Setting Up MAM for iOS Devices with Intune: A Comprehensive Guide 

Topics: Intune

Today, we are going to learn about protecting company data on unmanaged iOS and iPadOS devices and how to set this up using Microsoft Intune. Note, I will refer only to iOS going forward, but this post applies to both iOS and iPadOS. We will be setting up guardrails for our data to ensure that company information remains secure while still providing personal access to organizational data for productivity.

Mobile Application Management (MAM) will be used for unmanaged devices, referred to as personal or BYOD (Bring Your Own Device) devices. These are devices over which your IT staff has no control over their settings.

Find my partner post Mobile Application Management for Android Devices with Intune here.

Understanding MAM and Intune’s Role 

What Is MAM (Mobile Application Management)? 

To provide a bit more context, let’s explore what MAM and App Protection Policies entail. MAM, also known as Mobile Application Management, refers to a suite of management features that empower administrators to publish, configure, and secure mobile applications.  

The Importance of App Protection Policies in Intune 

App Protection Policies within Intune are essentially a collection of rules designed to secure company data within an application by managing how data is accessed and shared. With these policies, administrators can enforce requirements such as a PIN to access the app and prevent the copying of organizational data to personal applications, among other security measures. 

The Benefits of Implementing MAM with Intune 

Enhanced Data Security – Provides a layer of security for organization data on unmanaged devices by setting policies to control how company data is accessed and shared within apps.  

Increase Flexibility – Give your users access to company data such as Outlook, Excel etc. without having to enroll their devices under management.  

Preparing for MAM Setup: What You Need 

  • Company Portal app or MS Authenticator App (broker app)  
  • Microsoft Intune License  
  • Entra ID P1 License  

Step-by-Step Guide to Setting Up MAM for iOS Devices 

Creating Your Conditional Access Policy 

To begin protecting your data, start by creating a Conditional Access Policy in Microsoft Intune. Navigate to Microsoft Intune > Endpoint security > Conditional access > + Create new policy 

MAM for iOS Devices with Intune - conditional access - create policy

Create your Conditional Access Policy. Assign a descriptive name to the policy, such as “MAM for iOS.”

MAM for iOS Devices with Intune - name policy

Assigning Your Policy to Groups 

Select the group the best fits your needs. In my case, I will choose “App Protection Pilot Group” which has a single user account that I will use to demo later.  

MAM for iOS Devices with Intune - select group

Selecting Targeted Resources and Conditions 

Choose the resources to protect, such as “Cloud Apps” or specifically “Office 365.” You can also select All cloud apps to broaden your scope, but for simplicity’s sake I will select Office 365. 

MAM for iOS Devices with Intune - select resources to protect


Set the conditions targeting the Device Platform, as this will tell us the platform the user is signing in from.   

select the conditions

Under Client apps, select both Browser and Mobile apps and desktop clients. 

select both Browser and Mobile apps and desktop clients

Defining Access Controls 

Next, go down to Access Controls and specify the requirements to get access. I have chosen Grant access by Requiring app protection policies to be in place. 

MAM for iOS Devices with Intune - specify requirements for access

Crafting Your App Protection Policy 

Activate the policy by setting the toggle to On, then click Save. 

Activate and save policy

Go to the Intune Admin Center > click on Apps > App protection policies > + Create policy > iOS   

MAM for iOS Devices with Intune - app protection policy

Navigating to Policy Configuration 

On the ‘Create Policy’ page, give your policy a name and a description to clarify its purpose, then click ‘Next’. 

MAM for iOS Devices with Intune - policy configuration

Specifying Apps and Data Transfer Restrictions 

In the following section, we will select what applications we want to target with the App Protection Policies.  

Public Apps 

  • All Apps – This would target policy to all Microsoft and partner apps that have Intune SDK setup 
  • All Microsoft Apps – This target all Microsoft apps that have Intune SDK setup  
  • Core Microsoft Apps – This includes these apps: MS Edge, Excel, Office, OneDrive, OneNote, Outlook, PowerPoint, SharePoint, Teams, To Do and Word. 

If you don’t select an option from the dropdown menu, you can choose to target single apps by using Selected Apps and click + Select public apps to choose your app.  

If you also don’t select any of the predefined groups as mentioned above, you can also select + Custom apps to target a custom app from its Bundle ID.  

create policy --> select apps

Data Transfer Restrictions 

Next, we will create policies to control actions like cutting, copying, paste, as well as other restrictions.  

Below, I’ve outlined my policy choices. Here I will highlight a few and why I made these choices.  

  • Backup org data to iTunes and iCloud Backup: Set to block to prevent data leaks. I want to avoid storing sensitive work or school data in iCloud backup services. 
  • Save copies of org data: Set to Block to disallow saving sensitive data on unmanaged resources. I do not want to allow users to save potential sensitive data on unmanaged resources, but I will allow users to save org data on managed services like SharePoint and OneDrive.  
  • Restrict cut, copy, and paste between other apps: Allow only for managed apps, with paste-in enabled. This helps mitigate the risk of users copying sensitive information on unsupported platforms. 

Setting Encryption and Functionality Parameters 

Require encryption of org data on all devices accessing org data on this app. 

Here I went ahead and Blocked the Sync policy managed app data apps or add ins so that we are consistent with keeping org data contained and not intermixed. I also Blocked Printing org data to keep org data from leaving unmanaged platforms.   

MAM for iOS Devices with Intune - data transfer restrictions

Establishing Access Requirements and Conditional Launch Settings 

In this section, we establish rules governing user access to apps. I did keep the defaults, which require a PIN to access the apps. The PIN is set at the device level so if a user does not have a PIN enabled, they will not be able to access apps. I am also requiring an app pin to access a resource such as Outlook for an extra layer of protection, along with requiring users to use work or school credentials for access. Once set, click ‘next’. 

Establish app rules

Conditional Launch 

Here we set requirements for our App and Device conditions. We can also set actions. For example, if a device is detected as “Jailbroken” or “Rooted” it will Block access to the org’s application. I did not make any changes, keeping to the defaults. Click Next.

App and device conditions

Go ahead and select your Assignments. I chose the App Protection Pilot Group to keep things consistent. 

MAM for iOS Devices with Intune - select assignment group

Review and then create your App Protection Policy once you have verified this meets your needs. 

Testing and Implementing Your MAM Strategy 

Go to unmanaged iOS device > go to Microsoft Word.  

You’ll need to register our iOS device so that we can get policies applied to the application.

Testing MAM strategy

The device is getting policies applied from your App Protection Policy and will close.

MAM for iOS Devices with Intune - policy closes app

In our policy we require an App PIN to access the application. Go ahead and set your PIN to move forward.

PIN test

Now that I have access to Microsoft Word on my unmanaged device, I’m going to copy data on a company document and try to paste it into an unmanaged notepad on my iOS device. As you see, we are not able to paste company data on to a personal device.  

Complete: Set Up of MAM for iOS Devices with Intune

Following these steps will secure your organization’s data on unmanaged iOS devices, leveraging the power of MAM and App Protection Policies in Intune.  

Partner Post on MAM for Android

Back to Top