This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Contoso lets employees access corporate email from their personal iPhones but doesn't want IT to manage the entire device. Which Microsoft Intune approach best meets this requirement?
Enroll each personal device in Mobile Device Management (MDM) and apply a device compliance policy.
Deploy Mobile Application Management (MAM) without enrollment by assigning an App Protection Policy to the user's corporate identity.
Block all access to corporate email from personal devices using a Conditional Access policy.
An administrator wants to allow users to copy text from their personal browser into a managed work email but block copying confidential data out of the work email into personal apps. Which App Protection Policy data relocation setting achieves this?
Set Restrict cut, copy, and paste between other apps to Any app.
Set Restrict cut, copy, and paste between other apps to Blocked.
Set Restrict cut, copy, and paste between other apps to Policy managed apps with paste in.
Why should App Protection Policies be assigned to user groups rather than device groups in Microsoft Intune?
Because App Protection Policies target the corporate identity inside supported apps, not the physical device.
Because device groups can't be created in Microsoft Intune for mobile platforms.
Because user groups apply policies faster than device groups.
Users on BYOD iPhones are still able to read corporate mail in the native iOS Mail app, bypassing the Outlook App Protection Policy. Which control closes this gap?
Add a stricter App PIN requirement to the existing App Protection Policy.
Create a Microsoft Entra Conditional Access policy that requires an approved client app or app protection policy for Exchange Online.
Increase the conditional launch offline grace period in the App Protection Policy.
A licensed user reports that the App Protection Policy isn't applying when they sign into Microsoft Outlook on their phone. What should you verify first?
That the user is signing in with their corporate Microsoft Entra ID account, not a personal account.
That the device is enrolled in Microsoft Intune MDM.
That the App Protection Policy is assigned to a device group that contains the phone.
You must answer all questions before checking your work.
Was this page helpful?
Need help with this topic?
Want to try using Ask Learn to clarify or guide you through this topic?