What Is MAM? Security Definition
On This Page
Quick Definition
MAM stands for Mobile Application Management. It lets a company manage its apps on your phone without taking over your whole device. For example, the IT team can make sure a work email app requires a PIN, but they cannot see your personal photos or apps.
Commonly Confused With
MDM manages the entire device, including enforcing device PIN policies, device encryption, and can remotely wipe the whole device. MAM manages only the corporate apps and their data, leaving the device otherwise untouched. For example, MDM can force a whole-device PIN, while MAM forces a PIN just for a single app.
If you want to ensure an employee's personal tablet is encrypted and has a device passcode, use MDM. If you only want to protect the company's email app data on that same tablet, use MAM.
MCM focuses on securing and distributing content (documents, media) to mobile devices, often through a containerized app. MAM is broader, managing access, policies, and data protection for any app. MCM is like a secure box for files, while MAM is a security guard for each app.
MCM would give a user a secure app to view PDFs from a company repository. MAM would apply a policy to the company's existing PDF reader to prevent the user from sharing that PDF to a personal cloud storage.
Conditional Access is an Entra ID feature that evaluates signals (user, device, location, app) and can block or grant access to cloud apps. MAM is about applying data protection policies on the app itself. However, Conditional Access can require a compliant app (i.e., an app that has MAM policies) as a condition for granting access. They are complementary, not the same.
A Conditional Access policy might say 'Only allow access to Exchange Online from apps that support MAM.' Then MAM policies (enforced inside those apps) control what you can do with the data. CA is the gatekeeper; MAM is the rulebook inside the room.
Must Know for Exams
MAM is a recurring concept across multiple Microsoft certification exams, especially MD-102 (Endpoint Administrator), MS-102 (Enterprise Administrator), and MS-900 (Microsoft 365 Fundamentals). For MD-102, MAM is a primary objective under the 'Manage security and compliance' domain. Candidates are expected to know how to configure App Protection Policies, understand the difference between MAM and MDM, and implement policies for data loss prevention, data transfer, and access requirements. The exam often includes scenarios where you must choose between MAM and MDM based on the need to manage only apps versus the whole device. You must also know the requirements for MAM without enrollment, such as the need for a managed browser (like Microsoft Edge for iOS/Android) and the role of the Company Portal app.
For MS-102, MAM appears in the broader context of Enterprise Mobility + Security. While not as deep as MD-102, the exam tests your ability to plan and implement a mobile application management strategy alongside Microsoft Intune and Azure AD Conditional Access. You might be asked to evaluate MAM policy settings to meet a specific compliance requirement, such as requiring a PIN for a company app or preventing data backup to iCloud. MS-102 questions may also involve troubleshooting MAM policy application failures.
For MS-900, MAM is tested at a foundational level. You need to understand what MAM is, how it differs from MDM, and why it is important for security in Microsoft 365. The exam may present a scenario where a company wants to protect data on employee personal phones without managing the whole device, and you must identify MAM as the correct solution. Expect multiple-choice questions that ask for the definition of MAM, rather than deep configuration steps.
Across all three exams, the traps often involve confusing MAM with MDM. Remember: MAM manages apps, MDM manages devices. Another common trap is thinking MAM requires device enrollment (it does not, in the MAM without enrollment scenario). Also, be clear on the tools: Intune App Protection Policies are the MAM policies; Conditional Access policies complement MAM but are not MAM itself. Understanding the step-by-step flow of how a user authenticates and receives MAM policies will help you answer scenario-based questions on how to enforce security on unmanaged devices.
Simple Meaning
Think of MAM like a special set of rules for the work apps on your phone, separate from your personal apps. Imagine your phone is your own home. You have a living room, a bedroom, and a kitchen, your personal life. Then your employer gives you a locked briefcase that contains work papers. With MAM, the company controls only that briefcase. They can make sure it has a combination lock, wipe its contents if you lose the briefcase, and prevent you from copying work papers to your kitchen table. But they cannot redecorate your living room, read your personal mail, or take away your sofa. That is the key idea: MAM focuses on the applications, the apps themselves, rather than the whole phone.
