Intune: Protecting your data in the user’s device, not the device itself.

With the growing trend of employees bringing their own smartphones and tablets to work to access company email and other corporate data, this presents a challenge for IT to ensure that data is well protected. With Microsoft Intune, you can enroll the device into Mobile Device Management (MDM) to manage the complete device – but that might be too much overhead or too much complexity for your organization and it’s business needs. Well, Microsoft Intune also has Mobile Application Management (MAM) capabilities, that enable you to manage just the app and the corporate data inside it, while leaving the rest of the device untouched. This is known as “sandboxing” and provides a great experience for not only the end-user but for IT as well. In this blog we’ll explore how this works.

I will not be discussing Intune MAM in-depth. Please refer to the technical documentation for more information.

From my personal iOS device, I wish to access my company email on it. To do this my company has instructed me to use the Outlook app as it’s the approved app. So I’ll download that from the App Store:

I’ll tap get started:


I’ll type in my credentials:

Next, my company’s sign-in page will be displayed and I will type in my password to finish the sign in process:

Upon signing in I will be prompted that my organization is now protecting it’s data in this app and that I need to restart the app to continue.

When the app restarts, it looks like my company requires a passcode each time I open the app – so I’ll create a new passcode now:

My mailbox will now be displayed:


If I wish to download an attachment and maybe save it locally, it looks like my company prevents me from doing that. Here I’ll bring up the message for you to see:

Upon opening the attachment and tapping the share icon, there’s no options to download or open with another app. My company wants it’s data to stay within the Outlook app:

Another example of how the app is locked down, is it looks like I cannot copy and paste data out of the app and into another app. Here I’ll try to copy data out of a sensitive email:

And then attempt to paste it into the Notes app. Notice the text that is pasted says “Your organization’s data cannot be pasted here”:



Now if I leave the company or get terminated, they can remotely remove any company data from the Outlook app. Here’s an example, I went to launch the Outlook app and was presented with this error:

When I tap OK and relaunch Outlook, it looks like I have to sign in again and have no access to my mailbox:



Now let’s step behind the scenes and into Intune to understand how to configure this capability, starting with configuring Intune Mobile Application Management. I’m going to start by launching Intune Application Management in the Azure portal, and then select App Policy:

I’m going to click on the policy I created, then click Policy Settings. Here you can see the configuration I specified. I’m preventing iTunes and iCloud from backing up data in the app. I’m not allowing data to transfer outbound/inbound to other apps. Preventing Save As. Requiring a Passcode,etc.

Here’s more of the policy:

As for user scope of the policy, I have it applied to a security group of MAM Users:

Clicking on Targeted Apps, it is only targeting the Outlook app (on iOS):

To remove just the company data from the app, I’m going to navigate to Wipe Requests and submit a new wipe request

Note: If I had a personal email account in the Outlook app and my company email was also in the app, this wipe will ONLY remove the company email data. My personal email data will remain untouched.

Next I’ll select the user and her device:

The wipe request will be sent to the device:


Conclusion: It’s fairly easy to setup MAM for your end-users. I encourage you to test this and see how it can enable new business outcomes for your organization. Enjoy!

Microsoft Teams: Manage it using Mobile Application Management (MAM)

Introduction: The purpose of this blog post is to walk the IT administrator through how to configure Mobile Application Management (MAM) for the Microsoft Teams app.

In this blog post we will cover the following MAM topics:

  1. How to assign Intune licenses to end-users.
  2. How to configure Mobile Application Management using the Intune console in the Azure portal.
  3. The user experience with MAM applied (examples include cut/copy/paste, require PIN,etc).
  4. How to wipe data from the Microsoft Teams app only selective wipe) using MAM (and not wiping the device).
  5. The user experience when wiping data from the Microsoft Teams app only.
  6. MAM for other Microsoft mobile applications.

What is MAM? Mobile Application Management (MAM for short) offers the capability to manage only the app, and its data without having to manage the physical device itself. This is very important, as you do not need to enroll the device into Intune at all and do not need to manage the device itself, just the app. The management of the app and the data within the application is all handled through in-band provisioning (i.e. Mobile Application Management) when the user signs in to the application. This provides the following benefits:

  • When management of the device itself is not possible and/or not necessary (enrolling the device into a mobile device management solution)
  • Enable user liable (personal) devices to connect to enterprise resources without having to manage the device (device enrollment).
  • If you want to manage apps separately from the device (for example, different device management solutions).

MAM is a capability of Intune App Protection, and is covered in more detail here: Protect app data using app protection policies with Microsoft Intune.

