MS-102 | Chapter 54 of 104 | Objective 2.4

Intune App Protection Policies (MAM)

This chapter covers Intune App Protection Policies (APP), also known as MAM (Mobile Application Management) without device enrollment. This is a critical topic for the MS-102 exam, appearing in approximately 10-15% of questions in the 'Manage Identity and Access' domain (Objective 2.4). You will learn how to protect corporate data in mobile apps on both managed and unmanaged devices, focusing on policy configuration, data protection, and conditional access integration. Mastering MAM is essential for any Microsoft 365 administrator implementing BYOD or partner access scenarios.

25 min read
Intermediate
Updated May 31, 2026

MAM as a Company Security Badge

Imagine a company where employees bring their own phones (BYOD) but the company still has to protect its data. Instead of taking over the whole phone, the company gives each employee a security badge that only works inside certain apps. When an employee opens the company email app on a personal phone, the badge checks: Is the app protected by a PIN? Is the OS version recent enough? If not, the badge denies entry and the data stays hidden. The badge also controls what you can do with the data: you can read an email but not copy-paste it into a personal notes app, and if you try to open a company document in a non-approved app, the badge blocks the transfer. The badge is not tied to the phone's hardware; it is tied to the user's identity. If the employee leaves the company, the badge is revoked and the data in the app is wiped (selective wipe) without touching the rest of the phone. The company never manages the entire phone, only the badge that enforces policy on the apps. This is exactly how Intune MAM works: it applies protection policies at the app layer, independent of device management, using the user's identity to enforce data protection and access controls.

How It Actually Works

What is Intune App Protection Policy (MAM)?

Intune App Protection Policies (APP) – commonly referred to as Mobile Application Management (MAM) – are policies that protect corporate data within applications on mobile devices (iOS/iPadOS and Android) without requiring the device to be enrolled in Intune MDM. This is the key distinction: MAM without enrollment (MAM-WE) lets an organization protect data in apps like Outlook, Teams, SharePoint, and third-party apps that integrate the Microsoft Intune App SDK, even on personally owned devices that Intune does not manage at all. (Intune also offers app protection policies for Microsoft Edge on Windows, so-called MAM for Windows, but this chapter and the exam objective concern the mobile platforms.)

Why MAM Exists

Traditional MDM requires device enrollment, which gives the organization significant control over the entire device. For BYOD scenarios, employees are often reluctant to enroll their personal devices. MAM solves this by applying data protection policies at the app layer, based on the user's identity. When a user authenticates to a supported app with corporate credentials, Intune applies the APP policies. These policies can restrict actions like copy/paste, save-as, and (on Android only, since iOS does not let apps block screenshots) screen capture, and can enforce PIN requirements or conditional launch checks.

How MAM Works – The Mechanism

1. Policy Assignment: An admin creates an app protection policy in the Microsoft Intune admin center, targeting a group of users (e.g., all users, or a specific security group) and a list of apps. The policy includes settings for data protection, access requirements, and conditional launch.

2. Policy Delivery: When a user signs into a supported app on a mobile device with their Microsoft Entra ID (formerly Azure AD) work account, the app (which includes the Intune App SDK) checks in with the Intune service to see whether any APP policies are assigned to that user. The policy is downloaded and applied to that identity's data in the app; the app keeps checking in periodically for policy updates and wipe requests.

3. Policy Enforcement: The Intune App SDK intercepts data operations inside the app. For example, when the user tries to copy text, the SDK checks the 'Cut, copy, and paste' setting; if it is 'Block', the copy is prevented. The SDK also enforces 'Encrypt org data': on iOS it relies on the platform's Data Protection API (which in turn needs a device passcode to be effective), while on Android the SDK encrypts org data with its own keys rather than assuming device encryption.

4. Conditional Launch: The policy can define conditions that must be met before the app grants access, for instance a minimum OS version, a maximum PIN retry count, or a jailbreak/root detection check. Each condition carries an action: if the condition is not met, access can be blocked, the user warned, or the org data wiped selectively.

5. Selective Wipe: When an admin creates an app selective wipe request (Apps > App selective wipe) or a conditional launch setting whose action is 'Wipe data' fires, the app removes the corporate data for that identity at its next check-in. Personal data (e.g., a personal account in Outlook's multi-identity setup) stays intact. Note that merely removing the user from the assigned group stops the policy from applying; it does not by itself wipe the data.

Key Components, Values, Defaults, and Timers

- Supported Apps: Microsoft apps (Outlook, Teams, SharePoint, OneDrive, Microsoft 365 apps, Edge, Power BI, etc.) and third-party apps that have integrated the Intune App SDK or been wrapped with the Intune App Wrapping Tool (e.g., Adobe Acrobat Reader). The authoritative list is the 'Microsoft Intune protected apps' page in the Microsoft documentation.

- Policy Types:

  - Data Protection: 'Cut, copy, and paste between other apps' (values: Blocked, Policy managed apps, Policy managed apps with paste in, Any app), 'Save copies of org data' (Block/Allow, plus the allowed storage services such as OneDrive for Business and SharePoint), 'Restrict web content transfer with other apps' (Microsoft Edge), 'Encrypt org data' (Require by default on both platforms; iOS uses the platform's Data Protection API, Android uses the SDK's own encryption), and on Android only 'Screen capture and Google Assistant' (Block).

  - Access Requirements: PIN (minimum length, simple PIN allowed or blocked, numeric or passcode character set, Touch ID/Face ID or fingerprint as an alternative), work or school account credentials, and whether the app PIN is skipped when a device PIN is set.

  - Conditional Launch: checks evaluated at each app launch and at check-in, each with an action (block access, wipe data, or warn): 'Min OS version', 'Min app version', 'Max PIN attempts' (default 5, action 'Reset PIN'), 'Offline grace period' (two values: default 720 minutes before access is blocked, default 90 days before org data is wiped), 'Jailbroken/rooted devices', 'Max allowed device threat level' (from Defender for Endpoint), and on Android 'Require device lock'.

- Default Values:

  - PIN length: 4 (minimum 4, maximum 16).

  - Allow simple PIN: No (cannot use 1234 or 1111).

  - Allow fingerprint/biometric: Yes.

  - Offline grace period: 720 minutes (12 hours) before access is blocked; 90 days before org data is wiped.

  - Recheck the access requirements after (minutes of inactivity): 30 minutes. This is an inactivity timeout that re-prompts for the PIN; it is unrelated to the offline grace period.

- Timers: Policy is evaluated at app launch and on each check-in. Retrieval is app-driven: the Intune App SDK downloads policy at first sign-in and thereafter checks in with the Intune service periodically while the app is in use (Microsoft documents an interval of roughly 30 minutes); selective wipe requests ride on the same check-in. The '8 hours' figure sometimes quoted is the MDM device check-in interval and does not apply to APP. Signing out and back in, or restarting the app, forces an immediate check-in.

Configuration and Verification Commands

You configure APP policies via the Intune admin portal: Apps > App protection policies > Create policy. For iOS or Android, you define the policy name, description, platform, and then configure the settings.

To verify policy application, start on the device. In Microsoft Edge (iOS or Android), browse to about:intunehelp to see the app protection status, the applied policy and its version. In the Intune Company Portal app (it can be installed without enrolling), go to Settings > Diagnostic data to view or share the app protection logs. From an admin workstation, the Microsoft Graph PowerShell SDK lists the policies. (Get-IntuneAppProtectionPolicy belongs to the older, deprecated Intune PowerShell module; the Graph PowerShell cmdlet is Get-MgDeviceAppManagementManagedAppPolicy.)

# Read-only scope is enough to list policies
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All"

# Returns every managed app policy (iOS, Android, and app configuration policies) as managedAppPolicy objects
Get-MgDeviceAppManagementManagedAppPolicy |
    Select-Object DisplayName, Id, Version, LastModifiedDateTime

Interaction with Related Technologies

Conditional Access (CA): You can require that an app protection policy be applied before a client can reach Exchange Online, SharePoint Online, or other Microsoft 365 services. This is the 'Require app protection policy' grant control in a CA policy (the older 'Require approved client app' control is being retired in favour of it). The effect is that only apps in which the APP policy is active, regardless of whether the device is managed, can obtain a token: unprotected native apps are refused, and on iOS/Android browser access is steered to Microsoft Edge, which can carry the policy.
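The CA policy described above, scripted through Microsoft Graph as an added example (not from the original page or Microsoft's documentation). It assumes the Microsoft.Graph PowerShell SDK and placeholder group object IDs in $pilotGroupId and $breakGlassGroupId; the application IDs are the well-known Office 365 Exchange Online and SharePoint Online service principals, and "compliantApplication" is the Graph name for the 'Require app protection policy' grant.

```powershell
# Added example: Conditional Access policy that requires an app protection
# policy for Exchange Online and SharePoint Online on iOS and Android.
# Created in report-only mode first so the sign-in logs show who would be blocked.
# $pilotGroupId and $breakGlassGroupId are placeholders for real group object IDs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

$pilotGroupId      = "00000000-0000-0000-0000-000000000000"
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"   # emergency-access accounts: always exclude

$caPolicy = @{
    displayName = "CA-Mobile-RequireAppProtectionPolicy"
    state       = "enabledForReportingButNotEnforced"        # switch to "enabled" after reviewing report-only results
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @(
                "00000002-0000-0ff1-ce00-000000000000",        # Office 365 Exchange Online
                "00000003-0000-0ff1-ce00-000000000000"         # Office 365 SharePoint Online
            )
        }
        platforms = @{ includePlatforms = @("iOS", "android") }   # APP exists only for these platforms
        # Native apps must carry the policy; on iOS/Android, browser access then only works from Microsoft Edge
        clientAppTypes = @("mobileAppsAndDesktopClients", "browser")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantApplication")            # portal label: "Require app protection policy"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
"Created CA policy $($created.Id) in state $($created.State)"

# Sanity check: which CA policies already carry the app-protection grant?
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "compliantApplication" } |
    Select-Object DisplayName, State
```

Keep the policy in report-only mode until the sign-in logs show that every pilot user's Outlook, Teams and Edge sessions would satisfy the grant; a user whose app has not yet picked up the APP policy is otherwise locked out of mail until the app checks in.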

Intune MDM: MAM can coexist with MDM. If a device is enrolled in MDM, you can choose to target APP policies to managed devices only, or to all devices. The policies can be the same or different. When both are applied, the more restrictive setting prevails.

Microsoft Entra ID Protection (formerly Azure AD Identity Protection): APP itself has no user-risk setting; risk is evaluated by Conditional Access. Combine a risk-based CA policy (for example, block sign-in when user risk is high) with the 'Require app protection policy' grant so that both checks gate mobile access.

Microsoft Defender for Endpoint: Supplies the device threat level used by the 'Max allowed device threat level' conditional launch setting (e.g., block access or wipe data when the level exceeds Medium). Defender for Endpoint must be installed and onboarded on the device for the signal to exist; without it the check cannot pass.

Common Pitfalls and Exam Traps

MAM without enrollment vs. MAM with enrollment: The exam often tests the difference. MAM without enrollment applies policies based on user identity only, no device management required. MAM with enrollment can apply additional device-level policies.

Policy conflict resolution: If several APP policies reach the same user and app (e.g., through membership in two groups), Intune does not pick one policy; it evaluates each setting and applies the most restrictive value for that setting, so the effective policy is a setting-by-setting merge. Avoid surprises by assigning one policy per platform per audience, and use the 'App protection status' report to see which policies an app reports as applied.

Selective wipe vs. full wipe: A selective wipe removes only corporate data from the app, leaving personal data. A full wipe (only possible with MDM enrollment) resets the device to factory defaults.

Encryption: On iOS, 'Encrypt org data' relies on the device's built-in Data Protection API (file protection classes), not FileVault, which is a macOS feature; it is therefore only effective when a device passcode is set. On Android, Intune does not rely on device encryption: the Intune App SDK encrypts org data with its own keys. The setting defaults to Require on both platforms.

Advanced: Multi-Identity Support

Microsoft apps like Outlook support multiple identities (personal and work accounts). MAM policies apply only to the corporate identity. For example, in Outlook, if you have a personal Gmail account and a work Exchange Online account, the APP policy only protects the work data. The clipboard setting decides what crosses between identities: 'Policy managed apps' blocks both work-to-personal and personal-to-work, while 'Policy managed apps with paste in' still blocks work-to-personal but allows pasting personal (or any unmanaged) content into the work identity.

Summary of Key Exam Facts

MAM without enrollment is also called MAM-WE (Mobile Application Management without Enrollment).

Policy is applied per user, not per device.

Supported platforms: iOS/iPadOS and Android. The minimum supported OS version moves forward regularly (the '14+' and '8+' figures in older study guides are no longer supported), so check the current Intune supported-platforms page rather than memorizing a number.

The Intune App SDK is required for third-party app support.

Conditional Access can require APP policy via 'Require app protection policy' grant.

Selective wipe targets corporate data only.

Default offline grace period is 720 minutes.

PIN minimum length is 4 (default), can be up to 16.

Recheck the access requirements after 30 minutes of inactivity (PIN re-prompt); this is an inactivity timeout, separate from the offline grace period.

Configuration Example: Creating a Basic MAM Policy

1. Sign in to the Microsoft Intune admin center (https://intune.microsoft.com).

2. Go to Apps > App protection policies.

3. Click Create policy and choose iOS/iPadOS or Android.

4. Enter a name, e.g., "MAM-DataProtection-High".

5. Under Apps, choose the public apps to protect (e.g., Outlook, Teams, Edge) and whether to target apps on all device types or only unmanaged devices.

6. Under Data protection, set:
- Cut, copy, and paste: Policy Managed Apps
- Save-as: Block
- Restrict web content: Microsoft Edge
- Encrypt app data: Yes

7. Under Access requirements, set:
- PIN: Require, length 6, allow biometrics
- Work or school account credentials: Require

8. Under Conditional launch, set:
- Min OS version: 15.0 (iOS) or 11.0 (Android) – if not met, block access
- Max PIN attempts: 5
- Offline grace period: 720 minutes
- Jailbroken/rooted devices: Block access (this check lives under Conditional launch in the current admin center)

9. Assign the policy to a user group, e.g., "All Users".

10. Click Create.

The policy will be applied the next time users sign into supported apps on their mobile devices.
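The same policy created, targeted and assigned through Microsoft Graph, which is how you would script it for repeatability or keep it in source control. This PowerShell is an added example, not code from the original page or from Microsoft's documentation; it assumes the Microsoft.Graph PowerShell SDK, a placeholder group object ID in $groupId, and the Graph v1.0 property names shown in the comments (each comment gives the admin-center label used in the steps above).

```powershell
# Added example: create, target and assign the iOS policy from the steps above
# via Microsoft Graph v1.0. Requires the Microsoft.Graph PowerShell SDK.
# $groupId is a placeholder; replace it with the object ID of the target group.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"
$base    = "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections"

# Steps 6-8: policy settings. Comments give the admin-center label for each Graph property.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "MAM-DataProtection-High"
    description                             = "BYOD data protection for iOS (Outlook, Teams, Edge)"
    # Data protection
    allowedOutboundDataTransferDestinations = "managedApps"        # Send org data to other apps: Policy managed apps
    allowedInboundDataTransferSources       = "managedApps"        # Receive data from other apps: Policy managed apps
    allowedOutboundClipboardSharingLevel    = "managedApps"        # Cut, copy, paste: Policy managed apps
    saveAsBlocked                           = $true                # Save copies of org data: Block ...
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")  # ... except these services
    managedBrowserToOpenLinksRequired       = $true                # Restrict web content transfer: ...
    managedBrowser                          = "microsoftEdge"      # ... to Microsoft Edge
    appDataEncryptionType                   = "whenDeviceLocked"   # Encrypt org data: Require (iOS file protection class)
    dataBackupBlocked                       = $true                # Back up org data to iCloud: Block
    printBlocked                            = $true                # Printing org data: Block
    # Access requirements
    pinRequired                             = $true
    minimumPinLength                        = 6
    pinCharacterSet                         = "numeric"
    simplePinBlocked                        = $true                # no 123456 / 111111
    fingerprintBlocked                      = $false               # allow Touch ID in place of the PIN
    faceIdBlocked                           = $false               # allow Face ID in place of the PIN
    organizationalCredentialsRequired       = $true                # Work or school account credentials: Require
    # Conditional launch
    maximumPinRetries                       = 5                    # Max PIN attempts (default action: reset PIN)
    periodOfflineBeforeAccessCheck          = "PT12H"              # Offline grace period: 720 min -> block access
    periodOfflineBeforeWipeIsEnforced       = "P90D"               # Offline grace period: 90 days -> wipe data
    periodOnlineBeforeAccessCheck           = "PT30M"              # Recheck access requirements after 30 min inactivity
    minimumRequiredOsVersion                = "15.0"               # Min OS version, action: block access
    deviceComplianceRequired                = $true                # Jailbroken/rooted devices: Block
}

$created  = Invoke-MgGraphRequest -Method POST -Uri $base -ContentType "application/json" `
                -Body ($policy | ConvertTo-Json -Depth 5)
$policyId = $created.id

# Step 5 (Apps): target the public apps by bundle ID. Outlook, Teams and Edge shown.
$apps = @{
    apps = @(
        "com.microsoft.Office.Outlook", "com.microsoft.skype.teams", "com.microsoft.msedge" |
            ForEach-Object { @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$policyId/targetApps" -ContentType "application/json" `
    -Body ($apps | ConvertTo-Json -Depth 5) | Out-Null

# Step 9: assign to the group (include). Use exclusionGroupAssignmentTarget for an exclude.
$assign = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$base/$policyId/assign" -ContentType "application/json" `
    -Body ($assign | ConvertTo-Json -Depth 5) | Out-Null

# Read back what Intune stored: targeted apps and assignments.
(Invoke-MgGraphRequest -Method GET -Uri "$base/$policyId/apps").value        | ForEach-Object { $_.mobileAppIdentifier.bundleId }
(Invoke-MgGraphRequest -Method GET -Uri "$base/$policyId/assignments").value | ForEach-Object { $_.target.groupId }
```

The Android equivalent uses the androidManagedAppProtections endpoint, androidMobileAppIdentifier with a packageId instead of a bundleId, and Android-specific properties such as screenCaptureBlocked; the data-protection, access-requirement and conditional-launch properties shown here are shared by both platforms.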

Walk-Through

1. Create App Protection Policy

In the Intune admin center, navigate to Apps > App protection policies and click 'Create policy'. Choose the platform (iOS/iPadOS or Android). Provide a name and description, then select the targeted apps (public apps from the protected-apps list, or custom apps you have wrapped or integrated with the SDK) and whether the policy targets apps on all device types or only unmanaged devices. The policy is created at the tenant level and assigned to user groups. You cannot create a policy targeting both platforms simultaneously; create separate policies for iOS and Android.

2. Configure Data Protection Settings

Under the 'Data protection' tab, configure settings that control how corporate data can be used within and outside the managed apps. Key settings include: 'Cut, copy, and paste between other apps' (Blocked, Policy managed apps, Policy managed apps with paste in, Any app), 'Save copies of org data' (Block or Allow, with allowed storage services), 'Restrict web content transfer with other apps' (typically Microsoft Edge), and 'Encrypt org data' (Require by default). These settings prevent data leakage to unmanaged apps or personal storage.

3. Configure Access Requirements

Under the 'Access requirements' tab, configure how users unlock access to org data in the app. You can require a PIN (with configurable length, character set and simple-PIN rule), allow Touch ID/Face ID or fingerprint in place of the PIN, and require work or school account credentials for access. The PIN is managed by Intune and is independent of the device lock PIN; it guards the org identity inside the app, not the device.

4. Configure Conditional Launch Settings

Under the 'Conditional launch' tab, define checks that are evaluated each time the app launches and at each check-in, together with the action to take when a check fails (block access, wipe data, or warn). Examples include: minimum OS version and minimum app version, maximum PIN attempts (default 5, action 'Reset PIN'), offline grace period (default 720 minutes before access is blocked, and a second default of 90 days before org data is wiped), jailbroken/rooted devices (block or wipe), and on Android 'Require device lock'. These settings enforce ongoing compliance.

5. Assign Policy to User Groups

After configuring the settings, assign the policy to Microsoft Entra ID user groups, with include and exclude options. The policy applies to the targeted apps wherever the user signs in with their work account, so it is applied per user, not per device. If a user is removed from the group, the policy stops applying at the app's next check-in; the org data is not wiped automatically, so issue an app selective wipe if the data must be removed.

6. Verify Policy Application

To verify that the policy is applied correctly, have a test user sign into a supported app (e.g., Outlook) on a mobile device. Check that the PIN prompt appears and that data protection settings (e.g., copy/paste restrictions) are enforced. You can also review the 'App protection status' report in the Intune admin center under Apps > Monitor > App protection status. This report shows, per user and app, which policies were received, when the app last checked in, and flagged reasons such as a rooted device.
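To turn the portal check in step 6, and the verification commands earlier in the chapter, into something scriptable, the following added PowerShell example (not from the original page) uses Microsoft Graph to list a test user's managed app registrations and compare the policies Intune intends for the app with those the app reports as applied. It assumes the Microsoft.Graph SDK and a placeholder UPN in $userUpn; the registration data comes from your own tenant.

```powershell
# Added example: answer "did this user's app actually get the policy?" from
# Microsoft Graph instead of the portal report. Requires the Microsoft.Graph SDK.
# $userUpn is a placeholder; the registrations and policies come from your tenant.
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All", "User.Read.All"

$userUpn = "testuser@contoso.example"
$user    = Get-MgUser -UserId $userUpn -Property Id, UserPrincipalName

# Each sign-in to an SDK-integrated app creates a managedAppRegistration (one per app, per device).
$regs = (Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/v1.0/users/$($user.Id)/managedAppRegistrations").value

if (-not $regs) {
    Write-Warning "No managed app registrations for $userUpn: the user has not signed into a targeted app with the work account, or the app has not checked in yet."
}

foreach ($reg in $regs) {
    $regUri   = "https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations/$($reg.id)"
    # intendedPolicies = what the assignments say the user should get; appliedPolicies = what the app has enforced.
    $intended = (Invoke-MgGraphRequest -Method GET -Uri "$regUri/intendedPolicies").value
    $applied  = (Invoke-MgGraphRequest -Method GET -Uri "$regUri/appliedPolicies").value

    [pscustomobject]@{
        App              = if ($reg.appIdentifier.bundleId) { $reg.appIdentifier.bundleId } else { $reg.appIdentifier.packageId }
        Device           = "$($reg.deviceName) ($($reg.deviceType) $($reg.platformVersion))"
        AppVersion       = $reg.applicationVersion
        LastSync         = $reg.lastSyncDateTime
        FlaggedReasons   = ($reg.flaggedReasons -join ", ")          # e.g. rootedDevice: conditional launch blocked it
        IntendedPolicies = ($intended | ForEach-Object { $_.displayName }) -join ", "
        AppliedPolicies  = ($applied  | ForEach-Object { $_.displayName }) -join ", "
    }
}
```

Reading the output: no registration at all means the user signed in with the wrong account or into an app the policy does not target; an intended policy with nothing applied means the app has not checked in since the assignment (restart it or sign out and in); a flagged reason such as rootedDevice means conditional launch, not the assignment, is what blocked access.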

What This Looks Like on the Job

Scenario 1: BYOD for Sales Team

A company with a large sales force allows employees to use their personal iPhones and Android devices for work email and calendar. The company does not want to manage the entire device (BYOD) but needs to protect sensitive customer data. The solution: Deploy MAM without enrollment. The admin creates an iOS app protection policy that requires a 6-digit PIN, blocks copy/paste to personal apps, restricts web links to open in Microsoft Edge, and enables encryption. The policy is assigned to the 'Sales' security group. Sales reps install the Outlook and Teams apps from the App Store/Play Store, sign in with their work accounts, and are prompted to set up a PIN. The company can selectively wipe corporate data if an employee leaves, without affecting personal photos or messages. This scenario is common and the exam tests your ability to choose MAM over MDM for BYOD.

Scenario 2: Partner Access with Conditional Access

A consulting firm gives external partners access to a SharePoint site containing project documents. Partners use their own, unmanaged devices. The firm wants to ensure that documents cannot be saved to personal storage or printed. They create an Android app protection policy that blocks save-as and printing, restricts copy/paste to policy-managed apps only, and requires a PIN. They also create a Conditional Access policy for SharePoint Online that requires 'App protection policy' as a grant control. When a partner opens SharePoint from the Edge app, they must authenticate and the app protection policy is applied; if the device is rooted, access is blocked. One caveat the scenario glosses over: APP is enforced by the tenant that owns the signed-in identity, so it applies only to accounts homed in the firm's tenant. Partners signing in as B2B guests from their own tenant receive their home tenant's policies, not the firm's, so the firm must either issue partner accounts in its own tenant or rely on the CA grant to fail closed for guests. This integration is a frequent exam topic: combining CA with MAM to enforce app protection.

Scenario 3: Multi-Identity in Outlook

A university uses Microsoft 365 for faculty and staff. Many faculty members also have personal email accounts (e.g., Gmail) configured in the same Outlook app. The university wants to protect work emails without interfering with personal ones. They create an iOS app protection policy with 'Cut, copy, and paste between other apps' set to 'Policy managed apps with paste in': copying from a work email into the personal account is blocked, while pasting personal content into a work email is allowed. (Plain 'Policy managed apps' would block both directions.) When a faculty member copies text from a work email, the SDK tags the clipboard content with the source identity, and a paste into the personal identity is refused. The exam may ask about multi-identity behavior or how to configure policies for different accounts in the same app.

Common Misconfigurations

Not assigning the policy to the correct group: If the policy is not assigned to the user, it won't apply. Always verify group membership.

Offline grace period too short: If set too low, users may be blocked frequently when they have poor connectivity. Default is 720 minutes (12 hours), which works for most.

Forgetting to configure Conditional Access: Without CA, users can still access data via browser or non-compliant apps. CA with 'Require app protection policy' is essential for comprehensive protection.

How MS-102 Actually Tests This

What MS-102 Tests on This Topic

The MS-102 exam covers MAM under Objective 2.4: 'Manage app protection policies'. Specifically, you should be able to:

Create and configure app protection policies for iOS and Android.

Understand the difference between MAM with and without enrollment.

Configure data protection settings, access requirements, and conditional launch.

Integrate app protection policies with Conditional Access.

Perform selective wipe.

Troubleshoot policy application.

Common Wrong Answers and Why Candidates Choose Them

1. 'MAM requires device enrollment': Many candidates confuse MAM with MDM. MAM without enrollment is a key feature. The exam will present a scenario where devices are not enrolled and ask which technology to use. The wrong answer is MDM; the correct answer is MAM.

2. 'App protection policies apply to all apps on the device': No, they only apply to apps that integrate the Intune App SDK (or are wrapped) and that the policy explicitly targets. The exam may list unsupported apps as distractors.

3. 'Selective wipe removes all data from the device': Selective wipe removes only corporate data from managed apps, not personal data. Full wipe is for MDM-enrolled devices.

4. 'PIN is the device lock PIN': The PIN configured in MAM is separate from the device lock PIN. The exam may test that you can require both.

Specific Numbers, Values, and Terms That Appear on the Exam

Default offline grace period: 720 minutes (12 hours).

Default PIN length: 4 (minimum 4, maximum 16).

Maximum PIN attempts before reset: 5.

Recheck the access requirements after (minutes of inactivity): 30 minutes; an inactivity timeout, not tied to the offline period.

Supported platforms: iOS/iPadOS and Android; the minimum OS version moves forward regularly, so check the current supported-platforms page rather than memorizing '14+' or '8+'.

Policy update: retrieved at sign-in and refreshed by the app's periodic check-in (Microsoft documents roughly 30 minutes; the 8-hour figure is the MDM device interval); an app restart or re-sign-in forces a check-in.

Terms: MAM-WE, Intune App SDK, selective wipe, multi-identity, conditional launch.

Edge Cases and Exceptions

Policy conflict: If a user is in two groups with different policies, the most restrictive setting applies for each individual setting. The exam may present a scenario where you need to determine effective settings.
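The merge rule in this edge case and in the 'Policy conflict resolution' pitfall earlier is easy to state and easy to get wrong for settings with enumerated values or version strings. The following PowerShell function is an added example (not from the page) that computes the effective settings from two constructed sample policies using the Graph managedAppProtection property names; it runs offline with no tenant. The two policies are made up for illustration.

```powershell
# Added example (not from the page): effective app protection settings when two
# policies reach the same user and app. Intune applies the most restrictive
# value per setting; this reproduces that rule for a handful of settings.
# The two policies are constructed sample data using Graph property names.

$policies = @(
    @{  displayName                          = "MAM-AllUsers-Baseline"
        minimumPinLength                     = 4
        maximumPinRetries                    = 10
        periodOfflineBeforeAccessCheck       = "PT12H"
        saveAsBlocked                        = $false
        allowedOutboundClipboardSharingLevel = "allApps"
        minimumRequiredOsVersion             = "15.0" },
    @{  displayName                          = "MAM-Finance-Strict"
        minimumPinLength                     = 6
        maximumPinRetries                    = 5
        periodOfflineBeforeAccessCheck       = "PT4H"
        saveAsBlocked                        = $true
        allowedOutboundClipboardSharingLevel = "managedAppsWithPasteIn"
        minimumRequiredOsVersion             = "16.4" }
)

# Clipboard levels ordered from most to least restrictive.
$clipboardRank = @{ blocked = 0; managedApps = 1; managedAppsWithPasteIn = 2; allApps = 3 }

function Get-EffectiveAppProtection {
    param([hashtable[]]$Policies)

    [pscustomobject][ordered]@{
        sourcePolicies                       = ($Policies.displayName -join ", ")
        # A longer PIN is stricter: take the maximum.
        minimumPinLength                     = ($Policies.minimumPinLength | Measure-Object -Maximum).Maximum
        # Fewer retries is stricter: take the minimum.
        maximumPinRetries                    = ($Policies.maximumPinRetries | Measure-Object -Minimum).Minimum
        # A shorter offline grace is stricter: compare ISO 8601 durations as TimeSpans, keep the shortest.
        periodOfflineBeforeAccessCheck       = ($Policies.periodOfflineBeforeAccessCheck |
                                                Sort-Object { [System.Xml.XmlConvert]::ToTimeSpan($_) } |
                                                Select-Object -First 1)
        # A block in any policy blocks.
        saveAsBlocked                        = [bool]($Policies.saveAsBlocked -contains $true)
        # Lowest rank wins: the most restrictive clipboard level.
        allowedOutboundClipboardSharingLevel = ($Policies.allowedOutboundClipboardSharingLevel |
                                                Sort-Object { $clipboardRank[$_] } |
                                                Select-Object -First 1)
        # A higher minimum OS is stricter: compare as [version], never as strings ("9.0" would sort above "16.4").
        minimumRequiredOsVersion             = ($Policies.minimumRequiredOsVersion |
                                                Sort-Object { [version]$_ } -Descending |
                                                Select-Object -First 1)
    }
}

Get-EffectiveAppProtection -Policies $policies | Format-List
```

For the sample data the result is PIN length 6, 5 retries, a 4-hour offline grace, save-as blocked, clipboard 'Policy managed apps with paste in' and minimum OS 16.4: the baseline group's members in Finance get the strict values even though the baseline policy alone would not impose them.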

Android vs. iOS differences: Some settings exist on one platform only. Android has 'Screen capture and Google Assistant' (Block) under data protection and 'Require device lock' plus Play Integrity checks under conditional launch; iOS cannot block screenshots at the app layer, and has iOS-specific settings such as Face ID and Open-in management (the latter needs MDM enrollment). The shared settings (clipboard, save-as, encryption, PIN, offline grace period) behave the same on both.

Third-party apps: Only apps that have integrated the Intune App SDK support MAM. The exam may list apps like 'Salesforce' or 'SAP' as supported if they have the SDK.

User removal: If a user is removed from the target group, the policy is no longer intended for that user and the app stops enforcing it at its next check-in. The org data already in the app is not wiped by this alone; to remove it, create an app selective wipe request for the user, or rely on a Conditional Access policy that now refuses the unprotected app a token.

How to Eliminate Wrong Answers Using the Underlying Mechanism

When you see a question about data leakage prevention on unmanaged devices, immediately think MAM. If the question mentions 'device enrollment', think MDM. If it mentions 'PIN specific to the app', think MAM. For selective wipe, remember it only affects managed apps. For Conditional Access integration, remember that CA can require app protection policy as a grant. Understanding the mechanism of the Intune App SDK intercepting data operations helps you eliminate answers that suggest device-level control.

Key Takeaways

MAM without enrollment protects corporate data in apps on unmanaged devices, using user identity.

Supported platforms: iOS/iPadOS and Android (Microsoft Edge on Windows also supports APP, but that is outside this objective).

Default offline grace period is 720 minutes (12 hours).

Default PIN length is 4 (minimum 4, maximum 16).

Maximum PIN attempts before reset: 5.

Selective wipe removes only corporate data from managed apps.

Conditional Access can require app protection policy via 'Require app protection policy' grant.

Policy is retrieved at sign-in and refreshed by the app's periodic check-in, not on the 8-hour MDM device schedule; an app restart or re-sign-in forces a check-in.

Multi-identity apps apply MAM policies only to corporate identity.

The Intune App SDK is required for third-party app support.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

MAM without Enrollment (MAM-WE)

No device enrollment required.

Policies applied per user identity.

Data protection only within managed apps.

Selective wipe removes corporate app data only.

Best for BYOD scenarios with privacy concerns.

MAM with Enrollment (MDM + MAM)

Device must be enrolled in Intune MDM.

Policies applied per device and user.

Can combine app-level and device-level policies (e.g., encryption, compliance).

Can perform full wipe (factory reset) and selective wipe.

Best for corporate-owned devices requiring full management.

Watch Out for These

Mistake

MAM policies require the device to be enrolled in Intune MDM.

Correct

MAM without enrollment (MAM-WE) does not require device enrollment. Policies are applied based on the user's identity when they sign into supported apps. Device enrollment is optional and independent.

Mistake

App protection policies apply to all apps installed on the device.

Correct

Only apps that have integrated the Intune App SDK (Microsoft apps and select third-party apps) can be managed by MAM. The policy does not apply to apps that do not support the SDK.

Mistake

Selective wipe removes all data from the device.

Correct

Selective wipe removes only corporate data from managed apps, such as emails and documents. Personal data (e.g., personal emails, photos) remains intact. Full wipe (factory reset) is only possible with MDM enrollment.

Mistake

The PIN configured in MAM is the same as the device lock PIN.

Correct

The MAM PIN is independent of the device lock PIN. You can require both. The MAM PIN is managed by Intune and is used specifically to access corporate data in managed apps.

Mistake

MAM policies apply to any app on any platform, including desktop Windows apps.

Correct

Classic MAM-WE, which is what this objective tests, targets iOS/iPadOS and Android apps that integrate the Intune App SDK. On Windows, Intune offers app protection policies only for Microsoft Edge (MAM for Windows); Windows Information Protection (WIP), the older Windows-side data protection mechanism, has been deprecated, and Microsoft Defender for Cloud Apps governs sessions at the cloud-app layer rather than inside apps.


Frequently Asked Questions

What is the difference between MAM and MDM?

MAM (Mobile Application Management) focuses on protecting data within specific applications without managing the entire device. MDM (Mobile Device Management) manages the entire device, including settings, compliance, and remote wipe. MAM can work with or without MDM. The exam often tests MAM without enrollment (MAM-WE) for BYOD scenarios.

Can I apply MAM policies to Android Enterprise work profiles?

Yes, you can apply MAM policies to Android Enterprise work profiles. In fact, you can target both personally owned devices with work profile (BYOD) and fully managed devices. The policy applies to the work profile apps. This is a common exam scenario.

How does selective wipe work in MAM?

Selective wipe is a wipe request that the managed app picks up at its next check-in, so the app must come online for it to take effect. The Intune App SDK then deletes the data associated with the work identity: in Outlook, work emails and calendar items are removed while personal emails remain. It is triggered by an admin-created request (Apps > App selective wipe) or by a conditional launch setting whose action is 'Wipe data' (for example a jailbroken device or the 90-day offline limit). Removing a user from the policy's group stops the policy from applying but does not wipe the data.

What happens if a user's device is jailbroken or rooted?

If you enable jailbreak/root detection in the access requirements, the app will block access or wipe corporate data when a jailbroken/rooted device is detected. The detection is performed by the Intune App SDK at app launch. This is a critical security feature for protecting data on compromised devices.

Can I use MAM with Conditional Access?

Yes, you can create a Conditional Access policy that requires app protection policy as a grant control. For example, you can require that users accessing Exchange Online use an approved app (like Outlook) that has an app protection policy applied. This ensures that data is protected even on unmanaged devices.

How do I troubleshoot MAM policy not applying?

Check that the user is in the assigned group, the app is supported and actually targeted by the policy, the device platform matches the policy (iOS vs. Android), and the user has signed in with the work account rather than a personal one. Then look at the app's own view: in Edge, about:intunehelp shows whether a policy is applied and its version; in the Company Portal app (installable without enrolling), Settings > Diagnostic data exposes the app protection logs. In the admin center, Apps > Monitor > App protection status shows per user and app which policies were received, the last check-in, and flagged reasons such as a rooted device. Finally, check for a second policy whose most-restrictive values are overriding the one you expect.

What is the default recheck interval for access requirements?

The setting 'Recheck the access requirements after (minutes of inactivity)' defaults to 30 minutes: after 30 minutes without using the app, the user must re-enter the PIN (or biometric). It is independent of the offline grace period (default 720 minutes), which governs how long the app may go without reaching Intune before access is blocked. The conditional launch checks themselves run at each app launch and at each check-in, which is how a newly rooted device or a downgraded OS loses access.