In IT terms, MAM is a solution for corporate data protection in a bring-your-own-device (BYOD) world. Instead of forcing employees to enroll their entire personal device in a management system (which feels invasive), a company uses MAM policies to protect only the corporate apps and data. Those policies can require a PIN or biometric authentication before opening the company app, prevent cut/copy/paste from the corporate app to a personal app, and remotely wipe corporate data from the app if the device is lost or the employee leaves. MAM is often part of a larger suite like Microsoft Intune, where it works hand in hand with Mobile Device Management (MDM). While MDM manages the whole device, MAM manages the apps. MAM gives the company control over its data without sacrificing the user's privacy on their personal device.
MAM uses software development kits (SDKs) built into apps or app wrapping to apply policies. Modern approaches, like Microsoft Intune's MAM without device enrollment, allow MAM policies to apply even on unmanaged devices, using the Intune Company Portal app as a broker. This is incredibly flexible for organizations that want to protect data without the overhead of full device management. The core goal is always the same: separate and secure corporate data within apps, while leaving the rest of the device untouched.
Full Technical Definition
Mobile Application Management (MAM) refers to the software and services that enable IT administrators to apply and enforce app-level policies on mobile applications, typically on iOS and Android devices. MAM is a subset of Enterprise Mobility Management (EMM) and is distinct from Mobile Device Management (MDM), which manages the entire device. MAM works by integrating a management layer into the application, often through a software development kit (SDK) or through app wrapping (adding a management wrapper around an existing app binary).
In a Microsoft ecosystem, Intune MAM is the primary implementation. There are two main scenarios: MAM without device enrollment, where policies apply to apps on devices not enrolled in Intune MDM, and MAM with device enrollment, where policies complement MDM. The key protocols and components include the Intune App Protection Policies (APP) that control data handling. These policies are configured in the Microsoft Endpoint Manager admin center and are delivered to the app via the Intune Company Portal or, for iOS/iPadOS, through the Microsoft Authenticator app. On Android, the Intune Company Portal app or the Intune managed browser acts as the broker.
The technical specifics of an App Protection Policy include data relocation settings (prevent cut, copy, paste to other apps), access requirements (require PIN, facial recognition, or fingerprint for app access), and conditional launch settings (block app access if the device is jailbroken or rooted). Encryption of data at rest is handled at the app level using AES-256. MAM policies can also configure multifactor authentication (MFA) prompts before accessing corporate data, integrate with Conditional Access policies in Azure AD (now Entra ID), and support selective wipe of corporate data from managed apps without deleting personal data.
The architecture involves the end user device, the application, the Intune service in Azure, and an identity provider (Microsoft Entra ID). The MAM service uses a token-based system to verify policy compliance before allowing data access. For iOS, Intune uses the Microsoft Intune App SDK, which is embedded into the app. For Android, Intune uses the Intune Company Portal as the policy delivery agent. App wrapping is a legacy approach for custom line-of-business apps, where the app binary is repackaged with Intune management capabilities.
In practice, MAM is critical for organizations that allow BYOD. It enforces data protection even on unmanaged devices, making it a cornerstone of a Zero Trust security model. It does not, however, provide device-level management such as device passcode enforcement or device wipe. For those capabilities, MDM is required. MAM is supported on all three major mobile platforms, iOS, Android, and Windows 10/11 (via Windows Information Protection which has been deprecated in favor of MAM on Windows using endpoint DLP features). Real IT deployment involves creating App Protection Policies in Intune, assigning them to groups (based on user or device), and monitoring compliance through reports on protected app usage.
Real-Life Example
Imagine you are a manager at a bakery. Your employee, Alex, uses their own personal tablet at work to access the company's order management app and the recipe database. You fully trust Alex, but you still need to protect the business's secret recipes and customer order history. You cannot force Alex to let you lock down their entire tablet, it has their personal photos, games, and banking app. This is exactly the situation MAM solves.
