May 20, 2020


Protect company data on mobile devices through application management policies

Protecting your company's data is vitally important, and it is an increasingly challenging task as more employees use their mobile devices to access company resources, including email and email attachments. As an IT administrator, you want to make sure that company data is protected even when those mobile devices are not within the company’s physical location.

This guide will focus on the enablement of managed applications as it applies to two Intune MDM deployments:

• As a cloud management solution using Intune
• As an integrated service with Configuration Manager

This allows you to create and deploy apps with mobile app management (MAM) policies to best protect your company data.

This document focuses on the creation of these MAM-based policies when the end-user device is enrolled in Intune for MDM. See Protect line of business apps and data on devices not enrolled in Microsoft Intune for information about configuring these MAM policies when the device itself is not enrolled in Intune for MDM.

Introduction

Managed apps are apps that have mobile app management (MAM) policies applied to them that make them compliant with your company’s security requirements. You have two options for managing mobile apps:

• The default capability, such as Apple Managed Open In, which protects corporate data by controlling the apps that are allowed to open certain documents and email attachments.
• The Intune App SDK, which lets you limit the functionality and restrict sharing of data for any apps that have the Intune App SDK enabled. Some of the main features of the Intune App SDK are that it allows you to:
o Manage the save-as function
o Prevent cut, copy, paste
o Require authentication when an app is accessed
o Wipe corporate data from an Intune-managed app

See Intune App SDK Overview for a description of all SDK features.

Before you begin

Learn about deploying apps using Microsoft Intune

Learn the basics about Intune app deployment.

Evaluate your desired implementation

With all of the different design and configuration options for managing mobile devices, it’s difficult to determine which combination will best meet the needs of your company. The Mobile Device Management Design Considerations Guide helps you understand mobile device management design requirements and details a series of steps and tasks that you can follow to design a solution that best fits the business and technology needs of your company.

Understand the high-level end-user experience

After the solution is implemented, you will be able to protect data on devices whether or not your company manages them. By simply implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department.

Note
The end-user experience of this solution is described in more detail in the End-user Experience section, later in this topic.

Understand the app lifecycle

Just like with the management of your devices, apps have a lifecycle that takes you from preparation, to deployment, monitoring, updating, and retiring. Intune can help you at all stages of this lifecycle. For detailed information about the app lifecycle, see Overview of the app lifecycle.

Learn about the Microsoft apps you can use with MAM policies

The Microsoft Intune application partners page contains the latest information about apps from Microsoft and other companies that you can use with MAM policies.

You can use the Microsoft Intune App Wrapping Tool to modify the behavior of your in-house apps to let you configure features of the app without modifying the code of the app itself. See the following topics for more specific information:

• Prepare iOS apps for mobile application management with the Microsoft Intune App Wrapping Tool
• Prepare Android apps for mobile application management with the Microsoft Intune App Wrapping Tool

Understand how policy conflicts are resolved

• When there is a MAM policy conflict on the first deployment to the user or device, the specific setting value in conflict will be removed from the policy deployed to the app, and the app will use a built-in conflict value (most restrictive is the default).
• When there is a mobile app management policy conflict on later deployments to the app or user, the specific setting value in conflict will not be updated on the mobile app management policy deployed to the app, and the app will use the existing value for that setting.

In cases where the device or user receives two conflicting policies, the following behavior applies:

• If a policy has already been deployed to the device, the existing policy settings are not overwritten.
• If no policy has already been deployed to the device, and two conflicting settings are deployed, the default setting built into the device is used.

Now that you are familiar with the overall process for MAM, you are ready to use mobile app management policies in Intune or use mobile app management policies in Configuration Manager.
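The conflict rules above as an added, runnable model (this is example code, not Microsoft's code and not how Intune is actually implemented): it shows which value an app ends up with on a first versus a later deployment. The setting names, the ordering used to pick the "most restrictive" built-in value, and the sample policies are assumptions made for illustration.

```python
"""Model of the MAM policy conflict-resolution rules described above.

Added example, not Microsoft code and not Intune's actual implementation.
The setting names, the restrictiveness ordering used for the "most
restrictive" built-in value, and the sample policies are assumptions.
"""
from typing import Any, Dict, List, Optional, Set

Policy = Dict[str, Any]

# Assumed ordering per setting, most restrictive value first. The page only
# says the built-in conflict value is "most restrictive"; it does not list them.
RESTRICTIVENESS: Dict[str, List[Any]] = {
    "clipboard": ["Blocked", "PolicyManagedApps",
                  "PolicyManagedAppsWithPasteIn", "AnyApp"],
    "transfer_data_to": ["None", "PolicyManagedApps", "AnyApp"],
    "require_pin": [True, False],
    "block_screen_capture": [True, False],
}


def find_conflicts(incoming: List[Policy]) -> Dict[str, Set[Any]]:
    """Settings on which the policies deployed together disagree.

    These are the settings the console flags with Error in Step 5.
    """
    conflicts: Dict[str, Set[Any]] = {}
    keys = set().union(*(p.keys() for p in incoming))
    for key in keys:
        values = {p[key] for p in incoming if key in p}
        if len(values) > 1:
            conflicts[key] = values
    return conflicts


def built_in_conflict_value(setting: str, values: Set[Any]) -> Any:
    """The most restrictive of the conflicting values (the stated default)."""
    order = RESTRICTIVENESS[setting]
    return min(values, key=order.index)


def resolve(existing: Optional[Policy], incoming: List[Policy]) -> Policy:
    """Return the settings an app ends up with after one deployment round.

    existing: policy already applied to the app on this device, or None
              when this is the first deployment.
    incoming: every policy deployed to the app/user in this round.
    """
    effective: Policy = dict(existing or {})
    conflicts = find_conflicts(incoming)
    keys = set().union(*(p.keys() for p in incoming))
    for key in keys:
        if key not in conflicts:
            # No conflict: the deployed value is applied (or updates the old one).
            effective[key] = next(p[key] for p in incoming if key in p)
        elif key not in effective:
            # First deployment of this setting with a conflict: the conflicting
            # value is dropped and the built-in (most restrictive) value is used.
            effective[key] = built_in_conflict_value(key, conflicts[key])
        # else: conflict on a later deployment; the existing value is left as is.
    return effective


if __name__ == "__main__":
    # Constructed sample: two policies that disagree only on the clipboard setting.
    strict = {"clipboard": "PolicyManagedApps", "require_pin": True}
    loose = {"clipboard": "AnyApp", "require_pin": True}
    print("conflicts:", find_conflicts([strict, loose]))
    print("first deployment:", resolve(None, [strict, loose]))
    print("later deployment:",
          resolve({"clipboard": "AnyApp", "require_pin": False}, [strict, loose]))
```

The practical consequence is visible in the second run: a stricter clipboard value deployed later does not tighten an app that already holds a looser value, which is why the page tells you to resolve the conflict in the policies themselves rather than redeploy.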

Using Mobile App Management Policies in Intune

One of the primary reasons many companies use Microsoft Intune is to deploy apps that users need to get their work done. Before you deploy apps, you'll need to get your devices managed.

For example, if your company uses Microsoft Word, there are versions available for Windows, iOS, Android and more. The challenge you, as an IT admin, face is to manage the multitude of apps available, on many different device and computer platforms, with the aim of allowing users to do their work while still ensuring the security of your company data.

If you are using Intune with Configuration Manager, see How to Control Apps Using Mobile Application Management Policies in Configuration Manager.

MAM policies support:

• Devices that run Android 4 and later.
• Devices that run iOS 7 and later.

Note
MAM policies support devices that are enrolled with Intune. If you are looking for information about how to create app management policies for devices that are not managed by Intune, see Protect app data using mobile app management policies with Microsoft Intune.

Unlike other Intune policies, you do not deploy a MAM policy directly. Instead, you associate the policy with the app that you want to restrict. When the app is deployed and installed on devices, the settings you specify will take effect.

To apply restrictions to an app, the app must incorporate the Microsoft Intune App Software Development Kit (SDK). There are two methods of obtaining this type of app:

• Use a policy managed app – Has the App SDK built in. To add this type of app, you specify a link to the app from an app store such as the iTunes store or Google Play. No further processing is required for this type of app. To see the full list of supported Microsoft apps, go to the Microsoft Intune mobile application gallery on the Microsoft Intune application partners page. Choose an app to see the supported scenarios, platforms and whether or not the app supports multi-identity.
• Use a ‘wrapped’ app – Apps that are repackaged to include the App SDK by using the Microsoft Intune App Wrapping Tool. This tool is typically used to process company apps that were created in-house. It cannot be used to process apps that were downloaded from the app store. See:
o Prepare iOS apps for mobile application management with the Microsoft Intune App Wrapping Tool
o Prepare Android apps for mobile application management with the Microsoft Intune App Wrapping Tool

Some managed apps, like the Outlook app for iOS and Android, support multi-identity. This means that Intune only applies management settings to corporate accounts or data in the app.

Tip
For example, using the Outlook app:

• If the user configures a corporate and a personal email account, Intune only applies management settings to the corporate account and does not manage the personal account.
• If the device is retired, or unenrolled, only the corporate Outlook data is removed from the device.
• The corporate account used must be the same account that was used to enroll the device with Intune.

Word, Excel, and PowerPoint all support multi-identity as well, except the policy restrictions only apply when managing and editing corporate-identifiable data from a service such as OneDrive or SharePoint.

Create and deploy an app with a mobile app management policy

Step 1: Get the link to a policy managed app, or create a wrapped app.
Step 2: Publish the app to your cloud storage space.
Step 3: Create a MAM policy.
Step 4: Deploy the app, selecting the option to associate the app with a MAM policy.
Step 5: Monitor the app deployment.

Step 1: Obtain the link to a policy managed app, or create a wrapped app

• To obtain a link to a policy managed app – From the app store, find and note the URL of the policy managed app you want to deploy. For example, the URL of the Microsoft Word for iPad app is https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8
• To create a wrapped app – Use the information in the topics Prepare iOS apps for mobile application management with the Microsoft Intune App Wrapping Tool and Prepare Android apps for mobile application management with the Microsoft Intune App Wrapping Tool to create a wrapped app. The tool creates a processed app that you will use when you publish the app to your cloud storage space.

Step 2: Upload the app to your cloud storage space

When you publish a managed app, the procedures differ depending on whether you are publishing a policy managed app, or an app that was processed using the Microsoft Intune App Wrapping Tool for iOS.

1. In the Microsoft Intune administrator console, choose Apps > Add Apps to start the Intune software publisher. You might need to enter your Intune username and password before the publisher starts.

2. On the Software setup page of the software publisher, configure the following:

Select how this software is made available to devices

• To publish an app that was processed using the Microsoft Intune App Wrapping Tool, select Software installer, then specify:

Select the software installer file type: This indicates the type of software you want to deploy. For example, if you want to install an iOS app, choose App Package for iOS (*.ipa file).

Specify the location of the software setup files: Enter the location of the installation files or choose Browse to select the location from a list.

Include additional files and subfolders from the same folder: For the Windows Installer file type only. Some software that uses Windows Installer requires supporting files which are typically found in the same folder as the installation files. Select this option if you also want to deploy these files.

This installation type uses some of your cloud storage space.

• To publish a policy managed app for Android, select External link, then specify:

Specify the URL: Enter the app store URL of the app you want to deploy. For example, if you want to deploy the Microsoft Remote Desktop app for Android, specify https://play.google.com/store/apps/details?id=com.microsoft.rdc.android.

Tip
To find the URL of the app, use a search engine to find the store page containing the app. For example, to find the Remote Desktop app, you could search Microsoft Remote Desktop Android.

This installation type does not use any of your cloud storage space.

• To publish a policy managed app for iOS, select Managed iOS app from the app store, then specify:

Specify the URL: Enter the app store URL of the app you want to deploy. For example, if you want to deploy the Microsoft Work Folders app for iOS, specify https://itunes.apple.com/us/app/work-folders/id950878067?mt=8.

This installation type does not use any of your cloud storage space.

3. On the Software description page, configure the following. Depending on the installer type you are using, some of these values might have been automatically entered, or might not appear.

Publisher: Enter the name of the publisher of the app.

Name: Enter the name of the app as it will be displayed in the company portal.

Tip
Make sure all app names you use are unique. If the same app name exists twice, only one of the apps will be displayed to users in the company portal.

Description: Enter a description for the app. This will be displayed to users in the company portal.

URL for software information: Available only if you selected Software installer. (Optional) Enter a URL to a website that contains information about this app. The URL will be displayed to users in the company portal.

Privacy URL: Available only if you selected Software installer. (Optional) Enter a URL to a website that contains privacy information for this app. The URL will be displayed to users in the company portal.

Category: (Optional) Select one of the built-in app categories. This will make it easier for users to find the app when they browse the company portal.

Display this as a featured app and highlight it in the company portal: Display the app prominently on the main page of the company portal when users browse for apps.

Icon: (Optional) Upload an icon that will be associated with the app. This is the icon that will be displayed with the app when users browse the company portal.

4. On the Requirements page, select the requirements that must be met before the app can start to install on a device. For example, for an app package for iOS, you can select the minimum version of iOS required, and the type of device it must be, like an iPhone or an iPad. The Requirements page is not displayed for all types of apps.

5. Further wizard pages are displayed if you choose the Windows Installer file type. This file type is not used by mobile devices.

6. On the Summary page, review the information you specified. Once you are ready, choose Upload.

7. Choose Close to finish.

The app is displayed on the Apps node of the Apps workspace.

Step 3: Create a MAM policy

This step describes the process of creating a MAM policy in the Intune admin console. You can also create a MAM policy by using the Azure portal.

1. In the Microsoft Intune administration console, choose Policy > Overview > Add Policy.

2. Choose Software to configure and deploy one of the following policies, depending on the device type you want to configure apps for:
o Mobile Application Management Policy (Android 4 and later)
o Mobile Application Management Policy (iOS 7 and later)

You can use recommended settings or customize the settings. For details, see Manage settings and features on your devices with Microsoft Intune policies.

3. Configure the following settings as required. The options might differ depending on the device type for which you are configuring the policy.

Name: Specify a name for this policy.

Description: Optionally, specify a description for this policy.

Restrict web content to display in a corporate managed browser: When this setting is enabled, any links in the app will be opened in the Managed Browser. You must have deployed this app to devices in order for this option to work.

Prevent Android backups or Prevent iTunes and iCloud backups: Disables the backup of any information from the app.

Allow app to transfer data to other apps: Specifies the apps that this app can send data to. You can choose to not allow data transfer to any app, only allow transfer to other managed apps, or to allow transfer to any app. This setting does not control use of the Open In feature on mobile devices.
For example, when you do not allow data transfer, you restrict data transfer to services like SMS messaging, assigning images to contacts, and posting to Facebook or Twitter.
For iOS devices, to prevent document transfer between managed and unmanaged apps, you must also configure and deploy a mobile device security policy that disables the setting Allow managed documents in other unmanaged apps. If you select to only allow transfer to other managed apps, the Intune PDF and image viewers (if deployed) will be used to open content of the respective types.
Additionally, if you set this option to Policy Managed Apps or None, the iOS 9 feature that allows Spotlight Search to search data within apps will be blocked.
Important
This setting does not control use of the Open In feature on mobile devices. To manage Open In, go here.

Allow app to receive data from other apps: Specifies the apps that this app can receive data from. You can choose to:
o not allow data transfer from any app
o only allow transfer from other managed apps
o allow transfer from any app
Note
For iOS apps that support multi-identity (where Intune only applies management settings to corporate accounts or data in the app), the following behavior applies: on an enrolled device with a MAM policy applied, when a user accesses data from an app that is not managed by a MAM policy, the data will be treated as corporate data and protected by the policy.

Prevent “Save As”: Disables use of the Save As option to save data to personal cloud storage locations (such as OneDrive Personal or Dropbox) in any app that uses this policy.

Restrict cut, copy and paste with other apps: Specifies how cut, copy, and paste operations can be used with the app. Choose from:
o Blocked – Do not allow cut, copy, and paste operations between this app and other apps.
o Policy Managed Apps – Only allow cut, copy, and paste operations between this app and other managed apps.
o Policy Managed Apps with Paste In – Allow data cut or copied from this app only to be pasted into other managed apps. Allow data cut or copied from any app to be pasted into this app.
o Any App – No restrictions on cut, copy, and paste operations to, or from, this app.
To copy and paste data between managed apps, both apps must have either the Policy Managed Apps or the Policy Managed Apps with Paste In setting configured.

Require simple PIN for access: Requires the user to enter a PIN which they specify to use this app. The user will be asked to set this up the first time they run the app.

Number of attempts before PIN reset: Specify the number of PIN entry attempts which can be made before the user must reset the PIN.

Require corporate credentials for access: Requires that the user must enter their corporate logon information before they can access the app.

Require device compliance with corporate policy for access: Only allows the app to be used when the device is not jailbroken or rooted.

Recheck the access requirements after (minutes): In the Timeout field, specify the time period before the access requirements for the app are rechecked after the app is launched.

Offline grace period: If the device is offline, specify the time period before the access requirements for the app are rechecked.

Encrypt app data: Specifies that all data associated with this app will be encrypted, including data stored externally, such as on SD cards.
Encryption for iOS: For apps that are associated with an Intune mobile app management policy, data is encrypted at rest using device-level encryption provided by the OS. This is enabled through a device PIN policy that must be set by the IT admin. When a PIN is required, the data will be encrypted per the settings in the MAM policy. As stated in Apple documentation, the modules used by iOS 7 are FIPS 140-2 certified.
Encryption for Android: For apps that are associated with an Intune mobile app management policy, encryption is provided by Microsoft. Data is encrypted synchronously during file I/O operations according to the setting in the MAM policy. Managed apps on Android use AES-128 encryption in CBC mode utilizing the platform cryptography libraries. The encryption method is not FIPS 140-2 certified. Content on the device storage will always be encrypted.

Block screen capture (Android devices only): Specifies that the screen capture capabilities of the device are blocked when using this app.

4. When you are finished, choose Save Policy.
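The four cut, copy and paste values above as an added, runnable model (example code, not part of the original document and not Intune's implementation): a paste is evaluated as a two-sided check, the source app's outbound rule and the destination app's inbound rule, which is what makes the Paste In variant asymmetric. The app names are constructed, and treating an unmanaged app as imposing no rule of its own is an assumption.

```python
"""Model of the "Restrict cut, copy and paste with other apps" setting.

Added example, not Microsoft code. Assumptions: an app with no MAM policy
(an unmanaged app) places no restriction of its own, an app may always
paste within itself, and the app inventory below is made up.
"""
from enum import Enum
from typing import Dict, Optional


class Clipboard(Enum):
    BLOCKED = "Blocked"
    POLICY_MANAGED = "Policy Managed Apps"
    POLICY_MANAGED_PASTE_IN = "Policy Managed Apps with Paste In"
    ANY_APP = "Any App"


# Constructed inventory: app name -> its MAM clipboard setting, or None
# for an app that is not policy managed.
APPS: Dict[str, Optional[Clipboard]] = {
    "Outlook": Clipboard.POLICY_MANAGED,
    "Word": Clipboard.POLICY_MANAGED_PASTE_IN,
    "LineOfBusiness": Clipboard.BLOCKED,
    "PersonalChat": None,  # unmanaged, no policy applied
}


def is_managed(app: str) -> bool:
    return APPS[app] is not None


def may_send(source: str, dest: str) -> bool:
    """Does the source app's setting allow data it cut/copied to reach dest?"""
    setting = APPS[source]
    if setting is None or setting is Clipboard.ANY_APP:
        return True
    if setting is Clipboard.BLOCKED:
        return False
    # POLICY_MANAGED and POLICY_MANAGED_PASTE_IN: outbound only to managed apps
    return is_managed(dest)


def may_receive(dest: str, source: str) -> bool:
    """Does the destination app's setting allow a paste that came from source?"""
    setting = APPS[dest]
    if setting is None or setting is Clipboard.ANY_APP:
        return True
    if setting is Clipboard.BLOCKED:
        return False
    if setting is Clipboard.POLICY_MANAGED_PASTE_IN:
        return True  # paste in from any app, managed or not, is allowed
    return is_managed(source)  # POLICY_MANAGED: only from other managed apps


def paste_allowed(source: str, dest: str) -> bool:
    """A paste succeeds only if both sides' settings permit it."""
    if source == dest:
        return True
    return may_send(source, dest) and may_receive(dest, source)


def matrix() -> Dict[str, Dict[str, bool]]:
    """Full source -> destination table, handy for reviewing a policy set."""
    return {s: {d: paste_allowed(s, d) for d in APPS} for s in APPS}


if __name__ == "__main__":
    for src, row in matrix().items():
        print(f"{src:15}", {d: ("ok" if ok else "-") for d, ok in row.items()})
```

Note in the output that PersonalChat can paste into Word (Paste In) but not into Outlook (Policy Managed Apps), while neither managed app can paste out to PersonalChat.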

The new policy displays in the Configuration Policies node of the Policy workspace.

Step 4: Associate the app with a MAM policy, then deploy the app

Deploy the app, ensuring that you select the MAM policy on the Mobile App Management page to associate the policy with the app. For details about some of the concepts you need to understand before you start deploying apps with Microsoft Intune, see Deploy apps in Microsoft Intune.

1. In the Microsoft Intune administrator console, choose Apps > Apps to view the list of apps you manage.
2. Select the app you want to deploy, and then choose Manage Deployment.
3. In the <app name> dialog box on the Select Groups page, choose the user or device groups to which you want to deploy the app.
4. In the dialog box on the Mobile App Management page, select the App Management Policy you want to associate with the app.

Other pages let you configure other deployment options. For details, go here.

For devices that run operating systems earlier than iOS 7.1, associated policies will not be removed when the app is uninstalled.

If the device is unenrolled from Intune, policies are not removed from the apps; any apps that had policies applied will retain the policy settings even after the app is uninstalled and reinstalled.

What to do when an app is already deployed on devices

There might be situations where you deploy an app and one of the targeted users or devices already has an unmanaged version of the app installed, for example, the user installed Microsoft Word from the app store. In this case, you must ask the user to manually uninstall the unmanaged version so that the managed version you configured can be installed.

However, for devices that run iOS 9 and later, Intune will automatically ask the user for permission to take over management of the existing app. If they agree, then the app will become managed by Intune and any MAM policies you associated with the app will also be applied. If the device is in supervised mode, Intune will take over management of the existing app without asking the user's permission.

Step 5: Monitor the app deployment with MAM policy

Once you have created and deployed an app associated with a MAM policy, use the following procedures to monitor the app and resolve any policy conflicts.

Note
For general information about monitoring app deployment, see Monitor app deployments in Microsoft Intune.

To view the status of the deployment

1. In the Microsoft Intune administration console, choose Groups.
2. Perform one of the following steps:
o Choose All Users, then double-click the user whose devices you want to examine. On the User Properties page, choose Devices, then double-click the device you want to examine.
o Choose All Devices > All Mobile Devices. On the Device Group Properties page, choose Devices, then double-click the device you want to examine.
3. From the Mobile Device Properties page, choose Policy to see a list of the MAM policies that have been deployed to the device.
4. Select the MAM policy whose status you want to view. You can view details of the policy in the bottom pane and expand its node to display its settings.
5. Under the Status column of each of the MAM policies, Conforms, Conforms (Pending), or Error will be displayed. If the selected policy has one or more settings in conflict, Error will be displayed in this field.
6. Once you have identified a conflict, you can revise conflicting policy settings to use the same setting, or deploy only one policy to the app and user.

Using Mobile App Management policies in Configuration Manager Beginning with System Center 2012 Configuration Manager SP2, app management policies let you

modify the functionality of apps that you deploy to help bring them into line with your company

compliance and security policies. For example, you can restrict cut, copy and paste operations within a

restricted app, or configure an app to open all web links inside a managed browser. App management

policies support:

Devices that run Android 4 and later.

Devices that run iOS 7 and later.

In addition to managed devices, mobile app management policies can be used to protect apps

on devices that are not managed by Intune. Using this new capability, you can apply mobile app

management policies for apps connecting to Office 365 services. This is not supported for apps

connecting to on-premises Exchange or SharePoint.

To use this new capability, you must use the Azure preview portal. The following topics can help

you get started:

Get ready to configure mobile app management policies with Microsoft Intune

Monitor mobile app management policies with Microsoft Intune

Unlike configuration items and baselines in Configuration Manager, you do not deploy an application

management policy directly. Instead, you associate the policy with the app deployment type (DT) that

Tip

Page 18: Protect company data on mobile devices through …...Protect company data on mobile devices through application management policies Protecting your company's data is vitally important,

you want to restrict. When the app DT is deployed and installed on devices, the settings you specify will

take effect.

To apply restrictions to an app, the app must incorporate the Microsoft Intune App Software Development Kit (SDK). There are two methods of obtaining this type of app:

Use a policy managed app (Android and iOS): Has the App SDK built-in. To add this type of app, you specify a link to the app from an app store such as the iTunes store or Google Play. No further processing is required for this type of app. For a list of the policy managed apps that are available for iOS and Android devices, see Microsoft Intune mobile application gallery.

Use a ‘wrapped’ app (Android and iOS): Apps that are repackaged to include the App SDK by using the Microsoft Intune App Wrapping Tool. This tool is typically used to process company apps that were created in-house. It cannot be used to process apps that were downloaded from the app store. See Prepare iOS apps for mobile application management with the Microsoft Intune App Wrapping Tool and Prepare Android apps for mobile application management with the Microsoft Intune App Wrapping Tool.

Create and deploy an app with a MAM policy

Step 1: Obtain the link to a policy managed app, or create a wrapped app.

To obtain a link to a policy managed app (iOS and Android): From the app store, find and note the URL of the policy managed app you want to deploy. For example, the URL of the Microsoft Word for iPad app is https://itunes.apple.com/us/app/microsoft-word-for-ipad/id586447913?mt=8

To create a wrapped app (iOS and Android): Use the information in the topics Prepare iOS apps for mobile application management with the Microsoft Intune App Wrapping Tool and Prepare Android apps for mobile application management with the Microsoft Intune App Wrapping Tool to create a wrapped app. The tool creates a processed app and an associated manifest file. You will use these files when you create a Configuration Manager application containing the app.

Step 2: Create a Configuration Manager application that contains an app.

The procedure to create the Configuration Manager application differs depending on whether you are using a policy managed app (external link), or an app that was created by using the Microsoft Intune App Wrapping Tool for iOS (App package for iOS). Use one of the following procedures to create the Configuration Manager application.

To create an application for an App Wrapping Tool for iOS app

1. In the Configuration Manager console, choose Software Library.

2. In the Software Library workspace, expand Application Management, and then choose Applications.

3. In the Home tab, in the Create group, choose Create Application to open the Create Application Wizard. Or, you can go to Software Library > Overview > Application Management > Applications and then choose Create Application.

4. On the General page, select Automatically detect information about this application from installation files.

5. In the Type drop-down list, select App package for iOS (*.ipa file).

6. Choose Browse to select the app package you want to import, and then choose Next.

7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal.

8. Complete the wizard.

The new application is displayed in the Applications node of the Software Library workspace.

To create an application containing a link to a policy managed app

1. In the Configuration Manager console, choose Software Library.

2. In the Software Library workspace, expand Application Management, and then choose Applications.

3. In the Home tab, in the Create group, choose Create Application to open the Create Application Wizard. Or, you can go to Software Library > Overview > Application Management > Applications and then choose Create Application.

4. On the General page, select Automatically detect information about this application from installation files.

5. In the Type drop-down, select one of the following:

o For iOS: App Package for iOS from App Store

o For Android: App Package for Android on Google Play

6. Enter the URL for the app (from step 1), and then choose Next.

7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal.

8. Complete the wizard.

The new application is displayed in the Applications node of the Software Library workspace.

Step 3: Create a MAM policy.

Next, you create an application management policy that you will associate with the application. You can create a general or managed browser policy.

1. In the Configuration Manager console, choose Software Library.

2. In the Software Library workspace, expand Application Management, and then choose Application Management Policies.

3. In the Home tab, in the Create group, choose Create Application Management Policy.

4. On the General page, enter the name and description for the policy, and then choose Next.

5. On the Policy Type page, select the platform (such as iOS or Android) and the policy type for this policy, and then choose Next. The following policy types are available:

o General: The General policy type lets you modify the functionality of apps that you deploy to help bring them into line with your company compliance and security policies. For example, you can restrict cut, copy and paste operations within a restricted app.

o Managed Browser: Configure whether to allow or block the managed browser from opening a list of URLs. The Managed Browser policy type lets you modify the functionality of the Intune Managed Browser app. This is a web browser that lets you manage the actions that users can perform, including the sites they can visit, and how links to content within the browser are opened. For more information about the Intune Managed Browser app, see here for iOS and here for Android.

6. If you selected General on the Policy Type page, then on the iOS Policy or Android Policy page, configure the following values as required, and then choose Next. The options might differ depending on the device type for which you are configuring the policy.

Each value is listed below with more information about what it does.

Restrict web content to display in a corporate managed browser: When this setting is enabled, any links in the app will be opened in the Managed Browser. You must have deployed this app to devices in order for this option to work.

Prevent Android backups or Prevent iTunes and iCloud backups: Disables the backup of any information from the app.

Allow app to transfer data to other apps: Specifies the apps that this app can send data to. You can choose to not allow data transfer to any app, only allow transfer to other restricted apps, or allow transfer to any app. For iOS devices, to prevent document transfer between managed and unmanaged apps, you must also configure and deploy a mobile device security policy that disables the setting Allow managed documents in other unmanaged apps.

Note

If you select to only allow transfer to other restricted apps, the Intune PDF and image viewers (if deployed) will be used to open content of the respective types.

Allow app to receive data from other apps: Specifies the apps that this app can receive data from. You can choose to:

not allow data transfer from any app

only allow transfer from other restricted apps

allow transfer from any app

Prevent “Save As”: Disables use of the Save As option in any app that uses this policy.

Restrict cut, copy and paste with other apps: Specifies how cut, copy, and paste operations can be used with the app. Choose from:

Blocked – Do not allow cut, copy, and paste operations between this app and other apps.

Policy Managed Apps – Only allow cut, copy, and paste operations between this app and other restricted apps.

Policy Managed Apps with Paste In – Allow data cut or copied from this app to be pasted only into other restricted apps. Allow data cut or copied from any app to be pasted into this app.

Any App – No restrictions on cut, copy, and paste operations to or from this app.

Require simple PIN for access: Requires the user to enter a PIN that they specify to use this app. The user will be asked to set this up the first time they run the app.

Number of attempts before PIN reset: Specify the number of PIN entry attempts that can be made before the user must reset the PIN.

Require corporate credentials for access: Requires that the user enter their corporate logon information before they can access the app.

Require device compliance with corporate policy for access: Only allows the app to be used when the device is not jailbroken or rooted.

Recheck the access requirements after (minutes): In the Timeout field, specify the time period before the access requirements for the app are rechecked after the app is launched. In the Offline grace period field, specify the time period before the access requirements for the app are rechecked if the device is offline.

Encrypt app data: Specifies that all data associated with this app will be encrypted, including data stored externally, such as SD cards.

Note

Encryption for iOS: For apps that are associated with a Configuration Manager mobile application management policy, data is encrypted at rest using device level encryption provided by the OS. This is enabled through a device PIN policy that must be set by the IT admin. When a PIN is required, the data will be encrypted per the settings in the MAM policy. As stated in Apple documentation, the modules used by iOS 7 are FIPS 140-2 certified.

Encryption for Android: For apps that are associated with a Configuration Manager mobile application management policy, encryption is provided by Microsoft. Data is encrypted synchronously during file I/O operations according to the setting in the MAM policy. Managed apps on Android use AES-128 encryption in CBC mode utilizing the platform cryptography libraries. The encryption method is not FIPS 140-2 certified. Content on the device storage will always be encrypted.

Block screen capture (Android devices only): Specifies that the screen capture capabilities of the device are blocked when using this app.

7. If you selected Managed Browser on the Policy Type page, then on the Managed Browser page, select whether the managed browser is allowed to open only URLs in the list or to block the managed browser from opening the URLs in the list, manage the URLs in the list, and then choose Next. For more information, see Manage Internet access using managed browser policies with Configuration Manager.

8. Complete the wizard.

The new policy is displayed in the Application Management Policies node of the Software Library workspace.
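The four cut, copy and paste levels and the two recheck timers in step 6 above are easier to reason about as a decision function. The following Python model is an added example, not code from this page or from Intune; the app names and rule assignments are constructed, and it assumes that a clipboard transfer between two managed apps must be permitted by the policies of both apps.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PasteRule(Enum):
    """The four 'Restrict cut, copy and paste with other apps' levels."""
    BLOCKED = "Blocked"
    POLICY_MANAGED = "Policy Managed Apps"
    POLICY_MANAGED_PASTE_IN = "Policy Managed Apps with Paste In"
    ANY_APP = "Any App"


@dataclass(frozen=True)
class App:
    name: str
    rule: Optional[PasteRule] = None  # None: no MAM policy (unmanaged app)

    @property
    def managed(self) -> bool:
        return self.rule is not None


def app_permits(app: App, other: App, app_is_source: bool) -> bool:
    """Does app's own policy allow clipboard data to flow between it and other?"""
    if app.rule is None or other == app:
        return True  # unmanaged app, or a paste within the same app
    if app.rule is PasteRule.BLOCKED:
        return False
    if app.rule is PasteRule.ANY_APP:
        return True
    if app.rule is PasteRule.POLICY_MANAGED:
        return other.managed
    # Policy Managed Apps with Paste In: data leaving this app may go only to a
    # restricted app, but data from any app may be pasted into this app.
    return other.managed if app_is_source else True


def clipboard_transfer_allowed(source: App, dest: App) -> bool:
    """Assumption: a transfer succeeds only if both endpoints' policies permit it."""
    return app_permits(source, dest, True) and app_permits(dest, source, False)


def access_recheck_due(minutes_since_check: float, online: bool,
                       timeout_min: int, offline_grace_min: int) -> bool:
    """'Recheck the access requirements after (minutes)': the Timeout applies
    while the device is online, the Offline grace period while it is offline."""
    window = timeout_min if online else offline_grace_min
    return minutes_since_check >= window


# Constructed sample apps; names and rule assignments are illustrative only.
WORD = App("Word", PasteRule.POLICY_MANAGED_PASTE_IN)
ONEDRIVE = App("OneDrive", PasteRule.POLICY_MANAGED)
NOTES = App("Personal Notes")  # unmanaged: no MAM policy applies
```

With these rules, data pasted from the unmanaged notes app into Word is accepted, but data copied out of Word can only land in another restricted app.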

Step 4: Associate the application management policy with a deployment type.

When a deployment type is created for an app that requires an application management policy, Configuration Manager will recognize that an app management policy must be linked to this deployment type when the associated app gets deployed and prompt you to associate an app management policy. For the Managed Browser, you will be required to associate both a General and a Managed Browser policy. For more information, see How to Create and Deploy Applications for Mobile Devices in Configuration Manager.

Important

For devices that run operating systems earlier than iOS 7.1, associated policies will not be removed when the app is uninstalled.

If the device is unenrolled from Configuration Manager, policies are not removed from the apps.

Apps that had policies applied will retain the policy settings even after the app is uninstalled and reinstalled.

Step 5: Monitor the app deployment.

Once you have created and deployed an app associated with a MAM policy, you can monitor the app and resolve any policy conflicts.

1. In the Configuration Manager console, choose Software Library.

2. In the Monitoring workspace, expand Overview, and then choose Deployments.

3. Select the deployment and on the Home tab, choose Properties.

4. In the details pane for the deployment, choose Application Management Policies under Related Objects.

For more information about monitoring applications, see How to Monitor Applications in Configuration Manager.

End-user Experience

MAM policies are applied only when apps are used in the work context. Read the following scenarios to help you educate your users so that they understand how managed apps work.

This section provides examples of the following end-user experiences:

Scenario: Accessing OneDrive on an iOS device

Scenario: Accessing OneDrive on an Android device

For information on other specific end-user experiences, see the following articles:

Using apps with multi-identity support

Managing user accounts

Viewing media files with the Rights Management sharing app

Scenario: Accessing OneDrive on an iOS device

1. The user launches the OneDrive app to open the sign-in page.

Note

On a personal device, typically the end user would download the app. If the device is managed by an MDM solution, you can deploy the app to the device.

2. The user types their work account user name and is redirected to the O365 authentication page to enter work credentials. After the credentials are successfully authenticated by Azure AD, the MAM policies are applied.

3. The user is prompted to set a PIN for the app (if you configured the policy for this).

4. Once the PIN is set and confirmed, the user can access the files on their OneDrive for Business.

Note

When you change a deployed policy, the changes will be applied the next time the app is opened.

Scenario: Accessing OneDrive on an Android device

1. The user launches the OneDrive app to open the sign-in page.

Note

On a personal device, typically the end user would download the app. If the device is managed by an MDM solution, you can deploy the app to the device.

2. The user types their work account user name and is redirected to the O365 authentication page to enter work credentials. After the credentials are successfully authenticated by Azure AD, the MAM policies are applied.

3. The OneDrive app launches automatically and the user is prompted to set a PIN, provided the policy settings are set to require a PIN to access the OneDrive app.

4. Once the PIN is set and confirmed, the user can continue using OneDrive, which is now managed by app policies.