MAM policy targeting unmanaged devices is affecting managed iOS device

I've created my first App Protection Policy, in an effort to gain some control over what users can do with company apps & data on personal devices.  I set the policy to target apps on unmanaged devices, and assigned the policy to my own user account for testing.  


My intent was to install apps and sign in on an unmanaged device to confirm the policy applied as expected, but I soon discovered that the targeted apps on my main iPhone (which is already managed) were affected by the policy. I got the notification that my company was managing my data for the app and was required to set up a PIN and enter it when launching the app.

My expectation was that the policy would not be applied to or have any effect on managed devices.  Did I misunderstand something about how these settings should work, or is there something I may have done wrong in the configuration which would cause the policy to apply on a managed device? 


17 Replies

@Steve Whitcher In the app protection policy, is "Target to all device types" set to "No" and "Device Type" set to "Unmanaged"?

@Pa_D Yes


[Attachment: mam.png]

@Steve Whitcher 

Can you try this and see if both your managed and unmanaged devices show up?

Apps > App Selective wipe > choose your user name and see if both devices show up.

@Pa_D Good question.  I show 3 devices in that screen, one of which is an old PC and can be ruled out.  The other 2 are unfortunately just named iPhone at the moment, so I can't say for sure.  I'll rename the devices and check again after it updates. 

@Pa_D After changing the name on both devices, one of the two 'iPhone' entries on that screen updated, while the other still says 'iPhone'.  I'm assuming the one that didn't update must be an old phone, not my current one.  

@Steve Whitcher is it showing the iOS device that is "Managed"?

No, the managed device does not show up under my user on the Create Wipe Request screen.
Strike that: it seems that the managed device was on that list, the name just wasn't updating for some reason.
I decided to send a wipe request for the 'iPhone' that did not get renamed. After submitting the request, the wipe request screen showed my various apps and showed the device name as the correct, updated name of my managed device.

@Steve Whitcher I would suggest trying to reproduce it on another "Managed" iOS device to see if the app protection policy is applied again.

@Steve Whitcher 

You have to configure the IntuneMAMUPN setting for all the iOS apps. Otherwise, the apps won't know whether they are managed or unmanaged.

If you don't specify this setting, unmanaged is the default. So even when your device is enrolled/compliant, it will get the unmanaged app protection policies.

Create and deploy app protection policies - Microsoft Intune | Microsoft Docs
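The fix described in this reply, as a script added here (not code from the thread, from Microsoft, or from the linked blog): it creates the iOS app configuration policy that sets IntuneMAMUPN and IntuneMAMDeviceID through Microsoft Graph and assigns it to a group. It assumes the Microsoft.Graph PowerShell module, an existing Connect-MgGraph session with the DeviceManagementApps.ReadWrite.All scope, and placeholder app and group IDs.

```powershell
# Added example (not code from this thread or from Microsoft): builds the iOS app
# configuration policy that sets IntuneMAMUPN / IntuneMAMDeviceID for managed
# devices, so MAM-aware apps can tell an enrolled device from an unmanaged one.
# Assumes the Microsoft.Graph module and an existing session opened with
#   Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$Graph = "https://graph.microsoft.com/beta/deviceAppManagement"

function Get-IntuneIosAppIds {
    # Lists the iOS store apps already added to Intune, so the right IDs can be targeted.
    $uri = "$Graph/mobileApps?`$filter=isof('microsoft.graph.iosStoreApp')"
    (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value |
        Select-Object id, displayName, bundleId
}

function New-IntuneMamUpnConfig {
    param(
        [Parameter(Mandatory)] [string[]] $TargetedAppIds,   # Intune app IDs from Get-IntuneIosAppIds
        [string] $DisplayName = "iOS - IntuneMAMUPN (managed devices)"
    )
    # {{userprincipalname}} and {{deviceid}} are Intune configuration tokens that the
    # service expands per user/device when the settings are pushed over the MDM channel.
    $body = @{
        "@odata.type"      = "#microsoft.graph.iosMobileAppConfiguration"
        displayName        = $DisplayName
        description        = "Tells MAM-aware apps that this device is Intune-managed"
        targetedMobileApps = $TargetedAppIds
        settings           = @(
            @{ appConfigurationKey = "IntuneMAMUPN"; appConfigurationKeyValueType = "stringType"
               appConfigurationKeyValue = "{{userprincipalname}}" },
            # IntuneMAMDeviceID: the docs linked above call it required for third-party and LOB apps
            @{ appConfigurationKey = "IntuneMAMDeviceID"; appConfigurationKeyValueType = "stringType"
               appConfigurationKeyValue = "{{deviceid}}" }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/mobileAppConfigurations" `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType "application/json" -OutputType PSObject
}

function Add-IntuneMamUpnAssignment {
    param([Parameter(Mandatory)] [string] $ConfigId, [Parameter(Mandatory)] [string] $GroupId)
    # The policy only takes effect once assigned; use the same group that receives the MAM policy.
    $assign = @{ assignments = @(@{
        "@odata.type" = "#microsoft.graph.managedDeviceMobileAppConfigurationAssignment"
        target        = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId }
    }) }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/mobileAppConfigurations/$ConfigId/assign" `
        -Body ($assign | ConvertTo-Json -Depth 6) -ContentType "application/json"
}

# Usage (placeholder IDs): pick the Outlook/Teams IDs from Get-IntuneIosAppIds, then:
# $cfg = New-IntuneMamUpnConfig -TargetedAppIds @("<outlook-app-id>", "<teams-app-id>")
# Add-IntuneMamUpnAssignment -ConfigId $cfg.id -GroupId "<pilot-group-object-id>"
```

After the policy syncs to an enrolled device, the app reads IntuneMAMUPN from its managed app configuration and the "Unmanaged"-targeted protection policy no longer applies there.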

Thanks, that looks like it may have been the issue. I did see mention of that setting in the documentation, but wasn't clear on how to set it. I assumed that since I was using the templated configuration builder for Outlook, it would have included all the necessary settings. Thanks to your post though, I found this blog post which explained the setting a bit more clearly to me. Though, I see now looking at the docs again that it also mentions an IntuneMAMDeviceID setting, while the blog post made no mention of that. It says that's required for third-party and LOB apps though, so I guess it's not needed for MS apps? ¯\_(ツ)_/¯
It seems odd that they would give you a drop-down to select managed/unmanaged/all in the app protection policy, but then require a separate app configuration policy to add a setting needed to make that drop-down work. The tooltip should explicitly state that additional configuration is required to make that drop-down work as expected.
Was this always the case? I'm almost sure I've used this previously without having to set the app settings on iOS enrolled devices.
Would be nice if there was a setting to enable IntuneMAMUPN for all apps targeted by an app protection policy...
I think I'll go add a feature request.
I cannot stress to you just how helpful this was. Thank you very, very much; this fixed an issue we were having setting this up. A tad silly, as a managed device should be recognised by Endpoint Manager, but alas, such as it is. Thank you!
Hi, I also did some blogs about it.
The IntuneMAMUPN key could be explained a little bit better, and why you need to configure it.
This one should explain it a little bit better :)
https://call4cloud.nl/2021/03/the-chronicles-of-mam/

Hi,

Sorry for my late response, couldn't log in somehow :)
https://twitter.com/ooms_rudy/status/1487387393716068352
But that would be nice indeed, it should save you some time. In my GitHub there is a part where I automated that deployment:

https://github.com/Call4cloud/Enrollment/blob/main/DU/

I am explaining that part also in the blog I mentioned above!

Hi,

Thanks for your kind words! I am glad I could help you out!