With MAM, you, as the IT manager, create a policy that says: the company's order app must require a 4-digit PIN before opening, and the recipe database app cannot allow text to be copied and pasted into a personal notes app. You apply these rules only to the two company apps. Alex's personal tablet remains unchanged. Alex can still use any personal app, take photos, and do everything else they normally do. If Alex loses the tablet, you can trigger a remote wipe of just the company apps' data, leaving everything else on the tablet untouched. If Alex leaves the bakery, you can revoke access to the company data, and it disappears from the apps.
The bakery analogy maps this way: the company apps are the locked filing cabinet in Alex's home office. The filing cabinet has its own lock (the PIN), a rule that you cannot remove papers (copy/paste prevention), and a key that only you, the manager, control for remote destruction of the contents (selective wipe). Alex's home office can still have their own personal desk, their own photos on the wall, and their own laptop; you never touch those. This separation is the heart of MAM. It gives the business the security it needs without treating the employee's personal property as company property. This distinction is why MAM is often preferred over full MDM in BYOD scenarios, it respects the user's privacy while protecting corporate data.
Why This Term Matters
MAM matters because the modern workforce is mobile and increasingly uses personal devices for work. The old model of issuing a corporate phone for each employee is expensive and often unwanted, people prefer using their own devices. However, corporate data on a personal device is at risk if the device is lost, stolen, or compromised. MAM offers a pragmatic middle ground. It allows IT to enforce security on corporate apps without crossing into the user's personal space. This reduces user resistance to security policies and improves adoption of BYOD programs.
From a security standpoint, MAM is a critical control in data loss prevention (DLP). It prevents data from leaking from corporate apps into personal apps or storage. For example, a policy can block copying a customer list from the CRM app and pasting it into a personal messaging app. That single policy can stop a data breach. MAM also supports selective wipe, which is far more user-friendly than a full device wipe. If a device is lost, the user loses only the corporate data, not their entire digital life. This preserves trust between employer and employee.
In practical IT context, MAM reduces the attack surface. Even if a device is jailbroken or rooted, MAM policies can block app access entirely. This means a compromised device does not automatically mean compromised corporate data. MAM also integrates with Conditional Access, so you can require a compliant app (i.e., an app that respects MAM policies) to access Exchange Online or SharePoint. This makes MAM a key component of a Zero Trust architecture: never trust the device, always verify the app and its policies. For IT professionals managing Microsoft 365, understanding MAM is essential for passing exams like MD-102, MS-102, and MS-900, as it appears in scenarios about securing mobile access in a Microsoft 365 environment.
How It Appears in Exam Questions
MAM appears in exam questions in three main patterns: scenario-based selection, configuration steps, and troubleshooting.
Scenario-based selection: The question describes a business requirement, 'A company wants to protect corporate email and documents on employee personal mobile devices without managing the whole device. Which solution should you recommend?' The correct answer is MAM, often phrased as 'Intune App Protection Policies' or 'Mobile Application Management (MAM) without enrollment'. A distractor might be MDM or full device enrollment. You must recognize the key phrase 'without managing the whole device' as a direct cue for MAM.
Configuration questions: These ask you to order the steps to create an App Protection Policy in Microsoft Intune. For example: 'You need to create a policy that requires a PIN of length 6 for the Microsoft Outlook app. What is the correct order?' Steps include: 1) Sign in to the Microsoft Endpoint Manager admin center, 2) Select Apps > App protection policies > Create policy, 3) Choose iOS or Android, 4) Configure Settings > Access requirements > PIN, 5) Assign to a group. Other config questions ask about specific settings: 'Which setting prevents a user from pasting corporate data into a personal notes app?' Answer: 'Data protection > Cut, copy, and paste with other apps > Block.'
Troubleshooting questions: A common scenario is: 'A user reports that the MAM policy is not applied to the Outlook app on their personal Android device. The device is not enrolled in MDM. What should you check first?' Possible answers include: 'Verify that the user is licensed for Intune', 'Ensure the Intune Company Portal app is installed and the user has signed in', or 'Check that the policy is assigned to the correct user group.' Another frequent issue: 'The user cannot access corporate data in a managed app on a rooted device.' The solution is to ensure the policy has a conditional launch setting that blocks access on jailbroken/rooted devices.
