Android MAM-WE

Copper Contributor

I am trying to rollout MAM-WE for our Android users. My question is how do I block users access to outlook and teams that were already downloaded and logged in with company credentials and force them to use the one in work profile ?



4 Replies

Hello @Sovrano 


Welcome to the Microsoft community, my name is Recep I'll be happy to help you today.


To enforce the use of work profiles for Outlook and Teams on Android devices, you can create and deploy App Protection Policies using Intune. Here are the general steps:


Blocking access to personal Outlook and Teams apps:

  1. Create App Protection Policy:
    • Sign in to the Microsoft Endpoint Manager admin center.
    • Navigate to Apps > App protection policies.
    • Click on + Create Policy.
    • Choose Android as the platform.
    • Select the appropriate settings for your organization, including data transfer and access requirements.
  2. Assign the Policy:
    • After creating the policy, assign it to the relevant user group.
    • Go to the Assignments tab in the policy.
    • Click on Select groups to include and choose the user groups you want to apply the policy to.

Forcing the use of work profile Outlook and Teams:

  1. Configure Work Profile Settings:
    • In the Microsoft Endpoint Manager admin center, navigate to Devices > Android > Work profiles.
    • Configure the work profile settings, ensuring that the required apps (Outlook and Teams) are available in the work profile.
  2. App Configuration Policies:
    • Create App Configuration Policies for Outlook and Teams to pre-configure settings for these apps within the work profile.
    • In the Microsoft Endpoint Manager admin center, go to Apps > App configuration policies.
    • Click on + Add to create a new policy.
    • Choose the app (Outlook or Teams) and configure the settings according to your requirements.
    • Assign the policy to the user groups that need to use the work profile apps.
  3. Educate Users:
  • Inform users about the change in policy and guide them on how to access Outlook and Teams within the work profile.
  1. Monitor and Troubleshoot:
  • Monitor the deployment in the Microsoft Endpoint Manager admin center to ensure policies are applied successfully. 




If I have answered your question, please mark your post as Solved

If you like my response, please give it a Like :smile:

Appreciate your Kudos! Proud to contribute! :)



MAM-WE stands for Without Enrollment, so in other words, you don't have a workprofile on your Android devices.
If you want to work with work profiles, than you should consider to configure MDM for Android and on top of that MAM.
Can you provide more details please. I was able to get App Protection Policy working once I downloaded the company portal. That is fine and dandy

My question is how do I make it that users get prompt to download company portal when they try to sign into outlook and when they do, the device show up in the android device section in Intune?
Do you have a conditional access policy set up for these users? If not, have that in place and the grant should be on "Require App Protection Policy".
From what I have seen, if an app protection policy is assigned for the users, they should automatically be prompted to download the Company portal app, which is the Android broker app.