App Protection Policies (MAM)
Understanding the Concept
App Protection Policies (also known as MAM policies) protect corporate data at the application level rather than the device level. They apply to apps on Intune-enrolled (MDM) devices and to apps on unenrolled, personally owned devices (MAM without enrollment, often written MAM-WE). Policies can target Microsoft 365 apps (Outlook, Teams, OneDrive), third-party apps that integrate the Intune App SDK, and line-of-business apps wrapped with the Intune App Wrapping Tool.
Key data-protection settings include: restricting data transfer between managed and unmanaged apps (send/receive and cut/copy/paste restrictions), requiring a PIN or biometric to open the app, encrypting organization data, blocking screen capture (Android only; iOS does not expose this control), blocking save-as to personal storage locations, and requiring minimum app and OS versions. Because these settings act on the managed app's data rather than on the device, they hold even when the device itself is not managed.
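To make the data-protection settings above concrete, here is an added example (not Microsoft's code) that audits an app protection policy object as Microsoft Graph returns it from GET /deviceAppManagement/iosManagedAppProtections and flags the weak choices beside the hardened ones. Property names and enum values are those of the Graph iosManagedAppProtection resource; the two embedded policies are constructed, not exported from a real tenant, and the thresholds (a 12-hour offline grace period, 5 PIN retries) are the author's assumptions.

```python
"""Audit an Intune iOS app protection (MAM) policy JSON object for weak settings.

Added example, not Microsoft's code. Property names follow the Microsoft Graph
iosManagedAppProtection resource; the sample policies below are constructed.
"""
import re

# ISO 8601 duration in the forms Graph uses for the offline timers: "PT12H", "PT720M", "P90D".
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def duration_minutes(iso):
    """Convert a Graph duration string to minutes; raise on forms this audit does not expect."""
    m = _DURATION.match(iso or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso!r}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes


def audit_policy(policy, max_offline_minutes=720, max_pin_retries=5):
    """Return a list of (setting, problem) pairs; an empty list means no weak setting was found.

    The thresholds are assumptions for this example, not Intune defaults you must adopt.
    """
    findings = []

    # Data transfer: "allApps" lets org data flow to any app on the device.
    if policy.get("allowedOutboundDataTransferDestinations") == "allApps":
        findings.append(("allowedOutboundDataTransferDestinations",
                         "org data may be sent to unmanaged apps; use managedApps or none"))
    if policy.get("allowedInboundDataTransferSources") == "allApps":
        findings.append(("allowedInboundDataTransferSources",
                         "unmanaged apps may open data in managed apps; use managedApps"))
    if policy.get("allowedOutboundClipboardSharingLevel") == "allApps":
        findings.append(("allowedOutboundClipboardSharingLevel",
                         "clipboard leaks to personal apps; use managedAppsWithPasteIn or blocked"))

    # Save-to-personal storage: saveAsBlocked plus an allow-list of org storage locations.
    if not policy.get("saveAsBlocked"):
        findings.append(("saveAsBlocked", "save-as to personal locations is allowed"))
    if "localStorage" in policy.get("allowedDataStorageLocations", []):
        findings.append(("allowedDataStorageLocations", "local device storage is an allowed save target"))

    # Access requirements: PIN/biometric gate and retry limit.
    if not policy.get("pinRequired"):
        findings.append(("pinRequired", "no app PIN or biometric required to open org data"))
    elif policy.get("maximumPinRetries", 0) > max_pin_retries:
        findings.append(("maximumPinRetries", f"more than {max_pin_retries} PIN retries allowed"))

    # Encryption: useDeviceSettings relies on whatever the device happens to enforce.
    if policy.get("appDataEncryptionType") == "useDeviceSettings":
        findings.append(("appDataEncryptionType", "org data encryption left to device settings"))

    # Offline grace period before the app must re-check policy and identity.
    try:
        if duration_minutes(policy.get("periodOfflineBeforeAccessCheck")) > max_offline_minutes:
            findings.append(("periodOfflineBeforeAccessCheck",
                             f"offline grace period exceeds {max_offline_minutes} minutes"))
    except ValueError as exc:
        findings.append(("periodOfflineBeforeAccessCheck", str(exc)))

    if not policy.get("minimumRequiredOsVersion"):
        findings.append(("minimumRequiredOsVersion", "no minimum OS version enforced"))
    return findings


# Constructed sample: a permissive policy, roughly what "no settings changed" looks like.
WEAK_POLICY = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "iOS MAM (constructed weak example)",
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedInboundDataTransferSources": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "saveAsBlocked": False,
    "allowedDataStorageLocations": ["localStorage"],
    "pinRequired": False,
    "maximumPinRetries": 10,
    "appDataEncryptionType": "useDeviceSettings",
    "periodOfflineBeforeAccessCheck": "P7D",
    "minimumRequiredOsVersion": "",
}

# Constructed sample: the same policy with each weak setting corrected.
HARDENED_POLICY = {
    "@odata.type": "#microsoft.graph.iosManagedAppProtection",
    "displayName": "iOS MAM (constructed hardened example)",
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedInboundDataTransferSources": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,
    "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
    "pinRequired": True,
    "minimumPinLength": 6,
    "simplePinBlocked": True,
    "maximumPinRetries": 5,
    "appDataEncryptionType": "whenDeviceLocked",
    "periodOfflineBeforeAccessCheck": "PT12H",
    "periodOfflineBeforeWipeIsEnforced": "P90D",
    "minimumRequiredOsVersion": "16.0",
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, len(audit_policy(pol)), "finding(s)")
        for setting, problem in audit_policy(pol):
            print("  ", setting, "->", problem)
```

Running it against a real tenant means replacing the two embedded dictionaries with the objects from the Graph response (each element of the `value` array); the audit itself needs no network access, so it can run in a pipeline over an exported policy backup.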
Conditional launch settings are checked when the app starts and whenever it refreshes its policy, and each condition is paired with an action (warn, block access, wipe data, or, for PIN retries, reset PIN): maximum PIN retry attempts, offline grace period (a block-access timer measured in minutes and a separate wipe-data timer measured in days), jailbreak/root detection, minimum OS and app version, and maximum allowed device threat level as reported by a Mobile Threat Defense connector such as Defender for Endpoint.
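To show how the conditional launch conditions and their actions combine, here is an added example (not the Intune App SDK's code) that evaluates a constructed policy against a constructed device state and returns the resulting action. The evaluation order, the rule that the most severe action wins, the Secured < Low < Medium < High threat-level ordering and the field names are the author's assumptions for illustration; the actions themselves are the ones the Intune portal offers for each setting.

```python
"""Simulate conditional launch evaluation for a MAM-protected app.

Added example, not the Intune App SDK's code. Policy fields, device state and the
"most severe action wins" rule are assumptions made for illustration.
"""
from dataclasses import dataclass

# Assumed ranking of Mobile Threat Defense levels: Secured is the cleanest state.
THREAT_RANK = {"secured": 0, "low": 1, "medium": 2, "high": 3}

# Actions the portal offers; a higher rank is more severe.
ACTION_SEVERITY = {"allow": 0, "warn": 1, "resetPin": 2, "block": 3, "wipe": 4}


def version_tuple(v):
    """Compare versions numerically, so "16.10" is newer than "16.9" and "16" equals "16.0"."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass
class ConditionalLaunch:
    """One conditional launch configuration (constructed defaults, not Intune's)."""
    max_pin_retries: int = 5
    max_pin_retries_action: str = "resetPin"      # resetPin | block | wipe
    offline_block_minutes: int = 720               # "Offline grace period" -> Block access
    offline_wipe_days: int = 90                    # "Offline grace period" -> Wipe data
    jailbroken_action: str = "block"               # block | wipe
    min_os_version: str = "16.0"
    min_os_action: str = "block"                   # warn | block | wipe
    min_app_version: str = "4.0"
    min_app_action: str = "warn"                   # warn | block | wipe
    max_threat_level: str = "low"
    max_threat_action: str = "block"               # block | wipe


@dataclass
class DeviceState:
    """What the managed app can observe at launch (constructed for this example)."""
    failed_pin_attempts: int = 0
    minutes_offline: int = 0
    jailbroken: bool = False
    os_version: str = "17.0"
    app_version: str = "5.0"
    threat_level: str = "secured"


def evaluate(policy, state):
    """Return (action, reason) for this launch; the most severe triggered action wins."""
    triggered = []
    if state.failed_pin_attempts >= policy.max_pin_retries:
        triggered.append((policy.max_pin_retries_action, "max PIN retries exceeded"))
    # The wipe timer (days) outranks the block timer (minutes); both count from the last check-in.
    if state.minutes_offline >= policy.offline_wipe_days * 1440:
        triggered.append(("wipe", "offline longer than the wipe timer"))
    elif state.minutes_offline >= policy.offline_block_minutes:
        triggered.append(("block", "offline grace period expired"))
    if state.jailbroken:
        triggered.append((policy.jailbroken_action, "jailbroken/rooted device"))
    if version_tuple(state.os_version) < version_tuple(policy.min_os_version):
        triggered.append((policy.min_os_action, f"OS {state.os_version} below {policy.min_os_version}"))
    if version_tuple(state.app_version) < version_tuple(policy.min_app_version):
        triggered.append((policy.min_app_action, f"app {state.app_version} below {policy.min_app_version}"))
    if THREAT_RANK[state.threat_level] > THREAT_RANK[policy.max_threat_level]:
        triggered.append((policy.max_threat_action, f"device threat level {state.threat_level}"))
    if not triggered:
        return ("allow", "all conditional launch checks passed")
    return max(triggered, key=lambda t: ACTION_SEVERITY[t[0]])


if __name__ == "__main__":
    policy = ConditionalLaunch()
    for label, state in (
        ("clean device", DeviceState()),
        ("old app", DeviceState(app_version="3.9")),
        ("jailbroken", DeviceState(jailbroken=True)),
        ("jailbroken and 91 days offline", DeviceState(jailbroken=True, minutes_offline=91 * 1440)),
    ):
        print(f"{label}: {evaluate(policy, state)}")
```

The version comparison is the part most often got wrong in hand-rolled checks: a string comparison would call iOS "16.9" newer than "16.10" and "16" older than "16.0", which is why the helper normalises trailing zeros before comparing tuples.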
Key Points
- MAM policies protect corporate data at the app level
- Work on both enrolled (MDM) and unenrolled (MAM-only) devices
- Data protection: prevent copy/paste, save-to-personal, screenshots
- Access requirements: PIN, biometric, minimum OS/app version
- Conditional launch: block access based on security conditions
- Selective wipe removes only corporate data from apps
Why This Matters in Real Organizations
App protection policies are the cornerstone of BYOD security. They protect corporate data inside the managed apps even on unmanaged personal devices, so an organization can support BYOD without enrolling the device and without compromising data security.
Common Mistakes to Avoid
Interview Tips
- Explain app protection policy capabilities and use cases
- Discuss your BYOD data protection strategy using MAM
- Describe how you test and validate MAM policies
Exam Tips (MD-102)
- Know all app protection policy settings and their effects
- Understand the difference between MAM with and without enrollment
- Know conditional launch settings and their actions
- Understand selective wipe vs full wipe behavior