Sometimes questions combine MAM with Conditional Access. For example: 'You want to require an approved client app (one that supports MAM) for access to Exchange Online. What should you configure?' Answer: A Conditional Access policy that requires 'App protection policy' as a grant control. This forces users to open the Outlook app (which has MAM policies applied) rather than the default mail client. Understanding these combinations is vital for the exams.
Study MD-102
Test your understanding with exam-style practice questions.
Example Scenario
Contoso, Ltd. is a manufacturing company with 500 employees. They use Microsoft 365 E3 and want to allow employees to use their personal Android and iOS phones to check corporate email via Outlook and access internal SharePoint files using the Microsoft Edge browser. The IT director is worried about data leaks if a phone is lost or stolen. They do not want to force employees to enroll their personal devices in management because of privacy concerns.
You are the IT administrator tasked with solving this. You decide to implement MAM without device enrollment. In the Microsoft Endpoint Manager admin center, you create an App Protection Policy for iOS and another for Android. For both platforms, you configure: Access requirements, require a 6-digit PIN and Face ID (on iOS) or fingerprint (on Android) to open the Outlook app. Data protection, set 'Cut, copy, and paste with other apps' to 'Block' for managed apps, and 'Save copies of data' to 'Block' to prevent saving email attachments to the device's local storage. Conditional launch, set 'Max PIN attempts' to 5, after which the app wipes corporate data, and 'Offline grace period' to 720 minutes before the app requires a check-in.
You assign the policy to the 'All Users' group. Each employee installs the Microsoft Outlook app and the Intune Company Portal app (required as the policy broker on Android; on iOS, the Microsoft Authenticator app can serve as the broker). When a user first opens Outlook on their personal phone, they are prompted to sign in with their corporate credentials (Microsoft Entra ID), then the Company Portal app briefly launches to apply the MAM policy. After that, the user sets a PIN and enables Face ID. They can now use Outlook to send and receive emails. They cannot copy text from an email and paste it into their personal WhatsApp. If the user leaves the company, you revoke their license or trigger a selective wipe from the Intune console, removing all corporate data from the Outlook app without affecting the user's personal apps or data. This scenario perfectly demonstrates the value of MAM: security and data loss prevention with minimal intrusion into the user's personal device.
Common Mistakes
Confusing MAM with MDM and thinking they are both the same thing.
MDM manages the entire device (enforce device passcode, remote wipe whole device, install profiles), while MAM only manages corporate apps and their data. They are complementary but separate solutions.
When a requirement says 'manage only the apps' or 'do not manage the whole device', think MAM. If it says 'enforce device encryption' or 'manage device settings', think MDM.
Believing MAM requires the device to be enrolled in MDM.
MAM without enrollment is a valid and common deployment. It requires only a MAM-capable app and the Intune Company Portal or Authenticator app as a broker. The device does not need to be enrolled in Intune MDM.
Remember the phrase 'MAM without enrollment', it is a supported scenario that provides app-level management on unmanaged personal devices.
Thinking that MAM policies apply to all apps on the device automatically.
MAM policies apply only to the specific managed apps (those that are MAM-capable or wrapped). Personal apps are not affected. The policy targets specific app IDs.
Understand that MAM targets applications individually. You select which apps (e.g., Outlook, Teams, Edge) to manage. Other apps like personal Facebook or Instagram are untouched.
Forgetting that MAM policies can be bypassed if the app does not support the Intune SDK.
Only apps that have been integrated with the Intune App SDK or are wrapped can enforce MAM policies. Standard off-the-shelf apps like native email clients cannot be managed by MAM.
Use MAM-supported apps from Microsoft (Outlook, Teams, Edge, SharePoint) or wrap your line-of-business apps. Do not assume any app can be managed by MAM.
