Forum Discussion
MAM policy targeting unmanaged devices is affecting managed iOS device
I've created my first App Protection Policy, in an effort to gain some control over what users can do with company apps & data on personal devices. I set the policy to target apps on unmanaged devices, and assigned the policy to my own user account for testing.
My intent was to install apps and sign in on an unmanaged device to confirm the policy applied as expected, but I soon discovered that the targeted apps on my main iPhone (which is already managed) were affected by the policy. I got the notification that my company was managing my data for the app and was required to set up a PIN and enter it when launching the app.
My expectation was that the policy would not be applied to or have any effect on managed devices. Did I misunderstand something about how these settings should work, or is there something I may have done wrong in the configuration which would cause the policy to apply on a managed device?
You have to configure the IntuneMAMUPN setting for all the iOS apps. Otherwise, the apps won't know the difference between being managed or unmanaged.
If you don't specify this setting, unmanaged is the default. So even when your device is enrolled/compliant, it will get the unmanaged app protection policies.
Create and deploy app protection policies - Microsoft Intune | Microsoft Docs
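One way to generate the iOS app configuration policy the answer describes, and to audit which app-protection-targeted iOS apps still lack it, as an added Python example that is not part of the thread or of Microsoft's documentation. The Graph resource type (`iosMobileAppConfiguration`), the `IntuneMAMUPN` / `IntuneMAMDeviceID` keys and the `{{userprincipalname}}` / `{{deviceid}}` tokens are the documented ones; the app IDs, display names and helper function names are constructed for illustration, and the script builds the request body offline rather than calling Graph.

```python
"""Build and audit an Intune iOS app configuration that sets IntuneMAMUPN.

Added example, not code from the forum thread or from Microsoft. The Graph
resource shape is the documented one; app IDs and names are constructed.
"""
import json

# Keys a MAM-enabled iOS app reads to learn that the device is enrolled.
UPN_KEY = "IntuneMAMUPN"
DEVICE_ID_KEY = "IntuneMAMDeviceID"  # docs say needed for third-party/LOB apps
# Intune substitutes these tokens per user/device when it delivers the config.
UPN_TOKEN = "{{userprincipalname}}"
DEVICE_ID_TOKEN = "{{deviceid}}"

# Documented Graph collection a real deployment would POST the body to.
GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileAppConfigurations"
IOS_CONFIG_TYPE = "#microsoft.graph.iosMobileAppConfiguration"


def _setting(key, value):
    """One string-typed app configuration setting item."""
    return {
        "@odata.type": "#microsoft.graph.appConfigurationSettingItem",
        "appConfigurationKey": key,
        "appConfigurationKeyType": "stringType",
        "appConfigurationKeyValue": value,
    }


def build_ios_mam_app_config(display_name, targeted_app_ids, include_device_id=False):
    """Return the Graph request body for a managed-device app configuration
    that tells the targeted iOS apps which enrolled user (and optionally
    device) they belong to, so the *managed* app protection policy applies."""
    settings = [_setting(UPN_KEY, UPN_TOKEN)]
    if include_device_id:
        settings.append(_setting(DEVICE_ID_KEY, DEVICE_ID_TOKEN))
    return {
        "@odata.type": IOS_CONFIG_TYPE,
        "displayName": display_name,
        "targetedMobileApps": list(targeted_app_ids),
        "settings": settings,
    }


def apps_missing_upn_config(app_configs, protected_app_ids):
    """Return the protected app IDs that no iOS app configuration covers with
    IntuneMAMUPN. Each app listed here is treated as unmanaged by Intune even
    on an enrolled device, which is the symptom described in the thread."""
    covered = set()
    for cfg in app_configs:
        if cfg.get("@odata.type") != IOS_CONFIG_TYPE:
            continue
        keys = {s.get("appConfigurationKey") for s in cfg.get("settings", [])}
        if UPN_KEY in keys:
            covered.update(cfg.get("targetedMobileApps", []))
    return sorted(set(protected_app_ids) - covered)


# Constructed placeholder app IDs (Intune mobileApp object IDs are GUIDs).
OUTLOOK_IOS = "00000000-0000-0000-0000-00000000aa01"
TEAMS_IOS = "00000000-0000-0000-0000-00000000aa02"
LOB_IOS = "00000000-0000-0000-0000-00000000aa03"

# Constructed tenant state: Outlook has the key, Teams has an unrelated
# setting only, the LOB app has no configuration at all.
SAMPLE_CONFIGS = [
    build_ios_mam_app_config("Outlook - MAM UPN", [OUTLOOK_IOS]),
    {
        "@odata.type": IOS_CONFIG_TYPE,
        "displayName": "Teams - no UPN key",
        "targetedMobileApps": [TEAMS_IOS],
        "settings": [_setting("SomeOtherKey", "value")],
    },
]


def audit_sample():
    """Apps in the sample tenant that would still be seen as unmanaged."""
    return apps_missing_upn_config(SAMPLE_CONFIGS, [OUTLOOK_IOS, TEAMS_IOS, LOB_IOS])


if __name__ == "__main__":
    body = build_ios_mam_app_config("LOB app - MAM UPN", [LOB_IOS], include_device_id=True)
    print("POST", GRAPH_ENDPOINT)
    print(json.dumps(body, indent=2))
    print("Apps still missing IntuneMAMUPN:", audit_sample())
```

The audit helper is the check to run before assuming the managed/unmanaged drop-down will behave: any app it returns will fall under the unmanaged policy on enrolled devices until an app configuration carrying IntuneMAMUPN is assigned to it.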
- Steve Whitcher
Thanks, that looks like it may have been the issue. I did see mention of that setting in the documentation, but wasn't clear on how to set it. I assumed that since I was using the templated configuration builder for Outlook, it would have included all the necessary settings. Thanks to your post though, I found this blog post which explained the setting a bit more clearly to me. Though, looking at the docs again, I see it also mentions an IntuneMAMDeviceID setting, while the blog post made no mention of that. It says that's required for third-party and LOB apps though, so I guess it's not needed for MS apps? ¯\_(ツ)_/¯
It seems odd that they would give you a drop-down to select managed/unmanaged/all in the app protection policy, but then require a separate app configuration policy to add a setting needed to make that drop-down work. The tool tip should explicitly state that additional configuration is required to make that drop-down work as expected.
- Hi, I also did some blogs about it.
The IntuneMAMUPN key could be explained a little bit better, and why you need to configure it.
This one should explain it a little bit better 🙂
https://call4cloud.nl/2021/03/the-chronicles-of-mam/
- danny_grasso
Was this always the case? I'm almost sure I've used this previously without having to set the app settings on iOS enrolled devices.
Would be nice if there was a setting to enable IntuneMAMUPN for all apps targeted by an app protection policy...
I think I'll go add a feature request.
- Valdularo
I cannot stress to you just how helpful this was. Thank you very, very much; this fixed an issue we were having setting this up. A tad silly, as a managed device should be recognised by Endpoint Manager, but alas, such as it is. Thank you!
- Hi,
Thanks for your kind words! I am glad I could help you out!
- Pa_D
Steve Whitcher, in the app protection policy, is "Target to all device types" set to "No" and "Device Type" set to "Unmanaged"?
- Pa_D
You can try this and see if both your managed and unmanaged devices show up:
Apps > App selective wipe > choose your user name and see if both devices show up.