App protection policy not applying

Brass Contributor


I'm trying to configure an iOS app protection policy for a client but I'm failing to get it applied on a iPhone XR with a fully licensed user.

I deployed the app config policy with the IntuneMAMUPN key, currently only testing with the Outlook app, which is set as required in the portal. I reseted my phone, even created an Itunes account with my company test mail address, after configuring my phoen for the first time I installed the Intune portal App a go through the device registration process.

My phone gets an compliant status, marked as personally, even if changed to company owned no change until now, Outlook config policy is applied but not the protection policy.

When I check the monitor view I get the warning "This user is blocked by user-level wipe." and I can't find article about this error^^

Can anyone give me a hint to solve this nasty issue?

5 Replies

Hi @Julian12 


Where exactly are you seeing that error from? I usually use the following report to make sure whether or not my policy has applied: Apps > Monitor > App protection status > Reports > User report


What is your Target to apps on all device types selection? If it is not set to Yes or both types that cause some issues, the type state is a bit fiddly to pinpoint and thus its more simple to target both, more about that in Creating an iOS app protection policy docs. 


Ownership type should not matter when it comes to App Protection policies.

Hi @Alo Press,

I see that error in the same reporting tool:


Currently I set the target devices to managed only, tried for a short time with Both but wasn't working too. Will test this again..

Edit: Not sure if this is a problem but atm my test phone has no SIM card or any mobile number attached to it.

best response confirmed by Julian12 (Brass Contributor)

@Julian12 Are the apps that you are trying to Protect managed? Meaning are they published through the Intune Company Portal or are you just testing App Store apps and waiting until they apply? 


In some cases Signing into the app might be needed for the Protection to trigger as the app is assuming the protection from Your specific MDM - this is more relevant with multi-identity enabled apps. 


Also, is there anything special about that test account? What licenses have you enabled to it or is it a DEM account? There is probably a lot of things that might not work quite right for DEM accounts. 


Regarding the user-level wipe.. it might have something to do with pending App selective wipe, if you have any pending delete the requests. Docs here on how to Delete a device wipe request.

Frickin hell, there was really a selective wipe in place for this account, so obvious^^
I deleted that request and reset my device, hopefully it is working now..
Many thanks for this hint, seems too easy :\

Yeah, its working now, thanks for your help :)
Have a nice day!