Protect Corporate Apps & Data on devices with Intune Mobile Application Management (MAM) – Using Intune in Azure Portal

Mobile Application Management or simply MAM is a great feature that comes with Enterprise Mobility + Security suite. It helps to protect corporate apps and data by enforcing configurable policies. MAM policies can be deployed to employee-owned unmanaged devices, devices that are enrolled in Intune and devices managed by a third-party mobile device management (MDM) solution.
This article describes how to configure MAM policies on Android devices that are enrolled in Intune.

For this guide I am using a device which is enrolled in Intune.

Step – 1 (Configure the App)

Wrap your LOB Android app with Intune App Wrapping Tool to allow it to be managed by Microsoft Intune App Protection. Or use Intune App SDK to develop an app that has built in manageability features. I’m not going to guide you on this. Please refer below article.

Prepare line of business apps for MAM

Step – 2 (Add the App in Intune)

1. Logon to new Intune portal (portal.azure.com) > Open Intune blade > "Mobile apps workload and click Apps blade.




2. Click “Add” to add a LOB app. On Add app blade fill the details and select the .apk file from computer. Click OK.




3. Configure App information and click OK. Finally click Add. (It will take some time to upload the app.)




4. Now the app can be visible under Apps blade and it display as a Managed Android line-of-business app.

Step – 3 (Configure MAM Policy)

1. Select App protection policies blade and click on "Add a policy".




2. Enter a name for the policy and select the LOB app.




3. Configure the policy settings and click Create.




4. Now the created MAM policy is visible in App protection policies blade.




5. Select the policy and under Assignments blade select the user group that this MAM policy will be applied to.

Step – 4 (Assign App and MAM Policy)

1. In Apps blade select the added line of business app.

2. Under Assignments blade, select the user group that this app will be assigned to and the Assignment Type*. Click on Save.




3. Now the added LOB app will be assigned to the group with the configured MAM policy.

Step – 5 (Install App and Test)

1. On user’s mobile device, in Company Portal app, the deployed LOB app will display as available (depends on the assignment type). Install it.






2. Upon the completion of installation, when user try to open the app, a message will be displayed as “Your organization protects data in this app” which means Intune MAM protects this app & data.




3. Sign in with your credentials.




4. It will ask to enter a PIN since the policy configured as PIN is required. Therefore it is confirmed that the MAM policies have applied successfully. Open the app and test cut,copy, paste functions too.

*Additional Information

If you select Deployment Type as "Available with or without enrollment" in Step - 4, 2nd instruction point, app can be used without device enrollment in Intune.

😃