Access Resources – UEM Authority
https://guides.uemauthority.com
Learn. Test. Deploy
Thu, 20 Jan 2022 16:24:36 +0000

Create an App Protection Policy (MAM)
https://guides.uemauthority.com/knowledge-base/create-an-app-protection-policy-mam/
Thu, 20 Jan 2022 12:19:24 +0000

In this guide, we create an App Protection policy in order to demonstrate how Data Protection and Data Loss Prevention (DLP) controls can be extended to our managed and unmanaged devices.

App Protection applied to unmanaged devices is known as MAM without enrolment (MAM-WE). MAM-WE is commonly used for personal or bring-your-own devices (BYOD), and can also be used on organisation-owned devices that need specific app configuration or extra app security.

MAM-WE is also an option for users who do not enrol their personal devices but still need access to organisation email.

Create an App Protection Policy

Note – Outlook MAM protection requires an Azure AD account (Hybrid or Cloud) and Exchange Online mailbox (Hybrid or Cloud)

From the home dashboard, navigate to Apps > App Protection Policies.

Select the ‘Add’ button and then select ‘iOS/iPadOS’.

Set a Name and Description.
**Example**
Name: iOS – MAM Policy
Description: MAM Policy for iOS devices.

Select ‘Next’.

For the purposes of this training course, MAM will be targeted to both Managed and Unmanaged iOS devices.

The following App Protection settings will be set:
**Example**
Target to apps on all device types: Yes

Press ‘Select Public Apps’ and then select Outlook from the list.

Select ‘Next’.

Data Transfer

  • Backup org data to iTunes and iCloud backups: Block
  • Send org data to other apps: Policy managed apps
  • Select apps to exempt: Default
  • Save copies of org data: Block
  • Allow users to save copies to selected services: OneDrive for Business & SharePoint
  • Transfer telecommunication data to: Any dialer app
  • Dialer App URL Scheme: None
  • Receive data from other apps: Policy managed apps
  • Open data into Org documents: Block
  • Allow users to open data from selected services: OneDrive for Business, SharePoint & Camera
  • Restrict cut, copy, and paste between other apps: Policy managed apps
  • Cut and copy character limit for any app: 0
  • Third-party keyboards: Allow

Encryption

  • Encrypt org data: Require

Functionality

  • Sync policy managed app data with native apps: Allow
  • Printing org data: Block
  • Restrict web content transfer with other apps: Microsoft Edge
  • Unmanaged browser protocol: None
  • Org data notifications: Allow

Access Requirements

  • PIN for access: Not Required
  • Work or school account credentials for access: Not Required
  • Recheck the access requirements after (minutes of inactivity): 30

Conditional Launch

  • Offline grace period: 720 minutes – Block access
  • Offline grace period: 90 days – Wipe data
  • Jailbroken/Rooted devices: Block access

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the App Protection Policy appear in the list ready for use.
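As an added example (this is not code from the UEM Authority guide), the following Python expresses the settings chosen above as the Microsoft Graph iosManagedAppProtection JSON an administrator would POST to https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections, then audits that JSON offline against a small hardening baseline. The Graph property names are real; the mapping from the portal labels to those properties and the audit thresholds are this example's own assumptions, and nothing here contacts the service.

```python
"""Added example: the guide's 'iOS – MAM Policy' as Graph iosManagedAppProtection JSON,
plus an offline audit of it. Builds and inspects JSON only; never contacts Graph."""
import json
import re

OUTLOOK_IOS_BUNDLE_ID = "com.microsoft.Office.Outlook"  # the public app picked in the guide


def iso8601_to_minutes(duration: str) -> int:
    """Convert the ISO 8601 durations Graph uses ('P90D', 'PT12H', 'PT30M') to whole minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", duration)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {duration!r}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return days * 24 * 60 + hours * 60 + minutes


def build_outlook_mam_policy() -> dict:
    """Portal choices from the guide mapped onto Graph property names.
    The label-to-property mapping is this example's reading of the portal (an assumption)."""
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": "iOS – MAM Policy",
        "description": "MAM Policy for iOS devices.",
        "targetedAppManagementLevels": "unspecified",           # target apps on all device types
        # Data transfer
        "dataBackupBlocked": True,                              # iTunes/iCloud backup: Block
        "allowedOutboundDataTransferDestinations": "managedApps",
        "saveAsBlocked": True,                                  # save copies of org data: Block
        "allowedDataStorageLocations": ["oneDriveForBusiness", "sharePoint"],
        "dialerRestrictionLevel": "allApps",                    # telecom data: any dialer app
        "allowedInboundDataTransferSources": "managedApps",
        "allowedOutboundClipboardSharingLevel": "managedApps",  # cut/copy/paste: managed apps
        "allowedOutboundClipboardSharingExceptionLength": 0,
        "thirdPartyKeyboardsBlocked": False,                    # third-party keyboards: Allow
        # Encryption and functionality
        "appDataEncryptionType": "whenDeviceLocked",            # encrypt org data: Require
        "contactSyncBlocked": False,                            # sync with native apps: Allow
        "printBlocked": True,
        "managedBrowserToOpenLinksRequired": True,
        "managedBrowser": "microsoftEdge",
        "notificationRestriction": "allow",
        # Access requirements and conditional launch
        "pinRequired": False,                                   # PIN for access: Not required
        "organizationalCredentialsRequired": False,
        "periodOnlineBeforeAccessCheck": "PT30M",               # recheck after 30 min inactivity
        "periodOfflineBeforeAccessCheck": "PT12H",              # 720 min offline: block access
        "periodOfflineBeforeWipeIsEnforced": "P90D",            # 90 days offline: wipe data
        "deviceComplianceRequired": True,                       # jailbroken/rooted: block access
        "apps": [{
            "@odata.type": "#microsoft.graph.managedMobileApp",
            "mobileAppIdentifier": {
                "@odata.type": "#microsoft.graph.iosMobileAppIdentifier",
                "bundleId": OUTLOOK_IOS_BUNDLE_ID,
            },
        }],
    }


def audit_app_protection(policy: dict) -> list:
    """Return settings that undercut the DLP intent; an empty list means the baseline is met.
    Thresholds are this example's baseline; the offline limits mirror the guide's own values."""
    findings = []
    if not policy.get("pinRequired") and not policy.get("organizationalCredentialsRequired"):
        findings.append("pinRequired is false: anyone holding the unlocked device can open org data")
    if policy.get("allowedOutboundClipboardSharingLevel") not in ("managedApps", "blocked"):
        findings.append("allowedOutboundClipboardSharingLevel permits paste into unmanaged apps")
    if not policy.get("dataBackupBlocked"):
        findings.append("dataBackupBlocked is false: org data ends up in iCloud/iTunes backups")
    if not policy.get("deviceComplianceRequired"):
        findings.append("deviceComplianceRequired is false: jailbroken devices keep access")
    if not policy.get("thirdPartyKeyboardsBlocked"):
        findings.append("thirdPartyKeyboardsBlocked is false: a third-party keyboard sees every keystroke")
    if iso8601_to_minutes(policy["periodOfflineBeforeAccessCheck"]) > 12 * 60:
        findings.append("periodOfflineBeforeAccessCheck exceeds 12 hours")
    if iso8601_to_minutes(policy["periodOfflineBeforeWipeIsEnforced"]) > 90 * 24 * 60:
        findings.append("periodOfflineBeforeWipeIsEnforced exceeds 90 days")
    return findings


def harden(policy: dict) -> dict:
    """Copy of the policy with the two findings the guide's settings raise closed."""
    hardened = dict(policy)
    hardened.update({"pinRequired": True, "minimumPinLength": 6, "pinCharacterSet": "numeric",
                     "simplePinBlocked": True, "thirdPartyKeyboardsBlocked": True})
    return hardened


if __name__ == "__main__":
    policy = build_outlook_mam_policy()
    for finding in audit_app_protection(policy):
        print("finding:", finding)
    print(json.dumps(harden(policy), indent=2, ensure_ascii=False))
```

Run against the guide's own choices, the audit raises two findings: no app PIN or credential prompt, and third-party keyboards allowed. Both are deliberate in this training tenant, but on a production BYOD policy they are the first two settings a reviewer should question, because without a PIN the MAM clipboard and save-as controls only protect data from other apps, not from whoever is holding the phone. Submitting the payload for real needs a token carrying DeviceManagementApps.ReadWrite.All, and the assignment to the 'Corporate Devices' group is a separate call against the created policy, not part of this body.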

See in Action

App Protection can be validated on the device by the user. Observing our enrolled device in Outlook, we can test the cut, copy and paste restrictions being enforced by our App Protection policy.

For the purposes of this demonstration, we have received an email from our fictional organisation that contains sensitive information. We will attempt to exfiltrate this information by means of copy and paste.

Copying text from the body of the email, we close Outlook and then open the native Notes app. On attempting to paste, App Protection has replaced the clipboard contents with the message “Your organization’s data cannot be pasted here”.

Within the Endpoint Manager portal, we can validate which apps the App Protection policy has been applied to, by app or by user, under Apps > Monitor > App Protection Status > Reports.

Selecting the User Report, we choose the enrolled user – johndoe@traininguemauthority.onmicrosoft.com.

The report shows iOS – MAM Policy is successfully applied against Microsoft Outlook.

Create an iOS Compliance Policy
https://guides.uemauthority.com/knowledge-base/create-an-ios-compliance-policy/
Wed, 19 Jan 2022 16:01:26 +0000

In this guide, we create an iOS Compliance Policy that defines the baseline criteria a device managed by Intune must meet to be reported compliant.

Create an iOS Compliance Policy

Note – Compliance requires users and devices to meet criteria set by an organisation. The rules and settings defined here are what the Endpoint Manager compliance engine assesses users and devices against to determine their compliance status. Compliance does not configure the device; it only evaluates it.

Sign in to your Endpoint Manager portal by browsing to https://endpoint.microsoft.com
From the home dashboard, navigate to Devices > Compliance Policies.

Select the ‘Create Policy’ button.

Select ‘iOS/iPadOS’ as the platform and then select ‘Create’.

Set a Name and Description.
**Example**
Name: iOS – Compliance Policy
Description: Compliance policy for iOS devices.

Select ‘Next’

For the purposes of this training course, the following example baseline compliance settings will be set:
**Example**
Email

  • Unable to set up email on the device: Require

Device Health

  • Jailbroken devices: Block
  • Require the device to be at or under the Device Threat Level: Not Configured

Device Properties

  • Minimum OS version: 13.0
  • Microsoft Defender for Endpoint: Not Configured

System Security

  • Require a password to unlock mobile devices: Require
  • Simple passwords: Block
  • Minimum password length: 6
  • Required password type: Numeric
  • Number of non-alphanumeric characters in password: 1
  • Maximum minutes after screen lock before the password is required: Immediately
  • Maximum minutes of inactivity until screen locks: 5 minutes

Select ‘Next’.
Actions for noncompliance will remain at the default, which marks the device noncompliant immediately.

Select ‘Next’.

Under Assignments, select ‘Add Groups’.

In this example, the ‘Corporate Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

Once created, you will see the compliance policy appear in the list ready for use.
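As an added example (not code from the guide), the Python below expresses the compliance settings chosen above as the Graph iosCompliancePolicy JSON an administrator would POST to https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies, and then applies the same rules to a constructed device inventory to show what the compliance engine actually assesses. The property names are Graph's; the mapping from the portal labels and the sample devices are this example's assumptions.

```python
"""Added example: the guide's 'iOS – Compliance Policy' as Graph iosCompliancePolicy JSON,
plus an evaluator that applies its rules to constructed device records. Like Intune
compliance itself, this only assesses a device and never changes it."""
from dataclasses import dataclass


def build_ios_compliance_policy() -> dict:
    """Portal choices from the guide mapped onto Graph property names.
    The label-to-property mapping is this example's reading of the portal (an assumption)."""
    return {
        "@odata.type": "#microsoft.graph.iosCompliancePolicy",
        "displayName": "iOS – Compliance Policy",
        "description": "Compliance policy for iOS devices.",
        "managedEmailProfileRequired": True,          # unable to set up email: Require
        "securityBlockJailbrokenDevices": True,       # jailbroken devices: Block
        "osMinimumVersion": "13.0",
        "passcodeRequired": True,
        "passcodeBlockSimple": True,
        "passcodeMinimumLength": 6,
        "passcodeRequiredType": "numeric",
        "passcodeMinimumCharacterSetCount": 1,        # non-alphanumeric characters: 1
        "passcodeMinutesOfInactivityBeforeLock": 0,   # password required: Immediately
        "passcodeMinutesOfInactivityBeforeScreenTimeout": 5,
        # Default 'Actions for noncompliance': mark noncompliant with no grace period.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block", "gracePeriodHours": 0,
                "notificationTemplateId": "", "notificationMessageCCList": [],
            }],
        }],
    }


@dataclass(frozen=True)
class DeviceRecord:
    """What an iOS device reports to MDM that the rules above can be checked against.
    iOS reports only whether a passcode is present and whether it satisfies the pushed
    restrictions; the passcode itself is never visible to the MDM server."""
    name: str
    os_version: str
    jailbroken: bool
    passcode_present: bool
    passcode_compliant: bool
    managed_email_profile: bool


def version_tuple(version: str) -> tuple:
    """'12.5.7' -> (12, 5, 7), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate_device(policy: dict, device: DeviceRecord) -> list:
    """Return the names of the policy rules the device fails; an empty list means compliant."""
    failed = []
    if policy.get("securityBlockJailbrokenDevices") and device.jailbroken:
        failed.append("securityBlockJailbrokenDevices")
    if "osMinimumVersion" in policy and \
            version_tuple(device.os_version) < version_tuple(policy["osMinimumVersion"]):
        failed.append("osMinimumVersion")
    if policy.get("passcodeRequired") and not device.passcode_present:
        failed.append("passcodeRequired")
    elif policy.get("passcodeRequired") and not device.passcode_compliant:
        failed.append("passcodeComplexity")   # length, simple-passcode or type rule not met
    if policy.get("managedEmailProfileRequired") and not device.managed_email_profile:
        failed.append("managedEmailProfileRequired")
    return failed


def assess_fleet(policy: dict, devices) -> dict:
    """Device name -> failed rules: the view summarised by the compliance column under Devices > All Devices."""
    return {d.name: evaluate_device(policy, d) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    DeviceRecord("iphone-johndoe", "15.2", False, True, True, True),
    DeviceRecord("ipad-legacy", "12.5.5", False, True, True, True),      # below the 13.0 minimum
    DeviceRecord("iphone-jailbroken", "15.1", True, True, True, True),
    DeviceRecord("iphone-nopasscode", "15.2", False, False, False, True),
    DeviceRecord("iphone-4digit", "15.2", False, True, False, True),     # passcode shorter than 6
]

if __name__ == "__main__":
    for name, failures in assess_fleet(build_ios_compliance_policy(), SAMPLE_DEVICES).items():
        print(f"{name}: {'compliant' if not failures else 'NOT compliant: ' + ', '.join(failures)}")
```

The version comparison is the detail most often got wrong in home-grown compliance scripts: compared as strings, "9.3" sorts above "13.0", so the tuple conversion matters. Submitting the payload needs DeviceManagementConfiguration.ReadWrite.All; as with the portal, the group assignment is a separate step.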

See in Action

Device compliance status can be validated on the device by the user. Observing our enrolled device within the Company Portal app, we can see the status says “Can access company resources”.

Within the Endpoint Manager portal, we can validate the compliance status of a device by navigating to Devices > All Devices.

Observing the device in question, we can see the compliance column indicates the device is compliant.

Selecting the device entry, under Device Compliance on the left side menu, we can see the compliance policy we created successfully assessed the device.

Configure Enrolment Restrictions
https://guides.uemauthority.com/knowledge-base/configure-enrolment-restrictions/
Mon, 17 Jan 2022 16:22:22 +0000

In this guide, we explore Device Type Restrictions and Device Limit Restrictions. Combined, both settings allow an organisation to define which devices can enrol into management with Intune, including the:

  • Number of devices.
  • Operating systems and versions.

Configure Device Type Restrictions

Note – Enrollment restrictions are not security features. Compromised devices can misrepresent their character. These restrictions are a best-effort barrier for non-malicious users.

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions

Under Device Type Restrictions, select the Default Policy called All Users.

Select Properties. Under Platform Settings, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Block

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Block

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Review + Save’ and then ‘Save’.

Top Tip – A separate Device Type Restriction for personally owned devices gives an organisation finer control over who, and what, can reach corporate resources. For example, an organisation may choose to limit personal or BYOD enrolment to eligible users or personas. Device Type Restrictions enable this kind of granular gatekeeping.

To create a personally owned or BYOD policy, using the best practice example below, select the ‘Create Restriction’ button.

Select the ‘Device Type Restriction’ option.

Set a Name and Description:
**Example**
Name: Personally Owned/BYOD Policy
Description: A device type restriction policy that limits enrolment of personally owned and BYOD devices to an eligible group of users.

Select ‘Next’.

Set the policy Platform Settings:
**Example**
Android Enterprise (Work Profile)

  • Platform: Allow
  • Versions: 10.0 min
  • Personally Owned: Allow

Android Device Administrator

  • Platform: Block

iOS/iPadOS

  • Platform: Allow
  • Versions: 13.0 min
  • Personally Owned: Allow

macOS

  • Platform: Block

Windows (MDM)

  • Platform: Allow
  • Personally Owned: Block

Select ‘Next’, and then ‘Next’ again (the Scope tags page can be left at its default).

Under Assignments, select ‘Add Groups’.

In this example, the ‘Personal BYOD Devices’ group will be selected.

Select ‘Select’ to add your Azure AD Group.

Select ‘Next’ and then ‘Create’.

You will see the Device Type Restrictions policy appear ready for use.

See in Action

Top Tip – If a personally owned iOS/iPadOS enrolment fails because the enrolment profile refuses to install, the device has been blocked by the default (All Users) Device Type Restriction rather than matched by the Personally Owned/BYOD policy. Generally, this means the user’s Azure AD account does not yet reside in the eligible Azure AD group, so the more permissive BYOD policy was never applied to them.

The Test User 01 Azure AD account does not yet reside in any group.

When Test User 01 attempts to enrol an iOS device, installation of the management profile fails.

Observing Intune enrolment failures report under Devices > Monitor > Enrolment Failures, we can see the reason why enrolment was blocked.

Configure Device Limit Restrictions

Important – Device limit restrictions do not apply to the following Windows enrolment types:

  • Co-managed enrolments
  • GPO enrolments
  • Azure Active Directory joined enrolments
  • Bulk Azure Active Directory joined enrolments
  • Autopilot enrolments
  • Device Enrollment Manager enrolments

From the home dashboard, navigate to Devices > Enrol Devices > Enrolment Restrictions

Under Device Limit Restrictions, select the Default Policy called All Users.

Select Properties. Under Device Limit, select Edit.

In this example, the Default Policy will be modified to reflect the below settings:
**Example**
Device Limit: From 10 to 5

Select ‘Review + Save’ and then ‘Save’.
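As an added example (not code from the guide), the Python below lays out the two Device Type Restrictions and the Device Limit from this guide in the shape of the Graph deviceEnrollmentPlatformRestrictionsConfiguration and deviceEnrollmentLimitConfiguration resources, and reproduces how Intune decides which restriction an enrolling user hits: the highest-priority restriction assigned to one of the user's groups wins, and the default applies only when none does. The Graph property names are real; folding the group assignment into an "assignedGroups" field, and the test users, are this example's simplifications.

```python
"""Added example: the guide's default and BYOD device type restrictions and its device limit,
in the shape of Graph deviceEnrollmentPlatformRestrictionsConfiguration and
deviceEnrollmentLimitConfiguration resources, plus an evaluator for which one an enrolment hits."""


def platform_rule(allow: bool, min_version=None, personal_blocked=True) -> dict:
    """One platform block of a restriction, using Graph's field names."""
    return {"platformBlocked": not allow, "personalDeviceEnrollmentBlocked": personal_blocked,
            "osMinimumVersion": min_version, "osMaximumVersion": None}


def device_type_restriction(name: str, personal_allowed: bool, priority, groups) -> dict:
    """The two restrictions in the guide differ only in whether personal iOS/Android may enrol.
    'assignedGroups' is a simplification: in Graph, assignments are a separate relationship."""
    return {
        "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
        "displayName": name,
        "priority": priority,          # custom restrictions: lower number wins; the default has none
        "assignedGroups": list(groups),
        "androidForWorkRestriction": platform_rule(True, "10.0", not personal_allowed),
        "androidRestriction": platform_rule(False),                   # device administrator: Block
        "iosRestriction": platform_rule(True, "13.0", not personal_allowed),
        "macOSRestriction": platform_rule(False),
        "windowsRestriction": platform_rule(True, None, True),        # personal Windows: Block in both
    }


DEFAULT_RESTRICTION = device_type_restriction("All Users", False, None, ())
BYOD_RESTRICTION = device_type_restriction("Personally Owned/BYOD Policy", True, 1,
                                           ["Personal BYOD Devices"])
DEVICE_LIMIT = {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
                "displayName": "All Users", "limit": 5}

PLATFORM_KEYS = {"ios": "iosRestriction", "androidEnterprise": "androidForWorkRestriction",
                 "androidDeviceAdministrator": "androidRestriction",
                 "macOS": "macOSRestriction", "windows": "windowsRestriction"}


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def select_restriction(user_groups, restrictions, default) -> dict:
    """Intune applies the highest-priority restriction assigned to a group the user belongs to;
    the default is used only when no custom restriction matches."""
    matches = [r for r in restrictions if set(r["assignedGroups"]) & set(user_groups)]
    return min(matches, key=lambda r: r["priority"]) if matches else default


def check_enrolment(user_groups, platform, os_version, personal, enrolled_count,
                    restrictions=(BYOD_RESTRICTION,), default=DEFAULT_RESTRICTION, limit=DEVICE_LIMIT):
    """Return (allowed, reason). Platform, OS version and ownership are self-reported by the
    device, which is why the guide warns these restrictions are not security controls."""
    restriction = select_restriction(user_groups, restrictions, default)
    rule = restriction[PLATFORM_KEYS[platform]]
    who = restriction["displayName"]
    if rule["platformBlocked"]:
        return False, f"{who}: platform {platform} is blocked"
    if rule["osMinimumVersion"] and version_tuple(os_version) < version_tuple(rule["osMinimumVersion"]):
        return False, f"{who}: OS {os_version} is below minimum {rule['osMinimumVersion']}"
    if personal and rule["personalDeviceEnrollmentBlocked"]:
        return False, f"{who}: personally owned enrolment is blocked"
    if enrolled_count >= limit["limit"]:
        return False, f"device limit of {limit['limit']} reached"
    return True, f"{who}: enrolment allowed"


if __name__ == "__main__":
    # Constructed cases: a user in no group (the failure the guide shows) and a user in the BYOD group.
    for groups, platform, version, personal, count in [
        ([], "ios", "15.2", True, 0),
        (["Personal BYOD Devices"], "ios", "15.2", True, 0),
        ([], "ios", "15.2", False, 0),
        ([], "androidDeviceAdministrator", "11", False, 0),
        (["Personal BYOD Devices"], "ios", "15.2", True, 5),
    ]:
        owner = "personal" if personal else "corporate"
        print(groups, platform, version, owner, check_enrolment(groups, platform, version, personal, count))
```

The first case is exactly the Test User 01 failure in the See in Action section: no group membership, so the All Users default applies and its "Personally Owned: Block" rejects the device. Adding the user to 'Personal BYOD Devices' flips the outcome without touching the default policy. Creating these objects for real needs DeviceManagementServiceConfig.ReadWrite.All.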

Configure an End User Terms & Conditions Policy
https://guides.uemauthority.com/knowledge-base/configure-an-end-user-terms-conditions-policy/
Mon, 17 Jan 2022 14:27:47 +0000

In this guide, we explore and configure the Intune feature that presents end-user terms and conditions which must be accepted before a device is permitted to enrol.

Configure an end-user Terms & Conditions policy

From the home dashboard, select ‘Tenant Administration’.

Under ‘End User Experiences’ select ‘Terms and Conditions’.

Select the ‘Create’ button.

Set a Name and Description.

Select the ‘Next’ button.

Complete the required information:
**Example**
Title: The name for your terms that users see in the Company Portal above the Summary.
Terms and Conditions: The terms and conditions that users see and must either accept or reject.
Summary of Terms: Text that explains what it means when users accept the terms. For example, “By enrolling your device, you’re agreeing to the terms of use set out by UEM Authority. Read the terms carefully before proceeding.”

Select the ‘Next’ button.

On the Assignments page, choose whether to target select groups or all enrolled users.

Select the ‘Next’ button, then select the ‘Create’ button.

Once created, you will see the new policy populate in the Terms and Conditions settings overview pane.

See in Action

During enrolment, the Company Portal app displays the Terms & Conditions policy your organisation has assigned. The user is given the choice to accept or decline; declining halts the enrolment.