Assuming MAM policies protect data at rest on the device with full disk encryption.
MAM encrypts data at the app level using AES-256, not at the device level. It does not manage device encryption. If a device is compromised, the app-level encryption protects data, but the device itself may not be encrypted.
Know that MAM provides app-level data encryption. For full device encryption, you would need MDM policies or device OS settings (like BitLocker on Windows or FileVault on macOS, but for mobile the OS provides encryption).
Exam Trap — Don't Get Fooled
{"trap":"A question asks: 'A user has a personal Android phone that is not enrolled in Intune. The user logs into the Outlook app and can open emails, but the company's App Protection Policy (requiring a PIN) is not applied. What is the most likely reason?'
","why_learners_choose_it":"Learners often pick answers like 'The device needs to be enrolled in MDM first' because they think MAM requires MDM enrollment. Or they choose 'The user does not have an Intune license', which is a possible cause but often not the primary one for policy not being applied.","how_to_avoid_it":"The most common reason is that the Intune Company Portal app (or Microsoft Authenticator on iOS) is not installed or the user hasn't signed into it.
MAM without enrollment requires the broker app to be present and the user to have authenticated via it. Always check for the broker app first. Licensing is important but secondary to the app being present."
Step-by-Step Breakdown
Identify the requirement
The first step is understanding whether the business needs MAM or MDM. If the goal is to secure corporate data inside apps on personal devices without managing the device, MAM is the choice. If full device control is needed, MDM is used. This decision drives the entire configuration approach.
Plan the apps to manage
Decide which corporate apps need protection. Typical candidates are Microsoft Outlook, Microsoft Teams, Microsoft Edge, and SharePoint. Third-party apps may require app wrapping or an SDK integration. The list of supported apps is key because not all apps can be managed by MAM.
Configure App Protection Policies in Intune
In the Microsoft Endpoint Manager admin center, navigate to Apps > App protection policies and create a new policy. Choose the platform (iOS/iPadOS, Android, Windows). This policy will contain the rules for data protection (copy/paste, save as), access requirements (PIN, biometrics), and conditional launch (block if jailbroken).
Define the policy settings
Set specific options: Data protection settings block data transfer to other apps or unmanaged apps. Access requirements set a PIN or biometric. Conditional launch settings define what happens when the policy is violated, like wiping data after a certain number of incorrect PIN attempts. These settings must align with the company's security policy.
Assign the policy to users or groups
Assign the policy to a security group or all users. The policy is applied per user, not per device. When users sign into the managed app on their device, the policy is delivered via the Intune service and enforced. Ensure the target users have the correct Intune license assigned.
Inform users and provide broker app
For iOS, the Microsoft Authenticator app is needed as the broker. For Android, the Intune Company Portal app is required. Users must install these apps and sign in with their corporate credentials. The broker app facilitates the policy download and enforcement. Communication is key to ensure users do not skip this step.
Test and monitor policy application
After deployment, test with a pilot user group. Verify that the PIN policy is prompted correctly, that data transfer restrictions work, and that the conditional launch blocks access on a test device that is jailbroken. Use Intune reporting to check for policy deployment status and any errors. Adjust settings based on feedback.
Practical Mini-Lesson
In a real IT environment, implementing MAM is a delicate balance between security and user experience. As an IT professional, you must first learn the difference between 'MAM without enrollment' and 'MAM with enrollment'. The former is for personal devices; the latter is for corporate-owned or fully managed devices where MDM is also in place. The configuration of App Protection Policies is done through the Microsoft Endpoint Manager admin center (formerly Intune).
When creating a policy, you will be asked to choose the platform: iOS or Android. Each platform has different capabilities. For example, on iOS, you can require a system PIN or Face ID, while on Android, you can require fingerprint or face unlock. The settings for data protection are critical: the 'Cut, copy, and paste with other apps' setting can be set to 'Block', 'Allow with paste in', or 'All apps'. The 'Save copies of data' setting prevents the user from saving corporate documents to the device's camera roll or local storage.
