PSA: Careful with MAM – there might be more to it than you think

Back to Blog
03Sep2019

PSA: Careful with MAM – there might be more to it than you think

I have written extensively on Mobile Application Management (MAM), as an alternative to Mobile Device Management (MDM). When implemented properly, it is the perfect solution for protecting company data on unmanaged devices (e.g. BYOD situations).

But therein lies the rub. You need to implement it properly. I can’t blame you if you have it wrong, either. Because Microsoft’s own documentation does not always reflect the reality. Here is a case in point: go to this link and read the following (screenshot included below):

The relevant line reads, “Deployment of Application Protection Policies are not required to enable app selective wipe.”

Oh really? Because that is not my experience. Go ahead and test it–you will find that the exact opposite is the truth. So either this is a typo, or something has changed and the document hasn’t been updated yet.

App protection policies are what enables MAM, really. They are found under Client apps > App protection policies.

The reason this gets confusing for some people is that they will read my guide on Conditional access, and implement my recommended Conditional access policy for iOS and Android, with the access control called “Require approved client app.” Basically the policy says that if you want to access corporate resources, then you have to use the “approved” (read: Microsoft) client apps. E.g. Outlook, not Apple Mail for instance.

Now if you enable that Conditional access policy, it will have the desired effect: you must use the Microsoft apps at that point. But, if you fail to setup an App Protection Policy on top of it, then you will not be able to issue remote wipe requests against those devices, which pulls back the data within the app.

The whole point of managing the application rather than the device is so that you can gain control of the corporate data being presented through that client application without touching the device itself. But you don’t have that control via Intune without applying an App Protection Policy.

Configuring your MAM policies

For some quick guidance on this, just note that the minimum required configuration to enable the remote selective wipe feature would be to have a protection policy that targets the apps you are trying to protect (e.g. Outlook, etc.), with Data protection settings that at least require the app data to be encrypted, like this:

Minimum Data protection settings for enabling app selective wipe:

Notice how this policy doesn’t even restrict data copy/transfers, but still requires encryption

I could likewise leave the access requirements totally wide open, and still be covered with remote selective wipe.

Minimum Access requirements:

NOTE: I like to set the timer “Recheck the access requirements…” to Zero.

Now that would be the minimum recommended settings to get your remote wipe working. You can initiate one of these wipes from Client apps > App selective wipe. Simply click + Create wipe request and then choose a user and device from which you would like to wipe corporate data.

If you do not target your iOS and Android devices with an App protection policy, you will find that these devices don’t even populate for the selected user. If you previously had an App protection policy applied, but since removed it, the devices will show up in here but the wipe requests will not succeed, and it will just sit in a pending state indefinitely.

Data protection for sensitive businesses

If you have more stringent access control requirements due to the sensitive nature of your business data, then you may want more restrictive options, like these:

Here we block data outbound from corporate apps, disable backup, and disable copy/paste except within the managed applications. OneDrive and SharePoint are acceptable locations to save data, but nowhere else. Likewise for Access requirements, you might enforce a PIN or biometric:

Access requirements for sensitive businesses:

Note that when you dial up the protection level, it is going to have a user-facing impact. Not going to lie to you: not everyone is fan of it. Being prompted each time you open the app, even just for a biometric, can feel annoying. And, you may run into some instances when that copy/paste/export restriction can really ruin your day. But, if you deal in sensitive data with lines of red tape and regulations all around it, these may be the right protections to have in place.

If that doesn’t describe your business, and all you want is the ability to remove data from a lost/stolen/terminated device, then the minimum settings may be all you care to have.

So there you have it. Don’t neglect the other half of the equation–the Conditional access policy is not enough on its own. You need the App protection policy to round out the picture, even if its only there to provide encryption of the app data.

Technical , , , , , 5 Comments
Share:

Comments (5)

  • Carolyn Billups Reply

    Good read thank you for sharing. This was a recent gotchya for me as we were doing an implementation of both MAM and MDM and wanted to “require approved app” for Outlook. With our MAM policies we wanted to have more control than we did with our MDM policies when it came to app protection. In order for users to get the right app protection policies and to be able to wipe Outlook we had to be sure to push the app (iOS store app) and put in the configuration key (IntuneMAMUPN, String, {{UserPrincipalName}}).

