Understand Mobile Application Management (MAM) and App Protection Policies

As organizations embrace hybrid work and Bring Your Own Device (BYOD) programs, the traditional approach of simply locking down the physical device is no longer sufficient. Employees expect to access corporate email and files from their personal smartphones, and IT must secure that data without invading user privacy.

This is where Mobile Application Management (MAM) and App Protection Policies (APP) become essential. Together, they allow you to secure corporate data at the application layer, regardless of who owns the device.

Introduction to Mobile Application Management (MAM)

Mobile Application Management (MAM) is a suite of management features that allows IT administrators to publish, push, configure, secure, monitor, and update mobile apps for their users.

While Mobile Device Management (MDM) focuses on controlling the entire physical device (enforcing device-wide PINs, Wi-Fi profiles, and full-disk encryption), MAM focuses strictly on the software and the data inside it.

Why organizations use MAM:

  • User Privacy: In BYOD scenarios, employees are often hesitant to hand over full device control to IT. MAM allows IT to manage the corporate apps without touching personal photos, texts, or web history.
  • Targeted Security: It provides granular control over corporate data, ensuring it cannot be leaked to unauthorized personal applications.
  • Reduced Overhead: Administrators can secure data on devices they don't explicitly own or manage.

How Microsoft Intune implements MAM

For Intune to manage an application, the app must be "MAM-enlightened." This means the application has been built or modified to understand and respect Intune's security policies.

Microsoft implements MAM through two primary methods:

  • Intune App SDK: Developers integrate the Intune Software Development Kit directly into the app's code during the building process. All core Microsoft 365 mobile apps (Outlook, Teams, Edge, Word) natively include this SDK.
  • Intune App Wrapping Tool: If you have a custom, internal line-of-business (LOB) app without the SDK, administrators can use this tool to "wrap" a management layer around the compiled app, giving it MAM capabilities without requiring code changes.

Once an app is MAM-enlightened, it becomes a Managed App. Intune can now draw a secure, cryptographic boundary around it, isolating it from the Unmanaged Apps (like personal social media or native email clients) on the same device.

Introduction to App Protection Policies (APPs)

If MAM is the engine, App Protection Policies (APPs) are the rules that govern how that engine runs. APPs are rules that ensure an organization's data remains safe or contained within a managed app.

APPs provide three core layers of control:

  • Data Relocation (Leakage Prevention): Controls how data moves. You can restrict users from copying text from a corporate email and pasting it into a personal text message, or block them from saving a corporate Excel file to their personal Google Drive.
  • Access Requirements: Controls who can open the app. You can require users to enter a specific PIN or use biometrics (FaceID/Fingerprint) just to open the managed app, independent of the device's lock screen.
  • Conditional Launch: Evaluates the health of the device and app. You can block the app from opening if the device is jailbroken/rooted, if the OS is dangerously out of date, or if the user is offline for too long.

How MAM and APPs work together

When you deploy an App Protection Policy, it acts as a gatekeeper.

A key strength of Intune MAM is that it supports MAM without Enrollment (MAM-WE). This means an employee can download the standard Microsoft Outlook app from the public iOS App Store or Google Play Store onto their personal phone.

When the user signs into Outlook with their personal email, no policy is applied. But the moment they add their corporate Microsoft Entra ID account, Intune intercepts the sign-in. The App Protection Policy is dynamically applied to that specific corporate session, containerizing the work data while leaving the personal session completely untouched.

Data protection scenarios

When properly configured, MAM and APPs fundamentally alter how data flows on a device to prevent exfiltration.

  • Scenario 1: Controlling Copy and Paste. A user attempts to copy sensitive customer data from a managed Microsoft Word document. If they try to paste it into the managed Microsoft Teams app, it succeeds. If they open their personal WhatsApp and hit paste, the action is blocked, and a toast notification informs them that organizational data cannot be pasted here.
  • Scenario 2: Secure Web Links. A user clicks a link inside a corporate email in Outlook. Instead of opening in the user's unmanaged personal Safari browser, the APP forces the link to open in the managed Microsoft Edge app, ensuring that data protection rules follow the user to the web.
  • Scenario 3: The Selective Wipe. An employee leaves the company. Instead of factory resetting their personal phone, the administrator issues a MAM Selective Wipe. The next time the device connects to the internet, Intune deletes only the corporate data inside the managed apps, leaving the user's personal data fully intact.
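The following simulation ties the three APP control layers (access requirements, conditional launch, data relocation), the identity-based MAM-WE model and the three scenarios above into one runnable decision model. It is an added example written for this page, not Intune or Microsoft Graph code: the policy keys, the tenant domain contoso.example, the set of managed apps and the device states are all constructed for illustration and do not reflect the real Intune policy schema.

```python
"""Simulation of App Protection Policy (APP) decisions for one app session.
Policy keys, tenant domain and app names are constructed for this example;
they are not the Intune or Microsoft Graph schema."""
from dataclasses import dataclass

CORPORATE_POLICY = {
    "access": {"pin_or_biometric_required": True},
    "conditional_launch": {
        "block_jailbroken_rooted": True,
        "min_os_version": (16, 0),
        "max_offline_hours": 72,
    },
    "data_relocation": {
        "clipboard_outbound": "managed_apps",  # managed_apps | all_apps | blocked
        "save_as_destinations": {"OneDrive for Business", "SharePoint"},
        "open_links_in_managed_browser": True,
    },
}
CORP_DOMAIN = "contoso.example"                               # constructed tenant
MANAGED_APPS = {"Outlook", "Teams", "Word", "Excel", "Edge"}  # MAM-enlightened apps


@dataclass
class DeviceState:
    """Device health as seen by conditional launch (constructed fields)."""
    jailbroken: bool
    os_version: tuple
    hours_offline: float


def policy_for(account):
    """MAM-WE: the policy binds to the corporate identity, not the device.
    A personal account signed into the same app receives no policy at all."""
    domain = account.rsplit("@", 1)[-1]
    return CORPORATE_POLICY if domain == CORP_DOMAIN else None


def conditional_launch(policy, device):
    """Return (allowed, reason) for opening a managed app with a corporate account."""
    cl = policy["conditional_launch"]
    if cl["block_jailbroken_rooted"] and device.jailbroken:
        return False, "device is jailbroken/rooted"
    if device.os_version < cl["min_os_version"]:
        return False, "OS version below minimum"
    if device.hours_offline > cl["max_offline_hours"]:
        return False, "offline longer than the allowed grace period"
    return True, "ok"


def can_paste(policy, destination_app):
    """Scenario 1: clipboard content leaving a managed app."""
    level = policy["data_relocation"]["clipboard_outbound"]
    if level == "all_apps":
        return True
    if level == "managed_apps":
        return destination_app in MANAGED_APPS
    return False  # "blocked"


def can_save_as(policy, destination):
    """Save As from a managed app to a storage service."""
    return destination in policy["data_relocation"]["save_as_destinations"]


def browser_for_link(policy, requested_browser):
    """Scenario 2: links from managed apps are redirected to the managed browser."""
    if policy["data_relocation"]["open_links_in_managed_browser"]:
        return "Edge"
    return requested_browser


def selective_wipe(app_data):
    """Scenario 3: drop corporate-account data from every app, keep personal data.
    app_data maps app -> {account: data}; the surviving structure is returned."""
    return {
        app: {acct: data for acct, data in accounts.items() if policy_for(acct) is None}
        for app, accounts in app_data.items()
    }


if __name__ == "__main__":
    policy = policy_for("alice@contoso.example")
    healthy = DeviceState(jailbroken=False, os_version=(17, 2), hours_offline=2)
    print(conditional_launch(policy, healthy))
    print(can_paste(policy, "Teams"), can_paste(policy, "WhatsApp"))
    print(browser_for_link(policy, "Safari"))
    print(selective_wipe({"Outlook": {"alice@contoso.example": "corp mail",
                                      "alice@personal.example": "personal mail"}}))
```

Note that every decision starts from `policy_for(account)`: the personal account resolves to no policy, so the same Outlook install behaves differently per signed-in identity, which is exactly what MAM-WE means in practice.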

Real-world use cases

MAM and APPs adapt to different hardware ownership models to provide flexible security:

  • The BYOD Environment (MAM-Only): A hospital allows doctors to check their schedules on personal phones. MDM enrollment is rejected by the staff. IT deploys APPs to secure the scheduling app, requiring a biometric check to open it and blocking screenshots to maintain HIPAA compliance.
  • The Corporate Device (Defense-in-Depth): A sales team is issued fully managed (MDM) corporate iPads. Even though the devices are trusted, IT applies APPs to ensure that if a user downloads a personal cloud storage app from the App Store, they cannot accidentally upload corporate client lists into it.