Protect your corporate data on unmanaged devices with Mobile Application Management in Microsoft Intune.

Is your corporate data protected? Do you have control of your data on unmanaged Android or iOS devices? This article will show you how to protect your corporate data on unmanaged Android and iOS devices with Mobile Application Management (MAM) in Microsoft Intune.

What is Mobile Application Management?

Mobile Application Management (MAM) in Microsoft Intune is a feature that allows IT administrators to manage and secure apps on devices without enrolling them in a device management service. This is particularly useful for personal or BYOD (Bring Your Own Device) scenarios, where you can protect data within an app on both Android and iOS platforms. MAM enables the configuration of app settings, enforcement of compliance policies, and protection of sensitive data, ensuring employees can safely access corporate resources from their personal devices.

Mobile Application Management (MAM) allows you to manage and protect your organizationโ€™s data within an application. Microsoft Intune MAM can manage many productivity apps, such as Microsoft 365 Apps.

Mobile application management ensures secure access to enterprise apps while making sure that an employeeโ€™s personal apps are not compromised by the companyโ€™s IT administrators; and vice-versa. It provides detailed control which enables companies to effectively monitor and secure their enterprise data by separating them from personal data, particularly in this BYOD (Bring-Your-Own-Device) work era.


Why would you use MAM instead of MDM?

For me itโ€™s easy! Only control your data on personal devices and not the device itself.
As you all know we live in an era where not having a personal smartphone is unseen. So as an organization, can you require employees to have their personal devices managed by Intune? But what about having control over our organizational data on personal devices? That is where you as an organization can take a look at Mobile Application Management.


What do we need?

  • A Microsoft Entra ID security group with all MAM-enabled users. I use a dynamic user group with all Intune-licensed users in it;
  • Conditional Access Policy, be sure to have a Microsoft Entra ID P1 license;
  • App Protection Policy, you will need a Microsoft Intune license assigned to the user. This policy will be based on the Data protection framework using app protection policies by Microsoft;
  • An unmanaged Android or iOS device;

Microsoft Entra ID User group

Iโ€™ve created a Dynamic User group that will only contain all Intune licensed users, that we will assign to our App Protection Policies.

I used the following dynamic membership rule:

user.assignedPlans -any (assignedPlan.servicePlanId -eq "c1ec4a95-1f05-45b3-a911-aa3fa01094f5" -and assignedPlan.capabilityStatus -eq "Enabled")

Do you want to know how I got this ServicePlanID for Intune? Make sure to take a look at this blog post by Thijs Lecomte. It will lead you the way!

Conditional Access Policy

Next up is creating our Conditional Access policy, this will be the setting that will prevent users from accessing corporate data and make sure that only MAM-compatible applications can be used.

Go to the Microsoft Intune Admin center | Endpoint Security | Conditional Access and choose + Create new policy.

Create a Conditional Access policy named CA01 โ€“ Require app protection policy with the following settings.

At Assignments | Users we will include All users and exclude our break-glass accounts (if you have none, time to create them!).

At Target Resources we are going for All cloud apps.

For the Conditions, we will include Android and iOS as Device Platforms.

Under the Grant, Access controls we will choose the Require app protection policy. Make sure you Enable the policy by setting it On.

Now save your Conditional Access policy and letโ€™s go to the next step and create our App Protection Policy.

App Protection Policy

If you donโ€™t know how to get started with which settings you want to add, go and take a look at the Data protection framework using app protection policies from Microsoft. They provide recommendations for iOS and Android or three levels of security (you can click on each level to be redirected to the Microsoft Learn page):

Go to Microsoft Intune admin center | Apps | App protection policies and choose + Create policy. Iโ€™ve created an Android App protection policy based on the Level 1 Enterprise protection recommendations from Microsoft and assigned it to our previously created Microsoft Entra ID user group.

You can find an overview of all settings in the screenshots below.

Level 1: Enterprise basic data protection settings
Level 1: Enterprise basic data protection settings
Level 1: Enterprise basic data protection settings

So this is an important way to protect your corporate data on unmanaged devices with Mobile Application Management in Microsoft Intune. Stay tuned for a new post soon on how all these settings will effect on your mobile device.

If you liked this article and want to see more, feel free to check out my other posts on my site.

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Expert for Arxus with several years of experience in Microsoft 365. His main focus is Microsoft Intune and Microsoft 365 Administration. He is also a Microsoft Certified Trainer since 2021.

View all posts by Nicky De Westelinck →