    September 3, 2019 at 9:21 am
  • antony brookman Reply

    Hi Alex
    Not sure if you, or any other readers have come across the same recent experience I have had with this topic…. In the last 24 hours, I ticked ON “Require app protection policy” in an App Protection policy that we’ve had running for a few months now, which already had just the “Require approved app” ticked on. The policy had 12 “Targeted apps” selected.
    After doing so, when testing with a Managed iPhone, I found that 6 out of the 12 apps would no longer load with a message saying “you can’t get there from here…. it looks like you’re trying to open this resource with a client app that is not available for use with app protection policies……….”.
    And then rather ironically, after de-selecting “require app protection policy” and trying again, the apps DID load, along with an initial message saying “your organization is now protecting its data in this app. restart the app to continue.”!

    Apps that loaded ok when require app protection was ticked on were::
    Word
    Excel
    OneDrive
    Planner
    PowerPoint
    OneNote

    and those that failed when require app protection was ticked on were::
    Flow
    Power BI
    Skype for Business
    SharePoint
    Teams
    To Do

    October 3, 2019 at 7:37 am
  • Francisco MAtos Reply

    Hi Alex
    I’ve found that TEAMS IOS client doesn’t work with conditional access if you check both settings, managed app and app protection, but it does if you only check app protection.
    Have you heard about this issue?

    December 2, 2019 at 6:25 pm
    • Alex Reply

      You will not want to enforce the control for app protection, just “require approved client app.” Yes, Teams is not supported yet for that access control.

      December 2, 2019 at 7:17 pm
  • franisco Matos Reply

    Thank you Alex

    December 3, 2019 at 1:16 am

Leave a Reply

Back to Blog

Related Posts

06Apr

Inventory and Control of Apps within and beyond the perimeter with Microsoft 365

Managing devices is a topic I have probably burnt my readers out on by this point, so it's time we move into the next stage: wrangling all those crazy third-party applications hiding out in your environment! To build up a foundation of good security, we... read more
17Sep

Enable the Archive Mailbox and modify the default retention policy (for cloud-only and hybrid users)

In any subscription that includes Exchange Online Archiving, such as Office 365 E3 or Microsoft 365 Business (as well as any subscription to which the Archiving add-on is applied), it is possible to enable an unlimited storage container for those hoarders out there, known as... read more
26May

Migration path from SBS to Office 365 & Windows Server 2016

So many small businesses adopted Microsoft's Windows Small Business Server (SBS) product--now that the product has been discontinued, these organizations tend to need a little more guidance regarding the migration path forward from SBS 2003, 2008 or 2011. Do I still need an On-premises Windows Server? With the option to... read more
08Aug

Hyper-V Failover Cluster: MPIO & CSV Storage

Continuing our last post on Hyper-V Failover Clustering, we turn our focus from networking to storage. To bring storage into the picture, we will have to provision some volumes from Storage Spaces, our SAN or other Shared Storage device. This varies by vendor, so see their... read more
13Oct

Top Mobility-Enabling Security Features in Office 365

At this point, even the staunchest conservatives among us have to admit that we live in a post-perimeter world. In recent years there have been even more developments and trends chipping away at our traditional conceptions of so-called perimeter-based security. Cloud and mobility means two things: Users... read more
19Nov

How to configure Mobile Application Management (MAM) with Microsoft 365 Business (and Intune)

With a traditional MDM solution, the goal is typically to impose management controls at the device level--enforcing policies like pass code with automatic screen lock, encryption, and remote device wipe. It can also be helpful in tracking inventory of mobile devices. All of these "MDM"... read more
11Oct

Removing local admin: a game of compromise (and some tips and tricks)

Look, I am a realist. Yes: from a security perspective it would be ideal if we could take away local admin privileges on every corporate owned Windows 10 workstation. But that still isn't very easy to do for many organizations. Some orgs do need to maintain... read more
01Nov

How to migrate from Windows Server Active Directory to Azure AD and Microsoft 365 Business (including Teams) in 5 easy steps

Microsoft 365 Business is a very compelling platform for the small business, particularly those that are "born in the cloud," or, those who have shed most of their on-premises server weight already, by moving their line of business apps to cloud-based alternatives. I can't tell... read more
07Jul

Migrate Printer Shares from SBS to Windows Server 2016

If you have printer shares on the source server, you will want to export them, then import and publish them on the new server. Whether you are coming from Windows SBS 2008, 2011 or Windows Server 2008 or 2008 R2, the following steps will work for you. Step... read more
29Nov

Three ways to protect your customer’s on-premises data with Azure: Part 3 – Azure Site Recovery

In the previous two posts we looked at: Azure Backup (using the MARS agent) Azure Backup Server (free DPM server) Those two solutions are markedly different from one another, but they both basically provide some kind of backup. The former does only file, folder & system... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me