azure for this. For testing purpose can we side load the application as well? If so, do we still need to upload the app to Intune to assign the application with specific profile?

    I this article – https://docs.microsoft.com/en-us/intune-classic/deploy-use/protect-app-data-using-mobile-app-management-policies-with-microsoft-intune

    they mention “you can’t deploy apps to the device. The user has to get the apps from the store.” Can this be a private store?

    Reply
    • I don’t whether it supports Windows mobile devices. MAM-WE for Windows is Windows Information Protection (WIP). I don’t whether WIP is supported for Windows mobile devices…I will try to check and post here

      Reply
  3. Do we need to set a MDM authority to use MAM-WE and conditional access.
    If not, how will Intune know which user has installed an app that need to be managed.

    Reply
  4. You had said “I would avoid deploying MDM CA policy to user groups whenever possible rather. I would deploy the MDM CA policy to device groups. Otherwise, we should have a different MDM CA user group and a MAM WE CA user group with unique users in both groups, which will be tricky.”

    I was told that we need to apply CA for user group only and you can use filter now for any device specific things. I have tried to apply for a dynamic device group but it did not work.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.