Applying different iOS App Protection Policies depending on Management State

In this post I am going to show you how to apply separate app protection policies to managed and unmanaged devices. You may want to do this in your environment if you decide that users on MDM-managed devices should get a less restrictive policy than users on unmanaged devices. When creating an iOS app protection policy you may have noticed the setting "Target to all app types". If you choose No, you can then tick whether the policy applies to apps on Intune-managed devices, apps on unmanaged devices, or both.

You're probably thinking at this point: OK, great, I'll create two policies, tick "Apps on Intune managed devices" on one and "Apps on unmanaged devices" on the other, and I'm done, right? Unfortunately it is not as simple as the device being enrolled in MDM. What you will find is that even MDM-enrolled devices receive the policy targeted to "Apps on unmanaged devices".

Why? Because it is the App Protection (MAM) SDK inside the app, not the device's enrollment record, that decides which bucket the app falls into. The SDK only treats the app as running on an Intune-managed device when the app itself is a managed app and has received the IntuneMAMUPN key, set to the user's UPN, through an app configuration policy. Until that key arrives (and matches the account signed into the app), the app is treated as unmanaged and picks up the policy targeted to "Apps on unmanaged devices".

The Process

In order to deploy the IntuneMAMUPN key/value pair to our apps via an app configuration policy, the app must first be managed by Intune. The simplest way to do this is to deploy the apps from Intune, either by making the app available to install from the Company Portal or by making it Required for automatic deployment.

  • Log in to the Intune portal
  • Navigate to Client Apps > Apps
  • Add each iOS app which you are going to include in the app protection policy

  • Assign the apps to your users as either available or required.

What if the app already exists on the device (i.e. it was previously installed from the App Store)? That is fine: you can still deploy the app, and the user will be prompted to let "i.manage.microsoft.com" take over management of the app. If the user declines that prompt, the app stays unmanaged, so the app configuration policy (and with it the IntuneMAMUPN key) never reaches it and it keeps receiving the unmanaged policy.

You can confirm which apps are managed by Intune on an iOS device by going to Settings > General > Device Management (on newer iOS versions this is Settings > General > VPN & Device Management).

  • Tap the Management Profile
  • Tap Apps
  • The Intune-managed apps should be listed

At this point you have deployed, and therefore now manage, all of the apps which will be protected by MAM/app protection. Now we need to deploy the IntuneMAMUPN key.

  • In the Intune Portal navigate to Client Apps
  • Choose App Configuration Policies
  • Choose Add
  • Enter a Name
  • Device Enrollment Type – Managed Devices
  • Platform – iOS

  • Select Associated App
  • Choose an app from the list (You need to do this for each app)
  • Select OK

  • Choose Configuration Settings
  • Configuration Settings Format – Use Configuration Designer
  • Under “Application Configuration” enter the following:
    • Configuration Key – IntuneMAMUPN
    • Value Type – String
    • Configuration Value – {{UserPrincipalName}}

Now that you have created the app configuration policy, you need to assign it to a group containing the users (or devices) whose apps should receive the key.
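The same configuration can be driven through the Microsoft Graph API instead of clicking through the portal. The Python below is an added example written for this page, not code from the original post or from Microsoft: it builds the request bodies for the app configuration policy that carries IntuneMAMUPN, for an app protection policy targeted only to apps on Intune-managed devices (the API form of "Target to all app types: No"), for adding apps to that policy and for group assignments, plus a small helper that states the rule this post is built around. The endpoint paths, `@odata.type` names and `targetedAppManagementLevels` values are from my reading of the Graph reference and should be checked against the current documentation; the app id, group id, bundle id and policy names are placeholders.

```python
"""Graph API equivalents of the portal steps in this post (added example,
not the post's own procedure). Property and action names follow the
Microsoft Graph reference as I read it; verify before use."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Documented form of the UPN token. The portal screenshots in this post
# type it as {{UserPrincipalName}}, which the post shows working as well.
UPN_TOKEN = "{{userprincipalname}}"


def build_mam_upn_config(display_name, targeted_app_ids):
    """Body for POST /deviceAppManagement/mobileAppConfigurations.

    targeted_app_ids are the Intune mobileApp ids (GUIDs) of the apps you
    deployed from Intune above; the key is only delivered to apps Intune
    manages, which is the whole point of the post."""
    if not targeted_app_ids:
        raise ValueError("policy must target at least one Intune-managed app")
    return {
        "@odata.type": "#microsoft.graph.iosMobileAppConfiguration",
        "displayName": display_name,
        "description": "Delivers IntuneMAMUPN so the APP SDK sees the app as MDM-managed",
        "targetedMobileApps": list(targeted_app_ids),
        "settings": [{
            "@odata.type": "#microsoft.graph.appConfigurationSettingItem",
            "appConfigKey": "IntuneMAMUPN",
            "appConfigKeyType": "stringType",   # portal: Value type = String
            "appConfigKeyValue": UPN_TOKEN,      # portal: {{UserPrincipalName}}
        }],
    }


def build_managed_only_app_protection(display_name):
    """Body for POST /deviceAppManagement/iosManagedAppProtections.

    targetedAppManagementLevels = "mdm" is the API form of the portal's
    'Target to all app types: No' + 'Apps on Intune managed devices'.
    Use "unmanaged" for the sibling policy, or "mdm,unmanaged" for both."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": display_name,
        "targetedAppManagementLevels": "mdm",
        # Illustrative settings only; tune to your own baseline.
        "pinRequired": True,
        "minimumPinLength": 6,
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
    }


def build_target_apps(bundle_ids):
    """Body for POST .../iosManagedAppProtections/{id}/targetApps."""
    return {"apps": [{
        "@odata.type": "#microsoft.graph.managedMobileApp",
        "mobileAppIdentifier": {
            "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
            "bundleId": bundle_id,
        },
    } for bundle_id in bundle_ids]}


def build_group_assignment(group_id, assignment_odata_type):
    """Body for the /assign action on either object above, targeting a group.
    assignment_odata_type is e.g.
    '#microsoft.graph.managedDeviceMobileAppConfigurationAssignment' or
    '#microsoft.graph.targetedManagedAppPolicyAssignment'."""
    return {"assignments": [{
        "@odata.type": assignment_odata_type,
        "target": {
            "@odata.type": "#microsoft.graph.groupAssignmentTarget",
            "groupId": group_id,
        },
    }]}


def expected_policy_bucket(mdm_enrolled, app_installed_by_intune, has_mam_upn):
    """The observation this post is built around: MDM enrollment alone is not
    enough. The APP SDK only reports the app as managed when Intune manages
    the app itself and IntuneMAMUPN has arrived via app configuration."""
    if mdm_enrolled and app_installed_by_intune and has_mam_upn:
        return "mdm"
    return "unmanaged"


def post_graph(path, body, access_token):
    """POST a body to Graph with a bearer token that holds
    DeviceManagementApps.ReadWrite.All. Not called in the dry run below."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Dry run with constructed identifiers, not real tenant values.
    outlook_app_id = "00000000-0000-0000-0000-000000000001"
    print(json.dumps(build_mam_upn_config("iOS - IntuneMAMUPN - Outlook", [outlook_app_id]), indent=2))
    print(json.dumps(build_managed_only_app_protection("iOS APP - Managed devices"), indent=2))
    print(json.dumps(build_target_apps(["com.microsoft.Office.Outlook"]), indent=2))
```

Create the app configuration policy once per app (the portal only lets you pick one associated app per policy, and the Graph body mirrors that with its `targetedMobileApps` list), then call the `assign` action for each object with the matching assignment type. The `expected_policy_bucket` helper is the check to run in your head when the report still shows the unmanaged policy: enrolled, installed by Intune, and key delivered must all be true.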

Once the policy has been deployed successfully, you should see the devices start picking up the app protection policy that is assigned to "Apps on Intune managed devices".

I have the following two policies:

(Screenshots: one app protection policy targeted to "Apps on Intune managed devices" and one targeted to "Apps on unmanaged devices".)

To determine which app protection policy a device is receiving, use the "App Protection Status" report under Client Apps > App Protection Status > User status for iOS.

(Screenshot: App Protection Status report before I deployed the IntuneMAMUPN key.)

(Screenshot: App Protection Status report after I deployed the IntuneMAMUPN key.)

As you can now see, the Outlook app has started receiving the Managed policy. I used Outlook as the example here, so the same steps need to be repeated for each app that is protected.

Thanks for reading! Any Questions feel free to ping me on Twitter/LinkedIn.