Call4Cloud

The Chronicles of MAM

This blog is about Managed and Unmanaged App Protection Policies and how to make sure they also work as they should on iOS devices.

I will divide this blog into multiple parts:

  1. Introduction
  2. Conditional Access
  3. App Protection Policies
  4. Android App Protection
  5. iOS App Protection
  6. iOS App Configurations
  7. Deploying them With PowerShell
  8. Results

1. Introduction

When we want to protect company data, we have multiple options to choose from.

Are you going to require compliant iOS/Android mobile devices, so each device needs to be enrolled (MDM)? Or do you have a lot of front-line workers and only want the apps to be secured with an App Protection Policy (MAM)? Or maybe a combination?

In this example, we did both. We wanted to make sure users with a Microsoft 365 Business Premium license had their mobile devices managed/enrolled, while all other users could access Office 365 without their devices needing to be enrolled. Of course, we need to apply App Protection for each option.

You have to choose which of the options is best to protect the company data. Managed devices get the Managed devices App Protection Policy and unmanaged devices get the Unmanaged devices App Protection Policy.

I have to add, we do loosen the screws a bit on the Managed App Protection policies because we do have more power over that device!

2. Conditional Access Rule

So let’s begin with locking down the environment with some Conditional Access rules. Assuming you have already blocked legacy authentication, we are going to create 2 additional Conditional Access rules:

*The first CA rule requires Microsoft 365 Business licensed users to have compliant iOS/Android devices.

*The second CA rule makes sure approved apps are required when accessing Office 365 data. Please beware that Teams and “Require app protection policy” may not go well together, so the best option you have is to only require approved client apps (Microsoft apps) to access Office 365 data.
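As an added example (not code from the original post), this PowerShell creates the two Conditional Access rules described above with the Microsoft Graph PowerShell SDK. Both policies are created in report-only mode so the effect can be checked in the sign-in logs before switching them on, and an emergency-access group is always excluded. The module name is real; the group object ids and display names are placeholders you replace with your own.

```powershell
# Added example, not Call4Cloud's code. Assumes the Microsoft.Graph.Authentication
# module is installed and the caller has the Conditional Access administrator role.
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$LicensedUsersGroupId = '00000000-0000-0000-0000-000000000001'   # placeholder: M365 Business Premium users
$BreakGlassGroupId    = '00000000-0000-0000-0000-000000000002'   # placeholder: emergency access accounts

function New-MobileCaPolicy {
    # Creates one Conditional Access policy scoped to Office 365 on iOS/Android.
    # $Users is the Graph "users" condition block; $BuiltInControls the grant control(s).
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Users,
        [Parameter(Mandatory)] [string[]]  $BuiltInControls
    )
    $body = @{
        displayName = $DisplayName
        state       = 'enabledForReportingButNotEnforced'   # report-only first, enforce later
        conditions  = @{
            users          = $Users
            applications   = @{ includeApplications = @('Office365') }   # the Office 365 app group
            platforms      = @{ includePlatforms = @('iOS', 'android') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = $BuiltInControls
        }
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# Rule 1: licensed users must come from a compliant (enrolled) device.
$rule1 = New-MobileCaPolicy -DisplayName 'CA - Mobile - Require compliant device (M365 Business Premium)' `
    -Users @{ includeGroups = @($LicensedUsersGroupId); excludeGroups = @($BreakGlassGroupId) } `
    -BuiltInControls @('compliantDevice')

# Rule 2: everyone must use an approved client app; "Require app protection policy"
# (compliantApplication) is deliberately not used because of the Teams caveat above.
$rule2 = New-MobileCaPolicy -DisplayName 'CA - Mobile - Require approved client app' `
    -Users @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) } `
    -BuiltInControls @('approvedApplication')

$rule1, $rule2 | ForEach-Object { "Created '$($_.displayName)' in state $($_.state) ($($_.id))" }
```

Once the report-only results in the sign-in logs show only the expected users being affected, change `state` to `enabled`. Keep the emergency-access exclusion in place when you do.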

UPDATE: Please read my blog about the require app protection misunderstanding:

3. App Protection Policies

After the CA rules were created, we need to create the App Protection Policies. As shown below, we created multiple App Protection Policies: one for managed devices and one for unmanaged devices.

In my opinion, devices that are managed don’t need an additional PIN to open the app, because you have probably already set up a compliance policy and a device configuration policy. As mentioned before, maybe you want to loosen the screws a bit on managed devices?

Another good example would be allowing managed devices to “send org data to other apps” but blocking that action on an unmanaged/personal device. I have written a blog about which option you could choose and how it works in detail.

4. Android Apps

When you only work with Android devices, this setup is good enough. You just need to make sure your users have the Company Portal app installed. It only needs to be installed; no configuration is required, as it functions as the broker app on Android devices.

But when you have users with iOS mobile devices (I bet you do), you will need some additional configuration.

5. iOS Apps

Just like on an Android phone, App Protection requires a broker app. For iOS devices, the Microsoft Authenticator (MFA) app needs to be installed. After we have made sure all our iOS users have that app installed, we first need to make sure all the applications that need the Managed App Protection Policies are added to Intune. As mentioned earlier, we need to define an App Configuration Policy for each app, and how could we do that without any apps?

If you read my blogs often, you will probably know the whole setup can be scripted. Doing this manually takes some time, so why not deploy it with PowerShell:

https://call4cloud.nl/wp-content/uploads/2021/03/IOS.zip

6. App Configuration

Now that we have all the required apps installed on the devices, we still need to push an additional App Configuration to make sure the IntuneMAMUPN key is configured for each application. Please note: some apps do not support this configuration. Please visit this Microsoft Doc to check which applications do support it!

Supported Microsoft Intune apps | Microsoft Docs

You will need to configure the IntuneMAMUPN key for each app, because on devices managed by Intune this value is required to identify the enrolled user account. This is very important, because you really want to make sure the protected app gets the correct App Protection Policy applied!

Let’s create a new Managed Devices App Configuration Policy and select the Outlook app. Again, you will need to create an App Configuration with the IntuneMAMUPN key for each app. To do so, select “Managed Devices” when adding a new App Configuration Policy.

After selecting the proper App Configuration type, select iOS/iPadOS and then the “Targeted app”. In this example, I will select Microsoft Outlook.

The required “IntuneMAMUPN” key can be added under “Additional Configuration”. Please beware that App Configuration keys are case sensitive. Use the proper casing to ensure the configuration takes effect.

And a quick summary on how and where to configure the IntuneMAMUPN key:

Policy Type:          App Configuration
Policy Selection:     Managed Devices
Policy Location:      Microsoft Intune > Client Apps > App Configuration
Application Name:     Outlook
Configuration Key:    IntuneMAMUPN
Value Type:           String
Configuration Value:  {{UserPrincipalName}}

7. Deploying them With PowerShell

Of course, you can do this all manually for each iOS managed app, but why not automate the deployment of the App Configuration Policies? As always, you can automate it with PowerShell and Graph. Take a look at my GitHub page if you want to know how:

Enrollment/DU at main · Call4cloud/Enrollment · GitHub
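As an added example, not the script from the GitHub page above and not Call4Cloud's code, the following PowerShell creates the Managed Devices App Configuration from section 6 for several iOS apps and assigns it to a group, using the Microsoft Graph PowerShell SDK against the v1.0 Intune endpoints. It assumes the apps were already added to Intune (section 5) under the display names used below, which are assumptions for your tenant; the group id is a placeholder. Microsoft documents the UPN token as `{{userprincipalname}}`, which is what the value uses here.

```powershell
# Added example, not Call4Cloud's code. Assumes the Microsoft.Graph.Authentication
# module is installed and the caller can manage Intune apps.
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$Graph = 'https://graph.microsoft.com/v1.0'

function Get-IosAppId {
    # Returns the Intune id of an iOS store/VPP app by display name; fails loudly
    # if the app has not been added to Intune yet (section 5 of the post).
    param([Parameter(Mandatory)] [string] $DisplayName)
    $uri  = "$Graph/deviceAppManagement/mobileApps?`$filter=displayName eq '$DisplayName'"
    $apps = @((Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        Where-Object { $_.'@odata.type' -match 'ios(Store|Vpp)App$' })
    if ($apps.Count -eq 0) { throw "No iOS app named '$DisplayName' found in Intune; add it first." }
    return $apps[0].id
}

function New-IntuneMamUpnConfig {
    # Creates a Managed Devices app configuration for one iOS app with the
    # IntuneMAMUPN key (case sensitive) set to the enrolled user's UPN token,
    # then assigns it to the given group.
    param(
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [Parameter(Mandatory)] [string] $GroupId
    )
    $appId = Get-IosAppId -DisplayName $AppDisplayName
    $body = @{
        '@odata.type'      = '#microsoft.graph.iosMobileAppConfiguration'
        displayName        = "iOS - $AppDisplayName - IntuneMAMUPN"
        targetedMobileApps = @($appId)
        settings           = @(
            @{
                appConfigurationKey          = 'IntuneMAMUPN'
                appConfigurationKeyValueType = 'stringType'
                appConfigurationKeyValue     = '{{userprincipalname}}'   # Intune user token
            }
        )
    }
    $config = Invoke-MgGraphRequest -Method POST `
        -Uri "$Graph/deviceAppManagement/mobileAppConfigurations" `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'

    $assign = @{
        assignments = @(
            @{
                '@odata.type' = '#microsoft.graph.managedDeviceMobileAppConfigurationAssignment'
                target        = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $GroupId
                }
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "$Graph/deviceAppManagement/mobileAppConfigurations/$($config.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null
    return $config
}

# Apps the post reports as picking up IntuneMAMUPN (section 8); Edge showed
# "Not Applicable" there, so it is left out. Display names are assumptions.
$TargetGroupId = '00000000-0000-0000-0000-000000000003'   # placeholder: managed iOS users
foreach ($app in 'Microsoft Outlook', 'Microsoft Teams', 'Microsoft OneDrive') {
    $c = New-IntuneMamUpnConfig -AppDisplayName $app -GroupId $TargetGroupId
    "Created '$($c.displayName)' ($($c.id))"
}
```

One configuration per app is created on purpose: an iOS app configuration targets a single app, and it keeps each policy easy to read in the “App Configuration” blade and in the device check-in status when you troubleshoot later.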

8. Results

After a while, and I mean really a while (it could take up to 8 hours; read the blog below), it will start working. I have written a blog on how to troubleshoot App Protection Policies. Please read it if you want to know more about troubleshooting those App Protection Policies.

In the link above, I also showed how to monitor/troubleshoot the App Protection Policies. So let’s take a look at which apps understood the IntuneMAMUPN configuration.

When taking a look at the Microsoft Edge app configuration, you can check whether the configuration applied successfully.

As shown above, it is telling us “Not Applicable”. I guess Edge does not respond to the configuration policy, but Teams, OneDrive and Outlook did.

Please note: if the app assignment was configured as available instead of required, you will need to reinstall the already installed app from the Company Portal.

When you are at the customer and want to determine which App Protection Policies were applied, you can do so by opening Edge and typing about:intunehelp in the address bar. It gives you a brief summary of all the protection policies applied to a specific app!

Conclusion:

You will need to find the golden middle when securing your Office 365 data; otherwise, lines will be drawn in the sand. On your left, there is data to protect, and on your right, there are users who need to get their job done. You really need to make the end users understand why it’s important.


9 thoughts on “The Chronicles of MAM”

  1. For Step 6, I’m pretty sure the IntuneMAMUPN stuff is only needed for MDM, so “Managed Devices” instead of “Managed Apps”. In Managed Apps, you will find there’s no way to add that config key.

    1. Totally true… After migrating my website it looks like somehow some old versions of my blogs were migrated… Just uploaded the right version in which I am referring to the Managed Devices.

  2. Hello good sir! Great article, very informative. When you state “After a while and I mean really a while, it will start working” – do you have an estimate on how long?

    1. Hi, thanks!!.. I am explaining that part in the blog: https://call4cloud.nl/2021/01/the-sum-of-all-app-protection-policies/ I mentioned it at the end.

  3. In section 5, referring to iOS apps – how does the deployment of VPP apps play into this scenario? Also, what if the user has downloaded the apps and they are not deployed from the management console?

  4. Thank you so much for this post.
    I’m having a strange issue on iOS devices when enabling the app protection policy.

    As soon as the app protection policy is enabled, the native Settings app on iOS starts to ask for the Microsoft account password. When I try to re-enter the password, it says that the Apple Internet Accounts enterprise application (default on Azure, didn’t create anything) is not compliant with the app protection policy.

    Did you have any issue of this kind? Microsoft support doesn’t have a clue about this after hours and hours of calls and troubleshooting.

    Thank you so much

    1. Hi… So you are saying that when an app protection policy was applied, the Settings app asks for a Microsoft account password? (Which apps did you target? All, or some specific ones?)

      1. Hi, just Microsoft Edge. But for some reason, as soon as you enable the app protection policy on Conditional Access, the Settings app starts to ask for a password, and when you try to enter the password, we get an error for Apple Internet Accounts.

        Do you have any idea why? Or did you get any issue like this before?

        Thank you so much

  5. Rudy, I set this up as described but it didn’t work for me. My app protection policy disables app PINs but I keep getting prompted for one on fully managed iPads. Are there any situations where this wouldn’t work?
    Also, it seems it takes quite a long time for app config policies to apply. How long in your experience?

    Andy Jones
