
App Protection Policies in Intune: MAM vs MDM Scenarios

by Richelle Arevalo, IT Technical Writer

Key Points

  • Intune supports two management models—Mobile Device Management (MDM) for full device control and Mobile Application Management (MAM) for app-level protection on BYOD devices.
  • Intune App Protection Policies secure corporate data within apps through encryption, access controls, and conditional launch rules—with or without device enrollment.
  • MAM-only (BYOD): ideal for Bring Your Own Device users; protects corporate data inside supported apps without managing the entire device.
  • MDM-enrolled (corporate-owned): combines APPs with compliance policies, configuration profiles, and Conditional Access for layered security.
  • Intune supports MAM and MDM coexistence, enabling hybrid management validated via PowerShell, Registry, or CMD checks for deployment accuracy and compliance.

Microsoft Intune supports two primary models of managing endpoint and application security:

  • Mobile Device Management (MDM): A device-level approach that requires full Intune enrollment.
  • Mobile Application Management (MAM): An app-level approach that protects corporate data without requiring device enrollment.

Intune uses App Protection Policies (APPs) to define and enforce app security rules. This includes data encryption, copy/paste and save controls, conditional app launch, and user authentication requirements for specific applications (primarily Microsoft 365 apps).

This guide outlines the steps to configure and apply Intune App Protection Policy for MAM-only (BYOD) and MDM-enrolled (corporate-owned) devices. It also covers how Intune supports the coexistence of both, where a single device may be MDM and MAM-managed to enable layered policy enforcement.


Applying app protection policies: MAM-only (for BYOD)
Applying app protection policies: for MDM-enrolled devices
Enforcing conditional access based on app protection
Validation Method 1: Use PowerShell to query user/app compliance
Validation Method 2: Use Windows Registry to determine MAM vs MDM agent
Validation Method 3: Use CMD to validate MDM enrollment status
Manage Group Policy and Intune MDM coexistence

Guide to Microsoft Intune App Protection Policy (APP)

This guide teaches you how to apply App Protection Policies (APPs) in Microsoft Intune for MAM-only and MDM-enrolled scenarios. It also explains Conditional Access integration, validation methods, and key deployment considerations.

📌 General prerequisites:

  • Microsoft Intune and Microsoft Entra ID P1 (formerly Azure AD Premium P1) licenses; Entra ID P1 is what Conditional Access requires.
  • Apps must support the Intune App SDK (e.g., Outlook, Teams, OneDrive).
  • For MAM: No device enrollment is required.
  • For MDM: Device must be enrolled in Intune.
  • Access to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center).
  • Users must be members of the Entra ID security groups targeted by the policy. APPs are assigned to user groups; a device group assignment does nothing.

Applying app protection policies: MAM-only (for BYOD)

MAM-only policies protect organizational data inside apps without enrolling the device in MDM.

📌 Use Cases: This is ideal for Bring Your Own Device (BYOD) users, where organizations want to secure corporate data inside apps without managing the entire device.

📌 Prerequisites:

  • Apps must be integrated with the Intune App SDK or be wrapped using the Intune App Wrapping Tool (this is an app requirement, not a device requirement).
  • Users must be licensed for Intune + Azure AD Premium P1/P2.

Step-by-step:

  1. Open the Microsoft Intune admin center.
  2. Navigate to Apps > App protection policies > Create policy.
  3. Choose the platform: iOS/iPadOS/Android/Windows
  4. Under Apps to target, select Microsoft and supported third-party apps. On the same page, use the device-type targeting to limit this policy to unmanaged devices if you plan a separate, looser policy for MDM-enrolled devices.
  5. Click Next, then configure app protection settings:
    • Data protection: Set how users can interact with data in the apps (including cut/copy/paste, save-as, backup, and encryption of app data).
    • Access requirements: Set what users must present to open the app (PIN, biometric, or work-account credentials) and how often.
    • Conditional launch: Set the sign-in security requirements for your access protection policy (including maximum PIN attempts, block access after an offline interval, wipe data after a longer offline interval, and blocking jailbroken or rooted devices).
  6. Click Next, then assign the policy to user groups (not devices) in the Assignments page. (Read #1 in ⚠️ Things to look out for.)
  7. Click Next, review the settings, then click Create.
  8. Monitor under Monitor > App protection status.

This policy will apply even if the device is unmanaged (MAM Without Enrollment, or MAM-WE), provided the user is licensed and signs in to the app with their work account.

Applying app protection policies: MDM-enrolled devices

Applying app protection policies on MDM-enrolled devices has the same steps as above, but it’s typically in combination with:

  • Compliance policies
  • Device configuration profiles
  • Conditional access policies

This provides an extra layer of protection alongside device-level configurations.

📌 Use Cases: Ideal for corporate-issued devices with full management.

📌 Prerequisites:

  • Devices must be enrolled in Intune MDM
  • Users must be licensed for Microsoft Intune
  • Targeted apps must support Intune App Protection Policies

Step-by-step:

  1. Open the Microsoft Intune admin center.
  2. Navigate to Apps > App protection policies > Create policy.
  3. Choose platform: iOS/iPadOS/Android/Windows
  4. On the Apps page, select Microsoft and supported third-party apps. Use the device-type targeting to limit this policy to Intune-managed devices so that enrolled devices receive it instead of the BYOD policy.
  5. Click Next, then configure app protection settings:
    1. Data protection: Set how users can interact with data in the apps (including cut/copy/paste, save-as, backup, and encryption of app data). Settings here can be looser than in the BYOD policy because device-level controls already apply.
    2. Access requirements: Set what users must present to open the app (PIN, biometric, or work-account credentials) and how often.
    3. Conditional launch: Set the sign-in security requirements for your access protection policy (including maximum PIN attempts, block access after an offline interval, wipe data after a longer offline interval, and minimum OS or app version).
  6. Click Next, then assign the policy to user groups with MDM-enrolled devices. (Read #1 in ⚠️ Things to look out for.)
  7. Click Next, review all settings, and click Create to deploy the policy.
  8. Monitor under Monitor > App protection status.
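The two procedures above (MAM-only and MDM-enrolled) differ only in targeting and in how strict the settings are, so here is a single worked example, added to this guide and not taken from the original post or from NinjaOne, that performs the same create, target and assign sequence for an iOS policy through Microsoft Graph PowerShell. The group object ID is a placeholder, the bundle IDs are the public Outlook, Teams and OneDrive identifiers, and the specific values (6-digit PIN, 12-hour offline block, 90-day offline wipe) are assumptions you should align with your own baseline.

```powershell
# Added example (not from the original post): create, target and assign an iOS
# App Protection Policy with Microsoft Graph PowerShell, encoding the settings the
# step-by-step above configures in the admin center. Placeholders: the group
# object ID. Requires Microsoft.Graph.Authentication (everything goes through
# Invoke-MgGraphRequest, so no resource-specific module is needed).

Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All" -NoWelcome

$graph   = "https://graph.microsoft.com/v1.0"
$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: user group object ID

# 1. Policy body: data protection, access requirements and conditional launch.
$policy = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "APP-iOS-BYOD-Baseline"
    description                             = "MAM-only baseline for unmanaged iOS devices"
    # Data protection
    allowedOutboundDataTransferDestinations = "managedApps"            # org data only to policy-managed apps
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn" # cut/copy limited to managed apps
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true                    # keep org data out of iCloud backups
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    managedBrowserToOpenLinksRequired       = $true
    appDataEncryptionType                   = "whenDeviceLocked"
    # Access requirements
    pinRequired                             = $true
    minimumPinLength                        = 6
    maximumPinRetries                       = 5
    fingerprintBlocked                      = $false
    organizationalCredentialsRequired       = $false
    deviceComplianceRequired                = $false                   # BYOD: no MDM compliance available
    # Conditional launch: recheck online every 30 min, block after 12 h offline, wipe after 90 days
    periodOnlineBeforeAccessCheck           = "PT30M"
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOfflineBeforeWipeIsEnforced       = "P90D"
}

$created  = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"
$policyId = $created.id
Write-Host "Created policy $($created.displayName) ($policyId)"

# 2. Target the policy at specific apps (the 'Apps to target' page).
$bundleIds = @(
    "com.microsoft.Office.Outlook",
    "com.microsoft.skype.teams",
    "com.microsoft.skydrive"      # OneDrive keeps its historical bundle ID
)
$apps = $bundleIds | ForEach-Object {
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ } }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$policyId/targetApps" `
    -Body (@{ apps = $apps } | ConvertTo-Json -Depth 5) -ContentType "application/json"

# 3. Assign to a user group. APP is user-targeted: a device group here would be silently ineffective.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$policyId/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

# 4. Read the policy back with assignments expanded to confirm the result.
Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceAppManagement/iosManagedAppProtections/${policyId}?`$expand=assignments" |
    Select-Object displayName, isAssigned, @{ n = "assignedGroups"; e = { $_.assignments.target.groupId } }
```

For the MDM-enrolled variant, clone the body with a different displayName, relax the data-protection settings as your baseline allows, set deviceComplianceRequired to $true, post it to the same endpoint, and assign it to the group that holds users of corporate-owned devices. Android uses the androidManagedAppProtections endpoint with androidMobileAppIdentifier/packageId in place of bundleId.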

What is the difference between MDM and MAM?

MDM policies control device posture (enrollment, compliance, configuration). MAM policies protect data at the app level, inside managed apps, whether or not the device is enrolled.

💡 Note: When a device is both MDM-enrolled and its user is targeted by an APP, both apply: MDM enrollment does not switch the APP off, and Conditional Access can require the device to be compliant and the app to be protected at the same time. If you maintain separate APPs for managed and unmanaged devices (the device-type targeting on the Apps page), Intune applies the one that matches the device's enrollment state, so an MDM-enrolled device will not receive a policy scoped to unmanaged devices.

Enforcing access control based on app protection

Organizations can enforce app-based Conditional Access (CA) policies to ensure that only protected apps can access corporate data.

📌 Use Cases: Use this to:

  • Block access from unmanaged apps or devices
  • Enforce app-level data compliance (MAM-only or hybrid)
  • Implement Zero Trust security.

📌 Prerequisites:

  • Intune and Azure AD Premium P1/P2 licenses
  • Valid Microsoft 365 user licensing
  • Apps must be protected via an existing App Protection Policy

Step-by-step: (Read #2 in ⚠️ Things to look out for.)

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Protection > Conditional Access > Policies > New policy.
  3. Under Assignments, select the users or groups to target, and exclude your emergency-access (break-glass) accounts. (Read #1 in ⚠️ Things to look out for.)
  4. Under Target resources, choose the cloud apps to protect (e.g., the Office 365 app group, or Exchange Online and SharePoint Online individually).
  5. Under Conditions > Device platforms, include iOS and Android (Windows only if you rely on Edge MAM). Require app protection policy can only be satisfied by apps on supported platforms; if you leave this condition unset, sign-ins from every other platform will be blocked.
  6. Under Access controls > Grant:
    • Select Require app protection policy.
    • Optional: Require approved client app and Require multifactor authentication. Decide deliberately between "Require one of the selected controls" and "Require all the selected controls".
  7. Set Enable policy to Report-only, click Create, review the impact in the sign-in log, and only then switch the policy to On.

These policies work in tandem with Intune App Protection Policies (APP).
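The same policy can be created through Microsoft Graph PowerShell, which makes it reviewable as code and easy to stage in report-only mode. This is an added example written for this guide, not code from the original post or from NinjaOne; the pilot group and break-glass account IDs are placeholders, and the platform and client-app scoping reflect the caveats in the steps above.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# from the steps above in report-only mode, so its effect shows up in the sign-in
# log before anyone is blocked. Placeholders: pilot group ID, break-glass user ID.
# Requires Microsoft.Graph.Identity.SignIns.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome

$pilotGroupId     = "00000000-0000-0000-0000-000000000000"   # placeholder: users in scope
$breakGlassUserId = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency-access account

$policy = @{
    displayName   = "CA-Mobile-RequireAppProtection (report-only)"
    # Evaluated and logged but never enforced until you change it to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)   # never lock yourself out
        }
        # "Office365" is the built-in app group covering Exchange, SharePoint, Teams and friends.
        applications = @{ includeApplications = @("Office365") }
        # Only platforms that can satisfy the control. Without this, Windows and macOS
        # sign-ins would be subject to the same grant and fail it.
        platforms    = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("mobileAppsAndDesktopClients", "browser")
    }
    grantControls = @{
        operator        = "OR"
        # compliantApplication = "Require app protection policy".
        # Add "approvedApplication" for "Require approved client app" and "mfa" for MFA.
        builtInControls = @("compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

After a few days of report-only results, review Sign-in logs > Report-only for the policy; when the failures are only the ones you expect (unprotected apps), enforce it with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled.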

💡 You may also read How to Configure Conditional Access Policies in Azure AD.

Validation Method 1: Use PowerShell to query user/app compliance

PowerShell can be used with Graph API to retrieve policy assignments and evaluate enforcement status across devices and apps.

📌 Use Cases: Use this to:

  • Validate APP assignments across tenant users
  • Audit which devices or users are MAM-managed
  • Generate compliance reports for MSP or enterprise environments

📌 Prerequisites:

  • An Intune Administrator or Global Administrator role (Global Reader is enough for read-only reporting).
  • The Microsoft Graph PowerShell SDK must be installed.

Here’s how:

  1. Install the Graph SDK (if not already):

Install-Module Microsoft.Graph -Scope CurrentUser

  2. Connect to Microsoft Graph:

Connect-MgGraph -Scopes "DeviceManagementApps.Read.All","Policy.Read.All","User.Read.All"

You will be prompted to sign in with an admin account and, on first use, to consent to the requested scopes.

  3. List all app protection policies and their assignments. Policies are stored as separate resource types per platform, so there is one cmdlet for each:

Get-MgDeviceAppManagementIosManagedAppProtection -ExpandProperty assignments | Select-Object DisplayName, IsAssigned, Assignments
Get-MgDeviceAppManagementAndroidManagedAppProtection -ExpandProperty assignments | Select-Object DisplayName, IsAssigned, Assignments

  4. Query the app registrations (MAM check-ins) for a specific user. A registration stores the user's Entra object ID rather than the UPN, so resolve the ID first:

$user = Get-MgUser -UserId "[email protected]"
Get-MgDeviceAppManagementManagedAppRegistration -All | Where-Object { $_.UserId -eq $user.Id } |
    Select-Object DeviceName, DeviceType, LastSyncDateTime, FlaggedReasons

💡 Note: You may export results to CSV by appending | Export-Csv -Path "filename.csv" -NoTypeInformation for reporting.
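The cmdlets above list policies and registrations; what an auditor actually wants to know is whether each user's apps received the policies Intune intended for them. The following script, added to this guide (it is not from the original post or from NinjaOne), walks every MAM registration in the tenant, compares intended against applied policies, surfaces flagged devices, and exports the result. It assumes only Microsoft.Graph.Authentication and reads the v1.0 managedAppRegistrations resource; the 7-day "healthy" threshold is an assumption.

```powershell
# Added example (not from the original post): report, per user/device/app, whether
# the APPs Intune intended to deliver were applied, and whether the app flagged
# the device (e.g. rooted/jailbroken). Assumes Microsoft.Graph.Authentication.

Connect-MgGraph -Scopes "DeviceManagementApps.Read.All" -NoWelcome

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are not cut off at the first page.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    do {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

function Get-AppProtectionStatusReport {
    # Optional: restrict to one user's Entra object ID (registrations store the ID, not the UPN).
    param([string]$UserObjectId)
    $base = "https://graph.microsoft.com/v1.0/deviceAppManagement/managedAppRegistrations"
    $regs = Get-GraphCollection -Uri $base
    if ($UserObjectId) { $regs = $regs | Where-Object { $_.userId -eq $UserObjectId } }

    foreach ($r in $regs) {
        # intendedPolicies / appliedPolicies are navigation properties: fetch them per registration.
        $intended = @((Get-GraphCollection -Uri "$base/$($r.id)/intendedPolicies").displayName)
        $applied  = @((Get-GraphCollection -Uri "$base/$($r.id)/appliedPolicies").displayName)
        $missing  = @($intended | Where-Object { $_ -notin $applied })
        # iOS registrations carry a bundleId, Android ones a packageId.
        $appId    = if ($r.appIdentifier.bundleId) { $r.appIdentifier.bundleId } else { $r.appIdentifier.packageId }
        $flags    = @($r.flaggedReasons | Where-Object { $_ -ne 'none' })
        $recent   = $r.lastSyncDateTime -and ([datetime]$r.lastSyncDateTime -gt (Get-Date).AddDays(-7))

        [pscustomobject]@{
            UserId           = $r.userId
            Device           = $r.deviceName
            DeviceType       = $r.deviceType
            App              = $appId
            SdkVersion       = $r.managementSdkVersion
            LastSync         = $r.lastSyncDateTime
            IntendedPolicies = ($intended -join '; ')
            AppliedPolicies  = ($applied  -join '; ')
            MissingPolicies  = ($missing  -join '; ')
            Flagged          = ($flags    -join '; ')
            # Healthy = every intended policy applied, nothing flagged, checked in within 7 days (assumed threshold).
            Healthy          = ($missing.Count -eq 0 -and $flags.Count -eq 0 -and $recent)
        }
    }
}

$report = Get-AppProtectionStatusReport
$report | Where-Object { -not $_.Healthy } |
    Format-Table UserId, Device, App, MissingPolicies, Flagged, LastSync -AutoSize
$report | Export-Csv -Path .\app-protection-status.csv -NoTypeInformation
```

A registration with policies listed under MissingPolicies usually means the app has not checked in since the assignment changed; a registration with Flagged set to rootedDevice is a device the conditional-launch settings should already be blocking, which is worth confirming in the App protection status report.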

Validation Method 2: Use Windows Registry to determine MAM vs MDM agent

This method helps determine whether a Windows device is enrolled in MDM, registered for MAM only, or both. The registry shows which enrollments and registrations exist; it does not show which policy is being enforced inside a given app, so pair it with the Graph report from Validation Method 1 when you need that.

📌 Use Cases: Use this to:

  • Troubleshoot enrollment conflicts
  • Confirm MDM or MAM status on endpoints during migration
  • Differentiate BYOD vs corporate-owned configuration

📌 Prerequisites:

  • You must be signed in as an administrator.
  • Devices must be Azure AD registered or joined and have either MAM or MDM configured.

⚠️ Warning: Editing the registry can cause system issues. Create a backup before proceeding. (Read #3 in ⚠️ Things to look out for.)

Here’s how:

  1. Press Win + R, type regedit, and press Enter.
  2. Click Yes if prompted by UAC. The checks below only read values; do not modify or delete keys.
  3. To check for MDM enrollment keys, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments

Each GUID-named subkey is one enrollment. Check:

    • ProviderID (MS DM Server identifies an Intune enrollment)
    • EnrollmentState (1 indicates a completed enrollment)
    • EnrollmentType (0 = MDM, 6 = MDM+EAS)
    • UPN (the user who enrolled the device)
    • DiscoveryServiceFullURL (the enrollment endpoint the device enrolled against)
  4. To check for MAM registration, navigate to:

HKEY_CURRENT_USER\Software\Microsoft\MSEnrollment\EnrollmentEntries

Review keys for:

    • AADTenantID
    • AzureADDeviceID
    • UPN

On Windows, MAM without enrollment applies only to Microsoft Edge, so a missing MAM entry on a device whose user has never signed in to Edge with a work account is expected. The in-app page edge://intunehelp lists the policies Edge has actually received and is a more reliable check than the registry.
  5. Navigate to the following path to check legacy WIP MAM:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\

Review keys for:

    • SystemSecurity
    • DataProtection
    • WindowsInformationProtection (WIP = legacy MAM for Windows)

Windows Information Protection is deprecated by Microsoft. These keys matter only on devices still carrying an old WIP policy and should not be the basis of a new design.

On Android/iOS, MAM policies are enforced by the Intune App SDK inside each app and cannot be verified through local registry access. Use the app's own diagnostics instead (edge://intunehelp in Edge, or the Company Portal app) or the Graph report from Validation Method 1.

Validation Method 3: Use CMD to validate MDM enrollment status

This method provides a quick snapshot of MDM enrollment and Azure AD join status.

📌 Use Cases: Use this to:

  • Confirm if a device is properly enrolled in Intune MDM
  • Troubleshoot auto-enrollment failures
  • Validate prerequisites for APP enforcement

📌 Prerequisites:

  • Run as the signed-in user whose state you want to see. Administrator rights are not required for dsregcmd /status; elevate only for the optional MDM diagnostics tool below.

Here’s how:

  1. Press Win + X and open Terminal or Command Prompt (the same command also runs in PowerShell).
  2. Run this command to view join and MDM enrollment state:

dsregcmd /status

Look for:

    • AzureAdJoined and DomainJoined: YES on both means hybrid joined; AzureAdJoined alone means Entra joined
    • WorkplaceJoined: YES indicates an Entra registered (BYOD-style) device, the typical state for MAM-only Windows devices
    • MdmUrl: populated with the Intune enrollment endpoint only when the device is MDM-enrolled; blank means no MDM enrollment
    • AzureAdPrt: YES confirms the user holds a Primary Refresh Token, which is required for SSO into managed apps and for device-based Conditional Access
    • TenantName and TenantId: confirm the device is registered in the expected tenant

For a complete enrollment diagnostic, including the enrollment event log, run mdmdiagnosticstool.exe -area DeviceEnrollment -cab C:\temp\mdm.cab from an elevated prompt and open the resulting CAB.

The CMD utility doesn't provide direct MAM indicators but helps validate MDM prerequisites.
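Validation Methods 2 and 3 are usually run together, so here is one function, added for this guide and not from the original post or from NinjaOne, that reads the Enrollments registry keys and parses dsregcmd /status to classify a Windows endpoint as MDM-enrolled, Entra joined without MDM, registered only (the MAM-only shape) or unmanaged. It assumes Windows 10/11, the registry layout described above, and that it is run as the logged-on user so the user-state section of dsregcmd reflects that user.

```powershell
# Added example (not from the original post): combine the registry check (Method 2)
# and dsregcmd /status (Method 3) into one endpoint posture report.
# Assumes Windows 10/11; run as the signed-in user (elevation not required).

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $map = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $map[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $map
}

function Get-MdmEnrollment {
    # Each GUID-named subkey under Enrollments is one enrollment; Intune uses ProviderID "MS DM Server".
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID) {
                [pscustomobject]@{
                    Id              = $_.PSChildName
                    ProviderID      = $p.ProviderID
                    EnrollmentType  = $p.EnrollmentType
                    EnrollmentState = $p.EnrollmentState   # 1 = completed enrollment
                    UPN             = $p.UPN
                    DiscoveryUrl    = $p.DiscoveryServiceFullURL
                }
            }
        }
}

function Get-EndpointManagementPosture {
    $ds  = Get-DsregStatus
    $mdm = @(Get-MdmEnrollment | Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 })

    # Registry and dsregcmd must agree before we call the device MDM-enrolled.
    $posture =
        if ($mdm.Count -gt 0 -and $ds['MdmUrl'])   { 'MDM-enrolled (Intune)' }
        elseif ($mdm.Count -gt 0)                  { 'Enrollment key present but no MdmUrl: enrollment likely broken' }
        elseif ($ds['AzureAdJoined'] -eq 'YES')    { 'Entra joined, no Intune MDM enrollment' }
        elseif ($ds['WorkplaceJoined'] -eq 'YES')  { 'Entra registered only (MAM-capable, not MDM)' }
        else                                       { 'Not joined or registered' }

    [pscustomobject]@{
        Posture           = $posture
        AzureAdJoined     = $ds['AzureAdJoined']
        DomainJoined      = $ds['DomainJoined']
        WorkplaceJoined   = $ds['WorkplaceJoined']
        AzureAdPrt        = $ds['AzureAdPrt']
        MdmUrl            = $ds['MdmUrl']
        TenantName        = $ds['TenantName']
        IntuneEnrollments = $mdm
    }
}

Get-EndpointManagementPosture | Format-List
```

The second branch is the one worth having: a leftover Enrollments key with no MdmUrl in dsregcmd is the usual signature of a device that was unenrolled without cleanup (or whose enrollment failed part way), and it will keep failing Conditional Access compliance checks until the stale enrollment is removed and the device re-enrolled.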

Manage Group Policy and Intune MDM coexistence

This configuration is used in hybrid environments where some settings come from Group Policy and others from Intune MDM, and where the Group Policy itself is used to push domain-joined devices into Intune enrollment.

📌 Use Cases: Use this to:

  • Enable automatic MDM enrollment for hybrid Azure AD-joined devices
  • Avoid conflicts between GPO and Intune configurations

📌 Prerequisites:

  • Devices are hybrid Microsoft Entra joined (domain joined, with Entra device registration completed; dsregcmd /status shows AzureAdJoined: YES and DomainJoined: YES).
  • Intune automatic enrollment (the MDM user scope) is configured in the Entra admin center for the users concerned.
  • Users are licensed for Intune and sign in to Windows with their Entra account.

Step-by-step:

  1. For a single test device, press Win + R, type gpedit.msc, and press Enter. For production, create a GPO in the Group Policy Management Console and link it to the OU that contains the hybrid-joined computers.
  2. Navigate to:

Computer Configuration > Administrative Templates > Windows Components > MDM

  3. Open Enable automatic MDM enrollment using default Azure AD credentials, set it to Enabled, and select User Credential as the credential type. (Device Credential is also supported for hybrid-joined devices, but User Credential is the usual choice because it ties the enrollment to a licensed user.)
  4. Apply the policy (gpupdate /force on the client). The enrollment client creates a scheduled task under \Microsoft\Windows\EnterpriseMgmt\ that retries enrollment on a timer, so a restart is not strictly required; it does force a fresh attempt and refreshes the user's Primary Refresh Token, which the enrollment needs.

This makes the device eligible for MDM-driven enforcement. Two caveats when Group Policy and Intune coexist: for any setting configured by both, Group Policy wins by default unless you enable the Intune setting MDM Wins Over GP (Policy CSP ControlPolicyConflict/MDMWinsOverGP), and MDM enrollment of the device does not change how App Protection Policies are targeted, which remain user-based.
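On a client that should have picked up the policy, the following check, added to this guide and not from the original post or from NinjaOne, confirms the GPO landed, that the enrollment scheduled task exists, reads the last auto-enrollment result from the Device Management event log, reports whether MDM-wins-over-GP is set, and optionally starts the task rather than waiting for its timer. It assumes the registry values AutoEnrollMDM and UseAADCredentialType written by the MDM.admx policy, and that it runs in an elevated PowerShell session.

```powershell
# Added example (not from the original post): verify the auto-enrollment GPO on a
# hybrid-joined client and kick off enrollment if it has not happened yet.
# Assumptions: AutoEnrollMDM / UseAADCredentialType are the values written by the
# MDM.admx policy; event IDs 75/76 record auto-enrollment success/failure.
# Run from an elevated PowerShell session.

function Test-MdmAutoEnrollmentPolicy {
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $credType = switch ($policy.UseAADCredentialType) {
        1       { 'User Credential' }
        2       { 'Device Credential' }
        default { 'not set' }
    }

    # The enrollment client creates this task once the policy applies; it retries on a schedule.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object TaskName -like 'Schedule created by enrollment client for automatically enrolling in MDM*'
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo }

    # Newest auto-enrollment outcome: 75 = succeeded, 76 = failed.
    $lastEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Without MDMWinsOverGP = 1, Group Policy wins for any setting both GP and Intune configure.
    $conflict = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PolicyPresent       = [bool]$policy
        AutoEnrollMDM       = ($policy.AutoEnrollMDM -eq 1)
        CredentialType      = $credType
        EnrollmentTaskFound = [bool]$task
        EnrollmentTaskState = $task.State
        TaskLastRun         = $taskInfo.LastRunTime
        TaskLastResult      = $taskInfo.LastTaskResult   # 0 = last run succeeded
        LastEnrollmentEvent = if ($lastEvent) { "$($lastEvent.Id) at $($lastEvent.TimeCreated): $($lastEvent.Message.Split("`n")[0])" }
        MdmWinsOverGP       = ($conflict.MDMWinsOverGP -eq 1)
    }
}

$result = Test-MdmAutoEnrollmentPolicy
$result | Format-List

if (-not $result.PolicyPresent) {
    Write-Warning 'Auto-enrollment policy not present: run gpupdate /target:computer /force and confirm the GPO is linked to this computer''s OU.'
}
elseif ($result.EnrollmentTaskFound -and $result.EnrollmentTaskState -ne 'Running') {
    # Trigger enrollment now instead of waiting for the task's next scheduled attempt.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' |
        Where-Object TaskName -like 'Schedule created by enrollment client for automatically enrolling in MDM*' |
        Start-ScheduledTask
}
```

A PolicyPresent of True with no task usually means the user has not signed in with an Entra account since the policy applied (the task is created at user logon); a task whose last result is non-zero alongside an event 76 points at the user scope or licensing prerequisites listed above rather than at the GPO.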

⚠️ Things to look out for

  1. Assigning an APP to an incorrect user group
    • Potential consequence: Users may be blocked from accessing corporate apps or forced into unnecessary app restrictions.
    • Reversal: Remove the group from the policy assignments in Intune and redeploy with the correct target group.
  2. Misconfigured Conditional Access
    • Potential consequence: Users may access data from unmanaged or unprotected apps.
    • Reversal: Update the Conditional Access policy to include Require app protection policy and retest.
  3. Editing the registry without a backup
    • Potential consequence: Device misbehavior, enrollment failure, or loss of the MDM connection.
    • Reversal: Back up the registry before making changes, use a test device, and restore the previous registry keys if needed.

Additional considerations

Get to know some of the platform limitations, user requirements, and how MAM and Conditional Access work in tandem when applying APP with Intune:

Supported apps

Mobile Application Management (MAM) policies apply only to supported apps:

  • Apps that have been integrated with the Intune App SDK
  • Apps that have been wrapped using the Intune App Wrapping Tool

User-based management

MAM is user-based, not device-based. This means users must have an Intune license assigned to their Microsoft Entra ID account.

Windows limitations

MAM support on Windows is currently limited to Microsoft Edge. For full device and app control on Windows, use MDM enrollment via Intune.

Access control

Conditional Access (CA) policies must be layered to restrict access based on app state and protection. Without CA, users may bypass protections by accessing corporate data through unmanaged apps.

Troubleshooting

Here are common problems and solutions you may encounter with Microsoft Intune App Protection Policies (APP) across MAM and MDM scenarios:

Policy not applying

Verify that the user is in the target group and is using a supported app.

  1. Open Intune Admin Center > Apps > App protection policies.
  2. Open the affected policy and navigate to Assignments.
  3. Confirm the user is part of an included Azure AD group.

💡 Tip: You may refer to the Microsoft Intune protected apps list to confirm app compatibility.

App not protected

Check if the app is wrapped or has SDK support. How?

  1. For public apps, you may refer to the Microsoft Intune protected apps list and search for the app name.
  2. For custom LOB (Line-of-Business) apps, ask your app development team if the Intune App SDK has been added.
  3. Confirm if the app was processed using the Intune App Wrapping Tool.

(💡 Read Wrap Android apps with the Intune Wrapping Tool.)

MAM-WE fails

Confirm the user's Intune license and that the device is not already MDM-enrolled (an MDM-enrolled device will not receive a policy scoped to unmanaged devices).

  1. Open Microsoft 365 Admin Center > Users > Select user > Licenses.
  2. Check if the user has an Intune license assigned.
  3. To check whether the device is MDM-enrolled:
  • Press Win + I to open Settings > Accounts > Access work or school.
  • Select the work account and click Info. If a Managed by section with a sync status is shown, the device is MDM-enrolled; being Entra joined or registered alone does not mean it is MDM-managed. To move a Windows device to MAM-only, disconnect the MDM enrollment and have the user sign in to Microsoft Edge with their work account, which is where Windows MAM applies.

Access denied errors

Review the Conditional Access result and the device compliance state:

  • Go to Microsoft Entra admin center > Identity > Monitoring & health > Sign-in logs, open the failed sign-in, and check the Conditional Access tab to see which policy applied and which grant control was not satisfied.
  • For aggregate impact, including report-only policies, use Protection > Conditional Access > Insights and reporting, filtered by user, app, and result.

To check the compliance state:

  • Go to Intune Admin Center > Devices > Select device > Device compliance.
  • Check the compliance state and last check-in time. A device that has not checked in recently can be reported non-compliant even when its settings are correct.

Diagnostics

Here is where to find logs:

NinjaOne Services

NinjaOne enhances app-level and device-level protection through:

  • App monitoring: Monitors app installation status and health on MDM-enrolled devices.
  • Script automation: Automates prerequisite checks and enforces compliance for MDM and app protection policies.
  • Enrollment visibility: Displays unified dashboards showing MAM-only vs. full MDM enrollment.
  • Device tagging: Uses custom fields to classify BYOD, corporate-owned, or hybrid devices.
  • Behavior alerts: Flags issues like non-compliant apps, missing agents, and enrollment errors.

With these, MSPs can manage and secure diverse device fleets regardless of management type.

Configure Intune Application Protection Policy for BYOD and MDM-enrolled scenarios

App Protection Policies offer a flexible and powerful way to protect corporate data, whether or not the device is enrolled in a management platform. These policies empower MSPs and IT teams to enforce consistent app-level security across devices in both MAM-only (BYOD) and MDM-enrolled (corporate-owned) environments.

This guide provides clear steps for creating, configuring, and assigning APPs for both scenarios. It also includes practical tools for validating deployment through Graph PowerShell, the registry, CMD, and GPO. Beyond that, you'll find best practices for Conditional Access integration and how NinjaOne supports MSPs to streamline policy enforcement at scale.


FAQs

Does Intune use MAM or MDM?

Microsoft Intune supports both MAM and MDM.

What are app protection policies in Intune?

App protection policies (APP) in Intune define rules that protect corporate data within supported apps, even on unmanaged devices.

What is the difference between MAM and an App Protection Policy?

MAM refers to managing apps and their data without controlling the device. Meanwhile, App Protection Policy (APP) is the Intune feature that enforces rules inside the apps managed by MAM.

Can Intune MAM protect corporate data on personal devices?

Yes. Intune MAM can protect corporate data on personal devices through App Protection Policies (APPs) without requiring full MDM enrollment. This is ideal for Bring Your Own Device (BYOD) users who need secure access to corporate apps like Outlook, Teams, and OneDrive.

Does Intune MDM support Android and iOS devices?

Yes. Intune MDM supports both Android and iOS/iPadOS devices, providing centralized management for settings, compliance, and app deployment. Each platform requires specific enrollment methods to ensure proper policy enforcement and device protection.

How does Conditional Access work with App Protection Policies?

Conditional Access in Microsoft Entra ID, used together with Intune, ensures that only apps protected by App Protection Policies can access corporate data. When combined with MDM, it can additionally require device compliance and MFA alongside app-level encryption, forming a layered Zero Trust security model.
