Forum Discussion
Steve Whitcher (Bronze Contributor)
Feb 04, 2021
MAM policy targeting unmanaged devices is affecting managed ios device
I've created my first App Protection Policy, in an effort to gain some control over what users can do with company apps & data on personal devices. I set the policy to target apps on unmanaged devic...
Feb 10, 2021
You have to configure the IntuneMamUPN setting for all the iOS apps. Otherwise, the apps won't know the difference if they are managed or unmanaged.
If you don't specify this setting, unmanaged is the default. So even when your device is enrolled/compliant it will get the unmanaged app protection policies.
Create and deploy app protection policies - Microsoft Intune | Microsoft Docs
- Valdularo (Jan 29, 2022, Copper Contributor): I cannot stress to you just how helpful this was. Thank you very very much, this fixed an issue we were having setting this up. A tad silly as a managed device should be recognised from endpoint manager but alas such as it is. Thank you!
- Jan 30, 2022: Hi,
Thanks for your kind words! I am glad I could help you out!
- danny_grasso (Feb 26, 2021, Brass Contributor): Was this always the case? I'm almost sure I've used this previously without having to set the app settings on iOS enrolled devices.
Would be nice if there was a setting to enable the IntuneMAMUPN for all apps targeted by an app protection policy...
I think I'll go add a feature request.
- Jan 30, 2022:
Hi,
Sorry for my late response, couldn't log in somehow 🙂
https://twitter.com/ooms_rudy/status/1487387393716068352
But that would be nice indeed, it should save you some time. In my GitHub there is a part where I automated that deployment.
https://github.com/Call4cloud/Enrollment/blob/main/DU/
I am explaining that part also in the blog I mentioned above!
- danny_grasso (Feb 26, 2021, Brass Contributor): https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/42782339-app-targetted-apps-applies-intinemamupn-option
- Steve Whitcher (Feb 10, 2021, Bronze Contributor): Thanks, that looks like it may have been the issue. I did see mention of that setting in the documentation, but wasn't clear on how to set it. I assumed since I was using the templated configuration builder for Outlook, that it would have included all the necessary settings. Thanks to your post though, I found this blog post which explained the setting a bit more clearly to me. Though, I see now looking at the docs again it also mentions an IntuneMAMDeviceID setting, while the blog post made no mention of that. It says that's required for third party and LOB apps though, so I guess it's not needed for MS apps? ¯\_(ツ)_/¯
It seems odd that they would give you a drop down to select managed/unmanaged/all in the app protection policy, but then require a separate app configuration policy to add a setting needed to make that drop down work. The tool tip should explicitly state that additional configuration is required to make that drop down work as expected.
- Jan 30, 2022: Hi, I also did some blogs about it.
The IntuneMamupn key could be explained a little bit better and why you need to configure it.
This one should explain it a little bit better 🙂
https://call4cloud.nl/2021/03/the-chronicles-of-mam/