Requirements: MAM has the following requirements:

  • Microsoft Intune license assigned to each user that MAM will be applied to. (Either Intune standalone, EMS E3, EMS E5 license SKUs).
  • iOS version 8.1 or later.
  • Android 4 or later.
  • Windows 10

Note: There are specific prerequisites if configuring for Windows 10. See Get ready to configure app protection policies for Windows 10 for more information

Assign Intune licenses to end-users:

Before we get started with configuring Intune, we first need to assign the Intune license to the end-user(s) who the MAM policies will be applied to. For demonstration purposes, I will be assigning the license to a single user. However to assign licenses to multiple users (i.e. the entire organization, or groups of users) you can follow these articles for automated ways of doing so: Assign licenses to users by group membership in Azure Active Directory (or use PowerShell or other methods).

Within the Office 365 Admin Portal, I will assign the license to my test user Megan:

Configure Mobile Application Management for Microsoft Teams:

 Navigate to and login. On the left side, at the bottom click Intune App Protection:


On the Intune App Protection blade, under the App Management category click App Policy:

Click Add a policy:

On the Add a Policy blade, I will give the policy a name and for this specific policy I will apply it to the iOS platform. I will then click Apps and place a check mark next to Microsoft Teams and then click Select:

Note: You must create a separate policy per platform if there are multiple platforms you wish to support (i.e. one for iOS and one for Android)

Back on the Add a policy blade, click Settings. For demonstration purposes, I will configure the following two policy settings: Restrict cut, copy, paste with other apps to Policy managed apps and Require PIN for access to Yes.
When finished click OK:

Note: For a description of each one of these settings and what they do, see the following articles:

For iOS: iOS mobile app protection policy settings

For Android: Android app protection policy settings in Microsoft Intune

Back on the Add a policy blade, click Create:

Once the policy has been created, it needs to be deployed (Notice the Deployed column shows No) Click the name of the policy:

On the Microsoft Teams blade, click Assignments:

MAM policies must be assigned to a group of users. For demonstration purposes, I will use a security group titled Retail Employees. Click Select groups, and place a check mark next to Retail Employees then click Select:

Close the Assignments blade. Close both Microsoft Teams blades and you will be returned to the list of policies. Notice the Deployed column now shows Yes.

Clicking Overview on the left side will provide me with a dashboard to see MAM status across my apps:

User experience with MAM applied:

IMPORTANT: It may take up to an hour for the policy to be applied after creating it.

Now that the MAM policy has been created, I will launch the Microsoft Teams app on my smartphone. I will be presented with a new message indicating the MAM policy is now effective. Tap OK.

Relaunch the app. Once the app is relaunched, because I configured the MAM policy to require a PIN when using Microsoft Teams, the app will prompt me to create a PIN:

I will now have access to the app:

To test the policy setting for restricting cut/copy/paste, I will open an existing private chat with another user:

Next, I will highlight some text and with a long press tap Copy text:

Next, I will open another app (Outlook) where my personal email account is configured and attempt to paste the confidential information from the Microsoft Teams app into a new personal email message. Notice the text that displays indicating the data cannot be pasted (the policy worked!):

How to wipe data from the Microsoft Teams app:

Return to the Intune App Protection blade in the Azure portal. On the left side, under Remote requests, click Wipe Requests:


Click New Wipe Request:

On the New wipe request blade click User. For this demonstration, I will choose Megan. Click Select after choosing the user

Next on the New wipe request blade click Device. Select the device by placing a check mark next to it then click Select then click OK:

Note: The name of the device is Matts iPhone as I am using my device for this demonstration.

A new wipe request will be created and queued to be sent to the device:


Note: the wipe request can be cancelled by clicking the ellipsis and selecting Delete wipe request:

User experience when wiping data from the Microsoft Teams app:

The user must open the app for the wipe to occur, and the wipe may take up to 30 minutes after the request was sent.

Launching the Microsoft Teams app after the wipe request has been sent, I will be prompted with a message indicating the app has been wiped. Tap OK to proceed:

I will be returned to the home screen. After re-launching Microsoft Teams app, I will be asked to sign-in. At this point, the app has been returned to its default out of the box state:

Back in the Azure portal, notice the wipe request is now marked as Complete:

Conclusion: The Microsoft Teams app can be managed by the organization and the data within that app can be protected through MAM policy such as preventing users from copying data out of the app and pasting into a non-managed app, etc. What questions, comments, feedback or input do you have? Let me know down below in the comments.

MAM for other Microsoft mobile applications

If you are curious about MAM for other Microsoft apps such as Outlook, OneDrive, etc the process is identical to the above to configure MAM for those apps. In addition, the user experience within the app when MAM is applied, and the wipe experience, is also identical.