A common real-world pitfall is that users get frustrated when they cannot copy text from a work email to a personal note. As an admin, you must decide whether to allow a 'Policy Managed' paste, which permits paste only into other managed apps. This is a more practical setting that maintains security without destroying productivity. Also, the 'Offline interval' setting defines how long the app can be used offline before it must periodically check in with Intune to confirm the policy is still valid and the user is still licensed. If a user goes on a long flight and the check-in fails, they will be locked out.
What can go wrong? If the broker app is not installed, the MAM policy will not apply. The user will be able to open the app, but without the PIN constraint and without data loss prevention. This is a security gap. Also, licensing is a common issue, the user must have an Intune license (often included in Microsoft 365 E3/E5). Another issue is that Conditional Access policies might block access if the device is not compliant, even when MAM is in place. It is essential to understand the interplay: a Conditional Access policy might require an approved client app and app protection policy, which then forces the user to use the MAM-managed app.
For IT professionals, the key takeaway is to always test the policies on multiple device types and OS versions. Use the Intune diagnostic tools and the company portal app to verify policy application. Also, train helpdesk staff on the common user issues, such as 'I forgot my app PIN', the user must reset the app PIN by uninstalling and reinstalling the app (which triggers a new policy download), or the admin can initiate a selective wipe from the console to reset the app state. MAM is powerful, but it requires continuous monitoring and adjustment to balance security with user adoption.
Memory Tip
MAM = Manage Apps, not the whole phone. Think 'MAM' like 'mama' bear who only watches the app-cub, not the whole forest.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
MD-102MD-102 →MS-102MS-102 →MS-900MS-900 →220-1102CompTIA A+ Core 2 →SC-900SC-900 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
Do users need to install a separate app for MAM to work?
Yes, typically. On Android, users need the Intune Company Portal app, and on iOS, the Microsoft Authenticator app is required as a broker for policy delivery.
Can MAM be used on devices that are not owned by the company?
Absolutely. That is the primary use case for MAM without enrollment, securing corporate apps on personal devices without managing the whole device.
Does MAM protect data at rest in the app?
Yes, when you enable data encryption in the App Protection Policy, Intune encrypts corporate data at the app level using AES-256, even if the device itself is not encrypted.
Can MAM policies be applied to all apps on the device?
No, MAM policies apply only to the specific apps you select when creating the policy. Personal apps are not affected.
What is the difference between a selective wipe and a full wipe?
A selective wipe removes only corporate data from managed apps, leaving personal data and apps intact. A full wiperemoves everything on the device and is performed by MDM, not MAM.
Is MAM supported on Windows 10/11?
Yes, but with limitations. Microsoft has deprecated Windows Information Protection and now recommends using endpoint DLP with MAM for Windows through the Edge browser and other supported apps.
Summary
Mobile Application Management (MAM) is a critical component of modern enterprise mobility, allowing organizations to secure corporate data within apps on personal devices without taking over the entire device. It is the preferred solution for BYOD environments where privacy is a concern. MAM uses App Protection Policies in Microsoft Intune to enforce data loss prevention, access controls (like PIN and biometrics), and conditional launch rules. It does not require the device to be enrolled in MDM, though it can complement MDM.
For IT certification candidates, understanding MAM is essential for MD-102, MS-102, and MS-900 exams. The key distinction to remember is MAM versus MDM: MAM manages apps, MDM manages devices. Common exam traps include confusing the two, thinking MAM requires device enrollment, and forgetting about the broker app. Real-world implementation requires careful planning of policy settings, user communication about installing the broker app, and ongoing monitoring of compliance.
The exam takeaway is to look for the keywords 'manage only the apps' or 'do not manage the whole device' to identify MAM in scenario questions. Remember the step-by-step flow: create policy, assign to users, ensure broker app installed, and test. With MAM, you protect corporate data while respecting user privacy, a balance that is increasingly crucial in today's mobile-first world. Mastering MAM will not only help you pass exams but will also make you a better IT administrator who can implement secure, user-friendly mobility solutions.