Troubleshooting MAM-WE / App Protection Policies on personal Android devices

Question

We're trying to deploy App Protection Policies / MAM on the personal devices of our employees and we're having a problem on many devices. Once the policy is enforced by a conditional access rule, the targeted apps on the device (tried it with Teams and Outlook) flashes "Confirming app status" many times and it ends up with an error message.

If I delete the corporate account from outlook and try to add it back, I see Confirming app status again and it ends up with "Unable to log-in" "This Account can't be added because Outlook isn't configured correctly".

The conditional launch section of the policy looks like this:

Setting	Value	Action
Max PIN attemps	10	Reset PIN
Offline grace period	720	Block access (minutes)
Offline grace period	7	Wipe data (days)
Disabled account		Wipe data
Jailbroken / rooted devices		Block access
Min OS version	12.0	Warn
Min OS version	11.0	Block access
Min OS version	10.0	Wipe data

If I remove all the Min OS version clauses and the Disabled account clause, adding the corporate account to Outlook works again, but the policy doesn't seem to be applied: the device is not asking to setup a PIN, is not forcing the links to be opened with Edge, and is not limiting the amount of data that can be copy-pasted.

One of the device I'm trying to debug is a Google Pixel 7 running Android 14, and I have no reason to beleive it's jailbroken/rooted. Company portal is installed on the device, but the device is not enrolled.

What are the next steps to troubleshoot this? Where can I get some logs to see what's wrong?

Answer 1

Is the issue only with Outlook, Teams? Can you confirm if the Office apps, Company Portal and OS security patches are up to date?

Answer 2

The vast majority of the devices have only those two apps, this is what I tested. I confirm Outlook, Teams, Company Portal and the OS are up to date.