Intune App Protection Policies

This post is to show you how to create an app protection policy (MAM) in Intune. This functionality gives you the ability to control how corporate data is used within mobile apps. For example you can create an app protection policy to stop users from copying and pasting text from emails in outlook to others apps. These policies apply to both Intune Enrolled and UNENROLLED devices so even if a user is on their own personal iPhone the app protection policy will still be applied to corporate data. Personal Data is not affected by this.

To create an app protection policy navigate to https://portal.azure.com
Once logged into the portal go to Intune > Mobile Apps > App Protection Policies and choose add a policy.

Name the policy and enter a description of your choice and then select the platform in which you want to apply the policy. I.e. iOS. Select the apps which you want to apply the app protection policy too. I.e Outlook. Now click configure settings and now you can start to configure what settings apply to the outlook for iOS app.

App Protection Policy settings

Once you have chosen the desired settings click ok and then create to generate the policy. You can now deploy the policy to the users you wish the policy to apply to. 

You now have app protection in place for users accessing email from Outlook for iOS. However at this moment in time users could bypass this by using the native mail app. This is where Conditional Access comes into play and goes hand in hand with App Protection. If you create a conditional access policy for exchange online which forces users to use “an approved app” then essentially you are forcing users to access their email from Outlook which is then protected by your App Protection policy.

For More information on setting up a conditional access policy for exchange online please see the following post: https://triplesixseven.com/exchange-online-conditional-access/

Jake Stoker

Jake Stoker

Enteprise Mobility + Security SME

Leave a Reply

Your email address will not be published.