Isolate your data with Mobile Application Management

One of the great features of Intune is Mobile Application Management (MAM). The important benefit of using MAM policies are protecting your company data at the app level. Since mobile app management does not require device management, you can protect company data on both managed and unmanaged devices. The management is centered on the user identity, which removes the requirement for device management.

Another benefit is the fact end user productivity is not impacted, and the policies are not applied when using the app in a personal context. The policies are applied only in a work context, thus giving you the ability to protect company data without touching personal data. This gives you as an administrator the ability to only wipe company data when people leave the company.

MAM can be used in combination with a device enrolled in Intune Mobile Device Management (MDM) or a third-party MDM vendor, but today we are focusing on a scenario where a user uses a personal device, for example an iPad to read e-mail, and is not enrolled in any MDM solution. For security reasons, we are also blocking e-mail applications that don’t support MAM policies to stay in control of company e-mail.

Which devices are supported?

MAM polices are currently supported on:
– iOS 8.1 or later
– Android 4 or later

“What?! No Windows 10?”

Exactly. There is a MAM-like feature for Windows 10 called Windows Information Protection, but we will talk about this in another blog post.

So how do I configure MAM?

Microsoft is currently working on the transition of several portals (for example classic Azure AD and Intune) to, so I can imagine it is a bit hard to figure out where to configure which functionality. For today’s scenario, we need to be in both the new Azure and the classic Intune portal.

Go to and login with your administrator credentials. Browse to the Intune console by clicking “More services”, search and click Intune.

At the Intune console, you can create your first policy by clicking “App Policy” and next “Add a policy”. Here you can enter a name, create a description, choose the targeted platform, select the targeted applications and ofcourse configure your policy settings.

After you have entered the details and selected the targeted platform and applications, it is time to configure the policy settings. At the end of every option you will see the information icon  that will give you more information.

Data relocation

The data relocation section gives an administrator the possibility to control where the data can be stored on a device. It even controls whether data can be part of the OS built-in backup feature.

To isolate company data and make sure all company data is wiped when requested, it is necessary to don’t allow paste out to unmanaged apps. Cut, copy and paste should be only available between the policy managed apps that you have selected, whereas hyperlinks should always be opened in the Managed Browser. Keep in mind this applies to everything that happens in managed apps and that links to another unmanaged app don’t work anymore. You often see this when a mobile website offers the employee to open the information provided in an app.

Synchronizing contacts to the native address book should be not enabled in my opinion, because I believe the employee will have a bad user experience when trying to call a corporate contact for example.

Figure 1: recommended data relocation settings


Privately owned devices don’t always require a PIN to unlock the device and it is often shared by multiple people. To prevent unauthorized access to company data we will configure the policy to require a PIN to access policy managed apps, extended by allowing a built-in fingerprint reader to support a better user experience.

Requiring corporate credentials instead of a PIN is disabled. You can imagine that requiring this would have a huge impact on the user experience if people need to enter an 8-character password, with at least one capital letter and a number every time they open managed apps when a fingerprint reader isn’t available.

Figure 2: recommended access policy settings


Once the policy has been created we will need to deploy it to at least one user group. This group can be synchronized from Active Directory or created in Azure Active Directory directly. Since Intune functionality is assigned on a per-user basis you will need to make sure that all members of the targeted group(s) have an Intune license assigned.

Click on your recently created policy, go to “User groups” and click “Add user group”. Select the group you want to apply the policy to and click “Select” to active the policy immediately.

User experience

Now when an employee configures the Outlook client on a mobile device for example, he or she is forced to create a PIN during the setup phase. After setting up the PIN the employee can choose to use the built-in fingerprint reader when it is available on the device. When a managed app is running in the background, the actual content is blurred so it cannot be read by other people using the device.

Copy/pasting is a bit hard to demonstrate, since the employee simply doesn’t get the option to paste when data is copied from a managed app, but you definitely should try it out!

Figure 3: A PIN is required to open the managed app Figure 4: You can allow usage of the fingerprint reader for a better user experience Figure 5: Content of managed apps is blurred so people can’t read it

Blocking other e-mail apps

By default, all e-mail applications that support Exchange ActiveSync can get the e-mail of the employee, so at this stage we can’t be sure data is isolated. To enforce the use of Outlook we are going to block all other clients.

Go to and login with your administrator credentials. Browse to “Policy” and click on “Exchange ActiveSync”. Click “Add rule” to make an exception for devices that are not managed by Intune, select the options below and click “Add”.

Figure 6: Settings to allow Outlook for iOS and Android

Make sure “Block the devices from accessing Exchange” is selected under “Default rule”. You can also add some extra information for the employee when another, unmanaged, e-mail application is configured, for example:

“You are not allowed to use this mail client. Allowed clients are the built-in Windows 10 mail client and Outlook for iOS and Android. Go to the appstore to download Outlook for free!”

Click “Save” when you are finished. The rules you have defined are active and all other mail clients are blocked immediately!

Important things to know

At this moment, managed apps support only one managed account. So, to give you an example: as a consultant, clients often require me to use an e-mail account from the client next to my Avanade account. That would mean that if both the client and Avanade require me to use Outlook with MAM policy’s applied, I can only use one. Luckily the team at Avanade is working closely with the Intune product team and they have shared my feedback to support multiple managed accounts.

Figure 7: An error message is displayed when you add two managed accounts

Another important thing to understand is you will need to communicate to employees to instruct them about the choices you have made, why a particular solution has been chosen, what kind of information is available for IT and how to use it. The adoption of this solution will fail if you don’t provide sufficient information to the employee and in the end you won’t achieve the goal to increase productivity.

The Intune team delivers some materials about what to communicate to the employees on to give you a head start.

Leave a Reply