App management policies using System Center Configuration Manager integrated with Microsoft Intune
First published on TECHNET on May 20, 2015
integrated with the newly released
service packs for System Center 2012 and R2 Configuration Manager
, hybrid customers can now leverage the Mobile Application Management (MAM) capabilities of Intune and deploy application management policies to
MAM managed apps
. These policies allow you to ensure company compliance and security policies are met. For example, you can restrict actions such as cut, copy and paste within a MAM managed app, or configure a MAM managed app to open all web links inside the Intune Managed Browser app (as this app is a MAM managed app).
App management policies support:
Devices that run Android 4 and later.
Devices that run iOS 7 and later.
When using System Center Configuration Manager (ConfigMgr) integrated with Intune, you can associate the app management policy with the ConfigMgr application’s deployment type (DT) that you want to restrict. When the application is deployed and the application’s DT is installed on devices, the settings you specify will take effect.
To apply policy to an app, the app must incorporate the Microsoft Intune App Software Development Kit (SDK). There are two methods of obtaining this type of app:
Use a policy managed app
(Android and iOS): Apps that have the Intune App SDK built-in. To add this type of app, you specify a link to the app from an app store such as iTunes or Google Play. No further processing is required for this type of app. See the list of
Available policy managed apps
To define an app management policy, navigate to
Software Library -> Overview -> Application Management -> Application Management Policies
Create Application Management Policy
from the ribbon.
Create Application Management Policy Wizard
enter a name and description for the policy in the
page, choose the platform and policy type for this policy. There are currently two policy types available:
policy type lets you modify the behavior of apps that you deploy to ensure company compliance and security requirements are met. For example, you can restrict actions such as cut, copy and paste within a corporate managed app.
policy type lets you modify the functionality of the Intune Managed Browser app. This app allows you to manage web browsing experience for users. This includes the sites they can visit and how links to content within the browser are opened. For more information on the Intune Managed Browser app, see
for iOS and
Next you can configure the individual settings that are applicable to the platform and policy type selected. For more information on these settings, see
policy type and
After the wizard is complete, click
to save the policy. You do not deploy the policy directly. Instead, you associate the policy with the ConfigMgr application’s deployment type (DT). The next section will walk you through how to do this.
Step 2: Associate the app management policy with a deployment type
When a ConfigMgr application is deployed, ConfigMgr will recognize that an application management policy must be linked to this deployment type (DT) based on that DT’s type.
If the application is not yet deployed, then this association can be made in the
Deploy Software Wizard
, on the
page. ConfigMgr will recognize all deployment types that are associated with the application being deployed, and prompt you to associate an app management policy at this time. (In the case of the Managed Browser, you will be required to associate both a General and Managed Browser policy.)
If the software is already deployed, then the deployment of that application’s DT will fail until this association is made. For existing applications, the association can be made in the
page of the application deployment, under the
Step 3: Monitor app management policies
Monitoring -> Overview -> Deployments
, you can view the status of the app management policies for a particular deployment by selecting
in the details pane of that deployment, under
Monitoring a particular deployment with an app management policy is the same as monitoring any other deployment under
Monitoring -> Overview -> Deployments
. Remember that application deployments will fail if an app management policy has not been associated with Deployment Type that requires it (see step 2 to remedy this).