Steve Whitcher
Bronze Contributor
Feb 04, 2021

MAM policy targeting unmanaged devices is affecting managed iOS device

I've created my first App Protection Policy, in an effort to gain some control over what users can do with company apps & data on personal devices. I set the policy to target apps on unmanaged devices, and assigned the policy to my own user account for testing.

My intent was to install apps and sign in on an unmanaged device to confirm the policy applied as expected, but I soon discovered that the targeted apps on my main iPhone (which is already managed) were affected by the policy. I got the notification that my company was managing my data for the app and was required to set up a PIN and enter that when launching the app.

My expectation was that the policy would not be applied to or have any effect on managed devices. Did I misunderstand something about how these settings should work, or is there something I may have done wrong in the configuration which would cause the policy to apply on a managed device?

    • Steve Whitcher
      Bronze Contributor
      Thanks, that looks like it may have been the issue. I did see mention of that setting in the documentation, but wasn't clear on how to set it. I assumed since I was using the templated configuration builder for Outlook, that it would have included all the necessary settings. Thanks to your post though, I found this blog post which explained the setting a bit more clearly to me. Though, I see now looking at the docs again it also mentions an IntuneMAMDeviceID setting, while the blog post made no mention of that. It says that's required for third-party and LOB apps though, so I guess it's not needed for MS apps? ¯\_(ツ)_/¯
      It seems odd that they would give you a drop down to select managed/unmanaged/all in the app protection policy, but then require a separate app configuration policy to add a setting needed to make that drop down work. The tool tip should explicitly state that additional configuration is required to make that drop down work as expected.
    • danny_grasso
      Brass Contributor
      Was this always the case? I'm almost sure I've used this previously without having to set the app settings on iOS enrolled devices.
      Would be nice if there was a setting to enable the IntuneMAMUPN for all apps targeted by an app protection policy...
      I think I'll go add a feature request.
    • Valdularo
      Copper Contributor
      I cannot stress to you just how helpful this was. Thank you very very much, this fixed an issue we were having setting this up. A tad silly as a managed device should be recognised from endpoint manager but alas such as it is. Thank you!
  • Pa_D
    Brass Contributor

    Steve Whitcher, in the app protection policy, is "Target to all device types" set to "No" and "Device Type" selected to "Unmanaged"?

      • Pa_D
        Brass Contributor

        Steve Whitcher 

        You can try this and see if both your managed & unmanaged devices show up.

        Apps > App Selective wipe > choose your user name and see if both devices show up.
